SDLC PDF
The most effective way to protect information and information systems is to integrate
security into every step of the system development process, from the initiation of a
project to develop a system to its disposition. The multistep process that starts with the
initiation, analysis, design, and implementation, and continues through the maintenance
and disposal of the system, is called the System Development Life Cycle (SDLC).
The guide focuses on the information security components of the SDLC. One section
summarizes the relationships between the SDLC and other information technology (IT)
disciplines. Topics discussed include the steps that are prescribed in the SDLC approach,
and the key security roles and responsibilities of staff members who carry out
information system development projects.
NIST SP 800-64 helps organizations integrate specific security steps into a linear and
sequential SDLC process. The five-phase method of development that is described in the
guide is also known as the waterfall method, and is one process for system development.
Other methodologies can be used as well. Detailed charts and tables in the guide present
specific activities for each step of the SDLC, and the security activities associated with
each step.
Another section of NIST SP 800-64 provides insight into IT projects and initiatives that
are not as clearly defined as SDLC-based developments. Projects such as service-oriented
architectures, cross-organization projects, and IT facility developments often require a
somewhat different approach to security integration than the traditional system
development efforts.
The system development life cycle is the overall process of developing, implementing,
and retiring information systems through a multistep process from initiation, analysis,
design, implementation, and maintenance to disposal. There are many different SDLC
models and methodologies, but each generally consists of a series of defined steps or
phases. For any SDLC model that is used, information security must be integrated into
the SDLC to ensure appropriate protection for the information that the system will
transmit, process, and store.
Some of the benefits of integrating security into the system development life cycle
include:
Initiation Phase. During the initiation phase, the organization establishes the
need for a system and documents its purpose. Security planning should begin in the
initiation phase with the identification of key security roles to be carried out in the
development of the system. The information to be processed, transmitted, or stored is
evaluated for security requirements, and all stakeholders should have a common
understanding of the security considerations. The Information System Security Officer
(ISSO) should be identified as well.
Security considerations are key to the early integration of security, and to the assurance
that threats, requirements, and potential constraints in functionality and integration are
considered. Requirements for the confidentiality, integrity, and availability of information
should be assessed at this stage. Federal agencies should apply the provisions of Federal
Information Processing Standard (FIPS) 199, Standards for Security Categorization of
Federal Information and Information Systems, and FIPS 200, Minimum Security
Requirements for Federal Information and Information Systems. These standards require
agencies to categorize their information systems as low-impact, moderate-impact, or
high-impact for the security objectives of confidentiality, integrity, and availability and to
select appropriate security controls. Any information privacy requirements should be
determined as well.
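The FIPS 199 categorization described above, and the FIPS 200 high-water mark that follows from it, can be made concrete in code. The following is an added worked example, not text or code from NIST SP 800-64 or this bulletin: it aggregates the security categories of the information types a hypothetical system handles, computes the per-objective system category, derives the overall impact level, and names the matching SP 800-53 baseline. The information-type names and impact values are constructed sample data (not drawn from SP 800-60), and the function and class names are my own. It also handles the FIPS 199 edge case that "not applicable" is permitted only for the confidentiality of an information type and never for a system, whose floor is low.

```python
"""FIPS 199 security categorization with the FIPS 200 high-water mark.

Added worked example; not part of NIST SP 800-64. The information types
below are constructed sample values and the names are assumptions.
"""
from dataclasses import dataclass

# Impact levels in ascending order; the index doubles as an ordinal for max().
# "n/a" is valid only for the confidentiality of an information type (FIPS 199).
LEVELS = ("n/a", "low", "moderate", "high")
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoTypeCategory:
    """Security category of one information type in FIPS 199 form:
    SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective: str) -> str:
        level = getattr(self, objective)
        if level not in LEVELS:
            raise ValueError(f"{self.name}: unknown impact level {level!r}")
        if level == "n/a" and objective != "confidentiality":
            raise ValueError(f"{self.name}: 'n/a' is only allowed for confidentiality")
        return level


def categorize_system(info_types):
    """Per-objective system category: the highest impact among the
    information types the system processes, stores or transmits (FIPS 199).
    A system is never 'n/a' for any objective; the floor is 'low'."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    category = {}
    for objective in OBJECTIVES:
        highest = max((it.impact(objective) for it in info_types), key=LEVELS.index)
        category[objective] = "low" if highest == "n/a" else highest
    return category


def overall_impact(system_category):
    """FIPS 200 high-water mark: the highest impact across C, I and A."""
    return max(system_category.values(), key=LEVELS.index)


def control_baseline(system_category):
    """The SP 800-53 baseline is selected by the overall impact level."""
    return f"SP 800-53 {overall_impact(system_category)} baseline"


def format_category(system_category):
    """Render in FIPS 199 notation, e.g. SC = {(confidentiality, moderate), ...}."""
    parts = ", ".join(f"({o}, {system_category[o]})" for o in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed sample inventory for a hypothetical grants-management system.
SAMPLE_INFO_TYPES = [
    InfoTypeCategory("public web content", "n/a", "moderate", "low"),
    InfoTypeCategory("applicant PII", "moderate", "moderate", "low"),
    InfoTypeCategory("payment disbursement", "moderate", "high", "moderate"),
]

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_INFO_TYPES)
    print(format_category(cat))
    print("overall impact:", overall_impact(cat))
    print("baseline:", control_baseline(cat))
```

Because the per-objective result is a maximum over information types, adding a single high-impact type anywhere in the inventory raises the whole system's baseline; that is the practical reason the bulletin asks for the information to be evaluated for security requirements in the initiation phase, before the architecture is fixed.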
Early planning and awareness will result in savings in costs and staff time through proper
risk management planning. In this phase, the organization clearly defines its project goals
and high-level information security requirements, as well as the enterprise security
system architecture.
The risk assessment enables the organization to determine the risk to operations, assets,
and individuals resulting from the operation of information systems, and the processing,
storage, or transmission of information. After categorizing their systems in accordance
with FIPS 199 and 200, federal agencies should meet the minimum security requirements
by selecting the appropriate security controls and assurance requirements that are
described in NIST SP 800-53, Recommended Security Controls for Federal Information
Systems.
Another essential element is the development of security plans, which establish the
security requirements for the information system, describe security controls that have
been selected, and present the rationale for security categorization, how controls are
implemented, and how use of systems can be restricted in high-risk situations. Security
plans document the decisions made in the selection of controls, and are approved by
authorized officials.
The developmental testing of the technical and security features and functions of the
system ensures that they perform as intended, prior to launching the implementation and
integration phase.
Disposal Phase. In this phase, plans are developed for discarding system
information, hardware, and software and making the transition to a new system. The
information, hardware, and software may be moved to another system, archived,
discarded, or destroyed. If performed improperly, the disposal phase can result in the
unauthorized disclosure of sensitive data. When archiving information, organizations
should consider the need for and the methods for future retrieval.
The disposal activities ensure the orderly termination of the system and preserve the vital
information about the system so that some or all of the information may be reactivated in
the future, if necessary. Particular emphasis is given to proper preservation of the data
processed by the system so that the data is effectively migrated to another system or
archived in accordance with applicable records management regulations and policies for
potential future access. The removal of information from a storage medium, such as a
hard disk or tape, should be done in accordance with the organization’s security
requirements.
More Information
NIST SP 800-64 is a reference document that should be used in conjunction with other
NIST publications throughout the development of the system.
FIPS 199, Standards for Security Categorization of Federal Information and Information
Systems.
FIPS 200, Minimum Security Requirements for Federal Information and Information
Systems.
NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Information
Technology Systems.
NIST SP 800-30, Risk Management Guide for Information Technology Systems. NIST SP
800-64 complements the Risk Management Framework discussed in NIST SP 800-30 by
providing a sample roadmap for integrating security functionality and assurance into the
SDLC. NIST SP 800-64 also provides further detail on additional activities that are
valuable for consideration in different system and agency settings.
NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal
Information Systems. This publication is being revised.
NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information
Systems.
NIST SP 800-60 Revision 1, Guide for Mapping Types of Information and Information
Systems to Security Categories.
NIST SP 800-65, Integrating Security into the Capital Planning and Investment Control
Process. The CPIC process is defined by OMB Circular A-130 as “a management
process for ongoing identification, selection, control, and evaluation of investments in
information resources. The process links budget formulation and execution, and is
focused on agency missions and achieving specific program outcomes.” This publication
describes a seven-step methodology to help organizations integrate security into the
CPIC process and to assure that capital planning and information security goals and
objectives are met.
NIST Interagency Report (NISTIR) 7298, Glossary of Key Information Security Terms.
For information about NIST standards and guidelines that are listed above, as well as
other security-related publications, see NIST’s Web page:
http://csrc.nist.gov/publications/index.html
Disclaimer
Any mention of commercial products or reference to commercial organizations is for
information only; it does not imply recommendation or endorsement by NIST nor does it
imply that the products mentioned are necessarily the best available for the purpose.