Unit 3 Developing Secure Info System


Developing a secure information system:

The System Development Life Cycle (SDLC)

The system development life cycle starts with the initiation of the system planning process, and continues
through system acquisition and development, implementation, operations and maintenance, and ends with
disposition of the system. Specific decisions about security must be made in each of these phases to assure that
the system is secure.

[1] Initiation Phase

The initiation phase begins with a determination of need for the system. The organization develops its initial
definition of the problem that could be solved through automation. This is followed by a preliminary concept
for the basic system that is needed, a preliminary definition of requirements, and feasibility and technology
assessments. Also during this early phase, the organization starts to define the security requirements for the
planned system. Management approval of decisions reached is important at this stage.

The information developed in these early analyses will be used to estimate the costs for the entire life cycle of
the system, including information system security. An investment analysis should be performed to determine
the appropriate strategy for achieving the system requirements, while taking mission needs and budget
constraints into account. Expenditures for security should be considered before the system is built. It is
difficult to add functionality into a system after it has been built, and it is usually more cost-effective to include
preventive security measures from the start rather than to deal with security breaches later on.

During this initiation phase, the organization establishes the security categorization and conducts a preliminary
risk assessment for the planned information system. Categorization of the information system using federal
standards and guidelines aids system security planners in defining information system security according to
levels of impact, and in selecting a baseline of initial security controls for those impact levels. Security
categories are then used in conjunction with vulnerability and threat information in assessing risk to an
organization.

a) Security categorization of information systems determines the security category for the information
system. Security categories are to be used in conjunction with vulnerability and threat information to assess the
risk that an organization incurs when operating an information system and to select appropriate security
controls.

b) A preliminary risk assessment should be performed to develop a brief initial description of the basic
security needs of the system, including needs to protect the integrity, availability, and confidentiality of system
information. The preliminary risk assessment should define the threat environment in which the system will
operate and the potential vulnerabilities. This assessment should be followed by an initial identification of
required security controls that will protect the system in its operational environment. A detailed risk assessment
is developed in the next phase.
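The categorization step described above is mechanical once the impact levels are known, so here is an added worked example (not from the original notes) of how it is computed. It assumes the FIPS 199 scheme the notes refer to as "federal standards and guidelines": three impact levels (low, moderate, high), a per-objective high-water mark across every information type the system handles, and an overall impact that selects the initial control baseline. The information types and their impact values are constructed sample data.

```python
# Added example: FIPS 199-style security categorization and baseline selection.
# The impact levels and the high-water-mark rule follow FIPS 199 / SP 800-53;
# the information types below are constructed sample data, not a real system.
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")  # ordered from least to most severe


@dataclass(frozen=True)
class InfoType:
    """One kind of information the system processes, with its C/I/A impact."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _max_level(levels):
    """Highest impact level in an iterable of level names (the high-water mark)."""
    return max(levels, key=LEVELS.index)


def categorize(info_types):
    """Return the security category {objective: level} for a system.

    Each objective (confidentiality, integrity, availability) takes the highest
    impact level found across all information types the system processes.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for it in info_types:
        for value in (it.confidentiality, it.integrity, it.availability):
            if value not in LEVELS:
                raise ValueError(f"unknown impact level {value!r} on {it.name}")
    return {
        "confidentiality": _max_level(it.confidentiality for it in info_types),
        "integrity": _max_level(it.integrity for it in info_types),
        "availability": _max_level(it.availability for it in info_types),
    }


def overall_impact(category):
    """Overall system impact is the highest level among the three objectives."""
    return _max_level(category.values())


def select_baseline(category):
    """Map the overall impact to the name of the initial control baseline."""
    return f"{overall_impact(category)}-impact baseline"


# Constructed sample: a system that serves public content, stores customer
# records and feeds payroll. Payroll integrity drives the overall category.
SAMPLE_TYPES = [
    InfoType("public web content", "low", "moderate", "moderate"),
    InfoType("customer records", "moderate", "moderate", "low"),
    InfoType("payroll data", "moderate", "high", "moderate"),
]

if __name__ == "__main__":
    cat = categorize(SAMPLE_TYPES)
    print("security category:", cat)
    print("overall impact:", overall_impact(cat))
    print("initial baseline:", select_baseline(cat))
```

The point a planner should take from the run is that one information type with a single high-impact objective lifts the whole system to the high baseline, which is why the categorization belongs in the initiation phase before costs are estimated.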

[2] Acquisition / Development Phase

In this phase, the organization should conduct a requirements analysis, which draws on and expands the work
done in the Initiation phase. This in-depth study of the organization’s need for the system should analyze the
security aspects of the system requirements.

a) A formal risk assessment identifies threats to and vulnerabilities in the information system, the
potential impact or magnitude of harm that a loss of confidentiality, integrity, or availability would have
on agency assets or operations, and the security controls that are needed. This analysis builds on the
initial risk assessment performed during the Initiation phase, but is more detailed and specific. The risk
assessment brings together important information about the protection of the information system, and it
generates information required for the security plan. This risk assessment should be conducted before
the approval of design specifications. The assessment should consider existing controls and their
effectiveness, as well as the impact that the new system might have on other systems to which it will be
directly or indirectly connected. Enterprise security architectures can help minimize the vulnerabilities
that might be introduced by the new system.

b) The security functional requirements analysis considers the system security environment, including the
enterprise information security policy and the enterprise security architecture. The analysis should
address all requirements for confidentiality, integrity, and availability of information, and should include
a review of all legal, functional, and other security requirements contained in applicable laws,
regulations, and guidance.

c) The security assurance requirements analysis addresses the activities and assurance needed to produce the
desired level of confidence that the information security will work correctly and effectively. This
analysis, based on legal and functional security requirements, should be used to determine how much
and what kinds of assurance are required. The goal is to achieve cost-effective assurance that meets the
requirements for protecting the organization’s information assets. Tests and evaluations, such as the
following, can provide information about system quality and support confidence in the system.

d) IT Security Evaluation, contained in International Organization for Standardization/International
Electrotechnical Commission (ISO/IEC) 15408, is used to evaluate information security products to support
user confidence that the products meet defined security claims. NIST and the National Security Agency jointly
manage the National Information Assurance Partnership (NIAP), which develops comprehensive security
requirements and security specifications for key technologies and evaluates the security features of products.

e) Third-party and other evaluations can be used, but the objectivity of these evaluations must be considered.
Government organizations may conduct their own evaluations. The results of these evaluations may or may not
be published and are normally not considered to be endorsements by federal agencies. Other sources of
evaluations include trade, professional, and commercial organizations.

f) Consideration and reporting of development cost enable organizations to determine how much of the
development cost can be attributed to information security over the life cycle of the system. These costs
include hardware, software, personnel, and training. The best source of this data is the risk assessment,
which identifies the controls that will mitigate vulnerabilities, and includes a cost-benefit analysis of
recommended controls based on consideration of the possibility of an incident and its potential impact.

g) The security plan ensures that the planned or existing security controls are fully documented. The security
plan also provides a complete description of the information system, and provides references to key
documents supporting the organization’s information security program: the configuration management
plan, contingency plan, incident response plan, security awareness and training plan, rules of behavior,
risk assessment, security test and evaluation plan, system interconnection agreements, security
authorizations and accreditations, and the plan of action with milestones.
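Item f) says the risk assessment should weigh the possibility of an incident against its potential impact and the cost of each recommended control. The notes do not fix a formula for that, so the following added example (not part of the original notes) uses the common annualized loss expectancy method as an assumption: single loss expectancy = asset value × exposure factor, annual loss expectancy = SLE × annual rate of occurrence, and a control is worth funding when the ALE it removes exceeds its own annual cost. Every monetary value and control below is constructed sample data.

```python
# Added example: cost-benefit ranking of candidate security controls using
# annualized loss expectancy (ALE). The method is an assumption; the scenario
# and control figures are constructed sample data, not from any real assessment.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # replacement/impact value of the asset at risk
    exposure_factor: float  # fraction of asset value lost per incident (0..1)
    annual_rate: float      # expected incidents per year (ARO)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float        # yearly cost incl. hardware, software, staff, training
    rate_reduction: float     # fraction by which the control cuts ARO (0..1)
    exposure_reduction: float # fraction by which the control cuts exposure (0..1)


def single_loss_expectancy(s):
    return s.asset_value * s.exposure_factor


def annual_loss_expectancy(s):
    return single_loss_expectancy(s) * s.annual_rate


def apply_control(s, c):
    """Scenario as it would look with the control in place."""
    for frac in (c.rate_reduction, c.exposure_reduction):
        if not 0.0 <= frac <= 1.0:
            raise ValueError(f"reduction out of range on control {c.name!r}")
    return Scenario(
        s.name,
        s.asset_value,
        s.exposure_factor * (1.0 - c.exposure_reduction),
        s.annual_rate * (1.0 - c.rate_reduction),
    )


def evaluate_controls(s, controls):
    """Return one row per control, best net benefit first.

    net_benefit = ALE removed by the control - annual cost of the control.
    A negative net benefit means the control costs more than the loss it avoids.
    """
    ale_before = annual_loss_expectancy(s)
    rows = []
    for c in controls:
        ale_after = annual_loss_expectancy(apply_control(s, c))
        rows.append({
            "control": c.name,
            "ale_before": ale_before,
            "ale_after": ale_after,
            "annual_cost": c.annual_cost,
            "net_benefit": ale_before - ale_after - c.annual_cost,
            "recommended": ale_before - ale_after > c.annual_cost,
        })
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# Constructed sample: loss of a customer database, once every two years on average.
SAMPLE_SCENARIO = Scenario("customer database compromise", 500_000.0, 0.4, 0.5)
SAMPLE_CONTROLS = [
    Control("encrypt backups at rest", 15_000.0, 0.0, 0.75),
    Control("network intrusion detection", 40_000.0, 0.5, 0.0),
    Control("full application rewrite", 120_000.0, 0.9, 0.0),
]

if __name__ == "__main__":
    for row in evaluate_controls(SAMPLE_SCENARIO, SAMPLE_CONTROLS):
        flag = "RECOMMEND" if row["recommended"] else "reject"
        print(f"{row['control']:<32} ALE {row['ale_before']:>9,.0f} -> "
              f"{row['ale_after']:>8,.0f}  cost {row['annual_cost']:>8,.0f}  "
              f"net {row['net_benefit']:>9,.0f}  {flag}")
```

Note how the most effective control (the rewrite, which removes 90% of incidents) is still rejected because its annual cost exceeds the loss it avoids; that is exactly the trade-off item f) asks the assessment to make explicit.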

h) A study of security controls focuses on the controls described in the security plans to assure that they are
designed, developed, and implemented. Additional controls may be needed for information systems
currently in operation.

i) A security test and evaluation plan should be developed for the security controls that can be
evaluated prior to deployment. The controls must be tested and evaluated for correct implementation
and effectiveness. Controls of a non-technical activity, such as management and operational
controls, cannot be tested and evaluated until the information system is deployed.

j) Other planning processes, studies, evaluations, and contract specifications associated with the development
and acquisition process, involving appropriate staff members, help to assure that the security requirements of
the system are identified and achieved. The IT security experts should work with the contracting office to select
the most advantageous type of contract.

[3] Implementation Phase

In this phase, the system is installed and evaluated in the organization’s operational environment.

a) Inspection and acceptance of the delivered system is necessary to verify that the functionality
described in the specifications has been included in the deliverables. Testing can be done by the
organization or by an independent contractor to assure that the system meets the specifications, and that
the security features are operating.

b) Security controls are integrated at the site where the system is to be deployed for operation. Security
control settings and switches are enabled in accordance with vendor instructions and available security
implementation guidance.

c) Under the certification and accreditation process, organizations should periodically test and evaluate the
security controls in their information systems to assure effective implementation, using established
verification techniques and procedures. Security certification gives organization officials confidence that
the appropriate safeguards and countermeasures are in place. Security certification also uncovers and
describes the known vulnerabilities in the information system. This information helps officials make
decisions about security accreditation, which is an authorization for a system to operate. Granted by a senior
organization official, accreditation is based on the verified effectiveness of security controls to some
agreed-upon level of assurance and an acceptance of identified residual risk to agency assets or
operations. The decision is risk-based and is supported by testing and evaluation results produced during
the security control verification process.

[4] Operations / Maintenance Phase

In this phase of the SDLC, information systems are operating, and may undergo enhancements and
modifications. Hardware and software may be added or replaced. The system is monitored for continued
performance in accordance with user requirements, and needed system modifications are incorporated.

a) Configuration management and control procedures are critical to establishing an initial baseline of
hardware, software, and firmware components for the information system and subsequently to
controlling and maintaining an accurate inventory of any changes to the system. Changes to the
hardware, software, or firmware of a system can have a significant impact on the security of the
system. System changes should be documented, and their potential impact on security should be
assessed regularly.
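Item a) calls for an initial baseline of the system's components and an accurate record of every change to it. One concrete way to keep such a baseline for the files that make up a deployed system, added here as an example that is not part of the original notes, is to hash every file once at deployment, store the result, and re-hash on a schedule so that added, removed and modified files are reported for review. The script below implements that with SHA-256; the directory layout and file contents it hashes are constructed in a temporary directory for the demonstration.

```python
# Added example: file-integrity baseline for configuration management.
# Hashes every file under a root, stores the result as JSON, and reports
# added / removed / modified files on a later run. Sample files are constructed.
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file (path relative to root, POSIX form) to its hash."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh scan."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Build a baseline of constructed files, change the tree, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "bin" / "service").write_bytes(b"constructed sample binary v1")

        baseline_file = root.parent / "baseline-demo.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated unmanaged changes after deployment.
        (root / "etc" / "app.conf").write_text("debug=true\n")   # config edited
        (root / "bin" / "helper").write_bytes(b"new file")        # file added
        (root / "bin" / "service").unlink()                       # file removed

        report = compare(load_baseline(baseline_file), build_baseline(root))
        baseline_file.unlink()
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline file and the script itself must live somewhere the monitored system cannot write to, otherwise a change that also rewrites the baseline goes unnoticed; the report is the input to the change-review step the notes describe, not a substitute for it.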

b) Controls must be continuously monitored through periodic testing and evaluation to assure that they
are effective in their application. Monitoring of security controls verifies the continued effectiveness of
those controls and reports on the security status of the system’s information.

[5] Disposition Phase

This phase provides for disposal and/or contract closeout of the system (for contracts that were employed during
the earlier phases). Disposal of the system may involve a separate contract. Government resources and assets
must be protected when information systems are transferred, disposed of, or no longer usable.

a) Information should be retained to conform to current legal requirements and to accommodate future
technology changes that might make the system’s data retrieval method obsolete. The environmental,
management, and operational information about a system may be relevant and useful in developing the
security plan for the follow-on system. The data processed by the system should be preserved for use in
a follow-on system or archived in accordance with applicable regulations and policies.

b) Data should be deleted, erased, and written over as necessary, and the media that stored the data should
be sanitized. Degaussing, overwriting, and media destruction are some of the methods that may be
used.

c) Disposal of the hardware and software should be completed at the direction of the information system
security officer.

Application development security is treated as application security (database, email, and internet).
