  • Waterfall, prototyping, iterative development, spiral development models
  • The Rational Unified Process (RUP) ‘hump’ diagram shows where each discipline is emphasized, over time, through the life of the project
  • Express the need for the system, and its purpose
  • Business requirements, CIA requirements, privacy requirements. Settle these now to reduce arguing about them later (you will still argue about them later).
  • Lots of activities in this phase: assess business impacts (see NIST SP 800-34, Contingency Planning Guide for IT Systems); set the Recovery Time Objective (how long the system can be down before the business is impacted); set the Recovery Point Objective (the business tolerance for data loss).
  • Design, buy, build. Include security training for development teams and plans for security testing. Baseline security controls, i.e. assume hostile parties know the internals of your system: no security by obscurity.
  • Install, roll-out, use system in the field
  • Handle changes related to on-going operations
  • Migrate to new system

    1. NIST Guidance on Security and Business Continuity Planning in the SDLC. 11th Annual New York State Cyber Security Conference, June 2008. © CGI GROUP INC. All rights reserved. James Hewitt, CISSP, PMP, 617.501.7908, [email_address]; Mark Spreitzer, CBCP, 917.304.1966, [email_address]
    2. Presentation Outline
       • Review the NIST SDLC & Security Resources
       • SDLC Policy & Architecture
       • 5-Phase Breakdown
       • Overlaps & Iterations
    3. NIST & Special Publications
       • NIST = National Institute of Standards and Technology
         • Technology standards and guidelines
       • ITL = Information Technology Laboratory
         • Technical leadership for measurement and standards
         • Publishes Special Publications (SP)
           • Tests, test methods, reference data, proof of concept implementations, and technical analyses
           • Collaborated with industry, government, and academic organizations
       • Special Publication 800 series focused on Computer Security
         • Guidance and support on Security and Business Continuity
         • SP 800-64, Security Considerations in the System Development Life Cycle
         • NIST SDLC Brochure, August 2004, Information Security in the SDLC
    4. Walkthrough of NIST SP 800-64
       • Security integration with SDLC
         • Guide agencies to integrate security activities into system development life cycles (SDLC)
         • Defines information security components of the SDLC
         • Key security roles and responsibilities
         • Translate security activities into IT projects and initiatives that don't have an SDLC
    5. NIST's Security in the SDLC
    6. SDLC Policy & Architecture
       • Integrate at the enterprise level
       • Include security activities in SDLC policy
       • Include risk management
       • Implement early in every project
         • NIST SP 800-53 on security controls
         • NIST SP 800-39 on enterprise-level risk management
       • Concentrate on business requirements & security requirements
    7. Benefits of Integrating Security into the SDLC
       • Early identification and mitigation of vulnerabilities and misconfigurations
       • Lower cost of control implementation and vulnerability mitigation
       • Identification of shared security services
       • Reuse of strategies and tools to reduce cost and schedule
       • Improvement of security through proven methods and techniques
       • Informed decision making through comprehensive risk management
       • Documenting security decisions made during development
       • Improved organization and customer confidence to facilitate adoption and usage
       • Improved systems interoperability and integration that would otherwise be hampered by securing systems at various system levels
    8. Security in the Project Lifecycle
    9. SDLC Phase Structure
       • Phase 1: Initiation
       • Phase 2: Development / Acquisition
       • Phase 3: Implementation / Assessment
       • Phase 4: Operations / Maintenance
       • Phase 5: Sunset (Disposition)
    10. Phase 1: Initiation
       • Key tasks:
         • Business partner engagement
         • Document enterprise architecture
         • Identify / specify applicable policies and laws
         • Develop confidentiality, integrity and availability objectives
         • Information and information system security categorization (repeat 4 & 5)
         • Procurement specification development
         • Preliminary risk assessment
    11. Phase 1: Initiation
       • Inputs to Security Planning:
         • Decision to initiate system
       • Outputs from Security Planning:
         • Security expectations
         • Schedule of security activities & decisions
       • Categorize system outputs:
         • Security category
         • High-level security requirements
         • Level of effort
       • … act as inputs to:
         • Business Impact Analysis (BIA), Disaster Recovery, Contingency Planning, Continuity of Operations Planning decisions
           • Use results of BIA to develop requirements for business partner SLAs
    12. Phase 1: Initiation
       • Control gates:
         • Categorization and impact levels
           • See SP 800-53 on minimal security controls
           • See SP 800-60, companion to FIPS-199
         • Architecture alignment, standards
         • Initial design review against requirements
         • Risk management review
         • Financial review, balancing cost with risk management
       • Major tasks:
         • Identify security roles, stakeholders, milestones
       • Apply to one system or multiple systems
    13. Phase 1: Initiation – Relating security considerations
    14. Phase 2: Acquisition / Development
       • Risk assessment
       • Select initial baseline of security controls
       • Refinement – security control baseline
       • Security control design
       • Cost analysis & reporting (repeat with #1, risk assessment)
       • Security planning
       • Unit / integration security testing & evaluation
    15. Phase 2: Acquisition / Development
       • Control gates:
         • Architecture / design review
           • e.g. evaluate design for disaster recovery
         • Performance, functional reviews
         • Financial review, review cost-benefit ratios
         • Re-visit risk management decisions
       • Major tasks:
         • Assess risks & security categorization vs security controls
         • Re-visit business impact analysis
         • Create baseline security requirements, security architecture and security controls
           • Include common controls
         • Start to build and integrate controls
         • Start writing security tests
         • Review additional functionality in terms of added risk
    16. Phase 2: Acquisition / Development – Relating security considerations
    17. Phase 3: Implementation / Assessment
       • Product / component inspection & acceptance
       • Security control integration
       • User / administrative guidance
       • System security test & evaluation plan (repeat #3)
       • System certification (repeat #2 & #3)
       • Statement of residual risk
       • Security accreditation
    18. Phase 3: Implementation / Assessment
       • Control gates:
         • Reviews for test readiness, deployment readiness, deployment approval, certification & accreditation
         • Final financial review – where did the money and effort go?
       • Major tasks:
         • Integrate with existing environment controls
         • Test controls
         • Set priorities for continuous monitoring
         • Define final, deployable state, and certify it
    19. Phase 3: Implementation / Assessment – Relating security considerations
    20. Phase 4: Operations / Maintenance
       • Configuration management, change control and auditing
       • Continuous monitoring
       • Recertification (repeat #1)
       • Reaccreditation
       • Incident handling (repeat #1)
       • Auditing (repeat #2)
       • Intrusion detection and monitoring
       • Contingency plan testing (including continuity of operations plan)
    21. Phase 4: Operations / Maintenance
       • Control gates:
         • Operational readiness review
         • Change control board, procedures
         • Decision to accredit
       • Major tasks:
         • Review operational readiness, before and after a major change
         • Manage security configuration control
         • Other configuration management, with an eye to the effect on system security
         • Monitor security controls
         • Periodic re-certification
    22. Phase 4: Operations / Maintenance – Relating security considerations
    23. Phase 5: Sunset (Disposition)
       • Transition planning
         • Migration to new system
       • Component disposal
       • Media sanitization
         • NIST SP 800-88, Guidelines for Media Sanitization
       • Information archiving (repeat #1)
         • Ensure information preservation
    24. Phase 5: Sunset (Disposition) – Relating security considerations
    25. Phase Overlaps & Task Iterations
       • Phase 2: Development / Acquisition
         • Cost analysis & reporting
         • Security planning
       • Phase 1: Initiation
         • Business partner engagement
    26. Phase Overlaps & Task Iterations
       • Phase 3: Implementation / Assessment
         • Security control integration
       • Phase 2: Acquisition / Development
         • Security control design
    27. Phase Overlaps & Task Iterations
       • Phase 4: Operations / Maintenance
         • Monitoring
         • Recertification
       • Phase 1: Initiation
         • Develop confidentiality, integrity and availability objectives
    28. Additional Considerations
       • Supply Chain and Software Assurance
       • Service Oriented Architecture
       • Specific Accreditation of Security Modules for Reuse
       • Cross-Organizational Solutions
       • Technology Advancement & Major Migrations
       • Data Center or IT Facility development
       • Virtualization
    29. Questions?
       • Mark Spreitzer, CBCP, Executive Consultant, Enterprise Security Practice, 7 Hanover Square, 7th Floor, New York, NY 10004. Tel: (212) 612-3611, Mobile: (917) 304-1966, [email_address]
       • James Hewitt, CISSP, PMP, Senior Consultant, Enterprise Security Practice, 12 Corporate Woods Blvd., Albany, NY 12211. Tel: (617) 501-7908, [email_address]
    30. Our commitment to you
       • We approach every engagement with one objective in mind: to help clients win and grow.