566-8

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

Source code repository

A database of source code, typically used for projects involving a large number of developers and/or to store code that may be used on a number of projects. A repository may be private to an organization or public. Public repositories may be open source or restricted to developers from multiple organizations. Repositories help developers submit patches of code in an organized fashion. Often these archives support version control, bug tracking, release management, mailing lists, and wiki-based documentation

security architecture design activity Expected outputs include:

A schematic of security integration that provides details on where within the system security is implemented and shared A list of shared services and resulting shared risk Identification of common controls used by the system

Began to gain favor in the early 2000s

Agile software development

corresponds to step 1 in the NIST risk management framework defined in SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems

Categorizing information systems

A key result of this process should be a set of security requirements that are to be incorporated into the overall set of requirements for the system

Categorizing information systems and assessing impact

The expected outputs of ...................... include supporting rationale for the information system security categorization and a level of effort estimate for applying the necessary security controls, together with a specification of security requirements.

Categorizing information systems and assessing impact

The purpose of ........................ is to identify information that will be transmitted, processed, or stored by the system and to define applicable levels of information categorization based on an impact analysis.

Categorizing information systems and assessing impact

The result of .............................. should be an information taxonomy or catalog of information types.

Categorizing information systems and assessing impact

A number of security-related activities are needed to assure that security is incorporated effectively in that design phase

Major security activities

SP 800-64 makes use of the following elements in defining the security considerations applied during each phase:

Major security activities Expected outputs Synchronization Control gates

This activity includes the practices of continuous monitoring, customer feedback, and optimization to monitor how applications are performing post-release, allowing businesses to adapt their requirements as needed

Monitor and optimize

Determine whether the proposed system will in fact satisfy system requirements as defined for the user's environments.

Operational feasibility

This phase involves maintenance, replacement of outdated or malfunctioning hardware and software, and regular software updates.

Operations/maintenance

This phase involves monitoring and evaluation to determine whether requirements are being met and what is in need of improvement.

Operations/maintenance

Determine whether the proposed system is consistent with the organization's strategic objectives.

Organizational feasibility

Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, a system, or a network

Penetration testing

This activity focuses on business units and their planning process

Plan and measure

DevOps is viewed as a repetitive cycle of four major activities:

Plan and measure Develop and test Release and deploy Monitor and optimize

Carry out activities such as detailing what will actually go into the system release (for example, new features and fixes), creating initial project plans, and improving budget estimates.

Planning

Ensure that the system release is fully aligned to the master strategy and intent. System or asset owners work with appropriate stakeholders to develop a high-level strategy or roadmap of work, outlining the details of a specific system release.

Strategy

Initiation phase include

Strategy Research Feasibility Planning Requirements

A feedback loop between tasks provides opportunities to ensure that the SDLC is implemented as a flexible approach that allows for appropriate and consistent communication and the adaptation of tasks and deliverables as the system is developed

Synchronization

Contains the details of system design, programs, their coding, system flow, data dictionary, process description, and so on

System documentation

A person or an organization that has responsibility for the development, procurement, integration, modification, operation, maintenance, and final disposition of an information system

System owner

, it is often determined whether the project will be an independent information system or a component of an already defined system T or F

T

A traditional information system development project proceeds sequentially through these stages, without delivering working pieces in between and without obtaining customer feedback on the way (waterfall development) T or F

T

Assessing business impact synchronizes with the categorization activity. T or F

T

It is characterized by rapid releases, feedback loops embedded throughout the process, and a comprehensive set of tools and documented best practices to automate the DevOps process T or F

T

Operations/maintenance can mean recommending additional training, operations, procedures, or upgrades. T or F

T

Determine whether the available technology and resources are adequate to implement the proposed system.

Technical feasibility

application life cycle management (ALM)

The administration and control of an application from its inception to its demise. ALM embraces requirements management, system design, software development, and configuration management, and implies an integrated set of tools for developing and controlling the project

Targeted at system functions that end users will be able to execute while operating in the final production environment

User acceptance testing (UAT)

Provides a complete description of the system from the user's point of view, detailing how to use or operate the system

User documentation

types of documentation are prepared for the system:

User documentation System documentation

A phase of system development in which the software or system is tested in the "real world" by the intended audience.

User testing

A method of deploying software or systems in which development moves through a series of fairly well-defined stages. With large projects, once each stage is completed, it cannot be easily reversed, much as it would be difficult to move up a waterfall. This traditional system engineering flow allows for a requirements-driven process that leads to assured and verified function

Waterfall development

An expected output of Initiating project security planning activity is

an initial set of security activities and decisions related to the SDLC.

This categorization process depends initially on ......................... and should be revisited if there are updates to either of these assessments.

business and privacy impact assessments

This planning activity enables developers to

design security features into the project.

During the development/acquisition phase, the system is

designed, purchased, programmed, developed, or otherwise constructed

In addition to designing the operational solutions associated with functional and non-functional requirements, the design process also includes ........................... that will be used to verify the quality of all work performed in all downstream phases and environments

designing unit, module, integration, user acceptance, and production signoff tests

The system owner and the development team should work together to ............................ throughout the SDLC.

develop a set of principles and plans that document security expectations

The plan must include ..................... that are used to evaluate software, adapt and adjust continually, relate to customer needs, and continually update the development plan and the measurement plan

developing measures

The focus of DevOps has been the

development of application software and support software

The planning process relates business needs to the outcomes of the

development process

Typical stages in the development and deployment of applications are

development, system integration testing, user acceptance testing, and production

refers to the process of preserving (if applicable) and discarding system information, hardware, and software.

disposal phase of the system life cycle

A build team creates a fully centralized, repeatable, and automated build that will be used for ............................ in downstream phases and environments

distribution/deployment, quality assurance, and signoff

User testing Also called

end-user testing

Enterprise security considerations dictate that security focused activities and deliverables be a part of every phase of the SDLC in order to

ensure that the developed system is able to withstand malicious attacks

The information to be processed, transmitted, or stored is typically............................, along with who needs access to such information and how

evaluated

While initiating project security planning, the key security roles that will be active throughout the SDLC should be................

identified

User documentation Includes the ....................... likely to be encountered by the user

major error messages

During the initiation phase The organization establishes the

need for a particular system and documents its purpose

During the initiation phase The responsible individual or group documents the

purpose of the system and defines the requirements

The detailed design of a system release is............................, with the intent that it will be handed off for a centralized and repeatable build that can be used for distribution/deployment, quality assurance, and signoff in downstream phases and environments

realized and optimized

A ......................... enables an organization to determine the risk to operations, assets, and individuals resulting from the operation of information systems and the processing, storage, or transmission of information

risk assessment

The expected output of ..........................is a refined risk assessment that accurately reflects the potential risk to the system, known weaknesses in the design, identified project constraints, and known threats to both business and IT components

risk assessment activity

The results of ........................... are used to supplement baseline security controls identified during the initiation phase

risk assessment activity

The...................... looks at the current knowledge of the systems design and the impact assessment information from the initiation phase

risk assessment activity

It is also important to ensure that all key stakeholders have a common understanding, including

security implications, considerations, and requirements.

An expected output of Initiating project security planning activity is a ......................... that provide a record of the agreed-upon planning decisions.

set of supporting documents

Implementation is the

stage of a project during which theory is turned into practice.

Characterized by frequent release, in an iterated loop fashion, with a certain amount of automation in the form of tools that can be used to

support collaboration

All data and technology connections are ...................... for a specific system moving through the SDLC and all of its upstream system dependencies and all of its downstream system targets

tested

needs to identify the standards and regulations that apply and develop an overall plan for security milestones during system development.

the system owner

Emphasizes teamwork, customer involvement, and the creation of small or partial pieces of the total system that are tested in a

user environment

The goal of Integration testing is to........................... that will need to interact in the final operating environment

verify all appropriate data connections and data exchanges between systems

If the new system replaces an existing IT system or even a manual system, the organization needs to shift the work from the old system to the new.

■ Changeover

The data need to be converted from the old system to operate in the new format of the new system. During this part of the process, all the programs of the system are loaded onto the user's computer.

■ Conversion

The old system is completely replaced by the new system. This is a risky approach and requires comprehensive system testing and training.

■ Direct changeover

The hardware and the relevant software required for running the system must be made fully operational.

■ Installation of hardware and software

Implementation major parts of phase are:

■ Installation of hardware and software ■ Conversion ■ User training ■ Changeover ■ Direct changeover ■ Parallel run ■ Pilot run

The two systems are executed simultaneously for a certain defined period, and the same data are processed by both the systems. This strategy is less risky but more expensive.

■ Parallel run

The new system is run with the data from one or more of the previous periods for the whole system or part of it. The results are compared with the old system results. This is less expensive and risky than the parallel run approach. This strategy builds confidence and allows for error tracing without affecting operations.

■ Pilot run

The main topics of user training can include how to execute the package, how to enter data, how to process data, and how to generate reports.

■ User training

This activity focuses on collaborative development, continuous integration of new code, and continuous testing

Develop and test

It focuses on streamlining development and testing teams' capabilities

Develop and test activitie

Changeover include Three basic strategies are possible:

Direct changeover Parallel run Pilot run

SP 800-64 lists the following as benefits of integrating security into the SDLC:

Early identification and mitigation of security vulnerabilities and misconfigurations, resulting in lower cost of security control implementation and vulnerability mitigation Awareness of potential engineering challenges caused by mandatory security controls Identification of shared security services and reuse of security strategies and tools to reduce development cost and schedule while improving security posture through proven methods and techniques Facilitation of informed executive decision making through the application of comprehensive risk management in a timely manner Documentation of important security decisions made during development, ensuring management that security was fully considered during all phases Improved organization and customer confidence to facilitate adoption and use as well as improved confidence in the continued investment in system development Improved systems interoperability and integration that would be difficult to achieve if security were considered separately at various system levels

Determine whether the likely benefits of the system outweigh the cost, using a cost/benefit analysis.

Economic feasibility

Feasibility: If the overall strategy is acceptable to management, then the next step is to examine the feasibility of the system. Key considerations include:

Economic feasibility Organizational feasibility Operational feasibility Technical feasibility Social feasibility

The output from ......................... should include plans for development phase security training and quality assurance.

Ensuring secure system development

A key to success is to define specific deliverables for each activity

Expected outputs

Security testing in which advertised security mechanisms of an information system are tested under operational conditions to determine if a given function works according to requirements

Functional testing

A contraction of development and operations that refers to the tight integration between the developers of applications and the IT department that tests and deploys them. DevOps is said to be the intersection of software engineering, quality assurance, and operations

DevOps

Decision points at the end of each phase when the system is evaluated and management determines whether the project should continue as is, change direction, or be discontinued

Control gates

is monitored to optimize experiences in business applications

Customer experience

are automated and then mature to a self-service model that provides individual developers, teams, testers, and deployment managers with the capability to continuously build, provision, deploy, test, and promote

Deployments and middleware configuration

Development/acquisition phase include

Design Procurement or coding Centralized build Integration testing Documentation User acceptance testing (UAT)

The initiation phase involves the following control gates:

Determine acquisition strategy System concept review Performance specification review EA/IA (enterprise architecture/ information architecture) alignment Financial review Risk management review

This activity provides a continuous delivery pipeline that automates deployment to test and production environments

Release and deploy

are managed centrally in a collaborative environment that leverages automation

Releases

Develop a requirements specification of what needs to be accounted for in downstream design and implementation activities. The more detailed the requirements, the higher the probability that the design will align to the intended system release strategy and with end-user expectations for the release.

Requirements

Determine opportunities and solution options that meet requirements.

Research

Ensuring secure system development considerations include:

Secure concept of operations Standards and processes Security training for development team Quality management Secure environment Secure code practices and repositories

Determine whether the proposed system will produce unwanted society impacts.

Social feasibility

ISO 27002, Code of Practice for Information Security Controls, suggests that the security requirements consider the following:

The level of confidence required toward the claimed identity of users, in order to derive user authentication requirements Access provisioning and authorization processes for business users as well as for privileged or technical users User and operator knowledge of their duties and responsibilities The required protection needs of the assets involved, especially regarding availability, confidentiality, and integrity Requirements derived from business processes, such as transaction logging and monitoring as well as nonrepudiation requirements Requirements mandated by other security controls, such as interfaces to logging and monitoring and data leakage detection systems

is that all participants in creating a product or system should collaborate from the beginning, including business unit managers, developers, operations staff, security staff, and end-user groups

The philosophy

.......................... produces a detailed architecture that incorporates security features and controls into the system design

The security architecture design activity


Ensembles d'études connexes

Wound Care Pass Point + Oxygenation

View Set

English 9 | Module 1 | Lesson 10: Quiz "Author's Viewpoint and Purpose"

View Set

AOA Foundations for Living Unit 4

View Set

Illinois Accident and Health Producer General Exam SIMULATOR

View Set

A.P. Psychology Unit 1-14 Vocabulary

View Set

Chapter 10 The Gastrointestinal tract and abdominal wall

View Set

Exam 1: Suicide and Nonsuicidal Self-Injury

View Set

Comp sci Practice Attempt - 2020 Practice Exam 1 MCQ

View Set