Analecta Cyber Company Blog: Security Actions for Each Phase of an Information System Development Life Cycle

2018-04-10

Security Actions for Each Phase of an Information System Development Life Cycle

Businesses rely on secure information systems to be successful. This raises information security to a vital business function. The best way to ensure data and information systems are protected is to integrate security throughout the entire system development life cycle (SDLC). No matter what SDLC your organization uses, when security is kept at the forefront of the planning process, your company is better positioned to stay ahead of threats and vulnerabilities.

What is an information system life cycle?


An information system life cycle, or system development life cycle, is the overall process for bringing a new information system into the business. It manages the development, implementation and decommissioning of information systems. There are many models that can be used to plan out a system development life cycle. The National Institute of Standards and Technology (NIST) model we recommend consists of a series of defined steps or phases that will take the system from inception, through planning, testing, deployment and maintenance, and ending with how to properly handle the data when a system is retired.

Using the NIST guidelines as a model


Detailed guidelines are available to help organizations that follow the NIST cybersecurity recommendations incorporate IT security steps into each phase of the organization’s IT system life cycle. The NIST version of the life cycle includes the following phases:
  1. Initiation
  2. Acquisition/development
  3. Implementation/assessment
  4. Operations/maintenance
  5. Disposal of the system
As shown below, the cyclical representation highlights that data rarely appears from nowhere; it comes from somewhere, quite possibly a retiring system. The same principle applies when decommissioning a system. It is very likely that data currently residing on a business system will move forward to a future system rather than cease to exist with the disposal of a physical machine.

Incorporating security measures early into each phase of the SDLC will enable your business to adapt to emerging threats without costly patchwork fixes.

How security requirements can be planned into an IT SDLC


Now that we know a bit more about the importance of having a system development life cycle, let’s explore how IT security can be planned into the successful execution of each phase.

Initiation Phase: The initiation phase is where the process is started; the organization has decided that there is a business need for a system. The various stakeholders meet at this point to identify the purpose and requirements for the system. This is a great time to identify key security roles that need to be included in the development of the system. NIST recommends that the Chief Information Security Officer (CISO), Information System Security Officer (ISSO) or their counterpart be identified at this point in the process. Having an understanding of the company’s mission, objectives and activities as seen from the IT security standpoint goes a long way in making sure everything will be protected once the system is up and running.

Acquisition/Development Phase: The system is designed, purchased, programmed or otherwise constructed, signaling the beginning of the development or acquisition phase. During this phase, the security team should use risk modeling, a process that involves identifying and measuring potential security risks from a theoretical standpoint. Questions to ask include: What will the system contain that is worth protecting? Who are we protecting it from? How will they attempt to gain access?

Implementation/Assessment Phase: The company can now complete a risk assessment to determine the potential security risk to the business and its interests resulting from the operation of the information system. Using the results from the risk assessment, the IT team can build baseline security controls that need to be in place to mitigate potential threats and to maintain data confidentiality, integrity and availability. After the system has been deployed into production, running security audits and developmental testing ensures that the security features and the system functions are performing as planned. It is important to document the results of these audits in order to identify trends and to ensure your security controls meet or exceed any regulatory requirements.

Operations/Maintenance Phase: The system is in place and running as intended as part of the operations or maintenance phase. Most of the security activity will turn toward monitoring the performance of the system and auditing the state of the system’s security. Maintenance will include ensuring patches and updates are installed in accordance with security requirements, privileged accounts are limited and applications are operating within appropriate privileges.

Disposal Phase: The disposal phase is just as important from a security standpoint as the other phases. Perhaps it is more so, because sensitive data may be lost through unauthorized disclosure if the disposal is performed improperly. Most systems do not have a definitive end, but rather evolve into the next version or generation due to changing requirements or technology. Thus, much of the information from the original system may still be useful when planning security for the follow-on system.

Data that needs to be preserved should be retained in accordance with the organization’s security policy. If full disk encryption was implemented at an earlier stage, the remaining information is secure (provided the encryption keys are also destroyed) and the disk may be disposed of or destroyed. If not previously encrypted, the data needs to be removed from the storage device before disposing of it.

Justification for early security considerations


Integrating security into an established SDLC prior to the initiation phase can be valuable to an organization in many ways. As suggested by the NIST guidelines, several of the top benefits of integrating security into the SDLC include:

  • Early identification and mitigation of security vulnerabilities and problems with the configuration of systems, resulting in lower costs to implement security controls and mitigation of vulnerabilities;
  • Awareness of potential engineering challenges caused by mandatory security controls;
  • Documentation of important security decisions made during the development process to inform management about security considerations during all phases of development;
  • Improved systems interoperability and integration that would be difficult to achieve if security is considered separately at various system levels.
From the NIST publication: The System Development Life Cycle

Communication and documentation are key


Once you have your system development life cycle identified, make sure the right people are involved throughout the entire process of implementing it. Naturally, you will need input from stakeholders within your organization and the end users, but you will also need to include the individuals responsible for applying the required security controls. The security team should have a strong understanding of information security, threats, vulnerabilities and the risks posed to critical business functions. They must be able to provide input and guidance throughout each step of the system development life cycle.

Also, keeping up-to-date documentation on your system’s risk analysis and threat mitigation strategies will save time and resources on similar implementations. If any issues arise, you will have a point of reference that indicates where changes to the system were made.

How Analecta can help protect your business


As we have shown, there are a multitude of opportunities to incorporate security throughout all phases in the system development life cycle, potentially saving your organization from overspending on mitigation solutions. From initiation to disposal, your system should be:
  • Designed with security in mind
  • Managed effectively to reduce misconfiguration
  • Monitored with vulnerabilities promptly resolved
  • Decommissioned with absolute certainty that data is protected

Analecta Cyber brings decades of expertise implementing secure information systems based on the NIST Cybersecurity Framework guidelines. Using a holistic approach and industry standards, the Analecta 96-point Cyber Risk Assessment enables you to see how to minimize or even eliminate the risk of data breaches that can cause customer loss, reputational damage and severe bottom-line impact. We can identify the most important next steps in your firm’s cyber security program to maximize protection. Email us at info@analecta-llc.com. We are here to help!

Further Resources

  1. NIST - SP 800-64: Security Considerations in the System Development Life Cycle
  2. NIST - SP 800-53: Information Security Architecture
  3. NIST - SP 800-53: System Development Life Cycle