
Information security built into SDLC

An SDLC/SELC life cycle is used to ensure repeatable processes as part of an engineering and/or development project. An organization uses these processes to make it more predictable that a quality product will come out of the engineering or development process. The SDLC/SELC process, combined with strong security policies, will help to ensure a well-designed system that has security built in from project initiation. A typical SDLC/SELC process contains the following phases, each explained in detail below:

  • Initiation phase: During the initiation phase of a project, the organization defines the need for an information system. Information security planning begins in the initiation phase where the information security professional works with the project team to understand the security considerations that will need to be applied to the system.
  • Requirements analysis phase: During the requirements analysis phase, the project team works with users and business stakeholders to develop the requirements necessary for the new system. It is the job of the information security professional to ensure that security requirements are included for the new system and that they are given a high priority.
  • Design phase: During the design phase, the requirements that were gathered during the requirements analysis phase are used to construct the new system. The role of the information security professional in this phase is to ensure that the correct information security controls are implemented as part of the system design. The design phase can be further broken down into subphases where the engineering team develops:
    • Concept of operation: A document that describes the characteristics of a system from a user perspective. This document is used to communicate how the system will operate to business stakeholders.
    • High-level design: A document that describes the logical components of a system and how they will interact. This document includes data flows and how parts of the system will interconnect.
    • Detailed design: A document that takes the high-level design and applies the specific configurations and costs that will be part of the system.
    • Proof of concept system: A proof of concept system takes the detailed design and implements a system that can be used to determine if the designed system meets the user and business stakeholder requirements. Often, the proof of concept is a scaled-down version of the proposed system in order to test functionality without incurring the full cost of the final system.
  • Implementation phase: During the implementation phase, the project team builds the production information system based on the design defined in the previous phase. The role of the information security professional is to ensure that the designed security controls are properly implemented and working.
  • Testing phase: During the testing phase, the project team executes an agreed-upon test plan to ensure that the system functions as expected. The information security professional must ensure that the implemented security controls work as expected. If any deficiencies are discovered, the security control must be identified and flagged for repair.
  • Operations and maintenance phase: During this phase, the system is in production and is under configuration management. The information security professional must ensure that any new changes to the system are thoroughly examined for their impact on the security controls that were applied during the implementation phase.
  • Disposition phase: During the disposition phase, the useful life of the system has been reached and the business has decided to decommission the system. It is the responsibility of the information security professional to ensure that the system has been properly archived and sanitized in accordance with organizational policy and applicable laws.