Tuesday, April 2, 2019
Information Systems Acquisition Development And Maintenance Information Technology Essay
The ISO 27002 standard is the new name of the ISO 17799 standard. It is a code of practice for information security management. It basically outlines hundreds of potential controls and control mechanisms, which may be implemented. The standard is intended to establish guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization. The actual controls listed in the standard are proposed to address the specific requirements identified via a formal risk assessment. The standard is also intended to provide a guide for the development of organizational security standards and effective security management practices, and it is also helpful in building confidence in inter-organizational activities. ISO's future plans for this standard are focused largely around the development and publication of industry-specific versions. One of the contents of ISO 27002 is information systems acquisition, development, and maintenance, the details of which are as follows.

Information Systems Acquisition, Development, and Maintenance (ISO 27002)

Table of Contents
Overview
Standards
Security Requirements of the information systems
Correct processing of the information
Cryptographic control
Security of the system files
Security in development and support processes
Technical vulnerability management

Overview
Information security must be taken into account in the Systems Development Lifecycle (SDLC) processes for specifying, building/acquiring, testing, implementing and maintaining IT systems. Automated and manual security control requirements should be analyzed and fully identified during the requirements stage of the system's development or acquisition process, and incorporated into business cases.
Purchased software should be formally tested for security, and any issues risk-assessed. The Systems Development Life Cycle (SDLC), or Software Development Life Cycle in systems and software engineering, is the process of creating or altering systems, and the models and methodologies that people use to develop these systems. The concept generally refers to computer or information systems. The Systems Development Life Cycle (SDLC) is a process used by a systems analyst to develop an information system, including requirements, validation, training, and user (stakeholder) ownership. Any SDLC should result in a high quality system that meets or exceeds customer expectations, reaches completion within time and cost estimates, works effectively and efficiently in the current and planned Information Technology infrastructure, and is inexpensive to maintain and cost-effective to enhance.

Standards
ISO 27002 Information Security Management, Clause 12: Information Systems Acquisition, Development, and Maintenance

Security Requirements of the information systems
Security can be integrated into information systems acquisition, development and maintenance by implementing effective security practices in the following areas:
Security requirements for information systems
Correct processing in applications
Cryptographic controls
Security of system files
Security in development and support processes
Technical vulnerability management

Information systems security begins with incorporating security into the requirements process for both new applications and system enhancements. Security should be designed into the system from the beginning. Security requirements are presented to the vendor during the requirements phase of a product purchase.
Formal testing should be done to determine whether the product meets the required security specifications prior to purchasing the product. Security requirements are established as an integral part of the development or implementation of an information system. The acquisition of a system or application often includes a Request for Proposals (RFP), which is a formal procurement process. During this process, security requirements need to be identified. Indiana University includes both a security review and a security questionnaire as part of the RFP process. Learn more about this effective practice. The main objective of this category is to ensure that security is an integral part of the organization's information systems, and of the business processes associated with those systems.

Correct processing of the information
This category aims to prevent errors, loss, unauthorized modification or misuse of information in applications. Application design includes controls such as those to validate input/output data, internal processing, and message integrity, in order to prevent errors and preserve data integrity.

Input data validation
Data input in applications should be validated to ensure that the data is correct and appropriate. Control includes use of both automatic and manual methods of data verification and cross-checking, as appropriate, and defined responsibilities and processes for responding to detected errors.

Control of internal processing
Validation checks should be incorporated into applications to detect the corruption of information through processing errors or deliberate acts. Control includes use of both automatic and manual methods of data verification and cross-checking, as appropriate, and defined responsibilities and processes for responding to detected errors.
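The input validation and internal-processing controls described above can be shown in code. The following is an added example, not part of the essay or of ISO 27002: it validates each field of an incoming record (type, format, range), tags accepted records with an HMAC so a later processing stage can detect corruption or deliberate alteration, and cross-checks a computed total against an independently computed control total. The record format, field rules, the key and the sample batch are all constructed for illustration.

```python
"""Added example (not from the essay or ISO 27002): application-level
controls for correct processing -- input validation, an integrity tag that
detects corruption or deliberate alteration between processing steps, and a
control-total cross-check. Record format, rules and key are constructed."""
import hashlib
import hmac
import re
from decimal import Decimal, InvalidOperation

# Constructed secret for the integrity tag; a real system would obtain it
# through its key management process rather than hard-coding it.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"

ACCOUNT_RE = re.compile(r"[A-Z]{2}\d{6}")  # constructed account-id format
ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}
MAX_AMOUNT = Decimal("1000000")


class ValidationError(ValueError):
    """Raised when input data fails a validation rule."""


def validate_input(record: dict) -> dict:
    """Input data validation: check presence, format and range of every
    field before the application uses it. Returns a normalised copy."""
    required = {"account", "amount", "currency"}
    missing = required - set(record)
    if missing:
        raise ValidationError(f"missing fields: {sorted(missing)}")
    account = str(record["account"]).strip()
    if not ACCOUNT_RE.fullmatch(account):
        raise ValidationError("account id has wrong format")
    try:
        amount = Decimal(str(record["amount"]))
    except InvalidOperation:
        raise ValidationError("amount is not numeric")
    if amount <= 0 or amount > MAX_AMOUNT:
        raise ValidationError("amount out of permitted range")
    if record["currency"] not in ALLOWED_CURRENCIES:
        raise ValidationError("unsupported currency")
    return {"account": account, "amount": amount, "currency": record["currency"]}


def integrity_tag(record: dict) -> str:
    """HMAC over the canonical record, so later stages can detect that the
    data was corrupted or deliberately changed after validation."""
    canonical = f"{record['account']}|{record['amount']}|{record['currency']}"
    return hmac.new(INTEGRITY_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def verify_integrity(record: dict, tag: str) -> bool:
    """Constant-time comparison of the stored tag with a recomputed one."""
    return hmac.compare_digest(integrity_tag(record), tag)


def process_batch(batch: list) -> dict:
    """Control of internal processing: validate, tag, total, and cross-check
    the total against an independently computed control total."""
    accepted, errors = [], []
    for raw in batch:
        try:
            rec = validate_input(raw)
        except ValidationError as exc:
            errors.append((raw, str(exc)))   # defined response: record and skip
            continue
        accepted.append((rec, integrity_tag(rec)))
    # Later processing stage: re-verify each tag before using the data.
    running_total = Decimal("0")
    for rec, tag in accepted:
        if not verify_integrity(rec, tag):
            errors.append((rec, "integrity tag mismatch"))
            continue
        running_total += rec["amount"]
    # Independent cross-check by a second path (run-to-run control total).
    control_total = sum((rec["amount"] for rec, _ in accepted), Decimal("0"))
    return {"accepted": len(accepted), "total": running_total,
            "control_total_matches": running_total == control_total,
            "errors": errors}


def tampered_record_detected() -> bool:
    """Show that altering a record after it was tagged is detected."""
    rec = validate_input({"account": "GB123456", "amount": "100.50", "currency": "GBP"})
    tag = integrity_tag(rec)
    rec["amount"] = Decimal("100000.50")   # deliberate alteration after tagging
    return not verify_integrity(rec, tag)


# Constructed sample input: two valid records and two that must be rejected.
SAMPLE_BATCH = [
    {"account": "GB123456", "amount": "100.50", "currency": "GBP"},
    {"account": "US000001", "amount": "250", "currency": "USD"},
    {"account": "bad-id", "amount": "10", "currency": "USD"},
    {"account": "DE999999", "amount": "-5", "currency": "EUR"},
]

if __name__ == "__main__":
    print(process_batch(SAMPLE_BATCH))
    print("tampering detected:", tampered_record_detected())
```

The same pattern of validating and cross-checking applies to output data: a result that fails its checks is recorded as an error and routed to whoever is responsible for responding, rather than being silently passed on.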
Message integrity
Requirements for ensuring authenticity and protecting message integrity in applications should be identified, and appropriate controls identified and implemented.

Output data validation
Data output from applications should be validated to ensure that the processing of stored information is correct and appropriate to the circumstances. Control includes use of both automatic and manual methods of data verification and cross-checking, as appropriate, and defined responsibilities and processes for responding to detected errors.

Cryptographic control
The objective of cryptographic control is to describe considerations for an encryption policy in order to protect information confidentiality, integrity, and authenticity. A cryptography policy should be defined, covering roles and responsibilities, digital signatures, non-repudiation, management of keys and digital certificates, etc. Certain data, by their nature, require special confidentiality protection. Additionally, there may be contractual or other legal penalties for failure to maintain proper confidentiality when Social Security Numbers are involved, for example. Parties who may acquire unauthorized access to the data but who do not have access to the encryption key (the password that encrypted the data) cannot feasibly decipher the data. Data exist in one of three states: at rest, in transit, or undergoing processing. Data are especially vulnerable to unauthorized access when in transit or at rest. Portable computers (holding data at rest) are a common target for physical theft, and data in transit over a network may be intercepted. Unauthorized access may also occur while data are being processed, but here the security system may rely on the processing application to control, and report on, such access attempts. This category aims to protect the confidentiality, integrity and authenticity of information by cryptographic means.

Policy on the use of cryptographic controls
Policies on the use of cryptographic controls for protection of information should be developed and implemented. Control includes:
a statement of general principles and management approach to the use of cryptographic controls
specifications based on a thorough risk assessment that considers appropriate algorithm selections, key management and other core features of cryptographic implementations
consideration of legal restrictions on technology deployments
application, as appropriate, to data at rest and fixed-location devices, data transported by mobile/removable media and embedded in mobile devices, and data transmitted over communications links
specification of roles and responsibilities for implementation of, and the monitoring of compliance with, the policy

Key management
Key management policies and processes should be implemented to support an organization's use of cryptographic techniques. Control includes procedures for distributing, storing, archiving and changing/updating keys; recovering, revoking/destroying and dealing with compromised keys; and logging all transactions associated with keys.

Security of the system files
The main objective is to ensure the security of system files. Security requirements should be identified and agreed prior to the development or acquisition of information systems.

Security requirements analysis and specification
An analysis of the requirements for security controls should be carried out at the requirements analysis stage of each project.

Control of operational software
Procedures should be implemented to control the installation of software on operational systems, to minimize the risk of interruptions in or corruption of information services.
Control includes:
updating performed only with appropriate management authorization
updating performed only by appropriately trained personnel
only appropriately tested and certified software deployed to operational systems
appropriate change management and configuration control processes for all stages of updating
appropriate documentation of the nature of the change and the processes used to implement it
a rollback strategy in place, including retention of prior versions as a contingency measure, and
appropriate audit logs maintained to track changes.

Access to system files (both executable programs and source code) and test data should be controlled, to ensure that system files and sensitive data in testing environments are protected against unauthorized access, and that secure code management systems and processes are in place for configurations, software, and source code. Documented procedures and revision control systems should be utilized to control software implementation for both applications and operating systems. New York University described their approach in the presentation.

Protection of system test data
Test data should be selected carefully and appropriately logged, protected and controlled.

Access control for program source code
Access to program source code should be restricted. Control includes appropriate physical and technical safeguards for program source libraries, documentation, designs, specifications, and verification and validation plans; and maintenance and copying of these materials subject to strict change management and other controls.

Security in development and support processes
This category aims to maintain the security of application system software and information.

Change control procedures
The implementation of changes should be controlled by the use of formal change control procedures.
Control includes:
a formal process of documentation, specification, testing, quality control and managed implementation
a risk assessment, analysis of actual and potential impacts of changes, and specification of any security controls required
a budgetary or other financial analysis to assess adequacy of resources
formal agreement to and approval of changes by appropriate management, and
appropriate notification of all affected parties prior to implementation, on the nature, timing and likely impacts of the changes
scheduling of changes to minimize the adverse impact on business processes.

Information leakage
Opportunities for information leakage should be appropriately minimized or prevented. Control includes:
risk assessment of the probable and possible mechanisms for information leakage, and consideration of appropriate countermeasures
regular monitoring of likely information leak mechanisms and sources, and
end-user awareness and training on preventive strategies (e.g., to remove meta-data in transferred files).

Application system managers should be responsible for controlling access to development project and support environments. Formal change control processes should be applied, including technical reviews. Packaged applications should ideally not be modified. Checks should be made for information leakage, for example via covert channels and Trojans, if these are a concern. A number of supervisory and monitoring controls are outlined for outsourced development. One of the security layers that can expose serious vulnerabilities is the application layer. Inventorying and securing all applications, software interfaces, or integration points that touch sensitive data is crucial in any organization that handles personal identity data, HIPAA or PCI data, or any data that can lead to identifying confidential information.
Unfortunately, this layer is subject to extensive variations and stretches across many technologies, human competencies, and organizational controls, practices, and standards. As such, it is difficult to secure and sustain, usually requiring departments to re-evaluate much of their software development, acquisition, and production control organization, staffing, and practices. Moreover, since applications are enhanced to adapt to changing business needs relatively often, even while the technology they depend on may also be changing, a consistent and routinized approach to maintaining their security must be adopted. Fortunately, there are many excellent resources to help organizations get started.

Technical vulnerability management
Technical vulnerabilities in systems and applications should be controlled by monitoring for the announcement of relevant security vulnerabilities, and risk-assessing and applying relevant security patches promptly. The aim is to ensure that procedures are implemented to mitigate and/or patch technical vulnerabilities in systems and applications. This category aims to reduce risks resulting from exploitation of published technical vulnerabilities.

Control of technical vulnerabilities
Timely information about technical vulnerabilities of information systems used by the organization should be obtained, evaluated in terms of organizational exposure and risk, and appropriate countermeasures taken. Control includes:
a complete inventory of information assets sufficient to identify systems put at risk by a particular technical vulnerability
procedures to allow timely response to identification of technical vulnerabilities that present a risk to any of the organization's information assets, including a timeline based on the level of risk
defined roles and responsibilities for implementation of countermeasures and other mitigation procedures.

Conclusion
Sadly it is not a perfect world, and when breaches of security do occur, for whatever reason, it is important to contain the result by reporting the incident and responding to it as quickly as possible. To whom should an incident be reported? What information will that person need to know? What precautions should one take to limit the organization's exposure to the security breach? It is essential that all staff know what comprises an information security incident and also a security weakness, and to whom they report it. At the same time it is essential that all management know how to respond if they are on the escalation process for information security incident management reporting or escalation. It may be that there will be little or no time to organise a response to the incident, in which case the more thinking that has gone into the response procedure, the better placed the organisation will be to deal with it.
Documented information security incident management procedures should be developed and practised. Whilst information security incidents are not a desired outcome for any organisation, they must learn, and their staff must learn, from them to prevent them occurring again. A process of learning from such incidents by use of induction training, ongoing awareness training or other means should be undertaken for all staff, contractors and third parties. Remember that if the response is likely to include formal disciplinary action, then the full process should be formally described and approved by the organisational management to remove the possibility of dispute after the event. If evidence is to be collected it should be done by competent staff and with due regard for the rules of evidence for the jurisdiction.
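The "Control of technical vulnerabilities" section above lists three things a vulnerability management procedure needs: an asset inventory good enough to identify the systems a given vulnerability puts at risk, a response timeline that depends on the level of risk, and a defined owner for the countermeasures. The following is an added example, not part of the essay or of ISO 27002, that puts the three together: it matches a vulnerability announcement against an inventory, raises the announced severity for systems that are internet-facing or hold sensitive data, and assigns each affected system an owner and a remediation deadline. The inventory, the announcement (a placeholder identifier, not a real advisory), the exposure rule and the remediation timelines are all constructed for illustration; an organisation would substitute its own.

```python
"""Added example (not from the essay or ISO 27002): match a vulnerability
announcement against an asset inventory and assign owners and risk-based
remediation deadlines. Inventory, announcement, exposure rule and timelines
are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    software: str              # product name as tracked in the inventory
    version: str
    internet_facing: bool
    holds_sensitive_data: bool
    owner: str                 # role responsible for countermeasures


@dataclass(frozen=True)
class Vulnerability:
    identifier: str            # placeholder id, not a real CVE number
    software: str
    affected_versions: frozenset
    severity: str              # "low", "medium", "high" or "critical"


LEVELS = ["low", "medium", "high", "critical"]
SEVERITY_RANK = {level: i for i, level in enumerate(LEVELS)}
# Constructed organisational timeline: days allowed to remediate per risk level.
REMEDIATION_DAYS = {"low": 90, "medium": 30, "high": 14, "critical": 3}


def affected_assets(inventory, vuln):
    """Inventory lookup: which systems run an affected version?"""
    return [a for a in inventory
            if a.software == vuln.software and a.version in vuln.affected_versions]


def risk_level(asset, vuln):
    """Evaluate organisational exposure: raise the announced severity one
    step for an internet-facing system and one step for a system holding
    sensitive data, capped at critical (constructed rule)."""
    rank = SEVERITY_RANK[vuln.severity]
    rank += int(asset.internet_facing) + int(asset.holds_sensitive_data)
    return LEVELS[min(rank, len(LEVELS) - 1)]


def remediation_plan(inventory, vuln, announced):
    """One action record per affected asset: risk level, owner, deadline."""
    plan = []
    for asset in affected_assets(inventory, vuln):
        level = risk_level(asset, vuln)
        plan.append({
            "asset": asset.name,
            "vulnerability": vuln.identifier,
            "risk": level,
            "owner": asset.owner,
            "deadline": announced + timedelta(days=REMEDIATION_DAYS[level]),
        })
    return sorted(plan, key=lambda p: p["deadline"])   # most urgent first


# Constructed inventory and announcement.
INVENTORY = [
    Asset("web-portal", "exampleweb", "2.1", True, True, "web-team"),
    Asset("intranet-wiki", "exampleweb", "2.1", False, False, "it-ops"),
    Asset("hr-db", "exampledb", "9.0", False, True, "dba"),
    Asset("build-server", "exampleweb", "3.0", False, False, "devops"),
]
VULN = Vulnerability("VULN-PLACEHOLDER-001", "exampleweb",
                     frozenset({"2.0", "2.1"}), "medium")
ANNOUNCED = date(2019, 4, 2)   # constructed announcement date


def sample_plan():
    """Run the procedure over the constructed inventory and announcement."""
    return remediation_plan(INVENTORY, VULN, ANNOUNCED)


if __name__ == "__main__":
    for action in sample_plan():
        print(action)
```

The inventory is the part that decides whether the procedure works at all: a system missing from it, or recorded with the wrong software version, never appears in the plan, which is why the standard asks for an inventory "sufficient to identify systems put at risk" before anything else.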