Friday, July 5, 2013

Security Implementations in the SDLC of systems

The system development life cycle (SDLC) is a series of steps that a system undergoes prior to its completion. Each step is concerned with its own aspect of the final product, and this calls for security implementation in each step so as to avoid a collective failure of the entire system.


The steps of the SDLC are:

  • Initiation
  • Development and acquisition
  • Implementation and assessment
  • Operations and maintenance
  • Disposal

Initiation
In this stage the need for the system is established and the purpose of the system is documented. Deliverables produced at this time include the funding request, a project plan, the cost/benefit analysis, a risk assessment, and the user requirements. This is where the need for a new system is identified through analysis and information gathering.
The security concerns in this stage are:
  i.   Identifying information systems – during initiation, information is collected so that developers establish what information is to be used in the finished product. The information systems used during or after system development should be uniquely identified and analyzed so that security control mechanisms can be identified. This involves performing a data sensitivity assessment.
  ii.  Carrying out the initial or preliminary risk assessment, which identifies weaknesses and recommends safeguards – this assessment is used to identify and point out weaknesses in the confidentiality, integrity or availability of information that may be required to develop or use the system.
  iii. Selecting security controls – this is carried out after identifying all system information types. It is used to identify the security controls that need to be applied to the information system.

Development and acquisition
This is a broad part of the SDLC which involves designing, programming, developing or purchasing, where the system is acquired from vendors. This phase determines how the system will work in the current world of complex systems and interconnectivity, hence comprehensive testing should be done to ensure data availability, confidentiality and integrity. Major security concerns in this phase are the security design, failure scenarios, infrastructure needs and interoperability of the system.
The security activities in this phase are:
  i.   Developing the system security plan – this anticipates the vulnerabilities the system is likely to have once it is put into implementation. It provides a plan for how the developers and the end users will work to enhance the security of the system.
  ii.  Developing the security architecture – this covers the criteria which will be followed in order to attain the security requirements of the system. It involves technical features and their design. Problems in this phase can cause delays or force compromises in the final product.
  iii. Conducting background checks on developers – the developers of a system should be scrutinized, as they are the most important part of security implementation: they do the actual coding and development of the system. Before and after engaging developers in the creation of a system, security personnel should ensure that they have a clear record of who they are and of their deliverables.
  iv.  Reviewing test plans – during system development, one of the fundamental parts is testing the system. Security personnel should counter-check the test plans and procedures, because most systems work on a What You See Is What You Get (WYSIWYG) basis, which means wrong test procedures produce wrong results and eventually compromise the security of the system.
  v.   Performing initial risk assessments – this helps the organization to counter-check whether the planned security practices meet the requirements outlined in the initiation phase.
  vi.  Preparing a contingency plan – also known as Plan B, this is a process that prepares the organization to respond coherently to an unplanned event. The contingency plan can also be used as an alternative course of action if expected results fail to materialize. It is prepared to provide a solution for what should be done in case the system's security features do not deliver as expected.

Implementation and Assessment
During this phase the system enters production. This calls for testing the system against the working environment and the data it is expected to handle. The most important activities in this phase are testing, certification and system installation.
The major security activities are:
  i.   Inclusion of best-practice security technology – systems interoperate with other systems so as to give the desired results. Developers should ensure they acquire the best third-party security mechanisms and incorporate them into the system.
  ii.  Developing a security control testing plan – the testing plan is created to reflect the information provided in the system security plan.
  iii. Testing security controls – this ensures that the security controls outlined in the system security plan are working effectively.
  iv.  Developing a plan of action – this activity provides a schedule for how and when defects found in test results will be fixed, and the resources that will be required. This is done because it is not always obvious that the security controls and mechanisms employed in system development will work as required.
  v.   Authorizing the system – here the system owner or the development lead provides the authorizing officials with the security authorization package. It contains the system security plan, the security assessment documentation and the plan of action. Based on the information provided, the officials decide whether the system will go into production. They also ensure the system complies with state laws and regulations.

Operations and Maintenance
This phase entails all the activities required to keep the system working as required. As far as security is concerned, it does not include functionality enhancements, as those send the system through the first phase again. The security activities in this phase are:
  i.   Managing configuration changes – once the system enters operations, its interoperability with other systems is established and evaluated for security. During this, all configuration modifications and changes affecting security are tracked and recorded.
  ii.  Remediating the plan of action – most systems are put into operation while they still have security problems. The plan of action is initiated to fix the identified security issues.
  iii. Retesting security controls – so as to ensure maximum security, the system is retested in operation mode to ensure that all security measures are working effectively and that it is providing the desired results.
  iv.  Performing operational security – this activity puts all the components of the system, including the environment, under security checks. It involves vulnerability management, managing and monitoring firewalls and security devices, and incident response. It also involves performing backups, training, and managing cryptographic keys.

Disposal
This phase is concerned with systems that are replaced or whose functionality is no longer needed. The system is taken out of production. Maintaining security in this phase is important because if the data contained in the system is not well handled, it may compromise data and information confidentiality.
The main security activities involved here are:
  i.   Preserving information – once a system is no longer required to operate, the information therein may need to be retained by the organization for some time. This calls for the organization to review the state's laws concerning the keeping of information, to review legal requirements for records retention, and to consult within the organization on methods of archiving hard copies of information.
  ii.  Sanitizing media – media that has been removed from use in the system should be sanitized or destroyed through approved methods so that data cannot be recovered, even with professional data recovery services.

