Holistic Information System Security

Too often, we think about and plan our information security in terms of protecting pieces of the system. We use firewalls and Anti-Virus (AV) software and intrusion detection and integrity checking and many more techniques to provide needed protections to various pieces. But we may not be paying enough attention to the gaps between the pieces or how the pieces fit together.

System Development Life Cycle (SDLC) is a term most often used to describe all the phases of designing and building a system, from inception to implementation to retiring the system at end of life. The point of studying SDLC is to make sure that all the pieces are being taken into account and there is an awareness of the timeline and flow of system development.

The state of security of an information system benefits from using an SDLC point of view. We don’t build businesses in an instant and the same is true of information systems. The development of a business is spread out across a framework of time and so is the development of an information system and furthermore, the development of an information system is often spread out across the development of the business.

Think about the way we develop a business. We get an idea to build a lemonade stand on the sidewalk in front of our house and sell lemonade to people who walk by. Once we have the idea firmly in hand, we start to accumulate the resources we’ll need. We’ll need a couple of our friends to help and they will need cell phones to talk and text with each other. We’ll need some materials to build the stand and some materials to make advertising posters. We’ll need a desk and a chair and a computer to run a spreadsheet to keep track of expenses and revenues.

This is also how adult world businesses start up. They need to lease/rent office space and get phone systems. They need to hire staff. At some point, they will need to plan for an information system, but they may need staff and space and some rudimentary level of resources before the information system. And there are information system security controls involved with every one of those steps.

Consider the following security controls:

  • PM-11 MISSION/BUSINESS PROCESS DEFINITION
  • PL-2 SYSTEM SECURITY PLAN
  • RA-2 SECURITY CATEGORIZATION
  • PS-3 PERSONNEL SCREENING
  • CM-8 INFORMATION SYSTEM COMPONENT INVENTORY
  • PE-16 DELIVERY AND REMOVAL
  • PL-5 PRIVACY IMPACT ASSESSMENT
  • CA-3 SYSTEM INTERCONNECTIONS

Most if not all of these controls should be considered right at the beginning of a business or enterprise. The point of studying the SDLC is to integrate security planning during business planning and before decisions are being made that may affect purchasing and implementing information system components.

Comments are closed.