The Software Development Life Cycle: An Overview. Last Time. Session 8: Security and Evaluation. Information Systems Security Engineering
- Alice Carr
- 8 years ago
Transcription
The Software Development Life Cycle: An Overview
Presented by Maxwell Drew and Dan Kaiser, Southwest State University Computer Science Program

Last Time
- Brief review of the testing process
- Dynamic Testing Methods
- Static Testing Methods
- Deployment in MSF
- Deployment in RUP

Session 8: Security and Evaluation
- General s Engineering Concepts
- s Engineering Process
- Relation of ISSE Process to other Processes
- Product, Process & Resource Evaluation
- Course Evaluations

Information Systems Security Engineering
- General s Engineering Concepts
- s Engineering Process
- Relation of ISSE Process to other Processes

s Engineering Process
[Figure: process flow. Labels: Discover Needs, Define, Design, Implement, Assess Effectiveness, Users / Users Representatives]

Discover Needs
- Mission/Business Description
- Policy Consideration
- Mission Needs Statement (MNS)
- Concept of Operations (CONOPS)

Define
- Functionality Objectives - MoE
- Context/Environment
- Requirements - RTM
- Functional Analysis

Define
- Functional Allocation - CM
- Preliminary Design Baseline Configuration
- Detailed Design - CI

Implement
- Procurement
- Build
- Test

Assess Effectiveness
- Interoperability
- Availability
- Training
- Human/Machine Interface
- Cost

ISSE Activities
- Describing information protection needs
- Generating information protection based on needs early in the systems engineering process
- Satisfying the at an acceptable level of information protection risk
- Building a functional information protection architecture based on
- Allocating information protection functions to a physical and logical architecture
- Designing the system to implement the information protection architecture
- Balancing information protection risk management and other ISSE considerations within the overall system context of cost, schedule, and operational suitability and effectiveness

ISSE Activities - Continued
- Participating in trade-off studies with other information protection and system engineering disciplines
- Integrating the ISSE process with the systems engineering and acquisition processes
- Testing the system to verify information protection design and validate information protection
- Supporting the customers after deployment and tailoring the overall process to their needs

Discover Protection Needs
[Figure 3-2: Impact of Mission, Threats, and Policies on Protection Requirements. Labels: Mission, Threat Analysis, Policy, Protection Policy, Protection Requirements]

Layered Requirements Hierarchy
[Figure: layers MISSION/BUSINESS, ARCHITECTURE, DESIGN, IMPLEMENTATION. Labels: Functions, Requirements, Components, Specifications; scale running from More Abstract to More Specific]

Mission Protection Needs
- What kind of information records are being viewed, updated, deleted, initiated, or processed (classified, financial, proprietary, personal private, etc.)?
- Who or what is authorized to view, update, delete, initiate, or process information records?
- How do authorized users use the information to perform their duties?
- What tools (paper, hardware, software, firmware, and procedures) are authorized users using to perform their duties?
- How important is it to know with certainty that a particular individual sent or received a message or file?

Threats to Management
- Types of
- Legitimate users and uses of information
- Threat agent considerations
  - Capability
  - Intent
  - Willingness
  - Motivation
  - Damage to mission

Protection Policy Considerations
- Why protection is needed
- What protection is needed
- How protection is achieved not considered at this stage

Protection Policy Issues
- The resources/assets the organization has determined are critical or need protection
- The roles and responsibilities of individuals that will need to interface with those assets (as part of their operational mission needs definition)
- The appropriate way (authorizations) authorized individuals may use those assets (security ).

Define Protection
- Protection Objectives MoE
- Context/Environment
- Protection Requirements RTM
- Functional Analysis

Protection Objectives Should Explain:
- The mission objectives supported by information protection objective
- The mission-related threat driving the information protection objective
- The consequences of not implementing the objective
- protection guidance or policy supporting the objective

Design Protection
- Functional Allocation
- Preliminary Protection Design
- Detailed Protection Design

Preliminary Protection Design Activities
- Reviewing and refining Discover Needs and Define activities' work products, especially definition of the CI-level and interface specifications
- Surveying existing solutions for a match to CI-level
- Examining rationales for proposed PDR-level (of abstraction) solutions
- Verification that CI specifications meet higher-level information protection
- Supporting the certification and accreditation processes
- Supporting information protection operations development and life-cycle management decisions
- Participating in the system engineering process

Detailed Protection Design Activities
- Reviewing and refining previous Preliminary Design work products
- Supporting system- and CI-level design by providing input on feasible information protection solutions and/or review of detailed design materials
- Examining technical rationales for CDR-level solutions
- Supporting, generating, and verifying information protection test and evaluation and procedures
- Tracking and applying information protection assurance mechanisms
- Verifying CI designs meet higher level information protection
- Completing most inputs to the life-cycle security support approach, including providing information protection inputs to training and emergency training materials
- Reviewing and updating information protection risk and threat projections as well as any changes to the set
- Supporting the certification and accreditation processes
- Participating in the system engineering process

Implement Protection
- Procurement
- Build
- Test

Implement Protection General Activities
- Updates to the system information protection threat assessment, as projected, to the system's operational existence
- Verification of system information protection and constraints against implemented information protection solutions, and associated system verification and validation mechanisms and findings
- Tracking of, or participation in, application of information protection assurance mechanisms related to system implementation and testing practices

Implement Protection General Activities (cont.)
- Further inputs to and review of evolving system operational procedure and life-cycle support plans, including, for example, Communication (COMSEC) key distribution or releasability control issues within logistics support and information protection relevant elements within system operational and maintenance training materials
- A formal information protection assessment in preparation for the Verification Review
- Inputs to Certification and Accreditation (C&A) process activities as required
- Participation in the collective, multidisciplinary examination of all system issues

Build Protection
- Physical Integrity. Have the components that are used in the production been properly safeguarded against tampering?
- Personnel Integrity. Are the people assigned to construct or assemble the system knowledgeable in proper assembly procedures, and are they cleared to the proper level necessary to ensure system trustworthiness?

Test Protection Activities
- Reviewing and refining Design Protection work products
- Verifying system- and CI-level information protection and constraints against implemented solutions and associated system verification and validation mechanisms and findings
- Tracking and applying information protection assurance mechanisms related to system implementation and testing practices
- Providing inputs to and review of the evolving life-cycle security support plans, including logistics, maintenance, and training
- Continuing risk management activities
- Supporting the certification and accreditation processes
- Participating in the systems engineering process

Assess Effectiveness
- Interoperability. Does the system protect information correctly across external interfaces?
- Availability. Is the system available to users to protect information and information assets?
- Training. What degree of instruction is required for users to be qualified to operate and maintain the information protection system?
- Human/Machine Interface. Does the human/machine interface contribute to users making mistakes or compromising information protection mechanisms?
- Cost. Is it financially feasible to construct and/or maintain the information protection system?

Relation to Other Processes
- Acquisition Process
- Risk Management Process
- DITSCAP
- Common Criteria International Standard

ISSE and Acquisition Process Flows
[Figure: acquisition process flow alongside the Engineering (ISSE) Process. Acquisition phases: Requirements Identification Phase, Concept Exploration Phase, Engineering & Implementation, Production & Operational Support]

Risk Management Process
[Figure 3-5: Risk Management Process. Labels: Risk Management Cycle, Characterize Risk Posture, Characterize What Can Be Done, Decide What Will Be Done, Implement Decision Actions; Discover Protection Needs, Define Protection, Design Protection, Implement Protection, Assess Effectiveness; Users / Users Representatives]

Risk Decision Flow
[Figure: Risk Decision Flow. Labels: Threat Identification & Characterization; Vulnerability and Attack Identification & Characterization; Mission Impact Identification & Characterization; Countermeasure Identification & Characterization; Mission Critical Parameter Trade-Off; Risk Analysis; Compare and Contrast Available Attacks; Develop Theory of Adversarial Behavior; Develop Theory of Mission Impact; Compare and Contrast Various Courses of Action; Decide on Courses of Action; Improvements]

Risk Plane
[Figure 3-7: Risk Plane. X axis: Likelihood of Success (Low, Med., High). Y axis: Consequence (Low, Med., High). Plotted points: A-1, A-2, A-3]

DITSCAP Flow
[Figure: DITSCAP Flow. Phases: Phase 1 Definition, Phase 2 Verification, Phase 3 Validation, Phase 4 Post Accreditation. Other labels: Document Mission Need, Registration, Negotiation, Agreement, SSAA, Life Cycle Activity (1 to n), Certification Analysis, Ready For Certification, Develop Recommendation, Accreditation Granted, Compliance Validation Required, Change Requested]

Concepts & Relationships
[Figure 3-9: Concepts and Relationships in the Common Criteria. Entities: Owners, Countermeasures, Vulnerabilities, Threat Agents, Threats, Risk, Assets]

Evaluation Concepts & Relationships
[Figure: Labels: Assurance Techniques, Evaluation, Assurance, Confidence, Owners, Countermeasures, Risk, Assets]

Protection Profile
[Figure: Steps: Establish security environment, Establish security objectives, Establish Requirements, Establish TOE summary specification. Other labels: TOE physical, Assets requiring protection, TOE purpose, Assumptions, Threats, CC catalog, material (PP/ST)]

Use of Evaluation Results
[Figure 3-12: Uses of Evaluation Results. Labels: PPs Catalog (optional), Evaluated Products Catalog (optional), Develop & evaluate TOE, Evaluation results, Evaluated product, Accredit system, Accredited system, accreditation criteria]

Questions?

Evaluation
- General Techniques
- Evaluating the Product
- Evaluating the Process
- Evaluating Resources

Categories of Evaluation
- Feature analysis: rate and rank attributes
- Survey: document relationships
- Case study: sample from variables
- Formal experiment: sample over variables

Example Feature Analysis
Table: Design tool ratings
- Columns: Feature; Tool 1: t-oo-l; Tool 2: ObjecTool; Tool 3: EasyDesign; Importance
- Rows: Good user interface; Object-oriented design; Consistency checking; Use cases; Runs on Unix; Score

Case Study Types
- Sister projects: each is typical and has similar values for the independent variables
- Baseline: compare single project to organizational norm
- Random selection: partition single project into parts

Formal Experiment
- Controls variables
- Uses methods to reduce bias and eliminate confounding factors
- Often replicated
- Instances are representative: sample over the variables (whereas case study samples from the variables)

Evaluation Steps
- Setting the hypothesis: the tentative supposition that we think explains the behavior we want to explore
- Maintaining control over variables: decide what affects our hypothesis
- Making investigation meaningful: determine the degree to which results can be generalized

Common Evaluation Pitfalls
Table: Common pitfalls in evaluation. Adapted with permission from (Liebman 1994)
Pitfall | Description
1. Confounding | Another factor is causing the effect.
2. Cause or effect? | The factor could be a result, not a cause, of the treatment.
3. Chance | There is always a small possibility that your result happened by chance.
4. Homogeneity | You can find no link because all subjects had the same level of the factor.
5. Misclassification | You can find no link because you cannot accurately classify each subject's level of the factor.
6. Bias | Selection procedures or administration of the study inadvertently bias the result.
7. Too short | The short-term effects are different from the long-term ones.
8. Wrong amount | The factor would have had an effect, but not in the amount used in the study.
9. Wrong situation | The factor has the desired effect, but not in the situation studied.

Assessment vs. Prediction
- An assessment system examines an existing entity by characterizing it numerically
- Prediction system predicts characteristic of a future entity; involves a model with associated prediction procedures
  - deterministic prediction (we always get the same output for an input)
  - stochastic prediction (output varies probabilistically)

Product Quality Models
- Boehm's Model
- ISO 9126 Model

Boehm's Model

ISO 9126 Model

Targeting
Table: Quantitative targets for managing US defense projects. (NetFocus 1995)
Item | Target | Malpractice level
Fault removal efficiency | > 95% | < 70%
Original fault density | < 4 per function point | > 7 per function point
Slip or cost overrun in excess of risk reserve | 0% | > 10%
Total creep (function points or equivalent) | < 1% per month average | > 50%
Total program documentation | < 3 pages per function point | > 6 pages per function point
Staff turnover | 1 to 3% per year | > 5% per year

Software Reuse
- Producer reuse: creating components for someone else to use
- Consumer reuse: using components developed for some other product
- Black-box reuse: using component without modification
- Clear- or white-box reuse: modifying component before reusing it

Process Evaluation
- Postmortem Analysis: a post-implementation assessment of all aspects of the project
- Process Maturity Models: development has built in feedback and control mechanisms to spur improvement

Postmortem Analysis
- Design and promulgate a project survey to collect relevant data.
- Collect objective project information.
- Conduct a debriefing meeting.
- Conduct a project history day.
- Publish the results by focusing on lessons learned.

Table: When post-implementation evaluation is done.
Time period | Percentage of respondents (of 92 organizations)
Just before delivery | 27.8%
At delivery | 4.20%
One month after delivery | 22.20%
Two months after delivery | 6.90%
Three months after delivery | 18.10%
Four months after delivery | 1.40%
Five months after delivery | 1.40%
Six months after delivery | 13.90%
Twelve months after delivery | 4.20%

Capability Maturity Model (CMM)
Table: Required questions for level 1 of process maturity model.
- Does the Software Quality Assurance function have a management reporting channel separate from the software development project management?
- Is there a software configuration control function for each project that involves software development?
- Is a formal process used in the management review of each software development prior to making contractual commitments?
- Is a formal procedure used to make estimates of software size?
- Is a formal procedure used to produce software development schedules?
- Are formal procedures applied to estimating software development cost?
- Are profiles of software size maintained for each software configuration item over time?
- Are statistics on software code and test errors gathered?
- Does senior management have a mechanism for the regular review of the status of software development projects?
- Do software development first-line managers sign off on their schedule and cost estimates?
- Is a mechanism used for controlling changes to the software?
- Is a mechanism used for controlling changes to the code?

Table: Key process areas in the CMM (Paulk et al. 1993)
CMM level | Key process areas
Initial | none
Repeatable | Requirements management; Software project planning; Software project tracking and oversight; Software subcontract management; Software quality assurance; Software configuration management
Defined | Organization process focus; Organization process definition; Training program; Integrated software management; Software product engineering; Inter-group coordination; Peer reviews
Managed | Quantitative process management; Software quality management
Optimizing | Fault prevention; Technology change management; Process change management

Evaluating Resources
- People Maturity Model: goal is to improve workforce

Table: People capability maturity model. (Curtis, Hefley and Miller 1995)
Level | Focus | Key practices
5: optimizing | Continuous knowledge and skills improvement | Continuous workforce innovation; Coaching; Personal competency development
4: managed | Effectiveness measured and managed, high performance teams developed | Organizational performance alignment; Organizational competency management; Team-based practices; Team-building; Mentoring
3: defined | Competency-based workforce practices | Participatory culture; Competency-based practices; Career development; Competency development; Workforce planning; Knowledge and skills analysis
2: repeatable | Management takes responsibility for managing its people | Compensation; Training; Performance management; Staffing; Communication; Work
1: initial | |

Questions?

Course Evaluations
More informationTHREATS AND VULNERABILITIES FOR C 4 I IN COMMERCIAL TELECOMMUNICATIONS: A PARADIGM FOR MITIGATION
THREATS AND VULNERABILITIES FOR C 4 I IN COMMERCIAL TELECOMMUNICATIONS: A PARADIGM FOR MITIGATION Joan Fowler and Robert C. Seate III Data Systems Analysts, Inc. 10400 Eaton Place, Suite 400 Fairfax, VA
More informationSystems Development Life Cycle (SDLC)
DEPARTMENT OF BUDGET & MANAGEMENT (SDLC) Volume 1 Introduction to the SDLC August 2006 Table of Contents Introduction... 3 Overview... 4 Page 2 of 17 INTRODUCTION 1.0 STRUCTURE The SDLC Manual consists
More informationInformation Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus
Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination
More informationSOFTWARE DEVELOPMENT STANDARD FOR SPACECRAFT
SOFTWARE DEVELOPMENT STANDARD FOR SPACECRAFT Mar 31, 2014 Japan Aerospace Exploration Agency This is an English translation of JERG-2-610. Whenever there is anything ambiguous in this document, the original
More informationDepartment of Administration Portfolio Management System 1.3 June 30, 2010
E 06/ 30/ 2010 EX AM PL 1. 3 06/ 28/ 2010 06/ 24/ 2010 06/ 23/ 2010 06/ 15/ 2010 06/ 18/ 2010 Portfolio System 1.3 June 30, 2010 Contents Section 1. Project Overview... 1 1.1 Project Description... 1 1.2
More informationISTQB Certified Tester. Foundation Level. Sample Exam 1
ISTQB Certified Tester Foundation Level Version 2015 American Copyright Notice This document may be copied in its entirety, or extracts made, if the source is acknowledged. #1 When test cases are designed
More informationworkforce operate and maintain protect and defend securely provision support investigate analyze operate and collect CYBERSECURITY framework
introduction The National Initiative for Cybersecurity Education (NICE) is a nationally coordinated effort focused on cybersecurity awareness, education, training, and professional development. Two Executive
More information3SL. Requirements Definition and Management Using Cradle
3SL Requirements Definition and Management Using Cradle November 2014 1 1 Introduction This white paper describes Requirements Definition and Management activities for system/product development and modification
More informationComplete Web Application Security. Phase1-Building Web Application Security into Your Development Process
Complete Web Application Security Phase1-Building Web Application Security into Your Development Process Table of Contents Introduction 3 Thinking of security as a process 4 The Development Life Cycle
More informationCertification Report
Certification Report EAL 2+ Evaluation of Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme 2008 Government of Canada, Communications
More informationSOFTWARE CONFIGURATION MANAGEMENT GUIDEBOOK
Office of Safety and Mission Assurance NASA-GB-9503 SOFTWARE CONFIGURATION MANAGEMENT GUIDEBOOK AUGUST 1995 National Aeronautics and Space Administration Washington, D.C. 20546 PREFACE The growth in cost
More informationFinding the Right People for Your Program Evaluation Team: Evaluator and Planning Team Job Descriptions
: Evaluator and Planning Team Job Descriptions I. Overview II. Sample Evaluator Job Description III. Evaluator Competencies IV. Recruiting members of your strategic evaluation planning team V. Recruiting
More informationInformation Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services
Information Security Policy Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Contents 1 Purpose / Objective... 1 1.1 Information Security... 1 1.2 Purpose... 1 1.3 Objectives...
More informationDomain 1 The Process of Auditing Information Systems
Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge
More informationThe Information Assurance Process: Charting a Path Towards Compliance
The Information Assurance Process: Charting a Path Towards Compliance A white paper on a collaborative approach to the process and activities necessary to attain compliance with information assurance standards.
More informationSEI Level 2, 3, 4, & 5 1 Work Breakdown Structure (WBS)
SEI Level 2, 3, 4, & 5 1 Work Breakdown Structure (WBS) 1.0 SEI Product 1.1 SEI Level 2 Product 1.1.1 SEI Level 2 Process 1.1.1.1 Requirements Management Process 1.1.1.2 Software Project Planning Process
More informationComputer and Network Security
Computer and Network Security Common Criteria R. E. Newman Computer & Information Sciences & Engineering University Of Florida Gainesville, Florida 32611-6120 nemo@cise.ufl.edu Common Criteria Consistent
More informationDepartment of Defense INSTRUCTION
Department of Defense INSTRUCTION NUMBER 5200.44 November 5, 2012 DoD CIO/USD(AT&L) SUBJECT: Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN) References: See Enclosure
More informationProtect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance
Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance Sponsored by the U.S. Department of Homeland Security (DHS), the Software Engineering Institute
More informationSSA-312. ISA Security Compliance Institute System Security Assurance Security development artifacts for systems
SSA-312 ISA Security Compliance Institute System Security Assurance Security development artifacts for systems Version 1.01 February 2014 Copyright 2013-2014 ASCI - Automation Standards Compliance Institute,
More informationPersonal Software Process (PSP)
Personal Software Process (PSP) Application of CMM principles to individuals Developed by Watts Humphrey of the Software Engineering Institute (SEI) in the early 1990s Extensive supporting materials: books,
More informationCRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data
CRISC Glossary Term Access control Access rights Application controls Asset Authentication The processes, rules and deployment mechanisms that control access to information systems, resources and physical
More informationModule 10. Coding and Testing. Version 2 CSE IIT, Kharagpur
Module 10 Coding and Testing Lesson 23 Code Review Specific Instructional Objectives At the end of this lesson the student would be able to: Identify the necessity of coding standards. Differentiate between
More informationCTR System Report - 2008 FISMA
CTR System Report - 2008 FISMA February 27, 2009 TABLE of CONTENTS BACKGROUND AND OBJECTIVES... 5 BACKGROUND... 5 OBJECTIVES... 6 Classes and Families of Security Controls... 6 Control Classes... 7 Control
More informationSoftware and Systems Engineering. Software and Systems Engineering Process Improvement at Oerlikon Aerospace
SYMPOSIUM at Claude Y. Laporte OA - Process Engineering Nicola R. Papiccio OA - Software Engineering AGENDA Introduction Software Engineering Process s Engineering Process Management of of Change Lessons
More informationImplementation of ANSI/AAMI/IEC 62304 Medical Device Software Lifecycle Processes.
Implementation of ANSI/AAMI/IEC 62304 Medical Device Software Lifecycle Processes.. www.pharmout.net Page 1 of 15 Version-02 1. Scope 1.1. Purpose This paper reviews the implementation of the ANSI/AAMI/IEC
More informationSummary of GAO Cost Estimate Development Best Practices and GAO Cost Estimate Audit Criteria
Characteristic Best Practice Estimate Package Component / GAO Audit Criteria Comprehensive Step 2: Develop the estimating plan Documented in BOE or Separate Appendix to BOE. An analytic approach to cost
More informationReaching CMM Levels 2 and 3 with the Rational Unified Process
Reaching CMM Levels 2 and 3 with the Rational Unified Process Rational Software White Paper TP174 Table of Contents INTRODUCTION... 1 LEVEL-2, REPEATABLE... 3 Requirements Management... 3 Software Project
More informationThe IT Service CMM. Presentation overview. IT Service CMM. What it is; what it is not. Using the IT Service CMM. Current status and outlook 19/04/2002
The IT Service CMM Frank Niessink niessink@serc.nl Version 2.4, March 15, 2002 Presentation overview IT Service CMM Services versus products Service quality What it is; what it is not Goals, structure,
More informationThe introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.
1 Cyber-attacks frequently take advantage of software weaknesses unintentionally created during development. This presentation discusses some ways that improved acquisition practices can reduce the likelihood
More informationSIN 132-51, SIN 132-51 STLOC, 132-51RC - INFORMATION TECHNOLOGY (IT) PROFESSIONAL SERVICES
AUTHORIZED FEDERAL ACQUISITION SERVICE INFORMATION TECHNOLOGY SCHEDULE PRICELIST GENERAL PURPOSE COMMERCIAL INFORMATION TECHNOLOGY EQUIPMENT, SOFTWARE AND SERVICES SIN 132-51, SIN 132-51 STLOC, 132-51RC
More informationICT Supply Chain Risk Management
ICT Supply Chain Risk Management Celia Paulsen Computer Security Division IT Laboratory Manager s Forum June 4, 2013 General Problem Definition Scope of Supplier Expansion and Foreign Involvement graphic
More informationOpen Data Center Alliance Usage: Provider Assurance Rev. 1.1
sm Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 Legal Notice This Open Data Center Alliance SM Usage:Provider Assurance is proprietary to the Open Data Center Alliance, Inc. NOTICE TO USERS
More informationSystem Development Life Cycle Guide
TEXAS DEPARTMENT OF INFORMATION RESOURCES System Development Life Cycle Guide Version 1.1 30 MAY 2008 Version History This and other Framework Extension tools are available on Framework Web site. Release
More informationSECURITY. Risk & Compliance Services
SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize
More informationUnderstanding changes to the Trust Services Principles for SOC 2 reporting
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding changes to the Trust Services Principles for SOC 2 reporting
More informationProgram Lifecycle Methodology Version 1.7
Version 1.7 March 30, 2011 REVISION HISTORY VERSION NO. DATE DESCRIPTION AUTHOR 1.0 Initial Draft Hkelley 1.2 10/22/08 Updated with feedback Hkelley 1.3 1/7/2009 Copy edited Kevans 1.4 4/22/2010 Updated
More informationJuniper Networks Secure
White Paper Juniper Networks Secure Development Lifecycle Six Practices for Improving Product Security Copyright 2013, Juniper Networks, Inc. 1 Table of Contents Executive Summary...3 Introduction...3
More informationNational Information Assurance Partnership
National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report Protection Profile for Software Full Disk Encryption, Version 1.1 Report Number: CCEVS-VR-PP-0003
More informationHow To Integrate Software And Systems
September 25, 2014 EFFECTIVE METHODS FOR SOFTWARE AND SYSTEMS INTEGRATION P R E S E N T E D B Y: D R. B O Y D L. S U M M E R S 1 Software Engineer (Quality) Defense and Space The Boeing Company - Seattle,
More informationJohn Essner, CISO Office of Information Technology State of New Jersey
John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management
More informationSoftware Process for QA
Software Process for QA Basic approaches & alternatives CIS 610, W98 / M Young 1/7/98 1 This introduction and overview is intended to provide some basic background on software process (sometimes called
More informationImplementing Program Protection and Cybersecurity
Implementing Program Protection and Cybersecurity Melinda Reed Office of the Deputy Assistant Secretary of Defense for Systems Engineering Mark Godino Office of the Deputy Assistant Secretary of Defense
More informationITL BULLETIN FOR MARCH 2012 GUIDELINES FOR IMPROVING SECURITY AND PRIVACY IN PUBLIC CLOUD COMPUTING
ITL BULLETIN FOR MARCH 2012 GUIDELINES FOR IMPROVING SECURITY AND PRIVACY IN PUBLIC CLOUD COMPUTING Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute
More informationUniversity of Paderborn Software Engineering Group II-25. Dr. Holger Giese. University of Paderborn Software Engineering Group. External facilities
II.2 Life Cycle and Safety Safety Life Cycle: The necessary activities involving safety-related systems, occurring during a period of time that starts at the concept phase of a project and finishes when
More information