1

কঠোর

2
3
 SDLC SecSDLC
Investigation
SDLC Investigation
SecSDLC
& Analysis
•What problem toInvestigation
be solved? Investigation
•Document project process & goal in
•Objective,
Outline the Constraints
project scopeand
andScope
goals of project Security Policydefines
•Management as defined by the
project processes
management
and goals and documents these in the
•Primarily Cost Benefit Analysis -evaluates
Estimate costs
prescribed benefitsresources
vs. appropriate level of cost •program
Securitysecurity
Categorization
policy.
•Evaluate existing
••Feasibility Analysis – Assess economical, o Define 3 levels (low, moderate
Analyze feasibility & high) of potential impact on
technical, behavioral feasibility of process. (try
to measure whether implementation is worthy in organization/ individual in case
Analysis
Analysis
the context of time and effort) •Analyzeofexisting
security breach.
security policy and
•Assess Current System against plan developed
Analysis o
programIt is useful for organization in
in Investigation
•Primarily phase. of the organization
assessment •Analyzemaking the appropriate selection
current Threats and Controls
of security controls.
••Develop preliminary
Understand system requirements
Current System •Examine legal issues
•Primary Risk Assessment
••Study integration
Capability of new
to support systemSystem
Proposed with existing •Perform Risk Analysis
system o Identify basic Security Need of
•What new system is expected to do? the System.
•Documents findings and update feasibility
•How the new solution interact with existing o Defines the threat environment
analysis
system? where the system operates.
4
 SDLC SecSDLC
Logical Design Logical
Logical
& Physical
DesignDesign
•Create
Assess System
current business
Solution needs
as per against
Businessplan •Risk
Develop
Assessment
security blueprint
– Identify the
developed in Analysis phase
Requirement. protection requirement through a formal
•Plan incident response actions
••Applications are selected
Select application, to provide
data support and structure risk assessment process.
o Service ••Plan business
Security responseRequirement
Functional to disaster
•Generate multiple solution for consideration
o Data Support Analysis
•Determine feasibility of continuing
•Document finding and update feasibility o System security environment
o Needed input and/or out sourcing the project.
analysis o Security functional requirement
•No references for specific technology, vendor
•Security Assurance Requirement –
& product.
Development activity require and assure
•Alternative solution proposed with its that the information security will work
o Strengths & Weaknesses correctly and effectively by produce
o Cost & Benefits evidence.
•Another Feasibility performed. •Cost consideration and reporting –
How much cost can be attributed to
information security
5
 SDLC SecSDLC
Physical Design
Physical Design Physical
Logical Design
& Physical Design
••Select
Select technology to support
specific technology forsolution
implementation ••Select technologies needed
Security Plan – Ensure thattoagreed
support
upon
developed in Logical Design phase security
•Decide make or buy security blueprint
controls are properly planned or
•Select best solution in place and fully documented.
•Perform another feasibility analysis •Develop definition of successful solution
•Decide to make or buy components
•Present the design to the higher management ••Security Controlsecurity
Design physical Development – Ensure
measures to
for approvalfinding and update feasibility
•Document security controls are designed,
support technological solution developed
analysis and implemented as per security plan.
•Review and approve project
•Developmental security test and
evaluation.

6
 SDLC SecSDLC
SDLC
Implementation SecSDLC
Implementation
Implementation Implementation
•Inspection & Acceptance – Organization
•Software developed/ ordered & received
•Develop or buy software validates
•Buy or and verifies
develop the functionality
security solutions
•Tested in test environment
described in specification.
•At the end of the phase, present tested
•Order components
•Conduct user training •System
packageintegration
to management for approval
•Document
•Create the System
supporting documents o Ensure system is integrated in
•Train usersin live environment
•Implement operational site
•Update the feasibility analysis o Vendor guideline followed for
•Conduct feasibility analysis on
 Setting Security Controls
•Present system to users
o Performance review  Enabling Switches
•Test
o the system and
Acceptance review performance
test •Security Certificate
o Ensure controls are effectively
implemented through established
verification technique.
o Describe remaining vulnerabilities.
•Security Accreditation – Provide necessary
security authorization (from Senior
Management) of an Information System to
process, store or transmit that is required.
7
 SDLC SecSDLC
Maintenance & Change Maintenance & Change
SDLCtasks
•Consists of the following •Configuration Management & Control –
SecSDLC
Consideration of potential security impact due to
o Support
Maintenance & Change
the system Maintenance & Change
specific changes in Information system.
o Modify
•Support the system
and modify systemasduring its useful •Constantly
•Continuous monitor, test, modify, update
Monitoring
life required until the useful life and repair
o Conduct to meet
security changing
control threats
monitoring
of the system. o Prepare security status
•Test periodically for compliance with
o Upgrade, o Submit the status to the appropriate
business needs update, patch
management. personnel for necessary action
•Upgrade and patch as necessary
o Test the system periodically •Information Preservation
o Ensure retention of Information as necessary
for compliance.
to confirm legal requirement
o Feasibility of continuance vs. o Accommodate future technology for
discontinuance is evaluated. information retrieval.
•Media Sanitization – Ensures that data is deleted
erased, and written over as necessary
•Hardware and software disposal – Ensure HW &
SW is disposed of as directed by the Information
System Security Officer.
8
9