SDLC Framework

SDLC = System Development Life Cycle

The Framework

The SDLC framework is a multi-phase outline that describes the life cycle of an information system from initiation through disposal, and where security activities fit into each phase.

Initiation Phase

This is where the need for and purpose of the information system are defined and documented. This includes System Characterization and the beginning of the Risk Assessment.

Acquisition and Development Phase

The security requirements are defined here, including a risk assessment and the selection of security controls. Security planning documents these requirements and the preventive controls chosen to meet them.

Implementation and Assessment Phase

Security controls are integrated into the system and assessed, the system goes through Certification & Accreditation, and the documentation is updated to match what was built.

Operations and Maintenance Phase

Configuration management continues through a change control process and ongoing monitoring. Continuous monitoring checks that critical security components are still in place and working as intended. Any change made to the system must be reflected in its configuration baseline and documentation.
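
As an added example (not from the original page or from any NIST publication), here is a minimal configuration-baseline drift check of the kind a continuous-monitoring job might run against the components change control has approved. It records a SHA-256 digest for every file under a tree, then reports files that were modified, removed, or added without going through change control. The directory tree, file names and contents are constructed for the demo; the function names are this example's own.

```python
"""Configuration-baseline drift check (added example, not the page's own code)."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def walk_files(root):
    """Yield every regular file under root as a forward-slash relative path."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/")


def build_baseline(root):
    """Record the approved state: relative path -> SHA-256 of its content.

    In practice this snapshot is taken right after change control approves a
    configuration, before the system (re)enters operation.
    """
    return {rel: sha256_file(os.path.join(root, rel)) for rel in walk_files(root)}


def check_drift(root, baseline):
    """Compare the live tree against the baseline.

    Returns sorted lists of files whose content changed, files that vanished,
    and files that appeared without an entry in the baseline.
    """
    current = {rel: sha256_file(os.path.join(root, rel)) for rel in walk_files(root)}
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    unexpected = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def _write(root, rel, text):
    """Helper for the demo: create rel under root with the given content."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def run_demo():
    """Constructed scenario: baseline a small fake /etc tree, then drift it."""
    root = tempfile.mkdtemp(prefix="cm-demo-")
    _write(root, "etc/ssh/sshd_config", "PermitRootLogin no\nPasswordAuthentication no\n")
    _write(root, "etc/audit/auditd.conf", "max_log_file_action = keep_logs\n")
    _write(root, "etc/sudoers", "%wheel ALL=(ALL) ALL\n")
    baseline = build_baseline(root)

    # Three changes that never went through change control (simulated):
    _write(root, "etc/ssh/sshd_config", "PermitRootLogin yes\nPasswordAuthentication no\n")
    os.remove(os.path.join(root, "etc/audit/auditd.conf"))
    _write(root, "etc/cron.d/nightly", "0 3 * * * root /usr/local/bin/sync.sh\n")
    return check_drift(root, baseline)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

Each finding maps to a change-control question: a modified file is either an approved change whose baseline was never refreshed, or an unauthorized one; a missing file is a control that has silently stopped being enforced; an unexpected file is new code or configuration that was never assessed. Whichever it is, the baseline and the documentation need updating before the finding is closed.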

Disposal Phase

Information that must be retained is preserved first; the media is then sanitized; only after that are hardware and software disposed of properly. Documentation must be updated to reflect the disposal.

Processes and Controls

The following are processes that run across the SDLC framework, together with their related controls.

Implementation

Besides the Implementation phase of the SDLC itself, smaller pieces of the general implementation process appear in other parts of the framework.

Patch and Vulnerability Management

NIST 800-40 “Creating a Patch and Vulnerability Management Program” describes the functions and processes that a patch and vulnerability management program should cover in order to maintain effective security.

Importance of patch management

As operating systems, applications and utility tools continue to manifest exploitable flaws, rapid application of security patches becomes critical to security. Attackers […]

Continuous Monitoring

Continuous monitoring is about keeping an ongoing watch on how well your security controls are doing their job. NIST introduced this idea back in 2004 when they were also evangelizing about the Authorization process, then known as Certification and Accreditation (or C&A). By law (FISMA), NIST supplies federal organizations with security guidance, which can be […]