System Development Life Cycle

“Both risk governance and regulatory requirements emphasize the need for an effective risk management plan. And to effectively manage risk, it is important that definitions of the risk management plan objectives are clear from the start, so that the plan can head in the right direction. Risk management of information assets also provides a strong basis for information security activities, such as controlling risk to the confidentiality, integrity, and availability of information aligning mitigation efforts with business objectives, and providing cost-effective solutions after analyzing security risks” (University of Phoenix – Skillsoft®, 2012). A security development life cycle is a guide for ensuring that security is continually being improved. Security lifecycle implementation requires policy and standards implementation from the start.

Security policy and standards are the foundation to any component of a security plan. These are especially critical in both the assessment and protection phase of the lifecycle. The assessment phase will use the standards and policy as the basis of conducting the assessment. Resources will be evaluated against the security policy. During the protection phase, resources will be configured to meet policy and standards. Security should be addressed at all stages of the systems development life cycle (SDLC). “The systems development life cycle (SDLC) is a methodology for the design and implementation of an information system.

A methodology is a formal approach to solving a problem by means of a structured sequence of procedures. Using a methodology ensures a rigorous process with a clearly defined goal and increases the probability of success. Completion of methodology adoption triggers activities such as, establishing key milestones and team selection ensuring accountability for accomplishing the project goals” (Whitman, 2012, p. 21). The stages of an SDLC include:

1.Investigation
2. Analysis
3. Logical design
4. Physical design
5. Implementation
6. Maintenance and Change

The only differences between the two are the specific activities and intent that takes place for each phase in the SDLC (table 1-2). The investigation phase of the SecSDLC starts with a directive from upper management specifying the process, outcomes, and goals of the project, as well as its budget and other constraints. NIST SP 800-60 is a great resource to identify different information types as well as listing security impact levels and justifications. Additionally, NIST SP 800-53 separates controls into three baselines that match the potential system impact levels including system owner identification. The requirement analysis phase involves conducting a preliminary analysis of existing security policies or programs, along with documented current threats and associated controls.

The logical design phase involves team members creating and developing the blueprint for security, examining, as well as implementing key policies that influence decisions in the future. The physical design phase involves team members evaluating technology needs to support the security blueprint, providing alternative solutions, and approving the final design. The implementation phase involves acquiring, testing, implementing, and retesting of security solutions. This phase also involves conducting evaluation, specific training, and education programs provided to personnel.

In this phase, DISA STIGS, NIST SP 800-18, NIST SP-53A, and NIST SP 800-37 are the references that incorporates technology best practices, finalize system security plan, develop security control testing plan, test security controls, authorize system, and develop plan of action and milestones. The maintenance and change phase involves the operation, proper management, and keeping up to date of the information security program through established procedures. In this activity, it is important to incorporate recommendations from resources such as, NIST SP 800-53a, NIST SP 800-86, NIST SP 800-83, NIST SP 800-61, and NIST 800-40.

Table 1-2, (Whitman, 2012, p. 28).
The Information Technology (IT) Security Certification and Accreditation (C&A) process evaluates the implementation of an IT system or site against its security requirements. The process produces evidence used by a designated manager as part of the basis for making an informed decision about operating that IT system or site.

The NSTISSI2 NATIONAL INFORMATION SYSTEMS SECURITY (INFOSEC) GLOSSARY No. 4009 September 2000 defines certification as a “comprehensive evaluation of the technical and non-technical security safeguards of an IS to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements” and accreditation is a “formal declaration by a Designated Approving Authority (DAA) that an IS is approved to operate in a particular security mode at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards” (SANS Institute, 2007, p. 1).

“The NIACAP establishes a standard national process, set of activities, general tasks, and a management structure to certify and accredit systems that will maintain the information assurance (IA) and security posture of a system or site” (National Security Telecommunications and Information Systems Security Committee, 2000). The process certifies that the information system (IS) meets documented security requirements and will continue to maintain the accredited security posture throughout the system life cycle. “Adapting the process includes existing system certifications and evaluations of products. Users of the process must align the process with their program strategies and integrate the activities into their enterprise system life cycle. While the NIACAP maps to any system life cycle process, its four phases are independent of the life cycle strategy.

While developed for national security systems, the NIACAP may, at an agency’s discretion, be adapted to any type of IS and any computing environment and mission subject to the policies found in OMB Circular A-130, Appendix III and the standards and guidance issued by the National Institute of Standards and Technology (NIST)” (National Security Telecommunications and Information Systems Security Committee, 2000, p. 1). NIST Special Publication 800-64, rev. 1, provides an overview of the security considerations for each phase of the SDLC – “Each SDLC phases includes a minimum set of security steps needed to effectively incorporate security into a system during its development.

An organization will either use the general SDLC described or will have developed a tailored SDLC that meets their specific needs. Based on NIST recommendation, organizations should incorporate associated IT security steps of the general SDLC into their development process” (Whitman, 2012, p. 24). Integrating security activities into the SDLC, allow organizations to get the most out of three key advantages. First, the system benefits from a tougher security, decreasing the probability and effect of intentional and unintentional vulnerabilities. Second, by considering security concepts during the correct SDLC phase, the incorporation of security into the system becomes seamless and benefits from cost reduction. Otherwise, retrofitting a system with security requirements is a costly process. Finally, “the activity of integrating security into the lifecycle of federal information systems is required by the Certification and Accreditation (C&A) process” (Onpointcorp.com, n.d.).

References

National Security Telecommunications and Information Systems Security Committee. (2000). National Information Assurance Certification and Accreditation Process (NIACAP). Retrieved from https://www.fismacenter.com/nstissi_1000.pdf Onpointcorp.com. (n.d.). Incorporating Security into the System Development Life Cycle (SDLC). Retrieved from http://www.onpointcorp.com/uploads/137/doc/Security_in_the_SDLC.pdf SANS Institute. (2007). Certification and Accreditation (C&A) Vs System Development Life Cycle Management (SDLC). Retrieved from http://www.sans.org/reading-room/whitepapers/auditing/certification-accreditation-c-a-system-development-life-cycle-management-sdlc-1961 University of Phoenix – Skillsoft®. (2012). CISM 2012: Information Risk Management and Compliance (Part 1): Information Risk Management Overview. Retrieved from https://library.skillport.com/courseware/Content/cca/sp_cisn_a04_it_enus//output/t4/misc/transcript.html Whitman, M. E. (2012). Principles of Information Security (4th ed.). Mason, OH: Cengage Learning.