SDLC Framework

Holistic Information System Security

Too often, we think about and plan our information security in terms of protecting pieces of the system. We use firewalls and Anti-Virus (AV) software and intrusion detection and integrity checking and many more techniques to provide needed protections to various pieces. But we may not be paying enough attention to the gaps between the […]

Interconnection Security

The most fundamental reason to interconnect systems is to share data, but that can be accomplished at a variety of levels. A system interconnection can be limited and simple, using email to transfer data between systems, or it could allow two databases to share data. It can be a connection that is only used when […]

The NIST PM Security Control Family

The NIST PM control family is a set of security controls that were added to the NIST SP 800-53 catalog of controls in version 3. These controls are fundamental and foundational and need to be established early in the System Development Life Cycle (SDLC). They lay the groundwork for processes that are critical to information […]

Continuous Monitoring

Continuous monitoring is about keeping an ongoing watch on how well your security controls are doing their job. NIST introduced this idea back in 2004 when they were also evangelizing about the Authorization process, then known as Certification and Accreditation (or C&A). By law (FISMA), NIST supplies federal organizations with security guidance, which can be […]

Patch and Vulnerability Management

NIST 800-40 “Creating a Patch and Vulnerability Management Program” describes the functions and processes that a patch and vulnerability management program should cover in order to maintain effective security.

Importance of patch management

As operating systems, applications and utility tools continue to manifest exploitable flaws, rapid application of security patches becomes critical to security. Attackers […]

Implementation

In addition to the IMPLEMENTATION Phase of the SDLC, smaller pieces of the general implementation process are scattered across other parts of the framework.

Processes and Controls

Here are some processes across the SDLC Framework and related controls.

Disposal Phase

Information needs to be preserved, then media sanitized, then hardware and software can be disposed of properly. Documentation must be updated.

Operations and Maintenance Phase

Configuration management continues with monitoring and a change control process. Continuous monitoring checks critical security components. Documentation must be updated whenever those components change.

Implementation and Assessment Phase

Integration of security controls, Certification & Accreditation and documentation updates.