  • Notes
    • Waterfall, prototyping, iterative development, spiral development models
    • The Rational Unified Process (RUP) ‘hump’ diagram shows where each discipline is emphasized, over time, through the life of the project
    • Express the need for the system, and its purpose
    • Business requirements, CIA requirements, privacy requirements. Settle these now, reduce arguing about them later. You will still argue about them later.
    • Lots of activities in this phase:
        • Assess business impacts; see NIST SP 800-34, Contingency Planning Guide for IT Systems
        • Set Recovery Time Objective – how long the system can be down before the business is impacted
        • Set Recovery Point Objective – business tolerance for data loss
    • Design, buy, build. Include security training for development teams, plans for security testing. Baseline security controls, i.e. assume hostile parties know the internals of your system; no security by obscurity.
    • Install, roll-out, use system in the field
    • Handle changes related to on-going operations
    • Migrate to new system
  • Transcript

    • 1. NIST Guidance on Security and Business Continuity Planning in the SDLC
        11th Annual New York State Cyber Security Conference, June 2008
        © CGI GROUP INC. All rights reserved
        James Hewitt, CISSP PMP, 617.501.7908, [email_address]
        Mark Spreitzer, CBCP, 917.304.1966, [email_address]
    • 2. Presentation Outline
        • Review the NIST SDLC & Security Resources
        • SDLC Policy & Architecture
        • 5-Phase Breakdown
        • Overlaps & Iterations
    • 3. NIST & Special Publications
        • NIST = National Institute of Standards and Technology
            • Technology standards and guidelines
        • ITL = Information Technology Laboratory
            • Technical leadership for measurement and standards
            • Publishes Special Publications (SP)
                • tests, test methods, reference data, proof of concept implementations, and technical analyses
                • developed in collaboration with industry, government, and academic organizations
        • Special Publication 800 series focused on Computer Security
            • Guidance and support on Security and Business Continuity
            • SP 800-64, Security Considerations in the System Development Lifecycle
            • NIST SDLC Brochure, August 2004, Information Security in the SDLC
                • http://csrc.nist.gov/SDLCinfosec
    • 4. Walkthrough of NIST SP 800-64
        • Security integration with SDLC
            • Guide agencies to integrate security activities into system development life-cycles (SDLC)
            • Defines information security components of the SDLC
            • Key security roles and responsibilities
            • Translate security activities into IT projects and initiatives that don't have an SDLC
    • 5. NIST's Security in the SDLC
    • 6. SDLC Policy & Architecture
        • Integrate at the enterprise level
        • Include security activities in SDLC policy
        • Include risk management
        • Implement early in every project
            • NIST SP 800-53 on security controls
            • NIST SP 800-39 on enterprise-level risk management
        • Concentrate on business requirements & security requirements
    • 7. Benefits of Integrating Security into the SDLC
        • Early identification and mitigation of vulnerabilities and misconfigurations
        • Lower cost of control implementation and vulnerability mitigation
        • Identification of shared security services
        • Reuse of strategies and tools to reduce cost and schedule
        • Improvement of security through proven methods and techniques
        • Informed decision making through comprehensive risk management
        • Documenting security decisions made during development
        • Improved organization and customer confidence to facilitate adoption and usage
        • Improved systems interoperability and integration that would otherwise be hampered by securing systems at various system levels
    • 8. Security in the Project Lifecycle
    • 9. SDLC Phase Structure
        • Phase 1: Initiation
        • Phase 2: Development / Acquisition
        • Phase 3: Implementation / Assessment
        • Phase 4: Operations / Maintenance
        • Phase 5: Sunset (Disposition)
    • 10. Phase 1: Initiation
        • Key tasks:
            • Business partner engagement
            • Document enterprise architecture
            • Identify / specify applicable policies and laws
            • Develop confidentiality, integrity and availability objectives
            • Information and information system security categorization (repeat 4 & 5)
            • Procurement specification development
            • Preliminary risk assessment
    • 11. Phase 1: Initiation
        • Inputs to Security Planning:
            • Decision to initiate system
        • Outputs from Security Planning:
            • Security expectations
            • Schedule of security activities & decisions
        • Categorize system outputs:
            • Security category
            • High-level security requirements
            • Level of effort
        • … act as inputs to:
            • Business Impact Analysis (BIA), Disaster Recovery, Contingency Planning, Continuity of Operations Planning decisions
                • Use results of BIA to develop requirements for business partner SLAs
    • 12. Phase 1: Initiation
        • Control gates:
            • Categorization and impact levels
                • See SP 800-53 on minimal security controls
                • See SP 800-60, companion to FIPS-199
            • Architecture alignment, standards
            • Initial design review against requirements
            • Risk management review
            • Financial review, balancing cost with risk management
        • Major tasks:
            • Identify security roles, stakeholders, milestones
        • Apply to one system or multiple systems
    • 13. Phase 1: Initiation – Relating security considerations
    • 14. Phase 2: Acquisition / Development
        • Risk assessment
        • Select initial baseline of security controls
        • Refinement – security control baseline
        • Security control design
        • Cost analysis & reporting [repeat with 1. risk assessment]
        • Security planning
        • Unit / integration security testing & evaluation
    • 15. Phase 2: Acquisition / Development
        • Control gates:
            • Architecture / design review
                • e.g. evaluate design for disaster recovery
            • Performance, functional reviews
            • Financial review, review cost-benefit ratios
            • Re-visit risk management decisions
        • Major tasks:
            • Assess risks & security categorization vs security controls
            • Re-visit business impact analysis
            • Create baseline security requirements, security architecture and security controls
                • Include common controls
            • Start to build and integrate controls
            • Start writing security tests
            • Review additional functionality in terms of added risk
    • 16. Phase 2: Acquisition / Development – Relating security considerations
    • 17. Phase 3: Implementation / Assessment
        • Product / component inspection & acceptance
        • Security control integration
        • User / administrative guidance
        • System security test & evaluation plan (repeat #3)
        • System certification (repeat #2 & #3)
        • Statement of residual risk
        • Security accreditation
    • 18. Phase 3: Implementation / Acquisition
        • Control gates:
            • Reviews for test readiness, deployment readiness, deployment approval, certification & accreditation
            • Final financial review – where did the money and effort go?
        • Major tasks:
            • Integrate with existing environment controls
            • Test controls
            • Set priorities for continuous monitoring
            • Define final, deployable state, and certify it
    • 19. Phase 3: Implementation / Acquisition – Relating security considerations
    • 20. Phase 4: Operations / Maintenance
        • Configuration management, change control and auditing
        • Continuous monitoring
        • Recertification (repeat #1)
        • Reaccreditation
        • Incident handling (repeat #1)
        • Auditing (repeat #2)
        • Intrusion detection and monitoring
        • Contingency plan testing (including continuity of operations plan)
    • 21. Phase 4: Operations / Maintenance
        • Control gates:
            • Operational readiness review
            • Change control board, procedures
            • Decision to accredit
        • Major tasks:
            • Review operational readiness, before and after a major change
            • Manage security configuration control
            • Other configuration management, with an eye to its effect on system security
            • Monitor security controls
            • Periodic re-certification
    • 22. Phase 4: Operations / Maintenance – Relating security considerations
    • 23. Phase 5: Sunset (Disposition)
        • Transition planning
            • Migration to new system
        • Component disposal
        • Media sanitization
            • NIST SP 800-88, Guidelines for Media Sanitization
        • Information archiving (repeat #1)
            • Ensure information preservation
    • 24. Phase 5: Sunset (Disposition) – Relating security considerations
    • 25. Phase Overlaps & Task Iterations
        • Phase 2: Development / Acquisition
            • Cost analysis & reporting
            • Security planning
        • Phase 1: Initiation
            • Business partner engagement
    • 26. Phase Overlaps & Task Iterations
        • Phase 3: Implementation / Assessment
            • Security control integration
        • Phase 2: Acquisition / Development
            • Security control design
    • 27. Phase Overlaps & Task Iterations
        • Phase 4: Operations / Maintenance
            • Monitoring
            • Recertification
        • Phase 1: Initiation
            • Develop confidentiality, integrity and availability objectives
    • 28. Additional Considerations
        • Supply Chain and Software Assurance
        • Service Oriented Architecture
        • Specific Accreditation of Security Modules for Reuse
        • Cross-Organizational Solutions
        • Technology Advancement & Major Migrations
        • Data Center or IT Facility development
        • Virtualization
    • 29. Questions?
        Mark Spreitzer, CBCP, Executive Consultant, Enterprise Security Practice
        7 Hanover Square, 7th Floor, New York, NY 10004
        Tel: (212) 612-3611, Mobile: (917) 304-1966, [email_address]
        James Hewitt, CISSP, PMP, Senior Consultant, Enterprise Security Practice
        12 Corporate Woods Blvd., Albany, NY 12211
        Tel: (617) 501-7908, [email_address]
    • 30. Our commitment to you
        • We approach every engagement with one objective in mind: to help clients win and grow.