Sunday, September 16, 2012

SecSDLC

This week I’d like to discuss the Security System Development Life Cycle (SecSDLC) as defined by the National Institute of Standards and Technology (NIST). We’ve started learning about it in Whitman & Mattord’s Management of Information Security, but NIST’s model differs slightly.

NIST first points out that many different SDLC models exist, but they should all push an organization toward the same goal: effectively developing its information system. It describes a traditional SDLC as a linear sequential model that assumes the system will be delivered at the end of the cycle.

Generally, an SDLC includes five phases: initiation, acquisitions/development, implementation/assessment, operations/maintenance, and sunset (or disposition). NIST goes on to say that each phase includes a minimum set of security tasks needed to effectively incorporate security into the system development process, and that including security earlier in the process will result in less expense later on.

According to NIST, certain questions should be addressed when determining the security controls that the system will require:

- How mission-critical is the system?
- What are the security objectives required by the system?
- What regulations and policies are applicable in determining what is to be protected?
- What threats will the system experience during normal operations?

The phases and key tasks described by NIST are listed in its System Development Life Cycle brochure, available here: http://csrc.nist.gov/groups/SMA/sdlc/documents/SDLC_brochure_Aug04.pdf

Cited:

National Institute of Standards and Technology. (2012, May 18). Information Security in the Systems Development Life Cycle. Retrieved from http://csrc.nist.gov/groups/SMA/sdlc/index.html
