Full Report: SP 800-64 Security Considerations in the Information System Development Life Cycle, October 2003

Security Considerations in the Information System Development Life Cycle
NIST SPECIAL PUBLICATION 800-64

EXECUTIVE SUMMARY

Including security early in the information system development life cycle (SDLC) will usually result in less expensive and more effective security than adding it to an operational system. This guide presents a framework for incorporating security into all phases of the SDLC process, from initiation to disposal. This document is a guide to help agencies select and acquire cost-effective security controls by explaining how to include information system security requirements in appropriate phases of the SDLC.
A general SDLC is discussed in this guide that includes the following phases: initiation, acquisition/development, implementation, operations/maintenance, and disposition. Each of these five phases includes a minimum set of security steps needed to effectively incorporate security into a system during its development. An organization will either use the general SDLC described in this document or will have developed a tailored SDLC that meets their specific needs. In either case, NIST recommends that organizations incorporate the associated IT security steps of this general SDLC into their development process:
Initiation Phase –
– Security Categorization – defines three levels (i.e., low, moderate, or high) of potential impact on organizations or individuals should there be a breach of security (a loss of confidentiality, integrity, or availability). Security categorization standards assist organizations in making the appropriate selection of security controls for their information systems.
– Preliminary Risk Assessment – results in an initial description of the basic security needs of the system. A preliminary risk assessment should define the threat environment in which the system will operate.
Acquisition / Development Phase –
– Risk Assessment – analysis that identifies the protection requirements for the system through a formal risk assessment process. This analysis builds on the initial risk assessment performed during the Initiation phase, but will be more in-depth and specific.
– Security Functional Requirements Analysis – analysis of requirements that may include the following components: (1) system security environment (i.e., enterprise information security policy and enterprise security architecture) and (2) security functional requirements.
– Security Assurance Requirements Analysis – analysis of requirements that address the developmental activities required and assurance evidence needed to produce the desired level of confidence that the information security will work correctly and effectively. The analysis, based on legal and functional security requirements, will be used as the basis for determining how much and what kinds of assurance are required.
– Cost Considerations and Reporting – determines how much of the development cost can be attributed to information security over the life cycle of the system. These costs include hardware, software, personnel, and training.
– Security Planning – ensures that agreed upon security controls, planned or in place, are fully documented. The security plan also provides a complete characterization or description of the information system as well as attachments or references to key documents supporting the agency’s information security program (e.g., configuration management plan, contingency plan, incident response plan, security awareness and training plan, rules of behavior, risk assessment, security test and evaluation results, system interconnection agreements, security authorizations/accreditations, and plan of action and milestones).
– Security Control Development – ensures that security controls described in the respective security plans are designed, developed, and implemented. For information systems currently in operation, the security plans for those systems may call for the development of additional security controls to supplement the controls already in place or the modification of selected controls that are deemed to be less than effective.
– Developmental Security Test and Evaluation – ensures that security controls developed for a new information system are working properly and are effective. Some types of security controls (primarily those controls of a non-technical nature) cannot be tested and evaluated until the information system is deployed; these controls are typically management and operational controls.
– Other Planning Components – ensures that all necessary components of the development process are considered when incorporating security into the life cycle. These components include selection of the appropriate contract type, participation by all necessary functional groups within an organization, participation by the certifier and accreditor, and development and execution of necessary contracting plans and processes.
Implementation Phase –
– Inspection and Acceptance – ensures that the organization validates and verifies that the functionality described in the specification is included in the deliverables.
– Security Control Integration – ensures that security controls are integrated at the operational site where the information system is to be deployed for operation. Security control settings and switches are enabled in accordance with vendor instructions and available security implementation guidance.
– Security Certification – ensures that the controls are effectively implemented through established verification techniques and procedures and gives organization officials confidence that the appropriate safeguards and countermeasures are in place to protect the organization’s information system. Security certification also uncovers and describes the known vulnerabilities in the information system.
– Security Accreditation – provides the necessary security authorization of an information system to process, store, or transmit information that is required. This authorization is granted by a senior organization official and is based on the verified effectiveness of security controls to some agreed upon level of assurance and an identified residual risk to agency assets or operations.
Operations / Maintenance Phase –
– Configuration Management and Control – ensures adequate consideration of the potential security impacts due to specific changes to an information system or its surrounding environment. Configuration management and configuration control procedures are critical to establishing an initial baseline of hardware, software, and firmware components for the information system and subsequently controlling and maintaining an accurate inventory of any changes to the system.
– Continuous Monitoring – ensures that controls continue to be effective in their application through periodic testing and evaluation. Security control monitoring (i.e., verifying the continued effectiveness of those controls over time) and reporting the security status of the information system to appropriate agency officials is an essential activity of a comprehensive information security program.
Disposition Phase –
– Information Preservation – ensures that information is retained, as necessary, to conform to current legal requirements and to accommodate future technology changes that may render the retrieval method obsolete.
– Media Sanitization – ensures that data is deleted, erased, and written over as necessary.
– Hardware and Software Disposal – ensures that hardware and software are disposed of as directed by the information system security officer.

After discussing these phases and the information security steps in detail, the guide provides specifications, tasks, and clauses that can be used in an RFP to acquire information security features, procedures, and assurances.