Security Considerations in IT System Development Life-cycle

C.

Security must be considered in information system design.

Experience has shown it is very difficult to implement security measures properly and successfully after a system has been developed, so it should be integrated fully into the system life-cycle process.

This includes establishing security policies, understanding the resulting security requirements, participating in the evaluation of security products, and finally in the engineering, design, implementation, and disposal of the system.

Source: STONEBURNER, Gary & al, National Institute of Standards and Technology (NIST), NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2001 (page 7).

When considering an IT System Development Life-cycle (SDLC), security should be treated as an integral part of the overall system design. This means that security should be taken into account from the very beginning of the development process and throughout each stage of the SDLC. The SDLC typically includes the following phases:

1. Initiation Phase: This phase involves identifying the need for the system, defining the scope of the project, and determining the feasibility of the project. Security should be considered during this phase to ensure that the project is feasible from a security standpoint and that the necessary security controls can be implemented.

2. Planning Phase: This phase involves creating a detailed project plan, identifying project risks, and developing a risk management plan. Security should be considered during this phase to identify potential security risks and to develop a plan for addressing those risks.

3. Analysis Phase: This phase involves gathering and analyzing requirements for the system. Security requirements should be identified during this phase to ensure that the system meets the necessary security standards and regulations.

4. Design Phase: This phase involves creating a detailed design for the system, including the hardware, software, and network components. Security should be considered during this phase to ensure that the necessary security controls are integrated into the system design.

5. Implementation Phase: This phase involves actually building and deploying the system. Security should be considered during this phase to ensure that the system is implemented in a secure manner and that all necessary security controls are in place.

6. Testing Phase: This phase involves testing the system to ensure that it meets the requirements and functions as intended. Security testing should be conducted during this phase to identify any security vulnerabilities or weaknesses.

7. Maintenance Phase: This phase involves maintaining and updating the system over time. Security should be considered during this phase to ensure that the system remains secure and that any necessary security updates or patches are implemented.

In summary, security should be treated as an integral part of the overall system design and should be considered throughout each stage of the SDLC to ensure that the system is developed and maintained in a secure manner.