[go: up one dir, main page]
Scribd
Upload
34 views5 pages

IAS - Week 2-3

This document discusses information security and the systems development life cycle (SDLC). It covers the following key points: 1. The SDLC phases of investigation, analysis, logical design, physical design, implementation, and maintenance can be adapted for information security projects to identify threats and implement controls. 2. A top-down or bottom-up approach can be used for information security implementation, with top-down having higher success rates due to management support. 3. Each phase of the SDLC should consider security for the system being developed to protect organizational assets and information.

Uploaded by

Judielyn Cualbar
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
34 views5 pages

IAS - Week 2-3

This document discusses information security and the systems development life cycle (SDLC). It covers the following key points: 1. The SDLC phases of investigation, analysis, logical design, physical design, implementation, and maintenance can be adapted for information security projects to identify threats and implement controls. 2. A top-down or bottom-up approach can be used for information security implementation, with top-down having higher success rates due to management support. 3. Each phase of the SDLC should consider security for the system being developed to protect organizational assets and information.

Uploaded by

Judielyn Cualbar
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 5

COURSE CODE: IT311 – Information Assurance and

Security
Module 2

Week 2 and 3: September 1 – September 11 , 2020 | 1st Semester, S.Y. 2020-2021

Introduction
The same phases used in the traditional SDLC can be adapted to support the
implementation of an information security project. While the two processes may
differ in intent and specific activities, the overall methodology is the same. At its
COURSE MODULE

heart, implementing information security involves identifying specific threats and


creating specific controls to counter those threats.
Intended Learning Outcomes
 Explain the security mindset.
 Outline the system life-cycle and its relationship to security.
 Prepare a threat analysis.

Topic 1
Security Mindset:
 Managed Paranoia
 They are out to get me..
 How could they get me?
 Do I care?
 What is the real risk?
 What countermeasures can I apply to mitigate the risks
(threats)?
 Where am I vulnerable?
 What will it cost to fix it?
 Is it worth it?
 Apply countermeasure…
 Attacks teach you many things.
 It is important to know you’ve been attacked!
 You must design and build security into a system, bolting it on
after just doesn’t work.
 Patches suck, but you have to fix known vulnerabilities or your
insurance company won’t pay damages and you might get
thrown in jail… especially if you work with medical or personnel
records.
 Still want to be an IT major?
 That’s why they pay us the big bucks…

Approaches to Information Security Implementation


Bottom-up approach
 Information security can begin as a grassroots effort in which systems
administrators attempt to improve the security of their systems.
 The technical expertise of the individual administrators is the key
advantage of this approach.
Top-down approach
 The project is initiated by upper-level managers who issue policy,
procedures and processes, dictate the goals and expected
outcomes, and determine accountability for each required action—
has a higher probability of success.
 Has strong upper-management support, a dedicated champion,
usually dedicated funding, a clear planning and implementation
process, and the means of influencing organizational culture.

The organizational hierarchy and the bottom-up and top-down approaches are
illustrated in Figure 1-9.
COURSE MODULE

Systems Development life cycle (SDLC).

Methodology and Phases

The systems development life cycle (SDLC) is a methodology for the


design and implementation of an information system. A methodology is a
formal approach to solving a problem by means of a structured sequence
of procedures. Using a methodology ensures a rigorous process with a
clearly defined goal and increases the probability of success.

The traditional SDLC consists of six general phases. If you have taken
a system analysis and design course, you may have been exposed to a
model consisting of a different number of phases. SDLC models range from
having three to twelve phases, all of which have been mapped into the six
presented here. The waterfall model pictured in Figure 1-10 illustrates that
each phase begins with the results and information gained from the previous
phase.
The investigation phase
COURSE MODULE

The investigation phase begins with an examination of the event or


plan that initiates the process. During the investigation phase, the
objectives, constraints, and scope of the project are specified.
Analysis
The analysis phase begins with the information gained during the
investigation phase. This phase consists primarily of assessments of the
organization, its current systems, and its capability to support the proposed
systems.
Logical Design
In the logical design phase, the information gained from the analysis
phase is used to begin creating a systems solution for a business problem.
Physical Design
During the physical design phase, specific technologies are selected
to support the alternatives identified and evaluated in the logical design.
The selected components are evaluated based on a make-or-buy decision
(develop the components in-house or purchase them from a vendor).
Implementation
In the implementation phase, any needed software is created.
Components are ordered, received, and tested. Afterward, users are
trained and supporting documentation created.
Maintenance and Change
The maintenance and change phase is the longest and most
expensive phase of the process. This phase consists of the tasks necessary to
support and modify the system for the remainder of its useful life cycle.
Securing the SDLC
Each of the phases of the SDLC should include consideration of the security
of the system being assembled as well as the information it uses. Whether
the system is custom and built from scratch, is purchased and then
customized, or is commercial off-the-shelf software (COTS), the
implementing organization is responsible for ensuring it is used securely. This
means that each implementation of a system is secure and does not risk
compromising the confidentiality, integrity, and availability of the
organization’s information assets.

The Security Systems Development Life Cycle

Table 1-2 summarizes the steps performed in both the systems development
life cycle and the security systems development life cycle.
COURSE MODULE

TRY THIS!

1. What are the three components of the C.I.A. triangle? What are they
used for?
2. Identify the six components of an information system. Which are most
directly affected by the study of computer security? Which are most
commonly associated with its study?
3. Why is a methodology important in the implementation of information
security? How does a methodology improve the process?

Case Exercises

The next day at SLS found everyone in technical support busy restoring computer
systems to their former state and installing new virus and worm control software.
Amy found herself learning how to install desktop computer operating systems and
applications as SLS made a heroic effort to recover from the attack of the previous
day.

Questions:

1. Do you think this event was caused by an insider or outsider? Why do you
think this?
2. Other than installing virus and worm control software, what can SLS do to
prepare for the next incident?
3. Do you think this attack was the result of a virus or a worm? Why do you
think this?
Reference
 Whitman, M. E. et.al. (2012). Principles of Information Security.
Cengage Learning.

COURSE MODULE

Prepared by:

JUDIELYN L. CUALBAR
Instructor

You might also like