Forwarded from: Elizabeth Lennon <elizabeth.lennon@private>
ITL BULLETIN FOR SEPTEMBER 2004
INFORMATION SECURITY WITHIN THE SYSTEM DEVELOPMENT LIFE CYCLE
By Annabelle Lee and Tanya Brewer-Joneas
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce
Many System Development Life Cycle (SDLC) models exist that can be
used by an organization to effectively develop an information system.
A traditional SDLC is a linear sequential model. This model assumes
that the system will be delivered near the end of its life cycle.
Another SDLC model uses prototyping, which is often used to develop an
understanding of system requirements without developing a final
operational system. More complex models have been developed to address
the evolving complexity of advanced and large information system
designs. The SDLC model is embedded in any of the major system
developmental approaches:
* Waterfall - the phases are executed sequentially.
* Spiral - the phases are executed sequentially with
feedback loops to previous phases.
* Incremental development - several partial deliverables
are constructed and each deliverable has incrementally more
functionality. Builds are constructed in parallel, using
available information from previous builds. The product is
designed, implemented, integrated, and tested as a series
of incremental builds.
* Evolutionary - there is re-planning at each phase in the
life cycle based on feedback. Each phase is divided into
multiple project cycles with deliverable measurable results
at the completion of each cycle.
Security should be incorporated into all phases, from initiation to
disposition, of an SDLC model. There are several NIST documents that
are applicable to every phase of the SDLC, including Special
Publications (SPs) 800-27 and 800-64 (see reference list at the end of
this bulletin).
The following questions are some high-level starting points that
should be addressed in determining the security
controls/countermeasures that will be required for a system:
* How critical is the system in meeting the organization's
mission?
* What are the security objectives required by the system,
e.g., integrity, confidentiality, and availability?
* What regulations and policies are applicable in
determining what is to be protected?
* What are the threats that are applicable in the
environment where the system will be operational?
* Who selects the protection mechanisms that are to be
implemented in the system?
A general SDLC includes five phases. Each of the five phases includes
a minimum set of information security tasks needed to effectively
incorporate security into a system during its development. The
following illustrates the information security tasks applicable to
each SDLC phase and the relevant references.
Listed below are the five phases with the information security tasks
performed in each phase and the applicable references. At the end of
the phase and task descriptions is a complete listing of all the
references.
(See http://www.itl.nist.gov/lab/bulletns/bltnsep04.pdf for
full-page graphic on page 2.)
Phase 1: Initiation
Key Tasks:
1. Business partner engagement (Key Documents: SP
800-35, 800-27; Additional References: Federal Information
Processing Standard [FIPS] 191, SP 800-65, SP 800-47, SP 800-33)
2. Document enterprise architecture (Key Document: SP
800-47; Additional References: SP 800-58, SP 800-48, SP
800-46, SP 800-45, SP 800-44, SP 800-43, SP 800-41, SP
800-40, SP 800-36, SP 800-33, SP 800-31, SP 800-28)
a. Security environment
b. Interconnections to external systems
3. Identification/specification of applicable policies
and laws (Key Documents: SP 800-14, SP 800-12)
4. Development of Confidentiality, Integrity, and
Availability objectives (Key Documents: FIPS 199, SP 800-60)
5. Information and information system security
categorization (Key Documents: FIPS 199, SP 800-60;
Additional Reference: SP 800-59)
6. Procurement specification development (Key
Documents: SP 800-36, SP 800-23; Additional References: SP
800-66, SP 800-49, SP 800-47, SP 800-27)
a. FIPS 140-2 validated cryptographic algorithms and
modules (Additional References: FIPS 140-2; FIPS 46-3, FIPS
81, FIPS 180-2, FIPS 185, FIPS 186-2, FIPS 197, FIPS 198,
SP 800-67, SP 800-38A, SP 800-38B, SP 800-38C, 800-22, SP
800-21, SP 800-20, SP 800-17)
b. Common Criteria (CC) evaluated products (Additional
Reference: CC)
7. Preliminary Risk Assessment (Key Document: SP 800-30)
Phase 2: Acquisition/ Development
Key Tasks:
1. Risk assessment (Key Document: SP 800-30;
Additional References: SP 800-14, SP 800-12)
2. Selection of initial baseline of security controls
(Key Document: SP 800-53)
a. System specific controls
b. Agency common controls
3. Refinement - security control baseline (Key
Document: SP 800-53; Additional References: SP 800-36, SP
800-35, SP 800-31)
4. Security control design (Key Documents: SP 800-36,
SP 800-23; Additional References: FIPS 181, FIPS 190, FIPS
196, SP 800-70, SP 800-66, SP 800-64, SP 800-58, SP 800-49,
SP 800-48, SP 800-46, SP 800-45, SP 800-44, SP 800-43, SP
800-41, SP 800-35, SP 800-33, SP 800-31, SP 800-28)
5. Cost analysis and reporting (Key Documents: SP
800-64, SP 800-36; Additional References: SP 800-65, SP
800-35, SP 800-12)
6. Security planning (Key Document: SP 800-55;
Additional References: SP 800-65, SP 800-26, SP 800-12)
a. Security plan (Additional Reference: SP 800-18)
b. Configuration management (CM) plan (Additional
Reference: SP 800-64)
c. Contingency plan (including continuity of
operations plan) (Additional References: FIPS 87, SP
800-34, SP 800-12, SP 800-14)
d. Training plan (Additional References: SP 800-50,
800-16, SP 800-14, SP 800-12)
e. Incident response plan (Key Document: SP 800-61;
Additional References: SP 800-40, SP 800-14, SP 800-12)
7. Unit/integration security test and evaluation
(ST&E) (Key Documents: CC, FIPS 140-2; Additional
Reference: SP 800-37)
Phase 3: Implementation/ Assessment
Key Tasks:
1. Product/component inspection and acceptance (Key
Documents: SP 800-64, SP 800-51; Additional References: CC,
FIPS 140-2)
2. Security control integration (Key Document: SP 800-64)
3. User/administrative guidance (Key Documents: SP
800-61; SP 800-36, SP 800-35; SP 800-56, SP 800-57)
a. Procedures (Additional Reference: SP 800-14)
b. Security checklists and configuration (Additional
References: FIPS 181, FIPS 190, FIPS 196, SP 800-70, SP
800-68, SP 800-58, SP 800-49, SP 800-48, SP 800-47, SP
800-46, SP 800-45, SP 800-44, SP 800-43, SP 800-41, SP
800-40, SP 800-33, SP 800-31, SP 800-28)
c. Key management
4. System ST&E plan (Key Document: SP 800-55;
Additional References: SP 800-47, SP 800-46, SP 800-45, SP
800-44, SP 800-42, SP 800-41)
5. Security certification (Key Document: SP 800-37, SP
800-53A; Additional References: SP 800-42, SP 800-41, SP
800-26)
6. Statement of residual risk (Key Document: SP 800-37)
7. Security accreditation (Key Document: SP 800-37)
Phase 4: Operations/ Maintenance
Key Tasks:
1. CM change control and auditing (Key Document:
Handbook [HB] 150; Additional References: HB 150-17, HB
150-20)
2. Continuous monitoring (Key Document: SP 800-26;
Additional References: SP 800-51, SP 800-42, SP 800-41, SP
800-40, SP 800-36, SP 800-35, SP 800-28)
a. Installation of patches (Additional References: SP
800-40)
b. FIPS 140-2 crypto module revalidation (Additional
References: FIPS 140-2, FIPS 46-3, FIPS 81, FIPS 180-2,
FIPS 185, FIPS 186-2, FIPS 197, FIPS 198, SP 800-67, SP
800-38A, SP 800-38B, SP 800-38C, SP 800-22, SP 800-21, SP
800-20, SP 800-17)
c. CC product reevaluation (Additional References: CC)
d. Assessment of operational controls
i. Administrative/personnel (Additional Reference: SP
800-35)
ii. Physical (Additional Reference: SP 800-35)
3. Recertification (Key Documents: SP 800-37, SP
800-53A; Additional References: SP 800-42, SP 800-41)
4. Reaccreditation (Key Document: SP 800-37)
5. Incident handling (Key Document: SP 800-61;
Additional References: SP 800-40, SP 800-14, SP 800-12)
6. Auditing (Key Documents: HB 150, SP 800-55;
Additional References: HB 150-17, HB 150-20)
7. Intrusion detection and monitoring (Key Documents:
SP 800-61, SP 800-31)
8. Contingency plan testing (including continuity of
operations plan) (Key Document: SP 800-34; Additional
References: FIPS 87, SP 800-14, SP 800-12)
Phase 5: Disposition (Sunset)
Key Tasks:
1. Transition planning (Key Document: SP 800-64;
Additional References: SP 800-47, SP 800-46, SP 800-45, SP
800-44, SP 800-43, SP 800-41, SP 800-35, SP 800-27, SP
800-14, SP 800-12)
2. Component disposal (Key Document: SP 800-35;
Additional Reference: SP 800-14)
3. Media sanitization (Key Document: SP 800-36)
4. Information archiving (Key Documents: SP 800-14, SP
800-12)
a. Confidentiality
b. Integrity
References:
Statutes and Regulations
Federal Information Security Management Act of 2002
(FISMA), H.R. 2458, Title III [Public Law 107-347], 107th
U.S. Congress, December 17, 2002.
Cyber Security Research and Development Act, H.R. 3394
[Public Law 107-355], 107th U.S. Congress, November 27, 2002.
U. S. Office of Management and Budget, Circular No. A-130,
Appendix III, Security of Federal Automated Information
Resources, February 1996.
Special Publications
(For current status of NIST publications (draft or final),
go to http://csrc.nist.gov.)
SP 800-70, The NIST Security Configuration Checklists Program
SP 800-68, Guidance for Securing Microsoft Windows XP
Systems for IT Professionals: a NIST Security Configuration
Checklist
SP 800-67, Recommendation for the Triple Data Encryption
Algorithm (TDEA) Block Cipher
SP 800-66, An Introductory Resource Guide for Implementing
the Health Insurance Portability and Accountability Act
(HIPAA) Security Rule
SP 800-65, Integrating Security into the Capital Planning
and Investment Control Process
SP 800-64, Security Considerations in the Information
System Development Life Cycle
SP 800-61, Computer Security Incident Handling Guide
SP 800-60, Guide for Mapping Types of Information and
Information Systems to Security Categories
SP 800-59, Guideline for Identifying an Information System
as a National Security System
SP 800-58, Security Considerations for Voice Over IP Systems
SP 800-57, Recommendation on Key Management
SP 800-56, Recommendation on Key Establishment
SP 800-55, Security Metrics Guide for Information
Technology Systems
SP 800-53A, Guide for Assessing the Security Controls in
Federal Information Systems
SP 800-53, Recommended Security Controls for Federal
Information Systems
SP 800-51, Use of the Common Vulnerabilities and Exposures
(CVE) Vulnerability Naming Scheme
SP 800-50, Building an Information Technology Security
Awareness and Training Program
SP 800-49, Federal S/MIME V3 Client Profile
SP 800-48, Wireless Network Security: 802.11, Bluetooth,
and Handheld Devices
SP 800-47, Security Guide for Interconnecting Information
Technology Systems
SP 800-46, Security for Telecommuting and Broadband
Communications
SP 800-45, Guidelines on Electronic Mail Security
SP 800-44, Guidelines on Securing Public Web Servers
SP 800-43, Systems Administration Guidance for Windows 2000
Professional
SP 800-42, Guideline on Network Security Testing
SP 800-41, Guidelines on Firewalls and Firewall Policy
SP 800-40, Procedures for Handling Security Patches
SP 800-38C, Recommendation for Block Cipher Modes of
Operation: the CCM Mode for Authentication and Confidentiality
SP 800-38B, Recommendation for Block Cipher Modes of
Operation: the CMAC Authentication Mode
SP 800-38A, Recommendation for Block Cipher Modes of
Operation - Methods and Techniques
SP 800-37, Guide for the Security Certification and
Accreditation of Federal Information Systems
SP 800-36, Guide to Selecting Information Security Products
SP 800-35, Guide to Information Technology Security Services
SP 800-34, Contingency Planning Guide for Information
Technology Systems
SP 800-33, Underlying Technical Models for Information
Technology Security
SP 800-31, Intrusion Detection Systems (IDS)
SP 800-30, Risk Management Guide for Information Technology
Systems
SP 800-28, Guidelines on Active Content and Mobile Code
SP 800-27, Engineering Principles for Information
Technology Security (A Baseline for Achieving Security)
SP 800-26, Security Self-Assessment Guide for Information
Technology Systems
SP 800-23, Guideline to Federal Organizations on Security
Assurance and Acquisition/Use of Tested/Evaluated Products
SP 800-22, A Statistical Test Suite for Random and
Pseudorandom Number Generators for Cryptographic Applications
SP 800-21, Guideline for Implementing Cryptography in the
Federal Government
SP 800-20, Modes of Operation Validation System for the
Triple Data Encryption Algorithm (TMOVS): Requirements and
Procedures
SP 800-18, Guide for Developing Security Plans for
Information Technology Systems
SP 800-17, Modes of Operation Validation System (MOVS):
Requirements and Procedures
SP 800-16, Information Technology Security Training
Requirements: A Role- and Performance-Based Model
SP 800-14, Generally Accepted Principles and Practices for
Securing Information Technology Systems
SP 800-12, An Introduction to Computer Security: The NIST
Handbook
FIPS
FIPS 46-3, Data Encryption Standard (DES)
FIPS 81, DES Modes of Operation
FIPS 87, Guidelines for ADP Contingency Planning
FIPS 140-2, Security requirements for Cryptographic Modules
FIPS 180-2, Secure Hash Standard (SHS)
FIPS 181, Automated Password Generator
FIPS 185, Escrowed Encryption Standard
FIPS 186-2, Digital Signature Standard (DSS)
FIPS 190, Guideline for the Use of Advanced Authentication
Technology Alternatives
FIPS 191, Guideline for The Analysis of Local Area Network
Security
FIPS 196, Entity Authentication Using Public Key Cryptography
FIPS 197, Advanced Encryption Standard
FIPS 198, The Keyed-Hash Message Authentication Code (HMAC)
FIPS 199, Standards for Security Categorization of Federal
Information and Information Systems
Handbooks
NIST Handbook 150: 2001, NVLAP Procedures and General
Requirements
NIST Handbook 150-17, NVLAP Cryptographic Module Testing
NIST Handbook 150-20, NVLAP Information Technology Security
Testing - Common Criteria
Miscellaneous
CC, Common Criteria for Information Technology Security
Evaluation, Version 2.2
Disclaimer: Any mention of commercial products or
reference to commercial organizations is for information
only; it does not imply recommendation or endorsement by
the National Institute of Standards and Technology nor does
it imply that the products mentioned are necessarily the
best available for the purpose.
Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 840-1357
_________________________________________
Donate online for the Ron Santo Walk to Cure Diabetes - http://www.c4i.org/ethan.html
This archive was generated by hypermail 2.1.3 : Thu Sep 30 2004 - 07:52:42 PDT