Week 3 - SDLC

Cards (48)

  • The six phases of SecSDLC: Investigation, Analysis, Logical Design, Physical Design, Implementation, Maintenance and Change
  • Investigation - It begins with a directive from upper management that dictates the process, outcomes, and goals of the project, as well as its budget and other constraints.
  • Investigation - This phase begins with an EISP, which outlines the implementation of a security program within the organization.
  • Investigation - The SecSDLC phase in which the team identifies security requirements, assesses potential risks, and defines security objectives and goals for the system.
  • Analysis - The documents from the investigation phase are studied.
  • Analysis - The development team conducts a preliminary analysis of existing security policies or programs, documented current threats, and associated controls.
  • Enterprise Information Security Policy - EISP
  • Analysis - Risk management begins in this stage, which focuses on identifying, assessing, and evaluating the levels of risk in an organization, specifically the threats to its security and to the information it stores and processes.
  • Logical Design - It creates and develops the blueprints for information security. It examines and implements key policies that influence later decisions.
  • Three planning areas in logical design: Continuity Planning, Incident Response, Disaster Recovery
  • Continuity Planning - It asks how the business will continue in the event of a loss.
  • Incident Response - It asks what steps are taken when an attack occurs.
  • Disaster Recovery - It asks what must be done to recover information and vital systems immediately after a disastrous event.
  • Logical Design - The team also plans incident response actions to be taken in the event of partial or catastrophic loss.
  • Physical Design - This phase evaluates the information security technology needed to support the blueprint as it has been outlined in the logical design.
  • Physical Design - It is usually chosen from several competing alternatives, each of which could meet the logical design requirements.
  • Implementation - This phase of the SecSDLC is similar to that of the traditional SDLC
  • Implementation - The entire tested package is presented to upper management for final approval.
  • Maintenance and Change - The last phase and the most important one, given the ever-changing threat environment.
  • Maintenance and Change - Today's information security systems need constant monitoring, testing, modification, updating and repairing
  • Chief Information Officer - This is an executive-level position that oversees the organization's information.
  • Chief Information Security Officer - It is usually not an executive-level position, and frequently the person in this role reports to the CIO.
  • Project Team - A small functional team of people who are experienced in one or multiple facets of the required technical and nontechnical areas for the project to which they are assigned.
  • Champion - A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization
  • Team Leader - A project manager who may also be a departmental line manager or staff unit manager, and who understands project management, personnel management, and information security technical requirements.
  • Security Policy Developers - People who understand the organization's culture, existing policies, and requirements for developing and implementing successful policies.
  • Risk Assessment Specialists - People who understand financial risk assessment techniques, the values of organizational assets, and the security methods.
  • Security Professionals - Dedicated, trained, and well-educated specialists in all aspects of information security from both technical and nontechnical standpoints.
  • Systems Administrators - People with the primary responsibility for administering systems that house the information used by the organization
  • End Users - Those whom the new system will most directly affect. A selection of users from various departments, levels, and degrees of technical knowledge assists the team in focusing on the application of realistic controls that do not disrupt the essential business activities they seek to safeguard.
  • Data Owners - They are the members of senior management who are responsible for the security and use of a particular set of information.
  • Data Owners - They usually determine the level of data classification, as well as the changes to that classification required by organizational change.
  • Data Custodians - They work directly with the data owners and are responsible for the information and the systems that process, transmit, and store it.
  • Data Custodians - Their duties often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner.
  • Data Users - Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.
  • Communities of Interest - A group of people who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives.
  • Information Security Management and Professional - They are aligned with the goals and mission of the information security community of interest.
  • Information Security Management and Professional - These job functions and organization roles focus on protecting the organization's information systems and stored information from attacks.
  • Information Technology Management and Professional - The community of interest made up of IT managers and skilled professionals in systems design, programming, networks, and other related disciplines has many of the same objectives as the information security community.
  • Information Technology Management and Professional - The members focus more on the costs of system creation and operation, ease of use for system users, and timeliness of system creation, as well as transaction response time.