CHAPTER 15


Information Assurance in System Development and Acquisition


An emerging trend in software engineering is the consideration of the information assurance requirements during system design and development. Integrate secure design into all stages of system development to ensure appropriate protection. As with other aspects of system development, countermeasures are most effective when planned and managed from the initial planning phase up to the disposal phase. This was introduced in Chapter 2 as part of the MSR model.

This chapter provides an overview of how to integrate information assurance requirements into each stage of the system development life cycle (SDLC) to ensure that a secure system is produced. This chapter also explains the role of information assurance planning in a system development context to ensure that information assurance issues are addressed at the earliest stages of a software project. Although agile, scrum, waterfall, XP, and Kanban differ in detail, the discussion in this chapter also applies in general to application development.

Frequently, software systems projects are designed and implemented by programmers without adequate consideration for information assurance, architectural, and software engineering principles. One view of system development is that software engineers have the imagination to see how something can be created, while other engineers imagine how things might fail. In the middle are programmers who just build things and worry little about either problem. Just make it run. They create software to function and skip the security portion. The secure software development life cycle (SSDLC) is more than programming. For managers, the SSDLC requires establishing mechanisms that direct or restrain the actions of the program stakeholders to those enumerated in the requirements and specifications. Information assurance and associated security measures must be early binding functions; build them in from the beginning to produce hack-resistant and resilient software.

Internationally recognized software engineer and computer scientist Fred Brooks realized that functionality frequently supplants design. In his classic work, The Mythical Man-Month, he suggests that only one-sixth of the effort be devoted to coding, while one-third be devoted to planning and design. The remaining half of the effort is devoted to component and system testing.

Benefits of Incorporating Security Considerations


Organizations that develop their own systems benefit when integrating information assurance and security into their development methods. Since adding information assurance at a later stage may introduce disruptions to current operations and incur additional costs, information assurance is managed best if planned at the beginning of system development.

Even though it is advisable to integrate information assurance at the beginning of system development, it also needs to be examined and integrated throughout the life cycle so that information assurance keeps up with changes in the threat and risk environment. Adding information assurance controls to a system after a security event or incident has occurred is more expensive. Since it is impossible to anticipate every problem that may arise during a system’s lifetime, update the system security plan at the end of each phase of system development and regularly throughout its use. For most organizations, the interval between updates of the system security plan should be no longer than half the period for which you are willing to tolerate unauthorized changes to the system.

To ensure that information assurance is covered comprehensively and that related issues can be traced and managed, you should document decisions made about information assurance in all phases of system development. This documentation is useful to both technical personnel and auditors. Auditors can use the documentation as evidence that adequate information assurance has been incorporated into the system.

Overview of the System Development Life Cycle

The system development life cycle is the overall process of creating, implementing, and decommissioning information systems through a multistep process from initiation, analysis, design, implementation, and maintenance to disposal. Figure 15-1 is an overview of the system development life cycle, while Table 15-1 summarizes the information assurance activities in each phase of the system development life cycle. Other system development approaches that also apply the phases in Figure 15-1 are process model, model-driven, and component-based.


Figure 15-1 Overview of the system development life cycle (SDLC)


Table 15-1 Activities in a System Development Life Cycle

The five phases of the system development life cycle can be used to develop either a new or an upgraded system or module. Table 15-1 describes activities performed for each respective phase in the system development life cycle.

Information Assurance in the System Development Life Cycle

Integrate information assurance activities into the system development life cycle to ensure proper identification, design, integration, and maintenance of applicable information assurance controls throughout an information system’s life cycle. The information assurance team should actively participate in each stage of the life cycle to ensure that information assurance is examined and integrated during system development. Table 15-2 summarizes the activities in all phases of the system development life cycle.


Table 15-2 Secure System Development Life Cycle (SSDLC) in Information Assurance

Information Assurance in the System or Service Acquisition Life Cycle

Integrating information assurance into business processes and development or acquisition life cycles can be a challenging, yet necessary, business function. System developers and system owners are most interested in ensuring their system is up and operational at the lowest cost and the greatest performance. System developers and owners must know about information assurance requirements and the risks of not implementing them as part of their life cycles. Information assurance teams must work hard to integrate information assurance into change management and configuration management processes within their organizations, or they will constantly be playing “catch up!”

System Development

As noted earlier, system development relies on stakeholders to establish requirements for the developers. Information assurance teams must be represented at the table, and they must deliver accurate and concise information assurance requirements for the development process. This is often the most overlooked step in ensuring information assurance is included in the system development process. Information assurance teams should perform the following to ensure they are part of any system development process:

      • Gain management buy-in for mandatory involvement of the information assurance team during the requirements gathering phase of system development. The lead information technology professional must require developers to consult and get the information assurance team’s sign-off on any new requirements.

      • Develop and use standard information assurance enterprise architectures that explain commonly available security services and controls throughout the organization. These baselines can then aid the system development team in understanding which existing services and controls can be adopted or inherited by new development efforts.

      • Information assurance teams must be able to provide solutions. Stating an application cannot be developed because of security concerns is largely seen as obstructionist; development teams may try to circumvent information assurance processes. If the information assurance team is requiring a control, they must be able to offer realistic implementation options or considerations.

System Acquisition

More systems are being procured in the cloud as Software as a Service (SaaS) than ever before. While these solutions provide “turn-key” access to information systems, the organization and senior management must be aware of the limitations and restrictions these providers may impose. The information assurance team is a vital member of the acquisition team. To ensure information assurance risk is uncovered and treated as part of a system acquisition, the information assurance team should do the following:

      • Ensure the team is involved in the budget authorization process for all information technology and service acquisitions. If the information assurance function of an organization must “sign off” on budgets that involve information technology, it gives the team leverage to ensure risk is managed as part of the process.

      • Develop standard contract and procurement language with the aid of legal counsel. These contract standards should include information assurance requirements for not only information systems but also personnel and legal jurisdictions. Remember, an organization’s information is subject to the legal jurisdictions of all countries in which it is processed, stored, or transmitted.

      • Review contract proposals and provide input into the information assurance advantages and deficiencies of providers.

      • Participate in negotiations with vendors to ensure information assurance requirements are initially met and are continuously monitored for compliance.

      • If needed, assess, audit, or independently verify and validate the provider to ensure it has met the requirements of the contract and the organization.

Change Management

Organizational change management often separates chaotic low-performing organizations from nimble high-performing organizations. Change management is the process of ensuring that changes to the organization are communicated to all relevant stakeholders and that their impacts are understood before the changes are implemented. Configuration management is a subprocess of change management for information systems and services. Information assurance teams must be involved in change management to ensure that changes to organizational systems, people, and processes do not have undesired impacts on the organization. Information assurance teams should do the following:

      • Ensure a change management process exists and that the information assurance team is part of the voting process. Information assurance team members often hold a “veto” vote for changes that are not fully information assurance compliant: their vote does not count toward approval of a change, but they can demand that a change be put on hold or canceled because of the associated risks.

      • Collaborate with business lines and stakeholders to understand which changes are on the horizon and what direction the organization is headed. Is the organization moving toward more outsourcing? Is a merger or acquisition in the future? Does a mission area want to adopt a new mode of working like telework? Are services or systems out of maintenance because of age or a lack of renewal? These are all questions that can have a substantial information assurance impact if not managed correctly.

      • Clearly communicate the risk of a change through a formal assurance impact assessment process. This assessment process should review the change in light of the organization’s risk posture and risk tolerance. The information assurance team should ensure clear explanations of impact are reported and the senior management officials involved in the decision are aware of the impact and approve of the residual risk.

Configuration Management

Configuration management is a more specific subset of change management. Configuration management specifically focuses on the information systems and services used by an organization. Configuration management ensures consistent secure baselines are applied to information services and systems. To ensure configuration management does not introduce information assurance risk, the information assurance team should do the following:

      • Ensure they are involved in any configuration development or modification process. This includes the development of new system or service configuration baselines and the updating of baselines already in use.

      • Assess and test new configuration baselines and proposed changes to configuration baselines. An information assurance impact assessment can be used to test changes and ensure they are not introducing risk to the information system.

      • Monitor patches and vendors to ensure new security and information assurance–related patches are acquired, tested, added to the baseline, and propagated as quickly as possible.

      • Scan and monitor the organization’s networks and information systems to determine whether all systems are in compliance with the approved configurations. Deviations should be identified and assessed to determine whether the baseline should be updated or a new baseline should be created for the deviation.
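The last two bullets above describe a procedure (approve a baseline, scan hosts, flag deviations, then decide whether to remediate the host or revise the baseline) that is easiest to see in code. The following is an added example and is not code from the chapter or from any product it mentions: it compares sshd configuration text pulled from hosts against an approved baseline and lists every deviation, including directives that are simply absent and therefore fall back to a daemon default. The baseline values, the host names, and the sample configuration text are all constructed for illustration; a real baseline would come from the organization's approved configuration standard, and the text would come from whatever scanner or agent collects it.

```python
"""Configuration baseline compliance check (added example, not from the chapter).

Compares the sshd configuration found on each host against an approved baseline
and reports each deviation so it can be assessed: either the host is brought back
into compliance, or the baseline is updated (or a new baseline created) for a
justified exception.

The baseline, host names and configuration text below are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Approved baseline (hypothetical values): directive -> required value.
# Directives are compared case-insensitively, as sshd treats them.
SSHD_BASELINE: Dict[str, str] = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
}

# Constructed sample of what a scanner pulled back from two hosts.
HOST_CONFIGS: Dict[str, str] = {
    "web01": """
# sshd_config on web01 (constructed sample)
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
""",
    "db02": """
# sshd_config on db02 (constructed sample)
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
# MaxAuthTries is not set here, so sshd's default applies: that is a deviation
""",
}


@dataclass(frozen=True)
class Deviation:
    host: str
    key: str
    expected: str
    actual: Optional[str]  # None means the directive is absent from the host config


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines into a dict.

    Lines whose first non-blank character is '#' and empty lines are skipped.
    Keywords are lower-cased, and the first occurrence of a keyword wins, which
    matches how sshd itself resolves repeated directives.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        settings.setdefault(key, value)
    return settings


def check_host(host: str, config_text: str, baseline: Dict[str, str]) -> List[Deviation]:
    """Return every baseline directive the host fails, including missing ones."""
    actual = parse_sshd_config(config_text)
    deviations: List[Deviation] = []
    for key, expected in baseline.items():
        found = actual.get(key)
        if found != expected:
            deviations.append(Deviation(host, key, expected, found))
    return deviations


def compliance_report(host_configs: Dict[str, str],
                      baseline: Dict[str, str]) -> Dict[str, List[Deviation]]:
    """Map host -> list of deviations; an empty list means the host is compliant."""
    return {host: check_host(host, text, baseline) for host, text in host_configs.items()}


if __name__ == "__main__":
    for host, devs in compliance_report(HOST_CONFIGS, SSHD_BASELINE).items():
        status = "COMPLIANT" if not devs else f"{len(devs)} deviation(s)"
        print(f"{host}: {status}")
        for d in devs:
            shown = d.actual if d.actual is not None else "<not set>"
            print(f"  {d.key}: expected {d.expected!r}, found {shown!r}")
```

In this constructed data web01 is compliant and db02 shows three deviations (root login and password authentication enabled, MaxAuthTries unset). Treating an absent directive as a deviation rather than a pass is deliberate: a baseline that only checks directives that happen to be present silently accepts whatever the daemon default is. Each reported deviation is the input to the assessment the bullet above calls for, and a justified exception should end up as an updated or separate baseline rather than as a host that is quietly left out of the scan.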

Further Reading

      • An Introduction to Computer Security: The NIST Handbook (Special Publication 800-12). NIST, 1996.

      • Bowen, P., et al. Information Security: A Guide for Managers (Special Publication 800-100). NIST, 2006.

      • Brooks, Frederick P. The Mythical Man-Month. Addison-Wesley, 1975 (anniversary ed., 1995).

      • Howard, M., and S. Lipner. The Security Development Lifecycle. Microsoft Press, 2006.

      • Schou, Corey D., and K.J. Trimmer. “Information Assurance and Security.” Journal of Organizational and End User Computing, vol. 16, no. 3, July–September 2004.

      • Schou, Corey D., and D.P. Shoemaker. Information Assurance for the Enterprise: A Roadmap to Information Security. McGraw-Hill Education, 2007.

      • Tipton, Harold F., and S. Hernandez, ed. Official (ISC)2 Guide to the CISSP CBK, 3rd ed. (ISC)2 Press, 2012.

      • Trimmer, K.J., C.D. Schou, and K. Parker. “Enforcing Early Implementation of Information Assurance Precepts Throughout the Design Phase.” Journal of Informatics Education Research, 2007.

Critical Thinking Exercises

        1. A cloud CRM provider verbally promises state-of-the-art security and protection of all organizational information. What can the organization do to ensure the cloud provider is keeping its word? What other concerns should the organization have?

        2. An organization currently allows employees to use their personal devices for organizational work. Because of the openness of this policy, the organization now has almost every modern operating system and every mobile device imaginable operating on its network. Network utilization is extremely high, the help desk is unable to provide effective resolution of support calls because of the variation of platforms, and information assurance incidents are on the rise. What can the organization do to help rein in this environment?

        3. An organization wants to develop a new information system that will process and store personally identifiable information and some health-related information about individuals. The organization works primarily in the United Kingdom and the United States. In a general sense, what requirements should an information assurance team be focusing on during the requirements gathering phase?
