Once these tasks have been completed and a need has been recognized for a new or enhanced IT product or service, several processes must take place before the project is approved, including clearly defining project goals and defining high-level information security requirements. Typically, during this phase, the organization defines high-level information security policy requirements as well as the enterprise security system architecture.
During the development/acquisition phase, the system is designed, purchased, programmed, developed, or otherwise constructed. This phase often consists of other defined cycles, such as the system development cycle or the acquisition cycle. During the first part of the development/acquisition phase, the organization should simultaneously define the system's security and functional requirements. These requirements can be expressed as technical features (e.g., access control), assurances (e.g., background checks for system developers), or operational practices (e.g., awareness and training). During the last part of this phase, the organization should perform developmental testing of the technical and security features/functions to ensure that they perform as intended prior to launching the implementation and integration phase.
3. Write about: Metrics Development and Implementation Approach
Ans: Metric Types -
Metrics are tools that support decision making. Like experience, external mandates, and strategies, metrics are one element of a manager's toolkit for making and substantiating decisions.
Metrics are used to answer three basic questions:
Am I implementing the tasks for which I am responsible?
Consider the example of a program manager with responsibility for 250 information systems. Among other things, that manager is responsible for the security certification and accreditation of those systems. A commonly used implementation metric for security certification and accreditation is the percentage of systems accredited.
How efficiently or effectively am I accomplishing those tasks?
Such metrics often answer more complex questions after an activity is fully implemented. For example, federal law requires that security certification and accreditation take place following a major system change. One might measure the efficiency of a security certification and accreditation program by determining the time lag between each major system change and that system's renewed accreditation.
Or one might measure the effectiveness of a security certification and