ASSESS.docx
Part I: Discuss how you can apply the management maintenance model concepts learned in this course to your current or future career. How might the lessons you have learned positively impact your career success?
Part II: The chief information security officer (CISO) has asked you how you would implement the new Microsoft Office 365 Business application with the old Microsoft Office 2010 within the organization. Your organization has finance, security, human resources, packing and shipping, and procurement departments. Remember that there are four changeover methods. Which one will you use, and why?
Your journal entry must be at least 200 words in length. No references or citations are necessary.
UnitVIIIS.pdf
SEC 3301, Security Application Development 1
Course Learning Outcomes for Unit VIII
Upon completion of this unit, students should be able to:
1. Analyze the relationship between application security and system development.
1.1 Differentiate the information areas that monitor the security maintenance management.
1.2 Define the processes related to the digital forensics and traditional forensics investigation.
3. Explain the best practices for securing an application and database.
4. Outline potential application security vulnerabilities.
4.1 Summarize the domains that support the recommended maintenance model that provides monitoring as well as risk and vulnerability assessments.
5. Analyze the information technology (IT) physical security considerations for an organization.
Required Unit Resources
Module 12: Information Security Maintenance
Unit Lesson
The new or upgraded system is now in place and working like a charm. Whatever implementation phase was used to install and replace the legacy systems seems to have been a success. Now, the question is, “Are we done with the project?” The answer is no! The maintenance phase is the last phase of the project and consists primarily of making sure the new or upgraded system is maintained and monitored daily during its life cycle until such time as the system is replaced by another new or upgraded system. Maintaining the system includes the review of recommended security management models, which aid in the establishment of a full maintenance program. Also in the maintenance program, we must identify the key factors that may influence internal and external environments and how they affect system monitoring. Most individuals believe that once the project has been completed, it is the end of the project. Earlier in the course, we mentioned that all projects have a start date and an end date. The end date is not the completion of the system development but, rather, is the end of the project, which includes the maintenance phase. To easily clarify the project, allow us to consider National Aeronautics and Space Administration (NASA) space mission projects. NASA developed the Mercury, Apollo, and Shuttle programs. Once the space capsules and shuttle were completed, the project did not end; these vehicles were maintained for the next space mission.
In the information security world, once a system is implemented, it is maintained to make sure the security is always updated based on the current and future vulnerability risks. This includes periodic updates and patches to ensure the system is protected and updated according to the current competitive market outlook. The successful implementation and testing should include a new and improved security profile, but this may provide a false sense of security for an organization. The security profile may provide a sense of confidence about the protection level, but the organization should always be on guard! Another area in planning is to ensure that the system always remains online. Since this may not always be feasible, it is important to develop disaster planning, risk assessment, vulnerability assessment, and remediation for a system’s outage. Also, once the system is implemented, there may have been upgrades over time, which mandates that the environment and security should encompass additional refinements.
UNIT VIII STUDY GUIDE Implementing Information Security, Part 2
Within the security environment, there are well-established security management maintenance models that managers can use to maintain the security of the systems. The National Institute of Standards and Technology's (NIST) Information Security Handbook: A Guide for Managers (SP 800-100) has been produced for managers to implement 13 information areas to monitor the security management of the systems. This document is a guide that provides managerial guidance for the establishment and implementation of an information security program, including information security governance. Whitman and Mattord (2022) describe the 13 core areas that address the expected tasks of an information security manager after the program is working and day-to-day operations are established; see below.
1. Information Security Governance
2. Systems Development Life Cycle
3. Awareness and Training
4. Capital Planning and Investment Control
5. Interconnecting Systems
6. Performance Management
7. Security Planning
8. Information Technology Contingency Planning
9. Risk Management
10. Certification, Accreditation, and Security Assessments
11. Security Systems and Products Acquisition
12. Incident Response
13. Configuration and Change Management
An organization should adopt a management maintenance model for its information security systems that provides continuous improvement. Continuous improvement is essential to ensuring that the system is kept up to date to protect the information it holds. Management models are frameworks that structure the tasks of managing a particular set of activities or business functions. How to manage maintenance models can be found in the International Organization for Standardization (ISO) 27000 series of standards and NIST’s Information Security Handbook: A Guide for Managers (SP 800-100); however, Whitman and Mattord (2022) also illustrate a maintenance model that depicts changes to information security maintenance (see Figure 1 below).
Figure 1. Maintenance Model Changes to Security Information Systems (Whitman & Mattord, 2022)
These changes are reflected in the configuration and change management and the monitoring of the security management of the systems. We know there are constant changes from the external monitoring, planning and risk assessment, vulnerability assessment and remediation, readiness and review, and internal monitoring. It is a must that the two databases shown in Figure 1 be updated continually to ensure the security framework of the organization as a whole is protected from all threats and has accurate knowledge of the risks to the information system’s assets. A recommended security maintenance model is dependent on external monitoring, internal monitoring, planning and risk assessment, vulnerability assessment and remediation, and readiness and review. The security maintenance model is an aid to focus an organization’s efforts to successfully maintain the system. Let’s take a look at these in order.
First up is the external monitoring domain. The objective of the external monitoring domain process in the maintenance model is to provide early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks that are needed to mount an effective and timely defense. External monitoring entails collecting intelligence from data sources and giving that intelligence context and meaning for use by decision makers within the organization. The internal monitoring domain provides an informed awareness of the state of the organization’s networks, information systems, and information security defenses. The internal monitoring domain builds and maintains an inventory of network devices and channels, information technology (IT) infrastructure and applications, and information security infrastructure elements, monitoring the internal state of the organization’s networks and systems.
The planning and risk assessment objective is to keep an eye on the entire information security program, in part by identifying and planning ongoing information security activities to reduce risk over time. Here, the risk assessment group also identifies and documents risks introduced by both IT projects and information security projects. The group also identifies and documents risks that may be latent in the present environment. The vulnerability assessment and remediation domain uses documented vulnerability assessment procedures to safely collect intelligence about internal and public networks; platforms including servers, desktops, and process control; and wireless network systems, ensuring that the proper level of management is involved in deciding to accept the risk of loss associated with unrepaired vulnerabilities. An organization must also complete readiness and reviews to keep information security programs functioning as they are designed over time. There are three tasks, policy reviews, program reviews, and rehearsals, that can accomplish the goal of keeping a domain ready and reviewed.
Physical access controls are additional protection efforts that define the concept of facility management and its role in maintaining a secure facility where information is stored, housed, and transmitted. A secure facility must implement multiple layers of defense should an attack occur. Fire safety and security measures recognize that fires account for more property damage, personal injury, and death than any other threat to physical security. Physical security plans must implement strong measures to detect and respond to fires and fire hazards. Heating, ventilation, and air conditioning (HVAC) systems can have a dramatic impact on information, information systems, and their protection. High temperature and improper filtration, humidity, and static electricity can have a significant impact on information systems and the security systems in place.
Power management and conditioning equipment must be properly grounded when used to maintain an organization’s physical environment. In areas where water accumulation is possible, computing and other electrical equipment must be uniquely grounded using ground fault circuit interruption (GFCI) equipment. Also, backup systems should be tested frequently, and documentation of the facility’s configuration, operation, and function should be integrated into disaster recovery plans and standard operating procedures. Mobile and portable systems can affect an information security network, and, due to their portability, they must have stronger levels of security than stationary counterparts, such as desktops. An organization should review different software and hardware techniques that can be used to protect devices that move in and out of an office. For instance, laptops must always remain secure, and measures must be in place to help reduce the risk that a mobile computing device is stolen or damaged. Ending this discussion, we should address the three types of data interception: direct observations, interception of data transmissions, and electromagnetic interception (Whitman and Mattord, 2022).
• Direct observations require that a person be close enough to the information to breach confidentiality.
• Interception of data transmissions can occur from anywhere, as they are not restricted to a location, with the exception of tapping into a local area network (LAN), eavesdropping on a secure network, or wiretapping.
• Electromagnetic interception is another type of interception, although it is unlikely to occur. Though possible, it is difficult, impractical, and expensive to carry out.
Reference
Whitman, M. E., & Mattord, H. J. (2022). Principles of information security (7th ed.). Cengage Learning.
Suggested Unit Resources
In order to access the following resources, click the links below.
The following PowerPoint presentation will summarize and reinforce the information from Module 12 in your textbook.
Module 12 PowerPoint presentation (PDF version of the Module 12 PowerPoint presentation)
The video below discusses system development, maintenance, and support of an entire IT system. The video also discusses the importance of teamwork.
ClickView Pty Limited (Producer). (2009, November 2). System development, maintenance, and support (Segment 7 of 7) [Video]. In Roles and responsibilities in IT. Films on Demand. https://libraryresources.columbiasouthern.edu/login?auth=CAS&url=https://fod.infobase.com/PortalPlaylists.aspx?wID=273866&xtid=40210&loid=65571
To view a transcript of this video, click on the “Transcript” tab near the bottom of the video.
Learning Activities (Nongraded)
Nongraded Learning Activities are provided to aid students in their course of study. You do not have to submit them. If you have questions, contact your instructor for further guidance and information.
Conducting your own research to further your learning and understanding can help you become a stronger student and can help you to see what areas interest you. Additionally, you may find resources that can help you complete your assignments. Consider searching the Academic OneFile database of the CSU Online Library using a combination of the following keywords or phrases: “InfoSec performance management,” “metric, planning, and risk assessment domain,” “penetration testing,” “war driving,” “tailgating,” and “mantrap.” Please note: When searching, remove the commas and capitalization, and use the top search box with "Subject" selected from the dropdown. Once the results generate, use these search options to refine the results: “Peer Reviewed Journals” and "Custom Date Range" between 2022 and the present to ensure that articles are scholarly and, if possible, less than 5 years old. Then, select and read two articles. Access the Academic OneFile database.
Check Your Knowledge
Answer the review questions and exercises for the Module 12 Review Questions and Exercises. These questions and exercises will help you assess whether or not you have mastered the unit content. Can you answer them without looking back in the textbook? After you have answered the questions and exercises, you can find out how well you did by checking the answers.
Answers for Module 12 Review Questions and Exercises