VIIS
SEC 3301, Security Application Development 1
Course Learning Outcomes for Unit VII Upon completion of this unit, students should be able to:
1. Identify the relationship between application security and system development. 1.1 Recognize the different phases in the systems development life cycle (SDLC) methodology.
5. Analyze the information technology (IT) physical security considerations for an organization.
5.1 Describe the information security project plan scope, milestones, and methodology. Required Unit Resources Module 11: Implementing Information Security Unit Lesson Information security in information technology (IT) systems began when system administrators realized the need to improve the security of their systems. It was subsequently called the bottom-up approach, and the main advantage focuses on the technical expertise of the individual administrators. In the end, this approach did not work well because it did not have several needed critical features, such as organizational staying power and participant support. This resulted in the need for an alternative approach called the top-down approach that would provide a better chance at the probability of success. In the top-down approach, a project is kicked-off by upper management with instructions emphasizing the policy, procedures, and processes along with the anticipated goals and expected outcomes of the project. Also, upper management set the course with the specific champion accountable for each of the required actions and also provided dedicated funding. As can be seen, the top-down approach is supported fully by upper management with the expectation that, through clear planning, an opportunity to influence organizational culture can be achieved. It has become a well-established doctrine that information security is managed just like other systems that are implemented in the organization. There are many approaches to the traditional approach to information security, which will be discussed in greater detail in other courses; these approaches include rapid application development (RAD), joint application development (JAD), Agile, and the approach of software development and operations (DevOps) (Whitman & Mattord, 2022). One approach that we will explore is the systems development life cycle (SDLC) methodology. A methodology is a formal approach to solving a problem based on a structured sequence of procedures. Through this methodology, it can be ensured that the process avoids missing those steps that can lead to compromising the end goal, which is to create a comprehensive security posture. The SDLC is used to ensure that information security elements are embedded into the IT infrastructure to enhance information systems, and it utilizes a six-phase approach in developing information systems known as the waterfall model. Each phase of the model begins with the results and information gained from the previous phase, which is shown in Figure 11-1 in the textbook. The first phase, which is the investigation phase, is considered the most important because it starts the examination and initiates the process objectives, constraints, and scope of the project, which are specified during this phase. To begin, a preliminary cost/benefit analysis is created to evaluate the potential benefits along with an approximation of the cost an organization must be willing to expend to obtain the potential benefits. Also, a feasibility analysis is performed, which is used to assess the economic, technical, and
UNIT VII STUDY GUIDE Implementing Information Security, Part 1
SEC 3301, Security Application Development 2
UNIT x STUDY GUIDE Title
behavioral feasibilities of the process. The feasibility analysis delivers an understanding of whether the implementation is worth the organization’s time and effort. Following the investigation phase is the analysis phase, which explores the information learned during the investigation phase and delivers an assessment of the organization, the status of current systems, and the capability to support the proposed systems. The analysts in this phase will begin to determine the new system’s requirements, what it is expected to do, and the new system’s interaction with existing systems. To finalize this phase, the analysts will put together the necessary documentation of the findings and will update the feasibility analysis. Next up in the SDLC methodology is the logical design phase where the information that is learned from the analysis phase is used to draft a potential system solution for a business problem by exploring applications that are capable of providing the needed services based on the business need. When determining the applications needed, data support and structures capable of providing the needed inputs are selected. As a result of the logical phase, specific technologies will be selected to implement the physical solution and, finally, another feasibility analysis is performed. After the completion of the logical phase, the physical design phase is explored where the specific technologies that are needed to support the alternatives are identified and evaluated in the logical design. At this point in the SDLC, the selected components are evaluated based on whether they were developed in- house or purchased from a vendor. In the end, another feasibility analysis is performed, and, at this point, the complete solution is presented to management for review and hopefully their approval. Once approved by management, the implementation phase is started where the required software is created and the components are ordered, received, and tested. Subsequently, users are trained, and the necessary supporting documentation is created. Once again, a feasibility analysis is prepared, and the sponsors of the system conduct performance review and acceptance testing. The final phase of the SDLC consists of the maintenance and change phase. This phase is the longest and most expensive phase of the process because it consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle. Although development may end during this phase, the life cycle of the project continues until it is determined that the current system can no longer support the changed mission of the organization, which will once again start the SDLC methodology and will ultimately result in a new system and termination of the current one. The National Institute of Standards and Technology (NIST) approach to securing the SDLC provides associated IT security steps that organizations should incorporate into the general SDLC when conducting internal development processes. NIST recommends that information security be designed into a system from the start aligning closely during or after the implementation phase. Today, organizations are moving toward more security-focused development approaches and are seeking to improve not only the functionality of the systems they have in place but the confidence of the consumer in their product. NIST’s Contingency Planning Guide for Federal Information Systems (SP 800-61 Rev. 2) provides an overview of the security considerations for each phase of the SDLC.
Waterfall SDLC Phase Equivalent SDLC Phase
Investigation Initiation Analysis Logical Design Development/Acquisition Physical Design Implementation Implementation/Assessment
Maintenance and Change Operation/Maintenance Disposal
Table 1. Comparison of Waterfall and NIST SDLC Phases To be successful, the SDLC requires a comprehensive project plan. Project planning, at the least, will need the involvement of all representatives from different departments within the organization. This is important since members involved need to know what is going on with the project and provide input. This is especially true for information security projects since all aspects of information security touch everyone in the organization. The information security projects change the climate of the business strategy as a whole
SEC 3301, Security Application Development 3
UNIT x STUDY GUIDE Title
because it involves the important issues of the organization's budgetary constraints, leadership, managerial aspects, technical requirements, and a change to the security culture, which affects those who resist changes within an organization (Whitman & Mattord, 2022).
Information security project planning involves three major steps that consist of the following:
• planning the project, • managing the milestones and procedural steps, and • closing out the project.
Each organization has its methodology of project planning, so it is important that this methodology be followed since no two organizations are the same. Of course, if something works well, then stick with what works. Developing the project plan must be detailed in nature. The work breakdown schedule (WBS) is a common tool used by all project managers to manage and delegate the WBS to subordinate supervisors. This delegation is to provide a decision-making process within those areas. Review Table 11-2 in the textbook. The table represents a WBS for a project plan. The WBS simply shows the tasks that need to be done with the resources available. Each task is also assigned the start date and end date. Note with special attention that some tasks cannot begin until a previous task is completed. The estimated hours to complete the task are provided along with the budgetary constraints. The dependencies indicate the tasks that need to be completed before starting on the new tasks. For example, you cannot start on the next task until the requirements for a current task have been met.
Many project-planning considerations affect the outcome of the project. Such considerations include finances, priorities, timing and scheduling, staffing, procurement, organizational feasibility, training and indoctrination, and the project scope. The project scope consists of determining and documenting a list of specific goals, tasks, deliverables, and deadlines of the project. Project planning must have detailed documentation to avoid drastic changes to the project, especially with information security projects. For example, a change to a device will involve a change to the security access, type of applications, other equipment adaptability, and possible training. Moreover, this simple change affects the project planning considerations such as finances (does it cost more), timing and scheduling (availability of the new device), staffing (more people), and training and indoctrination (does the individual need training). Of course, not all the planning considerations will be affected, but it only takes one to push back the entire project.
Once the project is underway, the project manager will utilize the gap analysis method to measure the project during the planning process. The gap analysis is also known as the negative feedback loop. The project close-out or project wrap-up is convened between mid-level IT managers and the information security manager to finalize the details of the project and to sort out any discrepancies found during the planning process. Once all the detailed information has been gathered and assessed, the documents are compiled into a final report and presented at the wrap-up meeting.
The project, once completed, can be implemented in four distinct changeover methods, which are described below (Whitman & Mattord, 2022).
• Direct changeover: Remove the old systems, and immediately install the new system. • Phased implementation: Roll out only part of the new system at a time, and continue the process until
the old system is fully replaced with the new system. • Pilot implementation: The new system will replace the old system within a prescribed department or
section of an organization for testing purposes without affecting other departments or sections. • Parallel operations: The new system is installed alongside the old system, so two systems, old and
new, are running in tandem. The old system is a backup system in the event of new system failures.
SEC 3301, Security Application Development 4
UNIT x STUDY GUIDE Title
Reference Whitman, M. E., & Mattord, H. J. (2022). Principles of information security (7th ed.). Cengage Learning. Suggested Unit Resources In order to access the following resources, click the links below. The following PowerPoint presentations will summarize and reinforce the information from Module 11 in your textbook. Module 11 PowerPoint presentation (PDF version of the Module 11 PowerPoint presentation) The video below from the Films on Demand database provides additional information on ICT Project Management.
ClickView Pty Limited (Producer). (2012, February 13). ICT project management [Video]. Films on Demand. https://libraryresources.columbiasouthern.edu/login?auth=CAS&url=https://fod.infobase.com/PortalPl aylists.aspx?wID=273866&xtid=47484
To view a transcript of this video, click on the “Transcript” tab near the bottom of the video. Learning Activities (Nongraded) Nongraded Learning Activities are provided to aid students in their course of study. You do not have to submit them. If you have questions, contact your instructor for further guidance and information. Conducting your own research to further your learning and understanding can help you become a stronger student and can help you to see what areas interest you. Additionally, you may find resources that can help you complete your assignments. Consider searching the Academic OneFile database of the CSU Online Library using a combination of the following keywords: “IT projects,” “SDLC or system development life cycle,” “RFP,” “work breakdown schedule,” and “IT planning.” Please note: When searching, remove the commas and capitalization, and use the top search box with "Subject" selected from the dropdown. Once the results generate, use these search options to refine the results: “Peer Reviewed Journals” and "Custom Date Range" between 2022 and the present to ensure that articles are scholarly and if possible, less than 5 years old. Then, select and read two articles. Access the Academic OneFile database. Check Your Knowledge Answer the review questions and exercises for the Module 11 Review Questions and Exercises. These questions and exercises will help you assess whether or not you have mastered the unit content. Can you answer them without looking back in the textbook? After you have answered the questions and exercises, you can find out how well you did by checking the answers. Answers for Module 11 Review Questions and Exercises
- Course Learning Outcomes for Unit VII
- Required Unit Resources
- Unit Lesson
- Reference
- Suggested Unit Resources
- Learning Activities (Nongraded)