
Information Security and Management

Security in the SDLC
Balancing Information Security and Access

Approaches to Information Security Implementation

Bottom-up approach
A method of establishing security policies and/or practices
that begins as a grassroots effort in which systems
administrators attempt to improve the security of their
systems.

Top-down approach
A methodology of establishing security policies and/or
practices that is initiated by upper management.

1980s: Governments become proactive in the fight against cybercrime
• Limited information security systems could not keep up with the
constant barrage of clever approaches hackers used to break into
computer systems.
• It became extremely prominent when a small group of teenagers
from Milwaukee, known as "the 414s," broke into over 60 military
and corporate computer systems and stole over $70 million from
U.S. banks.
• The sentences were exceedingly light, ranging from stern
warnings to probation.
The Systems Development Life Cycle

SDLC - a methodology for the design and implementation of an information system.

Waterfall model
A type of SDLC in which each phase of the process “flows from” the information gained in the previous phase, with multiple opportunities to return to previous phases and make adjustments.
The Systems Development Life Cycle

• Investigation - Examining the event or plan that initiates the process.
• Analysis - This phase consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems.
• Logical Design - The information gained from the analysis phase is used to begin creating a systems solution for a business problem.
• Physical Design - Specific technologies are selected to support the alternatives identified and evaluated in the logical design.
• Implementation - Any needed software is created. Components are ordered, received, and tested.
• Maintenance and Change - This phase consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle.
Software Assurance

A methodological approach to the development of software that seeks to build security into the development life cycle rather than address it at later stages.
The NIST Approach to Securing SDLC

Comparison of Waterfall and NIST SDLC Phases

Initiation
• Initial delineation of business requirements in terms of confidentiality, integrity, and availability.
• Determination of information categorization and identification of known special handling requirements to transmit, store, or create information such as personally identifiable information.
• Determination of any privacy requirements.
Development/Acquisition
• Conduct the risk assessment and use the results to supplement the baseline security controls.
• Analyze security requirements.
• Perform functional and security testing.
• Prepare initial documents for system certification and accreditation.
• Design security architecture.
Implementation/Assessment
• Integrate the information system into its environment.
• Plan and conduct system certification activities in synchronization with testing of security controls.
• Complete system accreditation activities.

Operations and Maintenance
• Conduct an operational readiness review.
• Manage the configuration of the system.
• Institute processes and procedures for assured operations and continuous monitoring of the information system’s security controls.
• Perform reauthorization as required.
Disposal
• Building and executing a disposal/transition plan
• Archival of critical information
• Sanitization of media
• Disposal of hardware and software.
Microsoft’s SDL
Security Professionals and the Organization
Senior Management
• Chief information officer (CIO)
An executive-level position that oversees the organization’s computing
technology and strives to create efficiency in the processing and access of
the organization’s information.

• Chief information security officer (CISO)
Typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role reports to the CIO.
Information Security Project Team

Project team - A small functional team of people who are experienced in one or multiple facets of the required technical and nontechnical areas for the project to which they are assigned.

Members’ roles:
• Champion: A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization.
• Team leader: A project manager who may also be a departmental line manager or staff unit manager, and who understands project management, personnel management, and information security technical requirements.
• Security policy developers: People who understand the organizational culture, existing policies, and requirements for developing and implementing successful policies.
• Risk assessment specialists: People who understand financial risk
assessment techniques, the value of organizational assets, and the
security methods to be used.
• Security professionals: Dedicated, trained, and well-educated
specialists in all aspects of information security from both a technical and
nontechnical standpoint.
• Systems administrators: People with the primary responsibility for
administering systems that house the information used by the
organization.
• End users: Those whom the new system will most directly affect.
Ideally, a selection of users from various departments, levels, and
degrees of technical knowledge assist the team in focusing on the
application of realistic controls that do not disrupt the essential business
activities they seek to safeguard.
Data Responsibilities

• Data custodians
Individuals who work directly with data owners and are responsible for storage, maintenance, and protection of information.
• Data owners
Individuals who control and are responsible for the security and use of a particular set of information.
• Data users
Internal and external stakeholders (customers, suppliers, and employees) who interact with information in support of their organization’s planning and operations.
