This video contains a discussion of requirements, acquisition, test and evaluation, and commissioning/decommissioning.
- [Instructor] In our organizations, we often have a requirement to create something new. When this occurs, we may have to go out and buy a new system or we might have to develop one from the ground up to meet the internal needs of our organization. During the development of this new system, there are numerous decisions and choices that have to be made. These decisions run the gamut from the agreed-upon functionality of the system to the details of the security of the system, and even the end user experience that will occur during the system's usage.
Whenever you're developing a system though, you have to do it in a methodical and logical order. If you begin to develop the system haphazardly or simply bolt on additional components here and there as you're going along, you're going to find that you have large security gaps that are going to be difficult to protect against. The system's development life cycle, or SDLC, is the process that occurs from the initial idea of a system, to its development, its release into operations, and finally into its retirement.
So, whenever you begin to develop a system, you should always think back to the simplistic five-step system development life cycle: initiate, acquire and develop, implement, operate/maintain, and dispose. By performing each of these five steps in order, you can be assured that your organization has at least considered each portion of the system throughout its life cycle and you'll have a better idea of how to defend it. After all, it is a lot cheaper to design security from the beginning of the development of the system than it is to try to bolt it on and add it after the system has been placed into operations.
The first step is to initiate the system's development. During the initiation phase, the basic system requirements are suggested and agreed upon by key stakeholders. These requirements might be for a new feature, a new security improvement, or a new user experience. Regardless, decisions have to be made on the new functionality that will be achieved through this development. Do we suggest that our organization builds a new system from the ground up? Or will we purchase an off-the-shelf solution?
The second step is to acquire or develop the proposed system. If the decision was made to acquire an off-the-shelf solution, a risk assessment should be conducted of the proposed system or software. The risk assessment should consider the confidentiality, integrity, and availability concerns that may exist with the proposed solution. If the decision was made to develop the system in-house, then it's important for us to determine if our organization has the capability and enough resources to properly and adequately develop the function of the system and the security needed to protect that system.
The third step is to implement that solution. During this stage, it's important that the solution is fully tested, evaluated, and transitioned into the live production environment. It is also during this stage that the certification and accreditation is performed. During certification, the solution's effectiveness and security are verified from a technical perspective. During accreditation, this solution receives a formal authorization to be placed into the production environment. Additionally, during the transition, the users and the operational staff will be trained on the new system.
During step four, the system is now placed into operations. During the operation and maintenance phase, the service desk will handle requests from the end users and the organization is now fully utilizing the new system. During any system's development life cycle, the majority of time is spent during the operate and maintain stage. This stage is also the most expensive stage in the development life cycle, representing nearly 70% of the cost of most systems in most cases. Since the operations phase is so important and so costly, we're going to spend a separate lecture diving into its particular activities.
The fifth and final step is the disposition phase. At this point in the life cycle, the system is no longer needed. The functions that were performed by the system are either stopped or transferred to a new system. The servers and the software that were associated with that system must be disposed of properly. If they're not, they can represent a large vulnerability to our organizations. Because asset disposal is so critical to security, we're going to spend a separate lecture going deeper into this topic as well.
- Best practices for conducting research
- Current threats and threat models
- Emerging social media platforms and their threats
- Integrating research into business functions
- Security activities across the systems and software development lifecycles
- Adapting solutions to meet business needs
- Collaborating with programmers, sales staff, facilities managers, and others
- Providing guidance to senior management