SDLC: System Development Life Cycle (cs5493). Deck outline: SDLC Classical Model (Linear Sequential, aka waterfall model); SDLC Example: Concept to Planning; SDLC Model Variants (the classical SDLC model has been refined into more useful variants); SDLC Refined Model; SDLC Sustainment Cycle.
SDLC Classical Model • Linear Sequential • Also known as the waterfall model
SDLC Model Variants • The classical SDLC model has been refined into more useful variants.
SDLC Sustainment Cycle • Changes are required to sustain the system • Planning needed changes based on technology, market forces, security requirements, etc. • Analysis of proposed changes on the system • Design and integration of changes into the system • Implement proposed changes (make it so!) • Maintenance (things break, need replacement, obsolescence)
SDLC Applied to Information Systems NIST (Uncle Sam) recommends including security in all development stages of an information system.
NIST Information SDLC Phases • Initiation Phase • Acquisition/Development Phase • Implementation Phase • Operations/Maintenance Phase • Disposition Phase
1. Initiation Phase • Security Categorization • Preliminary Risk Assessment
1. a) Security Categorization • Security categorization standards assist in the appropriate selection of security controls. • Categorization levels can be labeled low, moderate, or high. • ...later to be categorized into a CC EAL (Common Criteria Evaluation Assurance Level).
1. Initiation Phase • b) Preliminary Risk Assessment • Analysis that identifies the protection requirements for the system.* • *This would also be used in the certification/accreditation process.
2. Acquisition/Development Phase • Risk Assessment (overlap with the previous phase) • Security Functional Requirements • Security Assurance Requirements Analysis • Cost Considerations & Reporting • Security Planning • Security Control Development • Developmental Security Test & Evaluation • Other Components
2. a) Risk Assessment • Overlaps with the previous phase: identify the protection requirements for the system.
2. b) Security Functional Requirements Analysis • Should include consideration of relevant laws and regulations. • This applies to • Government agencies • Companies with government contracts • Payment card industry laws and regulations • etc.
2. c) Security Assurance Requirements Analysis • The correct and effective use of security controls. • CC can be helpful here. Choose systems that have been evaluated to meet an assurance standard.
2. d) Cost Considerations and Reporting • Estimate the cost of information security over the life-cycle of the system.
2. e) Security Planning • The agreed security controls, planned or in place, are fully documented.
2. f) Security Control Development • New systems: the security plan includes provisions for development of security controls. (Sustainability cycle) • Existing systems: implies the advancement of the security controls, especially those that are ineffective. (Sustainability cycle)
2. g) Developmental Security Testing and Evaluation • An assurance that the security controls for a new system are: • Implemented correctly • Operate as intended • Produce the desired outcome • (as in certification and accreditation…)
2. h) Other Planning Components • Examples: • Participation of all the relevant groups & individuals in the security planning process.* • *This would include among others, such individuals as the Certification Agent and Information System Owner.
3. Implementation Phase • Inspection & Acceptance • Security Control Integration • Security Certification • Security Accreditation
3. a) Inspection & Acceptance • Validate that the documented functionality is actually implemented.
3. b) Security Control Integration • The security controls are integrated at the operational site where the information system is deployed for operation.
3. c) Security Certification • Certification occurs when security controls are: • Implemented correctly • Operate as intended • Produce the desired outcome • (As determined by the Certification Agent)
3. d) Security Accreditation • The Authorizing Official (AO) will determine if the risks are acceptable for the information system.
4. Operations/Maintenance Phase • Configuration Management & Control • Continuous Monitoring