Professional Documents
Culture Documents
Lec2-Is-Intorduction - Part II (2 Nov 2022)
Lec2-Is-Intorduction - Part II (2 Nov 2022)
31
06
2
The Systems Development Life Cycle
• Systems development life cycle (SDLC) is methodology
CS and design for implementation of information security
31 within an organization
06
• Methodology is formal approach to problem-solving
based on structured sequence of procedures
• Using a methodology
• ensures a rigorous process
• avoids missing steps
• Goal is creating a comprehensive security
posture/program
• Traditional SDLC consists of six general phases
Principles of Information Security, 4th Edition 3
SDLC Water Fall Methodology
CS
31
06
CS
• The same phases used in traditional SDLC may
31 be adapted to support specialized
06 implementation of an IS project
CS • Investigation
31
06 • Identifies process, outcomes, goals, and
constraints of the project
• Begins with enterprise information security
policy
• Analysis
• Existing security policies, legal issues,
• Perform risk analysis
Principles of Information Security, 2nd Edition 6
The Security Systems Development Life Cycle
CS
• Logical Design
31
06 • Creates and develops blueprints for information security
• Incident response actions: Continuity planning,
Incident response, Disaster recovery
• Physical Design
• Needed security technology is evaluated, alternatives
generated, and final design selected
Principles of Information Security, 2nd Edition 7
The Security Systems Development Life Cycle
• Implementation
CS • Security solutions are acquired, tested, implemented,
31 and tested again
06
• Personnel issues evaluated; specific training and
education programs conducted
• Entire tested package is presented to management for
final approval
CS
• A number of individuals who are experienced in one
31
or more facets of technical and non-technical areas:
06
• Champion: Senior executive who promotes the project
• Team leader: project manager, departmental level
manager
• Security policy developers
• Risk assessment specialists
• Security professionals
• Systems administrators
• End users
Principles of Information Security, 2nd Edition 11
Data Ownership
CS
• Access • Security Blueprint
31
06
• Asset • Security Model
• Attack • Security Posture or
• Control, Safeguard or Security Profile
Countermeasure
• Exploit • Subject
• Exposure • Threats
• Hacking • Threat Agent
• Object • Vulnerability
• Risk Principles of Information Security, 2nd Edition 14
Summary
CS
• Information security is a “well-informed sense of
31 assurance that the information risks and controls
06 are in balance.”