Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition Chapter 2 The Agreement Processes
Objectives • Understand the roles of the customer and supplier in the overall process of providing a product • Understand the steps that customers must take to communicate their requirements • Understand the steps that a supplier must take to provide a secure product • Understand the advantages of a formal agreement process in ensuring product quality and security
System Lifecycle Processes: The Agreement Processes • The ISO 12207 standard has seven lifecycle process groups • The first two processes, acquisition and supply, describe the relationship between customer and supplier • The 12207 standard combines them into a single category called the agreement processes • A purchased product cannot simply be assumed to be secure; the dependable way to ensure it is to follow a standard process that has been proven to produce secure products
Establishing the Form of the Standard Lifecycle • Enterprise Software Security Framework (ESSF): a term used by the Dept. of Homeland Security to describe the concept of establishing a specific process to ensure the reliability of purchased products • The aim of ESSF is to factor all responsibility for achieving secure ICT into a “who, what, when” structure of defined roles and relationships • A standardized organizational approach is needed to coordinate the roles and activities involved in producing, maintaining, and acquiring ICT products
ISO 12207-1995 • The ISO 12207 standard was first published in 1995 to organize and coordinate all of the potential forms of best-practice activity within the ICT lifecycle • 12207-1995 was the first standard to fuse the collection of industry best practices for a customer/supplier relationship into a single recommended approach • Organizations could structure a set of procurement best practices as a single uniform approach
ISO 12207-2008 • Due to advances in technology, the 1995 model needed to be revisited • Joint Technical Committee ISO/IEC JTC 1 • The joint ISO/IEC committee responsible for information technology standards • Revisions were made by JTC 1’s Subcommittee SC 7, Software and Systems Engineering • Goal was to integrate the concepts, terminology, and framework of the ISO 12207-1995 standard with the organizational and project processes of the ISO 15288-2002 standard for system lifecycle processes
ISO 12207-2008 • 12207-2008 incorporates a much larger set of processes into two areas of common focus: • System lifecycle processes and ICT-specific processes • The system lifecycle process section of the standard contains most of the processes that originated in 15288 • Processes from the original ISO 12207 document are scattered across both areas of the new standard
The Acquisition Process • The 12207-2008 acquisition process describes the customer’s role in procurement activities • Acquisition always operates in conjunction with the supply process • Standard activities of the acquisition process describe an ideal way to deal with a supplier • Supply dictates the ideal way to deliver a product • These two processes together are the basis for formulating an ICT service delivery or system purchase contract
The Acquisition Process • The goal of the acquisition process: • To purchase fundamentally correct ICT products • Acquisition process begins with identification of the customer’s needs • Ends with acceptance of the product or service as defined in the contract • Primary function of the acquisition process: • To ensure the right vendor is chosen • The organization must have precise requirements for the purchase to make an intelligent decision
The Acquisition Process • First priority of the acquisition process is to define and document all relevant product requirements • Along with the criteria for judging whether those requirements were met • Contract: a legally enforceable agreement between a customer and supplier to provide goods or services • Establishes the appropriate monitoring and control mechanisms needed to ensure that the supplier satisfies its terms and conditions
Overview of the Acquisition Process (figure)
Project Justification and Setup • First practical step in the ICT procurement process: • To prepare a fully documented justification for the proposed procurement of a product or service • Risk management is a process used to ensure that an acquired product satisfies the basic requirements for integrity and safety • A proper understanding of risk helps the purchaser make better decisions about the level of investment needed to address all of the known risks
Defining Project Requirements • Request for proposals (RFP): a formal bid request that is sent to all logical vendor sources to provide a solution for the problem specified in the requirements • Vendor responses include a quoted price, and the RFP usually specifies a response deadline • It is important to document product requirements as early as possible in the acquisition process
Documenting Requirements • System requirements specification (SRS): uses formal contractual terms to spell out the functional requirements needed to achieve a satisfactory solution • A good RFP must fully itemize the following: • The functions that must be delivered in the finished product • The criteria that the customer uses to evaluate and confirm whether the desired functions are present and correct
Documenting Requirements • Once requirements for the new system or ICT service have been defined, the next step is to contact the suppliers who can provide it • Accepted way of initiating contact is through an RFP • A good RFP specifies ICT requirements in detail and nails down the “three Ps” of the product: • Performance, price, and protection • RFP should focus on deliverables to prevent speculative bids • RFP should be viewed as a “pre-contract”
Competitive Pressure: Getting the Most Bang for the Buck • Competitive pressure: ensuring the best deal by involving the maximum number of bidders • A way of maximizing competitive pressure is through a bidders’ conference • The bid request can be explained and clarified in the presence of all competitors • Allows suppliers to view their competition • Interested suppliers respond with a formal bid • Organization determines which bid comes closest to meeting its needs
Detail of the Acquisition Process: Acquisition Preparation • The first formal activity in the acquisition process is to identify and document why the system or ICT service is needed • All the business, technical, and security justifications have to be described • Includes a description of all feasibility and security issues
Detail of the Acquisition Process: System and ICT Requirements • Functional requirements: behaviors that the product must exhibit or perform • Documented in an SRS • The SRS considers all relevant safety, security, and other critical requirements in light of relevant design, testing, and compliance standards • The SRS has to align the proposed ICT product and service requirements with all of the general system requirements
Detail of the Acquisition Process: System and ICT Requirements • The definition of system requirements is followed by the development of a set of functional requirements for each ICT product • It is important to ensure alignment and direct mapping between the contextual system needs and each ICT component • Often requires specialized expertise from a consulting company
Detail of the Acquisition Process: ICT Product Requirements Definition • Nonfunctional requirements: qualitative conditions that the product must satisfy • The requirements definition process evaluates, documents, and then ensures a suitable set of functions that will be embedded in the ICT product or service • Requirements definition is a critical aspect of ICT acquisition because the requirements document provides the sole point of reference for the bidding process
Detail of the Acquisition Process: ICT Product Requirements Definition • Goal of the requirements definition: • To provide a complete and correct description of the actions that the ICT service or system will perform • A full description of physical and environmental factors is necessary to understand the operating context of the system or ICT product • Constraints: factors that might limit a solution • Knowing any constraints helps eliminate unfortunate surprises that can drive up costs and ruin schedules
Detail of the Acquisition Process: Risk Analysis, Decision Making, & Priorities • Requirements documentation has to address known risks and the cost of mitigating them • Cost of mitigation must be fully understood to support a final decision about whether to: • Purchase an off-the-shelf ICT product • Develop the ICT product or service internally • Develop the ICT product or service through a contract • Develop a combination of the preceding three activities • Enhance an existing ICT product or service
Detail of the Acquisition Process: Risk Analysis, Decision Making, & Priorities • A number of popular, technologically oriented methods are also available for understanding risk: • Architectural risk analysis results • Abuse and misuse cases • Attack patterns • Ethical hacks (penetration tests) • By evaluating risk, managers can make the rational trade-offs necessary to decide how much security to buy
Detail of the Acquisition Process: Project Planning • Planning can begin once the customer sufficiently understands the product requirements • Planning starts by drawing project boundaries • Define the scope of the project in terms of cost, qualitative factors, and technical feasibility • An acquisition strategy is documented within the project scope • Identifies responsibilities of all participants • Technical, personnel, and resource constraints that underlie the strategy must be explicitly stated
Detail of the Acquisition Process: Project Planning • The plan ensures security and functional requirements align with the business case • The plan also documents the relationship between risk and cost • The planning activity leads to a decision to contract • Type of contract is determined by the level of cost, schedule, and performance risk that is acceptable • Contract language spells out the ICT assurance requirements
Detail of the Acquisition Process: Outsourcing Considerations • Outsourcing: contracting work to an organization that is neither the acquiring organization nor the primary contractor • Supplier capability is crucial to the outsourcing decision • Organization must find out in advance if contractors possess the capabilities required to do the work • In addition to outsourcing: • Organizations must address whether foreign influence and control might be exercised over the product
Detail of the Acquisition Process: Risk Management • An organization must plan a risk management approach and put it into place • The plan itemizes the details for managing risk, including: • The risk assessment mechanism to be used • Method for designing and deploying risk mitigations • Monitoring activities for risk mitigation • Deciding how these activities will be adjusted to changing conditions • Must be fully documented in a project lifecycle risk management plan
Detail of the Acquisition Process: ICT Reuse in Acquired Products • ICT component reuse can be a concern in the performance of a contract • Reusable code can be risky • Its limitations must be clearly stated in the contract • A strategy and decision criteria for guiding reuse are often part of the project plan • An organization needs to know whether the reuse process will involve: • Open source code, other reusable code, and value-added products or services
Detail of the Acquisition Process: Executing the Acquisition Plan • The acquisition plan specifies: • All relevant criteria for making business decisions • Financial and technical feasibility • Contract milestones • Audits and reviews • Contractor performance • Budgetary and scheduling criteria • Scope statement • Planned employment of the system • Type of contract to be employed • Responsibilities of the organizations involved
Detail of the Acquisition Process: Executing the Acquisition Plan • The acquisition plan specifies (cont’d): • Control of subcontracts • Support to be used • Risks considered and methods to manage them • Acceptance strategy and conditions • System requirements • Specification of ICT product requirements • Technical constraints • Terms and conditions • Instructions for bidders
Detail of the Acquisition Process: Supplier Selection • The supplier selection process establishes milestones for reviewing the supplier’s progress • Acquiring organizations use mutually approved and documented criteria to determine which proposal comes closest to meeting their requirements • Evaluators sometimes use outside consultants and other third parties to arrive at a decision • Expert opinion is essential • A bad decision can have costly consequences • The acquiring organization is called the owner in the contract
Detail of the Acquisition Process: Supplier Notification • The assessment and selection are based on a supplier’s demonstrated capability to deliver the system, ICT product, or service as specified • The winning bidder is selected after the organization appraises each supplier’s ability to satisfy the RFP’s terms and conditions • Standard specifications need to be considered • Once a winning bidder is selected: • The acquiring organization and supplier sign the contract
Detail of the Acquisition Process: Agreement Monitoring and Closure • Acceptance: acknowledgement that a product has been delivered as contracted, as indicated by a formal payment or other consideration • The acquiring organization conducts acceptance reviews and testing of the deliverable using an approved procedure • Acceptance procedures and their documentation are defined by the acquiring organization, with the extent of supplier involvement fixed in the contract • Closure occurs when the product or service has satisfied the conditions of the agreement • Acquiring organization renders payment
The Supply Process - The Other Side of the Coin • ISO 12207 includes a supply process • Itemizes the activities and tasks carried out by organizations that provide ICT products or services • The model used to ensure the correctness of the delivered product is spelled out by the eight processes in the ISO 12207 supporting process group • To ensure successful oversight: • A cooperative relationship should exist between the acquiring organization and the supplier
Overview of the Supply Process (figure)
Unique Elements of the Supply Process • Once an RFP has been received: • First task is to conduct a review of its ICT requirements • Another purpose of the RFP review process is to characterize the product space • Product space: all feasible approaches to satisfying the constraints on the solution • Negative problem space: a situation in which satisfying one constraint would prevent another from being attained • Trade-offs may be needed in that case, and they should be surfaced to the customer before bidding
Responding to the Customer’s Bid Request • The supplier develops a plan that specifies how it intends to tailor the recommendations of the ISO 12207 standard to the project • The supplier must demonstrate that it can execute the required processes, activities, and tasks of the standard within a defined process architecture • Response specifies activities for development, sustainment, delivery, and installation of the product or service • Supply process employs the recommendations of the processes for ICT product implementation (clause 7.1.1 of 12207-2008)
Negotiating the Contract from the Supplier Side • The contract must legally define all requirements of the acquisition for all parties • Including cost and schedule • Contract addresses such legal issues as: • Usage, ownership, warranty, and associated licensing rights • If the contract has to be altered, the alterations must be performed within the legal structure of the contract • All revised forms are kept by the acquiring organization
Negotiating the Contract from the Supplier Side • The supplier is responsible for: • Developing and managing a project commitment plan • Includes resource estimates and definitions of the scope and extent of the acquiring organization’s involvement at each stage • Developing a framework for quality and security assurance • Following the best approach to delivering the contracted product • Creating the management plan for the project
Project Execution • The first step in project execution is to prepare a detailed plan of how the work will be done • Usually means creating a work breakdown structure (WBS) and referencing resource commitments • The overall project work includes the following options: • Develop the ICT product in accordance with the technical processes • Operate the ICT product in accordance with the ICT operation process • Maintain the ICT product in accordance with the ICT maintenance process
Project Execution • The organization level, authority, and responsibility for each participant in the process are established • Assurance requirements must exist before meaningful decisions can be made about aspects of production • Audits: formal reviews of a product or process that attest to the presence of an observable condition • Can increase the acquiring organization’s visibility into the process
Oversight and Control • Steps required to create a formal oversight and control management function: • Initiation • Identification of relevant review issues • Create a generic review plan • All audit and control activities are defined • Required standards and practices are identified and the review plan is integrated with the project management plan • Deploy procedures to guide the review process
Documenting Contract Compliance • Reviews must be able to provide documented proof that the supplier’s processes conform to the requirements of the contract • If problems are identified during the review, they must be documented and resolved • Records of review outcomes must be easily accessible to all managers involved in procurement • The supplier is responsible for specifying a process to assure the integrity and security outcomes stated in the contract
Product and Process Assurance • Goal of product assurance is to confirm that all requisite work complies with contractual requirements • Product must be reviewed regularly to ensure all requirements are being satisfied • Customer visibility into development is covered by process assurance • The acquiring organization has a contractual right to a certain amount of transparency between customer and supplier
Ensuring the Supply Chain • A major ICT product is likely to require many levels of subcontractor involvement • Supply chain: a hierarchical framework of entities that work together to develop a product • An unmonitored supply chain introduces a number of potential risks into the acquisition process • An organization must have a mechanism for rigorously monitoring and controlling ICT production at all levels in the supply chain, not just at the prime contractor • Acquisitions through a supply chain must be closely monitored
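The three slides on outsourcing, ICT reuse, and the supply chain all ask for one thing: a mechanism that walks every tier of subcontracting and checks what each tier contributes against the contract. The script below is an added example, not code from the textbook or from ISO 12207. The contract clauses (subcontract depth limit, approved open-source licenses, mandatory reuse declaration, foreign-control review), the supplier names, countries and components are all constructed for the demonstration; a real inventory would come from the supplier's reuse declaration and subcontract list required by the acquisition plan.

```python
"""Supply-chain and reuse check over a multi-tier supplier inventory.

Added example, not code from the textbook or ISO 12207: the contract
clauses, supplier names and components below are constructed to show
what a mechanism for monitoring every tier of a supply chain can check.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Hypothetical contract constraints (assumptions for this example).
CONTRACT = {
    "max_subcontract_depth": 2,      # prime contractor is depth 0
    "approved_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    "require_reuse_declaration": True,
    "foreign_control_review": True,
}


@dataclass
class Component:
    name: str
    origin: str            # "developed", "open_source", "reused" or "third_party"
    license: str = ""      # only meaningful for open_source
    declared: bool = True  # listed in the supplier's reuse declaration


@dataclass
class Supplier:
    name: str
    country: str
    components: List[Component] = field(default_factory=list)
    subcontractors: List["Supplier"] = field(default_factory=list)


Finding = Tuple[str, str, str]  # (supplier, issue code, detail)


def audit_supplier(sup: Supplier, depth: int, home_country: str,
                   contract=CONTRACT) -> List[Finding]:
    """Recursively check one supplier and every tier below it."""
    findings: List[Finding] = []
    if depth > contract["max_subcontract_depth"]:
        findings.append((sup.name, "DEPTH",
                         f"tier {depth} exceeds contractual limit "
                         f"{contract['max_subcontract_depth']}"))
    if contract["foreign_control_review"] and sup.country != home_country:
        findings.append((sup.name, "FOREIGN",
                         f"located in {sup.country}; foreign control review required"))
    for comp in sup.components:
        if comp.origin == "developed":
            continue  # bespoke work product; covered by product assurance
        if contract["require_reuse_declaration"] and not comp.declared:
            findings.append((sup.name, "UNDECLARED_REUSE",
                             f"{comp.name} ({comp.origin}) not in reuse declaration"))
        if comp.origin == "open_source" and comp.license not in contract["approved_licenses"]:
            findings.append((sup.name, "LICENSE",
                             f"{comp.name} licensed {comp.license or 'unknown'}"))
    for sub in sup.subcontractors:
        findings.extend(audit_supplier(sub, depth + 1, home_country, contract))
    return findings


def audit_supply_chain(prime: Supplier, home_country: str) -> List[Finding]:
    """Entry point: the prime contractor is tier 0."""
    return audit_supplier(prime, 0, home_country)


def sample_supply_chain() -> Supplier:
    """Constructed four-tier inventory used for the demonstration."""
    tier3 = Supplier("SubThree", "US",
                     [Component("build-scripts", "third_party")])
    tier2 = Supplier("SubTwo", "DE",
                     [Component("ui-kit", "open_source", "GPL-3.0")],
                     [tier3])
    tier1 = Supplier("SubOne", "US",
                     [Component("crypto-wrapper", "open_source", "Apache-2.0"),
                      Component("legacy-parser", "reused", declared=False)],
                     [tier2])
    return Supplier("PrimeCo", "US",
                    [Component("auth-service", "developed")],
                    [tier1])


if __name__ == "__main__":
    for supplier, code, detail in audit_supply_chain(sample_supply_chain(), "US"):
        print(f"{code:16} {supplier:10} {detail}")
```

Run against the constructed tree with the acquirer in the US, the audit reports an undeclared reused parser at tier 1, a foreign-located supplier and an unapproved license at tier 2, and a tier 3 subcontractor that the contract never allowed. The point is the recursion: a check that stops at the prime contractor sees none of these.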
Verification, Validation, and Testing • Testing and reviews are meant to ensure: • Progress of technical work, contract performance, costs, schedules, and reporting of project status • Problem identification, recording, analysis, and resolution • Formal reviews: evaluation activities in which a producer surrenders a product for independent assessment • Informal reviews: evaluation activities in which the producer controls the evaluation process
Verification, Validation, and Testing • Walkthrough: the most informal form of inspection • The producer takes reviewers on a tour of the product • Very common in the ICT industry • Inspection: the most formal process for independent review • The ICT product is presented to a third-party team or individual for examination prior to the actual review • The supplier is obligated by the 12207 standard to report the results of all evaluations, reviews, audits, tests, and problem resolution meetings
Delivery and Acceptance • At time of delivery, the acquiring organization must be prepared to conduct a formal acceptance activity • Activity is usually itemized in the contract • Most acceptance plans specify the test cases, test data, test procedures, and test environment • The supplier should agree to provide routine technical support or installation service • The process ends when both parties acknowledge that all legal terms and conditions of the contract have been satisfied