
Presented By
Khandker M Qaiduzzaman
Lecturer, Department of Swe
Daffodil International University
Cell no.: +8801685679768
Email: khandker.swe@diu.edu.bd

THE SYSTEMS DEVELOPMENT LIFE CYCLE
• Systems Development Life Cycle (SDLC): methodology for design and implementation of information system within an organization.
• Methodology: formal approach to problem solving based on structured sequence of procedures
• Using a methodology:
  o Ensures a rigorous process
  o Increases probability of success
• Traditional SDLC consists of six general phases


THE SECURITY SYSTEMS DEVELOPMENT LIFE CYCLE
• The same phases used in traditional SDLC may be adapted to support specialized implementation of an IS project
• Identification of specific threats and creating controls to counter them
• SecSDLC is a coherent program rather than a series of random, seemingly unconnected actions

BASIC IDEA OF SECSDLC
• Investigation – The investigation phase of the SecSDLC begins with a directive
from upper management specifying the process, outcomes, and goals of the
project, as well as its budget and other constraints.

• Analysis – A preliminary analysis of existing security policies or programs,
along with documented current threats and associated controls, is
conducted.

• Logical Design – In the logical design phase, team members create and
develop the blueprint for security, and examine as well as implement key
policies that influence later decisions.
• Physical Design – In the physical design phase, team members evaluate the
technology needed to support the security blueprint, generate alternative
solutions, and agree upon a final design.

• Implementation – The security solutions are acquired, tested, implemented,
and tested again. Personnel issues are evaluated and specific training and
education programs are conducted.

• Maintenance – Once the information security program has been
implemented, it must be operated, properly managed, and kept up to date
by means of established procedures. (Charles 2013)

SDLC VS. SECSDLC

SDLC: Investigation
• What problem to be solved?
• Objective, Constraints and Scope of project
• Primarily Cost Benefit Analysis - evaluates prescribed benefits vs. appropriate level of cost
• Feasibility Analysis – Assess economical, technical, behavioral feasibility of process. (try to measure whether implementation is worthy in the context of time and effort)

SDLC: Analysis
• Primarily assessment of the organization
• Understand Current System
• Capability to support Proposed System
• What new system is expected to do?
• How the new solution interacts with existing system?

SecSDLC: Investigation & Analysis
• Document project process & goal in Security Policy as defined by the management
• Security Categorization
  o Define 3 levels (low, moderate & high) of potential impact on organization/ individual in case of security breach.
  o It is useful for organization in making the appropriate selection of security controls.
• Primary Risk Assessment
  o Identify basic Security Need of the System.
  o Defines the threat environment where the system operates.

SDLC: Logical Design
• Create System Solution as per Business Requirement.
• Applications are selected to provide
  o Service
  o Data Support
  o Needed input
• No references for specific technology, vendor & product.
• Alternative solution proposed with it
  o Strengths & Weaknesses
  o Cost & Benefits
• Another Feasibility performed

SDLC: Physical Design
• Select specific technology for implementation
• Decide make or buy
• Perform another feasibility analysis
• Present the design to the higher management for approval

SecSDLC: Logical & Physical Design
• Risk Assessment – Identify the protection requirement through a formal risk assessment process.
• Security Functional Requirement Analysis
  o System security environment
  o Security functional requirement
• Security Assurance Requirement – Development activities required to assure, by producing evidence, that the information security will work correctly and effectively.
• Cost consideration and reporting – How much cost can be attributed to information security
• Security Plan – Ensure that agreed upon security controls are properly planned or in place and fully documented.
• Security Control Development – Ensure security controls are designed, developed and implemented as per security plan.
• Developmental security test and evaluation.

SDLC: Implementation
• Software developed/ ordered & received
• Tested in test environment
• Conduct user training
• Create supporting documents
• Implement in live environment
• Conduct feasibility analysis on
  o Performance review
  o Acceptance test

SecSDLC: Implementation
• Inspection & Acceptance – Organization validates and verifies the functionality described in specification.
• System integration
  o Ensure system is integrated in operational site
  o Vendor guideline followed for
    ▪ Setting Security Controls
    ▪ Enabling Switches
• Security Certificate
  o Ensure controls are effectively implemented through established verification technique.
  o Describe remaining vulnerabilities.
• Security Accreditation – Provide necessary security authorization (from Senior Management) of an Information System to process, store or transmit information that is required.

SDLC: Maintenance & Change
• Consists of the following tasks
  o Support the system
  o Modify the system as required until the end of the useful life of the system.
  o Upgrade, update, patch management.
  o Test the system periodically for compliance.
  o Feasibility of continuance vs. discontinuance is evaluated.

SecSDLC: Maintenance & Change
• Configuration Management & Control – Consideration of potential security impact due to specific changes in Information system.
• Continuous Monitoring
  o Conduct security control monitoring
  o Prepare security status
  o Submit the status to the appropriate personnel for necessary action
• Information Preservation
  o Ensure retention of Information as necessary to conform to legal requirement
  o Accommodate future technology for information retrieval.
• Media Sanitization – Ensures that data is deleted, erased, and written over as necessary
• Hardware and software disposal – Ensure HW & SW is disposed of as directed by the Information System Security Officer.

THANK YOU
