Like the Systems Development Life Cycle, the Information Security Development Life Cycle (ISDLC) also follows almost the same path.
At its heart, information security means identifying potential security threats and protecting valuable company data from these threats. In simple terms therefore, ISDLC consists of identifying specific information security threats and creating controls to plug them.
The most sensible way to plug information security issues is to integrate ISDLC right from the inception of the software / network system itself. In other words, your information security will be tighter if you approach it holistically rather than on an ad hoc basis. Early integration of security in the system assures data integrity through:
- Early detection and mitigation of security vulnerabilities and threats
- Awareness of potential engineering challenges caused by mandatory security controls
- Identification of shared security services and reuse of security strategies and tools to reduce development cost and schedule while improving security posture through proven methods and techniques and
- Facilitation of informed executive decision making through comprehensive risk management in a timely manner.
The steps involved in the information security development life cycle include:
Identification / InvestigationThis is where the information security agency (like SNCA) interacts with the management to understand their goals and objectives for securing information. It may also involve a formulating information security policy for the enterprise, if one is already not in place. It also involves determining whether the organization has the resources and focus necessary to conduct a successful security analysis. Information security threat identification also involves analyzing known threats, legal stipulations that may affect the security solution and risk management strategies.
DesignOnce the information security threats have been identified and analyzed, the next step is to design the security solution that addresses these concerns. Designing can be further subdivided into logical and physical design of the security system. Logical design involves security incident response actions, continuity planning and disaster recovery. Physical designing assesses the proper technology to be used to implement the logical design, and creating the information security blueprint.
ImplementationOnce the threats are analyzed and the technology to be used finalized, the next step is the implementation of the information security solution. By the time you come to the implementation stage, you should have the following in place:
- Latest security policies
- Procedures and guidelines to implement them
- Disaster recovery plan
- Technical controls and human threats
- Existing devices and their shortcomings
Once you have all the data ready, the actual implementation can begin. This is a task with immense responsibility and will need a team of dedicated security professionals.
Once the security solution is implemented, it is necessary to:
- Perform a vulnerability analysis
- Evaluation of the assets and risks
- Maintenance and checking
- Train the staff and create security awareness
This completes the lifecycle of the information security development. Since it is a water fall model, the company / enterprise needs to repeat when the security system is no longer viable.
You may also like to read: