  • Good Afternoon! My name is Marge Spanninger and I lead the Information Assurance Training Team at Booz-Allen and Hamilton. This afternoon I’d like to talk to you about “Developing Security Competencies Through Information Assurance Undergraduate and Graduate Programs”
  • Transcript

    1. Security Is Everyone’s Business: Role-Based Training for the System Development Life Cycle. Federal Information System Security Educators Association, 18th Annual Conference, March 22, 2005. Prepared by: Margaret Spanninger, Booz Allen Hamilton, (703) 289-5471, [email_address]
    2. Today’s Presentation
       • Introduction
       • Federal Information Security Management Act (FISMA) Requirements and Business Drivers
       • System Development Life Cycle (SDLC)
       • Personnel with Significant Security Responsibility
       • Role-Based Training and Assurance
       • Implementing National Institute of Standards and Technology (NIST) Special Publication (SP) 800-16
    3. Introduction
       • Security integration into the SDLC is one of the key elements required for resolving many of the long-standing weaknesses in information technology (IT) security and for achieving sustainable performance improvements in IT security programs
       • Personnel at all levels must understand that “security is not an option” but an integral element of all IT systems
       This presentation is based on the premise that security integration into organizational business processes, especially the system development life cycle (SDLC), is a fundamental requirement for FISMA compliance and for achieving security performance goals.
    4. FISMA Requirements and SDLC
       FISMA states under § 3544, Federal agency responsibilities, (b) Agency Program: “Each agency shall develop, document, and implement an agency-wide information security program that includes…(2) policies and procedures that…(C) ensure that information security is addressed throughout the life cycle of each agency information system.”
    5. Business Drivers
       • Security is less expensive to implement if it is planned from the beginning
       • Building security controls into the system, rather than adding them after the system is already built, improves system performance
       • Security becomes an enabling factor rather than a barrier to success by reducing the need for expensive reengineering and reprogramming
       • It ensures success of certification and accreditation processes and keeps the project on schedule
    6. Earlier is Better
       • If security is not identified with other requirements, it will not be addressed
       • It is critical that security controls are planned in the earliest phases (BEFORE implementation) to ensure:
         - Adequate and appropriate resources are allocated for security throughout the system life cycle
         - The most cost-effective security controls are chosen and implemented
         - A structured and consistent approach for developing and maintaining security for information systems
         - Increased homogeneity among information systems and security controls within an organization to reduce operational costs
         - Certification and accreditation with minimal additional effort
    7. Phases of the SDLC
       • Initiation: someone has a need or an idea
       • Development/acquisition: build or buy decision
       • Implementation: system development and/or integration
       • Operation/maintenance: system put into service
       • Disposition: system removed from service
    8. Security Tasks in the SDLC
       • Initiation
         - Needs Determination
         - Security Categorization
         - Risk Assessment
       • Development/Acquisition
         - Risk Assessment
         - Security Functional Requirements Analysis
         - Security Assurance Requirements Analysis
         - Cost Considerations
         - Security Control Development
         - Developmental Security Test and Evaluation
         - Acquisition Specifications
       • Implementation
         - Inspection and Acceptance
         - System Integration
         - Certification & Accreditation
       • Operations & Maintenance
         - Configuration Management and Control
         - Continuous Monitoring
       • Disposition
         - Information Preservation
         - Media Sanitization
         - Hardware and Software Disposal
    9. Personnel with Significant Security Responsibilities
       FISMA states under § 3544, Federal agency responsibilities, (a) In General: The head of each agency shall “(3) delegate to the agency Chief Information Officer…the authority to ensure compliance with the requirements imposed on the agency under this subchapter, including—…(D) training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities; (4) ensure that the agency has trained personnel sufficient to assist the agency in complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines;…”
    10. OPM Clarifies Who Needs to Be Trained
       • OPM 5 CFR part 930.301, Computer security training program, states that the following positions must be trained in computer security basics and other domains:
         - Executives
         - Program and functional managers
         - Chief Information Officers (CIO)
         - IT security program managers
         - Auditors
         - System and network administrators
         - System/application security officers
         - IT function management and operations personnel
    11. Moving from Theory to Practice
       • It is critical that personnel in positions with significant security responsibilities actively participate in the SDLC
       • Their participation provides assurance that:
         1) security requirements have been addressed
         2) countermeasures have been identified
         3) controls have been properly implemented and tested
         4) all changes to the operational system are reviewed to ensure the integrity of the system and security solution that have been certified and accredited
         5) the data, hardware, software, and documentation are disposed of properly
    12. NIST 800-16 Provides Framework
       • Three primary domains of security knowledge
         - Laws and regulations
         - Security programs, with two sub-categories
         - Security in the SDLC, with six sub-categories
       • Six functional roles associated with each of the primary categories
         - Manage
         - Acquire
         - Design and develop
         - Implement and operate
         - Review and evaluate
         - Use
       • Twenty-six positions with significant security responsibilities
    13. Personnel With Significant Security Responsibilities Play a Critical Role
       • Executive Management: CIO; Sr. IRM Official; System Owner; Program Manager; Information Resource Manager; Records Mgt. Official; FOIA Official; Privacy Act Official
       • Compliance: DAA; Certification Reviewer; ISO/ISM; Auditor, Internal; Auditor, External
       • Acquisition: Source Selection Board; Contracting Officer; COTR
       • Design and Development: System Designer/Developer; System/Program Analyst
       • Operations: Data Center Manager; Network Administrator; System Administrator; Database Administrator; Technical Support (Help Desk); System Operator; Telecommunications Specialist
       • User: Any position that uses IT resources
    14. The NIST Core Body of Knowledge
       • Laws and regulations
       • IT security programs
       • System environment
       • System interconnection (physical access)
       • Information sharing (logical access)
       • Sensitivity
       • Risk management
       • Life cycle controls
       • Management controls
       • Operational controls
       • Technical controls
       • Awareness, training and education
    15. Stakeholders and the SDLC
       • Matrix of stakeholder positions (rows) against SDLC phases (columns); the cell marks showing which positions participate in which phase did not survive extraction.
       • Positions: CIO; Sr. IRM Official; System Owner; Program Manager; Information Resource Mgr.; Records Mgt. Official; FOIA Official; Privacy Act Official; Source Selection Board; Contracting Officer; COTR; System Designer/Developer; System/Program Analyst; Data Center Manager; Network Administrator; System Administrator; Database Administrator; Technical Support (Helpdesk); System Operator; Telecomm. Specialist; DAA; Certification Reviewer; ISO/ISM; Auditor, Internal; Auditor, External; Users
       • SDLC Phases: Initiation; Development/Acquisition; Implementation/Integration; Operations & Maintenance; Disposal
    16. Role-Based Training and NIST SP 800-16
    17. Manage Role, CBK, and Positions
       • Positions: ISO/ISM; Info. Resource Manager; CIO; Senior IRM Official; Program Manager; System Owner; System Designer/Developer; Network Administrator; System Administrator; Data Center Manager; Database Administrator
       • Core Body of Knowledge domains: Laws and Regulations; IT Security Program; System Environment; System Interconnection; Information Sharing; Sensitivity; Risk Management; Management Controls; Life Cycle Controls; Operational Controls; Awareness and Training; Technical Controls
       • Training cells for the Manage role (Key: SP = Security Program, SLCS = System Life Cycle Security):
         - Laws and Regulations: 1A
         - SP – Planning: 2.1A
         - SP – Management: 2.2A
         - SLCS – Initiation: 3.1A
         - SLCS – Development: 3.2A
         - SLCS – Test & Evaluation: NA
         - SLCS – Implementation: 3.4A
         - SLCS – Operation: 3.5A
         - SLCS – Termination: 3.6A
       • The marks linking positions and domains to cells did not survive extraction.
    18. Behavioral Outcome for Manage (1 of 3)
       • 1A, Laws and Regulations – Managers are able to understand applicable governing documents and their relationships and to interpret and apply them to the manager’s area of responsibility.
       • 2.1A, Security Program: Planning – Individuals involved in the management of IT security programs are able to understand principles and processes of program planning and can organize resources to develop a security program that meets organizational needs.
       • 2.2A, Security Program: Management – Individuals in IT security program management understand and are able to implement a security program that meets their organization’s needs.
    19. Behavioral Outcome for Manage (2 of 3)
       • 3.1A, Life Cycle: Initiation – Individuals with management responsibilities are able to identify steps in the SDLC where security requirements and concerns need to be considered and to define the processes to be used to resolve those concerns.
       • 3.2A, Life Cycle: Development – Individuals with management responsibilities are able to ensure that the formal development baseline includes approved security requirements and that security-related features are installed, clearly identified, and documented.
       • 3.3A, Life Cycle: Test & Evaluation – Not applicable.
    20. Behavioral Outcome for Manage (3 of 3)
       • 3.4A, Life Cycle: Implementation – Individuals with management responsibilities are able to oversee the implementation and deployment of an IT system in a manner that does not compromise in-place and tested security safeguards.
       • 3.5A, Life Cycle: Operations – Individuals with management responsibilities are able to monitor operations to ensure that safeguards are effective and have the intended effect of balancing efficiency with minimized risk.
       • 3.6A, Life Cycle: Termination – Individuals with management responsibilities are able to understand the special IT security considerations and measures required during the shutdown of a system, and to effectively plan and direct these activities.
    21. Acquire Role, CBK, and Positions
       • Positions: ISO/ISM; COTR; Contracting Officer; Source Selection Board; Senior IRM Official; Telecomm Specialist; Info. Resource Manager; System Designer/Developer; System Owner; Program Manager
       • Core Body of Knowledge domains: Laws and Regulations; IT Security Program; System Environment; System Interconnection; Information Sharing; Sensitivity; Risk Management; Management Controls; Life Cycle Controls; Operational Controls; Awareness and Training; Technical Controls
       • Training cells for the Acquire role (Key: SP = Security Program, SLCS = System Life Cycle Security):
         - Laws and Regulations: 1B
         - SP – Planning: 2.1B
         - SP – Management: 2.2B
         - SLCS – Initiation: 3.1B
         - SLCS – Development: 3.2B
         - SLCS – Test & Evaluation: NA
         - SLCS – Implementation: 3.4B
         - SLCS – Operation: 3.5B
         - SLCS – Termination: NA
       • The marks linking positions and domains to cells did not survive extraction.
    22. Behavioral Outcome for Acquire (1 of 3)
       • 1B, Laws and Regulations – Individuals involved in the acquisition of information technology resources have sufficient understanding of IT security requirements and issues to protect the government’s interests in such acquisitions.
       • 2.1B, Security Program: Planning – Individuals involved in planning the IT security program can identify the resources required for successful implementation. Individuals recognize the need to include IT security requirements in IT acquisitions and to incorporate appropriate acquisition policy and oversight in the IT security program.
       • 2.2B, Security Program: Management – Individuals involved in managing the IT security program have a sufficient understanding of IT security and the acquisition process to incorporate IT security program requirements into acquisition work steps.
    23. Behavioral Outcome for Acquire (2 of 3)
       • 3.1B, Life Cycle: Initiation – Individuals with acquisition responsibilities are able to analyze and develop acquisition documents and/or provide guidance which ensures that functional IT security requirements are incorporated.
       • 3.2B, Life Cycle: Development – Individuals with acquisition responsibilities are able to monitor procurement actions to ensure that IT security requirements are satisfied.
       • 3.3B, Life Cycle: Test & Evaluation – Not applicable.
    24. Behavioral Outcome for Acquire (3 of 3)
       • 3.4B, Life Cycle: Implementation – Individuals with acquisition responsibilities are able to ensure that the system, as implemented, meets all contractual requirements related to the security and privacy of IT resources.
       • 3.5B, Life Cycle: Operations – Individuals with acquisition responsibilities are able to understand the IT security concerns associated with system operations and to identify and use the appropriate contract vehicle to meet current needs in a timely manner.
       • 3.6B, Life Cycle: Termination – Not applicable.
    25. Design/Develop Role, CBK, and Positions
       • Positions (first group): ISO/ISM; Sys. Designer/Developer; Program/Sys Analyst; Program Manager; Info. Resource Mgr.; Auditor, Internal; Privacy Act Official; Database Administrator; Network Administrator; System Administrator; System Operator
       • Positions (second group): ISO/ISM; Sys. Designer/Developer; Program/Sys Analyst; Program Manager; Info. Resource Mgr.; Auditor, Internal; CIO; Senior IRM Official; System Owner; Records Mgt. Official; FOIA Official
       • Core Body of Knowledge domains: Laws and Regulations; IT Security Program; System Environment; System Interconnection; Information Sharing; Sensitivity; Risk Management; Management Controls; Life Cycle Controls; Operational Controls; Awareness and Training; Technical Controls
       • Training cells for the Design/Develop role (Key: SP = Security Program, SLCS = System Life Cycle Security):
         - Laws and Regulations: 1C
         - SP – Planning: 2.1C
         - SP – Management: 2.2C
         - SLCS – Initiation: 3.1C
         - SLCS – Development: 3.2C
         - SLCS – Test & Evaluation: 3.3C
         - SLCS – Implementation: 3.4C
         - SLCS – Operation: 3.5C
         - SLCS – Termination: NA
       • The marks linking positions and domains to cells did not survive extraction.
    26. Behavioral Outcome for Design/Develop (1 of 3)
       • 1C, Laws and Regulations – Individuals responsible for the design and development of automated information systems are able to translate IT laws and regulations into technical specifications which provide adequate and appropriate levels of protection.
       • 2.1C, Security Program: Planning – Individuals responsible for the design and development of an IT security program are able to create a security program specific to a business process or organizational entity.
       • 2.2C, Security Program: Management – Individuals responsible for the design and development of an IT security program have sufficient understanding of the appropriate program elements and requirements to be able to translate them into detailed policies and procedures which provide adequate and appropriate protection for the organization’s IT resources in relation to acceptable levels of risk.
    27. Behavioral Outcome for Design/Develop (2 of 3)
       • 3.1C, Life Cycle: Initiation – Individuals responsible for the design and development of IT systems are able to translate IT security requirements into system-level security specifications.
       • 3.2C, Life Cycle: Development – Individuals responsible for system design, development or modification are able to use baseline IT security requirements to select and install appropriate safeguards.
       • 3.3C, Life Cycle: Test & Evaluation – Individuals are able to design tests to evaluate the adequacy of security safeguards in IT systems.
    28. Behavioral Outcome for Design/Develop (3 of 3)
       • 3.4C, Life Cycle: Implementation – Individuals responsible for system design and/or modification are able to participate in the development of procedures which ensure the safeguards are not compromised as they are incorporated into the production environment.
       • 3.5C, Life Cycle: Operations – Individuals responsible for system development are able to make procedural and operational changes necessary to maintain the acceptable level of risk.
       • 3.6C, Life Cycle: Termination – Not applicable.
    29. Implement/Operate Role, CBK, and Positions
       • Positions (first group): ISO/ISM; Sys. Designer/Developer; Program/Sys Analyst; Program Manager; Info. Resource Mgr.; Program Manager; System Designer/Developer; Database Administrator; Data Center Manager; Certification Reviewer/DAA; Telecom Specialist
       • Positions (second group): ISO/ISM; Network Administrator; System Administrator; System Operator; Technical Support; Program/System Analyst; Auditor, Internal; CIO; Information Resource Mgr; System Owner; Senior IRM Official
       • Also listed on the slide: COTR; Records Mgt Official; FOIA Official; Privacy Act Official
       • Core Body of Knowledge domains: Laws and Regulations; IT Security Program; System Environment; System Interconnection; Information Sharing; Sensitivity; Risk Management; Management Controls; Life Cycle Controls; Operational Controls; Awareness and Training; Technical Controls
       • Training cells for the Implement/Operate role (Key: SP = Security Program, SLCS = System Life Cycle Security):
         - Laws and Regulations: 1D
         - SP – Planning: 2.1D
         - SP – Management: 2.2D
         - SLCS – Initiation: NA
         - SLCS – Development: 3.2D
         - SLCS – Test & Evaluation: 3.3D
         - SLCS – Implementation: 3.4D
         - SLCS – Operation: 3.5D
         - SLCS – Termination: 3.6D
       • The marks linking positions and domains to cells did not survive extraction.
    30. Behavioral Outcome for Implement/Operate (1 of 3)
       • 1D, Laws and Regulations – Individuals responsible for technical implementation and daily operations of an automated information system are able to understand IT security laws and regulations in sufficient detail to ensure that appropriate safeguards are in place and enforced.
       • 2.1D, Security Program: Planning – Individuals responsible for implementing and operating an IT security program are able to develop plans for countermeasures, security controls, and processes as required to execute the existing program.
       • 2.2D, Security Program: Management – Individuals who are responsible for the implementation and daily operations of an IT security program have a sufficient understanding of the appropriate program elements and requirements to be able to apply them in a manner which provides adequate and appropriate levels of protection for the organization’s IT resources.
    31. Behavioral Outcome for Implement/Operate (2 of 3)
       • 3.1D, Life Cycle: Initiation – Not applicable.
       • 3.2D, Life Cycle: Development – Individuals responsible for system implementation or operation are able to assemble, integrate, and install systems so that the functionality and effectiveness of safeguards can be tested and evaluated.
       • 3.3D, Life Cycle: Test & Evaluation – Individuals responsible for system implementation or operation are able to conduct tests of the effectiveness of security safeguards in the integrated system.
    32. Behavioral Outcome for Implement/Operate (3 of 3)
       • 3.4D, Life Cycle: Implementation – Individuals responsible for system implementation or operation ensure the approved safeguards are in place and effective as the system moves into production.
       • 3.5D, Life Cycle: Operations – Individuals responsible for system implementation or operation are able to maintain appropriate safeguards continuously within acceptable levels of risk.
       • 3.6D, Life Cycle: Termination – Individuals responsible for IT system operations are able to develop and implement the system termination plan, including security requirements for archiving/disposing of resources.
    33. Review/Evaluate Role, CBK and Positions
       • Positions: ISO/ISM; Auditor, Internal; Auditor, External; Certification Reviewer; Info. Resource Manager; Senior IRM Official; CIO; System Owner; Program Manager; DAA; Records Mgt. Official
       • Core Body of Knowledge domains: Laws and Regulations; IT Security Program; System Environment; System Interconnection; Information Sharing; Sensitivity; Risk Management; Management Controls; Life Cycle Controls; Operational Controls; Awareness and Training; Technical Controls
       • Training cells for the Review/Evaluate role (Key: SP = Security Program, SLCS = System Life Cycle Security):
         - Laws and Regulations: 1E
         - SP – Planning: 2.1E
         - SP – Management: 2.2E
         - SLCS – Initiation: 3.1E
         - SLCS – Development: 3.2E
         - SLCS – Test & Evaluation: 3.3E
         - SLCS – Implementation: 3.4E
         - SLCS – Operation: 3.5E
         - SLCS – Termination: 3.6E
       • The marks linking positions and domains to cells did not survive extraction.
    34. Behavioral Outcome for Review/Evaluate (1 of 3)
       • 1E, Laws and Regulations – Individuals responsible for the review/evaluation of an automated information system are able to use IT security laws and regulations in developing a comparative baseline and determining the level of system compliance.
       • 2.1E, Security Program: Planning – Individuals responsible for the review/evaluation of an IT security program are able to review the program to determine its continuing capability to cost-effectively address identified requirements.
       • 2.2E, Security Program: Management – Individuals responsible for the review/evaluation of an IT security program have adequate understanding of IT security laws, regulations, standards, guidelines, and the organizational environment to determine if the program adequately addresses all threats and areas of potential vulnerability.
    35. Behavioral Outcome for Review/Evaluate (2 of 3)
       • 3.1E, Life Cycle: Initiation – Individuals are able to evaluate planning documents associated with a particular system to ensure that appropriate IT security requirements have been considered and incorporated.
       • 3.2E, Life Cycle: Development – Individuals responsible for review and evaluation are able to examine development efforts at specified milestones to ensure that approved safeguards are in place and documented.
       • 3.3E, Life Cycle: Test & Evaluation – Individuals are able to evaluate the appropriateness of test methodologies, to conduct independent tests and evaluations to ensure that adequate and appropriate safeguards are in place, effective, and documented, and to prepare C&A documentation.
    36. Behavioral Outcome for Review/Evaluate (3 of 3)
       • 3.4E, Life Cycle: Implementation – Individuals responsible for review and evaluation are able to analyze system and test documentation to determine whether the system provides adequate and appropriate IT security to support C&A.
       • 3.5E, Life Cycle: Operations – Individuals responsible for review and evaluation are able to examine the operational system to determine the adequacy and effectiveness of safeguards and to ensure that a consistent and appropriate level of security is maintained.
       • 3.6E, Life Cycle: Termination – Individuals responsible for review and evaluation are able to verify the appropriateness of the termination plan and processes used to terminate the IT system securely.
    37. Use Role, CBK and Positions
       • Positions: ISO/ISM; Users; System Owner; Info. Resource Manager
       • Core Body of Knowledge domains: Laws and Regulations; IT Security Program; System Environment; System Interconnection; Information Sharing; Sensitivity; Risk Management; Management Controls; Life Cycle Controls; Operational Controls; Awareness and Training; Technical Controls
       • Training cells for the Use role, as labelled on the slide (Key: SP = Security Program, SLCS = System Life Cycle Security):
         - Laws and Regulations: 1F
         - SP – Planning: NA
         - SP – Management: NA
         - SLCS – Initiation: 3.1E
         - SLCS – Development: 3.2E
         - SLCS – Test & Evaluation: 3.3E
         - SLCS – Implementation: 3.4E
         - SLCS – Operation: 3.5E
         - SLCS – Termination: NA
       • The marks linking positions and domains to cells did not survive extraction.
    38. Behavioral Outcome for Use (1 of 3)
       • 1F, Laws and Regulations – Users understand individual accountability and applicable governing documents (e.g., Computer Security Act, Computer Fraud and Abuse Act, Copyright Act, Privacy Act).
       • 2.1F, Security Program: Planning – Not applicable.
       • 2.2F, Security Program: Management – Not applicable.
    39. Behavioral Outcome for Use (2 of 3)
       • 3.1F, Life Cycle: Initiation – Potential users are able to participate in needs analyses and understand the various points of view involved in setting the balance between IT security controls and system efficiency.
       • 3.2F, Life Cycle: Development – Potential users are able to provide input to system development efforts to ensure that IT security safeguards are as transparent to the user as feasible and are balanced with ease of use.
       • 3.3F, Life Cycle: Test & Evaluation – Users are able to participate in acceptance tests and evaluate the impact of security safeguards on the operational environment.
    40. Behavioral Outcome for Use (3 of 3)
       • 3.4F, Life Cycle: Implementation – Users are able to identify and report security and efficiency concerns encountered during normal operations.
       • 3.5F, Life Cycle: Operations – Users are able to understand the objectives of, and comply with, the “rules of behavior” for the system.
       • 3.6F, Life Cycle: Termination – Not applicable.
    41. Final Thoughts
       • Training can promote cultural change
       • It can shift the workforce from being observers who show interest in security to becoming participants who demonstrate commitment to security
       • It is only through the understanding of these security roles and their relationships to each other and across the life cycle that total security integration can occur
    42. Thanks for attending this session!