
1 SecSDLC Chapter 2

2 Phases of the SecSDLC

3 INVESTIGATION
- Begins with a directive from management and the creation of the security policy
- Team activities: analyse the problem, define the scope, specify goals, identify constraints
- Feasibility analysis: determine the resources required and the level of commitment the organisation will make

4 ANALYSIS
Analysis of:
- existing security policies
- known threats
- current controls
- legal issues, for example privacy laws governing personal information

5 ANALYSIS – continued … Risk Management
Identify, assess and evaluate risk levels, especially threats to information. Key terms:
- Threat: a category of object, person or event that represents a constant danger to an asset
- Threat agent: the specific cause of the danger, whether an object, person or other entity
- Attack: an act that exploits a vulnerability to harm or damage a controlled system and compromise it
- Exploit: a technique used to misuse or take advantage of a vulnerability
- Vulnerability: a weakness or exposure in a system or control that leaves it open to attack

6 Threats to Information Security

7 ANALYSIS – continued … Prioritise risk / Manage risk
Prioritise risk:
- by each category of threat and its related method of attack
Manage risk:
- identify information assets and assess their value
- risk assessment: assign a comparative risk rating or score to each information asset so that assets can be ranked and treated in priority order
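As an added worked example that is not part of the slides: one way to turn "assign a comparative risk rating to each information asset" into a repeatable calculation. Asset value comes from a weighted factor analysis, and each (asset, threat) pair is rated with the formula commonly taught in introductory InfoSec courses, likelihood × value, less the share of that product already mitigated by current controls, plus an uncertainty allowance. The formula, the criteria weights, the asset inventory and the likelihood and control figures are all assumptions constructed for this example; none of them appear on the slide.

```python
"""Comparative risk rating for information assets (added example, not from the slides)."""
from dataclasses import dataclass

# Weighted factor analysis criteria for asset valuation.
# The criteria and weights are assumptions for this example; weights must sum to 1.0.
CRITERIA_WEIGHTS = {
    "impact_on_revenue": 0.5,
    "impact_on_reputation": 0.3,
    "replacement_cost": 0.2,
}


@dataclass
class Asset:
    name: str
    scores: dict[str, float]  # criterion -> score on a 0..100 scale


@dataclass
class Exposure:
    """One (asset, threat) pair being rated."""
    asset: Asset
    threat: str
    likelihood: float   # 0..1: chance the vulnerability is exploited in the planning period
    mitigated: float    # 0..1: share of the risk that current controls already remove
    uncertainty: float  # 0..1: allowance for how incomplete our knowledge of the vulnerability is


def weighted_value(asset: Asset, weights: dict[str, float] = CRITERIA_WEIGHTS) -> float:
    """Asset value = sum(weight * score) over the criteria; a missing criterion scores 0."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("criteria weights must sum to 1.0")
    return sum(w * asset.scores.get(c, 0.0) for c, w in weights.items())


def risk_rating(e: Exposure) -> float:
    """Rating = likelihood * value, minus the mitigated share, plus the uncertainty share.

    Both adjustments are fractions of the likelihood*value product, so ratings stay
    comparable across assets of different value. Inputs outside [0, 1] are rejected
    rather than silently producing a rating.
    """
    for x in (e.likelihood, e.mitigated, e.uncertainty):
        if not 0.0 <= x <= 1.0:
            raise ValueError("likelihood, mitigated and uncertainty must be in [0, 1]")
    base = e.likelihood * weighted_value(e.asset)
    return round(base * (1.0 - e.mitigated + e.uncertainty), 2)


def prioritise(exposures: list[Exposure]) -> list[tuple[str, str, float]]:
    """Return (asset name, threat, rating) tuples, highest risk first."""
    rated = [(e.asset.name, e.threat, risk_rating(e)) for e in exposures]
    return sorted(rated, key=lambda r: r[2], reverse=True)


# Constructed sample inventory (hypothetical assets and figures, not from the slide).
CUSTOMER_DB = Asset("customer database",
                    {"impact_on_revenue": 90, "impact_on_reputation": 100, "replacement_cost": 60})
WEB_SERVER = Asset("public web server",
                   {"impact_on_revenue": 70, "impact_on_reputation": 60, "replacement_cost": 20})
DEV_LAPTOP = Asset("developer laptop",
                   {"impact_on_revenue": 20, "impact_on_reputation": 30, "replacement_cost": 10})

SAMPLE_EXPOSURES = [
    Exposure(CUSTOMER_DB, "SQL injection via web app", likelihood=0.5, mitigated=0.5, uncertainty=0.1),
    Exposure(CUSTOMER_DB, "insider data theft", likelihood=0.2, mitigated=0.0, uncertainty=0.2),
    Exposure(WEB_SERVER, "unpatched service exploited", likelihood=0.7, mitigated=0.3, uncertainty=0.1),
    Exposure(DEV_LAPTOP, "theft of unencrypted device", likelihood=0.3, mitigated=0.8, uncertainty=0.0),
]

if __name__ == "__main__":
    for name, threat, rating in prioritise(SAMPLE_EXPOSURES):
        print(f"{rating:6.2f}  {name:20s} {threat}")
```

With these figures the public web server (value 57) outranks the customer database (value 87) because its exposure is likelier and less controlled; a ranking that looked only at asset value would have ordered them the other way, which is the point of rating the asset-threat pair rather than the asset alone.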

8 DESIGN: LOGICAL DESIGN and PHYSICAL DESIGN
Logical design: create and develop the blueprint for security; examine and implement key policies
Physical design, team members:
- evaluate technology to support the security blueprint
- generate alternative solutions
- agree on the final design
Also includes developing the criteria used to decide what counts as a successful solution.

9 DESIGN – continued … Security Models: NIST and ISO/IEC 27002
- used to guide the design process
- provide a framework to ensure all areas of security are addressed
- the framework is adopted, or adapted, to meet the organisation's information security needs

10 DESIGN – continued … INFORMATION SECURITY PROGRAM – critical design elements (purpose of the InfoSec program, p. 61)
Policies provide the rules for protection of information assets:
- General (enterprise) security program policy
- Issue-specific security policy
- System-specific security policy
SETA:
- Security education: building in-depth education
- Security training: developing skills and knowledge
- Security awareness: improving awareness
Design of controls:
- Managerial: the security planning process and security program management, including risk management and security control review
- Operational: lower-level planning, including disaster recovery and incident response
- Technical: the tactical and technical implementation of security; technological issues

11 DESIGN – continued … Contingency Planning (CP)
Prepare for, react to and recover from circumstances that threaten the organisation:
- Incident Response Planning (IRP)
- Disaster Recovery Planning (DRP)
- Business Continuity Planning (BCP)
Design, implementation and maintenance of controls for physical resources:
- people
- hardware
- information system elements

12 IMPLEMENTATION
- Security solutions are acquired, implemented and tested
- Personnel issues are evaluated; training and education programs are run
- Management of the project plan: planning the project, supervising tasks and action steps, wrapping up the project

13 IMPLEMENTATION – continued …
Project team and staffing the InfoSec function:
- position and name the security function
- plan for proper staffing
- understand the impact of InfoSec across IT
- integrate InfoSec concepts into personnel management practices
Information security professionals: CIO, CISO, security manager, data owner, data custodian, data users
Professional certification

14 MAINTENANCE
After implementation the InfoSec program must be:
- operated
- properly managed
- kept up to date using established procedures

15 MAINTENANCE – continued … Maintenance Model
Focuses organisational effort on systems maintenance:
- external monitoring: new and emerging threats
- internal monitoring: the organisation's networks and information systems
- planning and risk assessment
- vulnerability assessment and remediation, including penetration testing
- readiness and review: functionality

16 Maintenance Model

17 MAINTENANCE – continued … ISO Management Model
- Fault management: identify and address faults
- Configuration and change management: changing components and change administration
- Accounting management and auditing: system monitoring
- Performance management
- Security management

