Information Systems Security Computer System Life Cycle Security.


Integrating security into the computer system
- Security should not be an afterthought
- Security can be applied more systematically
- Security needs to be incorporated into all phases of the computer life cycle to ensure that security can keep up with changes in the system’s environment, technology, procedures and personnel

Computer System Life Cycle
- Initiation
- Development/Acquisition
- Implementation
- Operation/Maintenance
- Disposal
Note: the SDLC is included in the Development/Acquisition phase

Initiation
- The discovery of the need for a new system or enhancement to an existing system
- The system characteristics and functionality proposed within the given constraints
- Basic security aspects of the system developed through Sensitivity Assessment

Sensitivity Assessment
- What information is handled?
- What potential damage could occur through error, unauthorized disclosure or modification, or unavailability of data or system?
- What laws or regulations affect security?
- To what threats is the system or information particularly vulnerable?

Sensitivity Assessment
- Are there significant environmental considerations?
- What are the security-relevant characteristics of the user community?
- What internal security standards, regulations, or guidelines apply to the system?

Development/Acquisition
- Determine security features, assurances, and operational practices
- Incorporate the security requirements into design specifications
- Actually acquire them

Determining security requirements
- Technical (access controls)
- Assurances (background check for developers)
- Operating practices (awareness and training)
- Balance between function and usability
- Based on cost-benefit analysis

Taking security requirements into specifications
The information on security requirements needs to be validated, updated and organized into detailed security protection requirements and specifications used by system developers and purchasers.

Acquiring the system
If the system is being built
- Monitor the development process for security problems
  - Incorrect code
  - Poor development tools
  - Manipulation of code
  - Malicious insiders
  - Trojan horses

Acquiring the system
If the system is bought
- Ensure security is part of contract documents
- Security analysis of proposed systems

Implementation
- Proper configuration of the system
- Security testing
- Security certification and accreditation

Some hints on installation
- Obtain software from a reputable vendor
- Verify the software
- Test on test system before moving to production system
- Read the installation and see what happens
- Do a complete installation before customization
- Cleanse the test system before moving to production system

Operation and Maintenance
- Security operation and administration
- Operational assurance
- Periodic re-analysis of the system and re-accreditation
- Manage change

Security operation and administration
- Holding training classes
- Backup
- Manage cryptographic keys
- Administer user accounts and access privileges
- Apply upgrades and patches

Operational Assurance
- Monitoring
- Perform system audit

Periodic re-analysis
- Is there a major change in the system?
- Environmental change
- System change
- New vulnerability found
- Time lapse

Disposal
- Information archived
- Media sanitized
  - Overwriting
  - Degaussing
  - Destruction
- Can license of software be transferred?

Configuration Management
The control of changes that are made to the hardware, software, firmware, and the documentation of the information system throughout its life cycle, and the auditing and reporting of the changes. This can be looked upon as a quality assurance process.

Configuration Management
To configuration items
- Identify and document the functional and physical characteristics of the configuration item
- Control changes to configuration items and their related documentation

Configuration Management
- Record and report information needed to manage configuration items effectively, including the status of proposed changes and the implementation status of approved changes
- Audit configuration items to verify conformance to specifications, drawings, interface control documents and other contract requirements

Configuration Management
To digital data files
- Uniquely identify the digital data files, including versions of the files and their status (e.g. working, released, submitted, approved)
- Record and report information needed to manage the data files effectively, including the status of updated versions of files

Configuration Management
Things to consider
- How to initiate the change?
- Who are the concerned parties?
- What is the approval process?
- How to phase in the changes?
- What to do with the older versions?
- What if a problem happens?

Configuration Management
Work required
- Revision control
- Installation and testing
- Fault tracing
- System integration
- Maintenance of development environment
- Periodic auditing
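
An added example (not part of the original slides): one way to carry out the "uniquely identify", "record and report" and "audit" steps for digital data files, using SHA-256 content hashes as version identifiers. The function names, manifest layout and sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

STATUSES = {"working", "released", "submitted", "approved"}  # statuses named on the slide


def sha256_of(path: Path) -> str:
    """Content hash used as the unique identifier of one file version."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(root: Path, status: str = "approved") -> dict:
    """Record every file under root as a configuration item: path -> hash + status."""
    if status not in STATUSES:
        raise ValueError(f"unknown status: {status}")
    return {
        p.relative_to(root).as_posix(): {"sha256": sha256_of(p), "status": status}
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def audit(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the baseline and report uncontrolled changes."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline
                           if k in current and current[k]["sha256"] != baseline[k]["sha256"]),
        "missing": sorted(k for k in baseline if k not in current),
        "unrecorded": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed sample tree: baseline it, change it outside change control, audit it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("port=443\n")
        (root / "etc" / "users.conf").write_text("admin\n")
        baseline = build_baseline(root)
        (root / "etc" / "app.conf").write_text("port=8080\n")    # unapproved edit
        (root / "etc" / "users.conf").unlink()                    # removed item
        (root / "etc" / "debug.conf").write_text("verbose=1\n")   # item never recorded
        return audit(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored outside the audited system so that a change to the files cannot also rewrite the record they are checked against.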

Penetration Testing
- To test a system by breaking in
- To identify methods of gaining access to a system by using common tools and techniques used by the attackers
- The objective is to determine the feasibility of an attack and the amount of business impact of a successful exploit, if discovered

Penetration Testing
The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures.

Penetration Testing
Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.

Penetration Testing
- To be used with careful consideration, notification and planning
- It might slow the organization’s network response time and in some extreme cases cause damage to the system
- Formal permission must be obtained from the organization and the rules of engagement established

Type of Test
- Blue teaming: test with the knowledge and consent of the organization’s IT staff
- Red teaming: test without the knowledge of the organization’s IT staff but with the full knowledge and permission of the upper management

Type of Test
- External test: testers are not provided with any real information about the target environment but have to collect it covertly
- Internal test: testers are granted some level of access to the network, usually as a user

Testing methodology

The attack phases

Reference
- An Introduction to Computer Security: The NIST Handbook – Chapter 8
- Mil-STD 973: Configuration Management
- Guideline on Network Security Testing – NIST publication