Security Is Everyone’s Business: Role-Based Training for the System Development Life Cycle
Federal Information System Security Educators Association
18th Annual Conference
March 22, 2005
Prepared by:
Margaret Spanninger
Booz Allen Hamilton
(703) 289-5471
Security is Everyone’s Business: Role-Based Training for the SDLC
Today’s Presentation
– Introduction
– Federal Information Security Management Act (FISMA) Requirements and Business Drivers
– System Development Life Cycle (SDLC)
– Personnel with Significant Security Responsibility
– Role-Based Training and Assurance
– Implementing National Institute of Standards and Technology (NIST) Special Publication (SP) 800-16
Introduction
Security integration into the SDLC is one of the key elements required for resolving many of the long-standing weaknesses in information technology (IT) security and achieving sustainable performance improvements in IT security programs
Personnel at all levels must understand that “security is not an option” but an integral element of all IT systems
This presentation is based on the premise that security integration into organizational business processes, especially the system development life cycle (SDLC), is a fundamental requirement for FISMA compliance and for achieving security performance goals.
FISMA Requirements and SDLC
FISMA states under §3544. Federal agency responsibilities (b) Agency Program— “Each agency shall develop, document, and implement an agency-wide information security program that includes…(2) policies and procedures that…(C) ensure that information security is addressed throughout the life cycle of each agency information system.”
Business Drivers
– Security is less expensive to implement if it is planned from the beginning
– Building security controls into the system, rather than adding them after the system is already built, improves system performance
– Security becomes an enabling factor rather than a barrier to success by reducing the need for expensive reengineering and reprogramming
– It ensures success of certification and accreditation processes and keeps the project on schedule
Earlier is Better
– If security is not identified with other requirements, it will not be addressed
– It is critical that security controls are planned in the earliest phases (BEFORE implementation) to ensure:
  – Adequate and appropriate resources are allocated for security throughout the system life cycle
  – The most cost-effective security controls are chosen and implemented
  – A structured and consistent approach for developing and maintaining security for information systems
  – Increased homogeneity among information systems and security controls within an organization to reduce operational costs
  – Certification and accreditation with minimal additional effort
Phases of the SDLC
– Initiation: someone has a need or an idea
– Development/acquisition: build or buy decision
– Implementation: system development and/or integration
– Operation/maintenance: system put into service
– Disposition: system removed from service
Security Tasks in the SDLC
Initiation
– Needs Determination
– Security Categorization
– Risk Assessment
Development/Acquisition
– Risk Assessment
– Security Functional Requirements Analysis
– Security Assurance Requirements Analysis
– Cost Considerations
– Security Control Development
– Developmental Security Test and Evaluation
– Acquisition specifications
Implementation
– Inspection and Acceptance
– System Integration
– Certification & Accreditation
Operations & Maintenance
– Configuration Management and Control
– Continuous Monitoring
Disposition
– Information Preservation
– Media Sanitization
– Hardware and Software Disposal
Personnel with Significant Security Responsibilities
FISMA states under §3544. Federal agency responsibilities (a) In General.—The head of each agency shall— “(3) delegate to the agency Chief Information Officer…the authority to ensure compliance with the requirements imposed on the agency under this subchapter, including—…(D) training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities; (4) ensure that the agency has trained personnel sufficient to assist the agency in complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines;…”
OPM Clarifies Who Needs Training
OPM 5 CFR part 930.301, Computer security training program, states that the following positions must be trained in computer security basics and other domains:
– Executives
– Program and functional managers
– Chief Information Officers (CIO)
– IT security program managers
– Auditors
– System and network administrators
– System/application security officers
– IT function management and operations personnel
Moving from Theory to Practice
– It is critical that personnel in positions with significant security responsibilities actively participate in the SDLC
– Their participation provides assurance that:
  1) security requirements have been addressed
  2) countermeasures have been identified
  3) controls have been properly implemented and tested
  4) all changes to the operational system are reviewed to ensure the integrity of the system and security solution that have been certified and accredited
  5) the data, hardware, software, and documentation are disposed of properly
NIST 800-16 Provides Framework
– Three primary domains of security knowledge
  – Laws and regulations
  – Security programs, with two sub-categories
  – Security in the SDLC, with six sub-categories
– Six functional roles associated with each of the primary categories
  – Manage
  – Acquire
  – Design and develop
  – Implement and operate
  – Review and evaluate
  – Use
– Twenty-six positions with significant security responsibilities
Personnel With Significant Security Responsibilities Play Critical Role
[Figure: diagram of the 26 positions arranged under the group labels Executive, Management, Compliance, Design and Development, Acquisition, Operations, and User. Positions shown: CIO; Sr. IRM Official; System Owner; Program Manager; Information Resource Manager; Records Mgt. Official; FOIA Official; Privacy Act Official; DAA; Certification Reviewer; ISO/ISM; Auditor, Internal; Auditor, External; System Designer/Developer; System/Program Analyst; Source Selection Board; Contracting Officer; COTR; Data Center Manager; Network Administrator; System Administrator; Database Administrator; Technical Support (Help Desk); System Operator; Telecommunications Specialist; any position that uses IT resources.]
The NIST Core Body of Knowledge
– Laws and regulations
– IT security programs
– System environment
– System interconnection (physical access)
– Information sharing (logical access)
– Sensitivity
– Risk management
– Life cycle controls
– Management controls
– Operational controls
– Technical controls
– Awareness, training and education
Stakeholders and the SDLC
[Figure: matrix of stakeholders against SDLC phases. Stakeholder columns: CIO; Sr. IRM Official; System Owner; Program Manager; Information Resource Mgr.; Records Mgt. Official; FOIA Official; Privacy Act Official; Source Selection Board; Contracting Officer; COTR; System Designer/Developer; System/Program Analyst; Data Center Manager; Network Administrator; System Administrator; Database Administrator; Technical Support (Help desk); System Operator; Telecomm. Specialist; DAA; Certification Reviewer; ISO/ISM; Auditor, Internal; Auditor, External; Users. SDLC Phase rows: Initiation; Development/Acquisition; Implementation/Integration; Operations & Maintenance; Disposal. The cell markings are not recoverable from the extracted text.]
Role-Based Training and NIST SP 800-16
Manage Role, CBK, and Positions
[Figure: role matrix. Positions: ISO/ISM; Info. Resource Manager; CIO; Senior IRM Official; Program Manager; System Owner; System Designer/Developer; Network Administrator; System Administrator; Data Center Manager; Database Administrator. Core Body of Knowledge columns: Laws and Regulations; IT Security Program; System Environment; System Interconnection; Information Sharing; Sensitivity; Risk Management; Management Controls; Life Cycle Controls; Operational Controls; Awareness and Training; Technical Controls.]
Domain: Cell
Laws and Regulations: 1A
SP – Planning: 2.1A
SP – Management: 2.2A
SLCS – Initiation: 3.1A
SLCS – Development: 3.2A
SLCS – Test & Evaluation: NA
SLCS – Implementation: 3.4A
SLCS – Operation: 3.5A
SLCS – Termination: 3.6A
Key: SP = Security Program; SLCS = Sys Life Cycle Security
Behavioral Outcome for Manage (1 of 3)
1A, Laws and Regulations – Managers are able to understand applicable governing documents and their relationships and interpret and apply them to the manager’s area of responsibility.
2.1A, Security Program: Planning – Individuals involved in the management of IT security programs are able to understand principles and processes of program planning and can organize resources to develop a security program that meets organizational needs.
2.2A, Security Program: Management – Individuals in IT security program management understand and are able to implement a security program that meets their organization’s needs.
Behavioral Outcome for Manage (2 of 3)
3.1A, Life Cycle: Initiation – Individuals with management responsibilities are able to identify steps in the SDLC where security requirements and concerns need to be considered and to define the processes to be used to resolve those concerns.
3.2A, Life Cycle: Development – Individuals with management responsibilities are able to ensure that the formal development baseline includes approved security requirements and that security-related features are installed, clearly identified, and documented.
3.3A, Life Cycle: Test & Evaluation – Not applicable.
Behavioral Outcome for Manage (3 of 3)
3.4A, Life Cycle: Implementation – Individuals with management responsibilities are able to oversee the implementation and deployment of an IT system in a manner that does not compromise in-place and tested security safeguards.
3.5A, Life Cycle: Operations – Individuals with management responsibilities are able to monitor operations to ensure that safeguards are effective and have the intended effect on balancing efficiency with minimized risk.
3.6A, Life Cycle: Termination – Individuals with management responsibilities are able to understand the special IT security considerations and measures required during the shutdown of a system, and effectively plan and direct these activities.
Acquire Role, CBK, and Positions
[Figure: role matrix. Positions: ISO/ISM; COTR; Contracting Officer; Source Selection Board; Senior IRM Official; Telecomm Specialist; Info. Resource Manager; System Designer/Developer; System Owner; Program Manager. Core Body of Knowledge columns: Laws and Regulations; IT Security Program; System Environment; System Interconnection; Information Sharing; Sensitivity; Risk Management; Management Controls; Life Cycle Controls; Operational Controls; Awareness and Training; Technical Controls.]
Domain: Cell
Laws and Regulations: 1B
SP – Planning: 2.1B
SP – Management: 2.2B
SLCS – Initiation: 3.1B
SLCS – Development: 3.2B
SLCS – Test & Evaluation: NA
SLCS – Implementation: 3.4B
SLCS – Operation: 3.5B
SLCS – Termination: NA
Key: SP = Security Program; SLCS = Sys Life Cycle Security
Behavioral Outcome for Acquire (1 of 3)
1B, Laws and Regulations – Individuals involved in the acquisition of information technology resources have sufficient understanding of IT security requirements and issues to protect the government’s interests in such acquisitions.
2.1B, Security Program: Planning – Individuals involved in planning the IT security program can identify the resources required for successful implementation. Individuals recognize the need to include IT security requirements in IT acquisitions and to incorporate appropriate acquisition policy and oversight in the IT security program.
2.2B, Security Program: Management – Individuals involved in managing the IT security program have a sufficient understanding of IT security and the acquisition process to incorporate IT security program requirements into acquisition work steps.
Behavioral Outcome for Acquire (2 of 3)
3.1B, Life Cycle: Initiation – Individuals with acquisition responsibilities are able to analyze and develop acquisition documents and/or provide guidance which ensures that functional IT security requirements are incorporated.
3.2B, Life Cycle: Development – Individuals with acquisition responsibilities are able to monitor procurement actions to ensure that IT security requirements are satisfied.
3.3B, Life Cycle: Test & Evaluation – Not applicable.
Behavioral Outcome for Acquire (3 of 3)
3.4B, Life Cycle: Implementation – Individuals with acquisition responsibilities are able to ensure that the system, as implemented, meets all contractual requirements related to the security and privacy of IT resources.
3.5B, Life Cycle: Operations – Individuals with acquisition responsibilities are able to understand the IT security concerns associated with system operations and to identify and use the appropriate contract vehicle to meet current needs in a timely manner.
3.6B, Life Cycle: Termination – Not applicable.
Design/Develop Role, CBK, and Positions
[Figure: role matrix with two position groups as shown. First group: ISO/ISM; Sys. Designer/Developer; Program/Sys Analyst; Program Manager; Info. Resource Mgr.; Auditor, Internal; Privacy Act Official; Database Administrator; Network Administrator; System Administrator; System Operator. Second group: ISO/ISM; Sys. Designer/Developer; Program/Sys Analyst; Program Manager; Info. Resource Mgr.; Auditor, Internal; CIO; Senior IRM Official; System Owner; Records Mgt. Official; FOIA Official. Core Body of Knowledge columns: Laws and Regulations; IT Security Program; System Environment; System Interconnection; Information Sharing; Sensitivity; Risk Management; Management Controls; Life Cycle Controls; Operational Controls; Awareness and Training; Technical Controls.]
Domain: Cell
Laws and Regulations: 1C
SP – Planning: 2.1C
SP – Management: 2.2C
SLCS – Initiation: 3.1C
SLCS – Development: 3.2C
SLCS – Test & Evaluation: 3.3C
SLCS – Implementation: 3.4C
SLCS – Operation: 3.5C
SLCS – Termination: NA
Key: SP = Security Program; SLCS = Sys Life Cycle Security
Behavioral Outcome for Design/Develop (1 of 3)
1C, Laws and Regulations – Individuals responsible for the design and development of automated information systems are able to translate IT laws and regulations into technical specifications which provide adequate and appropriate levels of protection.
2.1C, Security Program: Planning – Individuals responsible for the design and development of an IT security program are able to create a security program specific to a business process or organizational entity.
2.2C, Security Program: Management – Individuals responsible for the design and development of an IT security program have sufficient understanding of the appropriate program elements and requirements to be able to translate them into detailed policies and procedures which provide adequate and appropriate protection for the organization’s IT resources in relation to acceptable levels of risk.
Behavioral Outcome for Design/Develop (2 of 3)
3.1C, Life Cycle: Initiation – Individuals responsible for the design and development of IT systems are able to translate IT security requirements into system-level security specifications.
3.2C, Life Cycle: Development – Individuals responsible for system design, development or modification are able to use baseline IT security requirements to select and install appropriate safeguards.
3.3C, Life Cycle: Test & Evaluation – Individuals are able to design tests to evaluate the adequacy of security safeguards in IT systems.
Behavioral Outcome for Design/Develop (3 of 3)
3.4C, Life Cycle: Implementation – Individuals responsible for system design and/or modification are able to participate in the development of procedures which ensure the safeguards are not compromised as they are incorporated into the production environment.
3.5C, Life Cycle: Operations – Individuals responsible for system development are able to make procedural and operational changes necessary to maintain the acceptable level of risk.
3.6C, Life Cycle: Termination – Not applicable.
Implement/Operate Role, CBK, and Positions
[Figure: role matrix with two position groups as shown. First group: ISO/ISM; Sys. Designer/Developer; Program/Sys Analyst; Program Manager; Info. Resource Mgr.; System Designer/Developer; Database Administrator; Data Center Manager; Certification Reviewer/DAA; Telecom Specialist. Second group: ISO/ISM; Network Administrator; System Administrator; System Operator; Technical Support; Program/System Analyst; Auditor, Internal; CIO; Information Resource Mgr; System Owner; Senior IRM Official. Also listed: COTR; Records Mgt Official; FOIA Official; Privacy Act Official. Core Body of Knowledge columns: Laws and Regulations; IT Security Program; System Environment; System Interconnection; Information Sharing; Sensitivity; Risk Management; Management Controls; Life Cycle Controls; Operational Controls; Awareness and Training; Technical Controls.]
Domain: Cell
Laws and Regulations: 1D
SP – Planning: 2.1D
SP – Management: 2.2D
SLCS – Initiation: NA
SLCS – Development: 3.2D
SLCS – Test & Evaluation: 3.3D
SLCS – Implementation: 3.4D
SLCS – Operation: 3.5D
SLCS – Termination: 3.6D
Key: SP = Security Program; SLCS = Sys Life Cycle Security
Behavioral Outcome for Implement/Operate (1 of 3)
1D, Laws and Regulations – Individuals responsible for technical implementation and daily operations of an automated information system are able to understand IT security laws and regulations in sufficient detail to ensure that appropriate safeguards are in place and enforced.
2.1D, Security Program: Planning – Individuals responsible for implementing and operating an IT security program are able to develop plans for countermeasures, security controls, and processes as required to execute the existing program.
2.2D, Security Program: Management – Individuals who are responsible for the implementation and daily operations of an IT security program have a sufficient understanding of the appropriate program elements and requirements to be able to apply them in a manner which provides adequate and appropriate levels of protection for the organization’s IT resources.
Behavioral Outcome for Implement/Operate (2 of 3)
3.1D, Life Cycle: Initiation – Not applicable.
3.2D, Life Cycle: Development – Individuals responsible for system implementation or operation are able to assemble, integrate, and install systems so that the functionality and effectiveness of safeguards can be tested and evaluated.
3.3D, Life Cycle: Test & Evaluation – Individuals responsible for system implementation or operation are able to conduct tests of the effectiveness of security safeguards in the integrated system.
Behavioral Outcome for Implement/Operate (3 of 3)
3.4D, Life Cycle: Implementation – Individuals responsible for system implementation or operation ensure the approved safeguards are in place and effective as the system moves into production.
3.5D, Life Cycle: Operations – Individuals responsible for system implementation or operation are able to maintain appropriate safeguards continuously within acceptable levels of risk.
3.6D, Life Cycle: Termination – Individuals responsible for IT system operations are able to develop and implement the system termination plan, including security requirements for archiving/disposing of resources.
Review/Evaluate Role, CBK, and Positions
[Figure: role matrix. Positions: ISO/ISM; Auditor, Internal; Auditor, External; Certification Reviewer; Info. Resource Manager; Senior IRM Official; CIO; System Owner; Program Manager; DAA; Records Mgt. Official. Core Body of Knowledge columns: Laws and Regulations; IT Security Program; System Environment; System Interconnection; Information Sharing; Sensitivity; Risk Management; Management Controls; Life Cycle Controls; Operational Controls; Awareness and Training; Technical Controls.]
Domain: Cell
Laws and Regulations: 1E
SP – Planning: 2.1E
SP – Management: 2.2E
SLCS – Initiation: 3.1E
SLCS – Development: 3.2E
SLCS – Test & Evaluation: 3.3E
SLCS – Implementation: 3.4E
SLCS – Operation: 3.5E
SLCS – Termination: 3.6E
Key: SP = Security Program; SLCS = Sys Life Cycle Security
Behavioral Outcome for Review/Evaluate (1 of 3)
1E, Laws and Regulations – Individuals responsible for the review/evaluation of an automated information system are able to use IT security laws and regulations in developing a comparative baseline and determining the level of system compliance.
2.1E, Security Program: Planning – Individuals responsible for the review/evaluation of an IT security program are able to review the program to determine its continuing capability to cost-effectively address identified requirements.
2.2E, Security Program: Management – Individuals responsible for the review/evaluation of an IT security program have adequate understanding of IT security laws, regulations, standards, guidelines, and the organizational environment to determine if the program adequately addresses all threats and areas of potential vulnerability.
Behavioral Outcome for Review/Evaluate (2 of 3)
3.1E, Life Cycle: Initiation – Individuals are able to evaluate planning documents associated with a particular system to ensure that appropriate IT security requirements have been considered and incorporated.
3.2E, Life Cycle: Development – Individuals responsible for review and evaluation are able to examine development efforts at specified milestones to ensure that approved safeguards are in place and documented.
3.3E, Life Cycle: Test & Evaluation – Individuals are able to evaluate the appropriateness of test methodologies, and conduct independent tests and evaluations to ensure that adequate and appropriate safeguards are in place, effective, and documented; and to prepare C&A documentation.
Behavioral Outcome for Review/Evaluate (3 of 3)
3.4E, Life Cycle: Implementation – Individuals responsible for review and evaluation are able to analyze system and test documentation to determine whether the system provides adequate and appropriate IT security to support C&A.
3.5E, Life Cycle: Operations – Individuals responsible for review and evaluation are able to examine the operational system to determine the adequacy and effectiveness of safeguards and to ensure that a consistent and appropriate level of security is maintained.
3.6E, Life Cycle: Termination – Individuals responsible for review and evaluation are able to verify the appropriateness of the termination plan and processes used to terminate the IT system securely.
Use Role, CBK and Positions (1 of 3)
[Figure: role matrix. Positions: ISO/ISM; Users; System Owner; Info. Resource Manager. Core Body of Knowledge columns: Laws and Regulations; IT Security Program; System Environment; System Interconnection; Information Sharing; Sensitivity; Risk Management; Management Controls; Life Cycle Controls; Operational Controls; Awareness and Training; Technical Controls.]
Domain: Cell
Laws and Regulations: 1F
SP – Planning: NA
SP – Management: NA
SLCS – Initiation: 3.1E
SLCS – Development: 3.2E
SLCS – Test & Evaluation: 3.3E
SLCS – Implementation: 3.4E
SLCS – Operation: 3.5E
SLCS – Termination: NA
Key: SP = Security Program; SLCS = Sys Life Cycle Security
Behavioral Outcome for Use (1 of 3)
1F, Laws and Regulations – Users understand individual accountability and applicable governing documents (e.g., Computer Security Act, Computer Fraud and Abuse Act, Copyright Act, Privacy Act).
2.1F, Security Program: Planning – Not applicable.
2.2F, Security Program: Management – Not applicable.
Behavioral Outcome for Use (2 of 3)
3.1F, Life Cycle: Initiation – Potential users are able to participate in needs analyses and understand the various points of view involved in setting the balance between IT security controls and system efficiency.
3.2F, Life Cycle: Development – Potential users are able to provide input to system development efforts to ensure that IT security safeguards are as transparent to the user as feasible and are balanced with ease of use.
3.3F, Life Cycle: Test & Evaluation – Users are able to participate in acceptance tests and evaluate the impact of security safeguards on the operational environment.
Behavioral Outcome for Use (3 of 3)
3.4F, Life Cycle: Implementation – Users are able to identify and report security and efficiency concerns encountered during normal operations.
3.5F, Life Cycle: Operations – Users are able to understand the objectives of and comply with the “rules of behavior” for the system.
3.6F, Life Cycle: Termination – Not applicable.
Final Thoughts
– Training can promote cultural change
– It can shift the workforce from being observers who show interest in security to becoming participants who demonstrate commitment to security
– It is only through the understanding of these security roles and their relationships among each other and across the life cycle that total security integration can occur
Thanks for attending this session!