A. INITIATION PHASE:

| SDLC Activities | Security Activities |
|---|---|
| Need for system established and purpose of system is documented | • Conduct sensitivity assessment (information, potential damage, laws and regulations, threats, environmental concerns, security characteristics, NIH policy and guidance)<br>• Perform initial or preliminary risk assessment<br>• Review solicitation documents (e.g., Requests for Proposal) |

B. DEVELOPMENT/ACQUISITION PHASE:

| SDLC Activities | Security Activities |
|---|---|
| Design, program, develop, or purchase system | Develop security requirements:<br>• Technical features (e.g., access controls)<br>• Assurances (e.g., background checks for developers)<br>• Operational practices (e.g., awareness and training)<br>• Test plans/scripts/scenarios<br>• Cost associated with background checks |
| | Incorporate security requirements into specifications. |
| | For built systems:<br>• Develop security features<br>• Monitor development process for security problems<br>• Respond to changes<br>• Monitor threats. Threats and vulnerabilities include Trojan horses, incorrect code, poorly functioning development tools, manipulation of code, and malicious insiders. |
| | For off-the-shelf systems:<br>• Monitor to ensure security is part of market surveys<br>• Contract solicitation documents<br>• Evaluate proposed systems |
| | Develop operational practices:<br>• System Security Plan (SSP)<br>• Contingency Plan (CP)<br>• Awareness and training<br>• Documentation preparation (i.e., user manual, operations/administrative manuals) |

C. IMPLEMENTATION PHASE:

| SDLC Activities | Security Activities |
|---|---|
| Test and certification of system | • Develop test data<br>• Test unit, subsystem, and entire system<br>• Ensure it undergoes technical evaluation (federal laws [Sec. 508], regulations, policies, guidelines, and standards) |
| Install/field system | • Enable or configure security features. Consider data field sensitivity and control. |
| | Review the following:<br>• Security management (administrative controls, safeguards)<br>• Physical facilities<br>• Personnel, responsibilities, job functions, and interfaces<br>• Procedures (e.g., backup, labeling)<br>• Use of commercial or in-house services (e.g., networking)<br>• Contingency planning<br>• Disaster recovery plans |

D. OPERATIONS/MAINTENANCE PHASE:

| SDLC Activities | Security Activities |
|---|---|
| System performs its work | Operational and administrative activities:<br>• Perform backups<br>• Hold training classes<br>• Manage cryptographic keys<br>• Maintain user administration and access privileges<br>• Ensure audit logs are available<br>• Update security software<br>• Review physical protection<br>• Review off-site storage usage, services, and availability<br>• Review output distribution process<br>• Review software and hardware warranties |
| Enhancements are programmed and tested | Operational assurance activities:<br>• Review actions of people who operate the system (e.g., change control procedures)<br>• Review technical controls<br>• Review interdependencies<br>• Compare documentation to current system |
| Hardware and/or software is added or replaced | Perform self-administered or independent security audits (risk assessments) periodically. Types: using automated tools, internal control audit, security checklists, and penetration testing. |
| | Monitor system and/or users. Methods: review system logs and reports, use automated tools, review change management, monitor external sources (trade literature, publications, electronic news, etc.), and periodic re-accreditation. |

E. DISPOSAL PHASE:

| SDLC Activities | Security Activities |
|---|---|
| Resolve disposition (move, sanitize, dispose, archive, etc.) of information, software, and hardware. | For encrypted data, ensure long-term storage of cryptographic keys. |
| | Consider legal requirements for records retention. |
| | Consult with agency office regarding retaining and archiving federal records. |
| | Sanitize media: overwrite, degauss, or destroy. |