Information Assurance in System Development and Acquisition

Emerging Trend: Integrating Information Assurance (IA) into SDLC

• Modern software-engineering practice stresses that IA requirements be considered at every stage of system design and development.
• Secure design must be integrated “from cradle to grave” (planning → disposal) so that countermeasures are effective, economical, and traceable.
• Methodological differences (Agile, Scrum, XP, Kanban, Waterfall, etc.) do not negate the universal need for early-binding security controls.
• Common historical problem: programmers often “just make it run,” emphasizing functionality over security—leaving systems hack-prone.
• SSDLC therefore goes beyond coding; it establishes managerial mechanisms that direct/limit stakeholder actions according to documented requirements.

Benefits of Early and Continuous IA Integration

• Lower cost: retrofitting security after deployment disrupts operations and is expensive.
• Improved alignment with evolving threats: IA controls must track the threat/risk environment throughout the life cycle.
• Strong audit trail: documenting IA decisions in every phase provides evidence for auditors and clarifies technical intent.
• Fred Brooks (The Mythical Man-Month) productivity allocation:
  • 1/6 of effort → coding.
  • 1/3 of effort → planning & design.
  • 1/2 of effort → component & system tests.
• Practical rule of thumb: update the System Security Plan (SSP) twice as often as the longest period you are willing to tolerate an unauthorized change going unnoticed (i.e., Update Interval = ½ × tolerable exposure window).

Overview of the System Development Life Cycle (SDLC)

• Phases: Initiation → Development/Acquisition → Implementation → Operation/Maintenance → Disposal.
• Alternative development paradigms (process-model, model-driven, component-based) still map to these five security-relevant phases.
• IA team participation is mandatory in all phases for proper identification, design, integration, and maintenance of controls.

Phase A: Initiation

• Need establishment
  • Define purpose; conduct user interviews; document gaps & findings.
• Security categorization
  • Classify information processed (e.g., public, confidential, secret) and derive sensitivity.
• Initial risk assessment
  • Identify preliminary threats/vulnerabilities; reference Chapter 11 for methodology.
  • Select a minimum IA control baseline consistent with the classification.

Phase B: Development / Acquisition

• Requirements analysis
  • Merge security requirements with functional/user requirements.
  • Produce security specifications, functional & assurance requirements.
• Formal risk assessment
  • Deeper than the initial one; create a prioritized risk-treatment list.
• Budgeting
  • Include hardware, software, personnel, training, and IA cost line items.
• Security planning
  • Draft/iterate the SSP; create contingency, incident-response, awareness, & training plans.
  • Produce user/operational manuals.
• Security control development
  • Build/tailor controls to meet refined requirements.
• Security test & evaluation (pre-implementation)
  • Develop technical test cases & representative data; ensure assessor independence.

Phase C: Implementation

• Execute security controls per plans; simulate environment; conduct unit, subsystem, and full-system tests.
• Inspection & acceptance
  • Verify compliance with regulations, policies, standards, and performance specs.
• System integration/installation
  • Confirm prescribed control settings are active before go-live.
• Security accreditation (authorization)
  • Senior official validates control effectiveness and accepts residual risk on the organization’s behalf.

Phase D: Operation / Maintenance

• Configuration management & control
  • Maintain configuration baselines; evaluate security impacts of changes.
• Continuous monitoring & (re)accreditation
  • Schedule and perform audits; automate log review; keep risk reporting near real-time for critical systems.

Phase E: Disposal

• Information preservation
  • Retain vital data to meet legal/technological requirements; define the archiving method.
• Media sanitization
  • Obtain written senior-management approval; delete/erase/overwrite under observation.
• Hardware & software disposal
  • Follow policy-directed destruction, resale, or recycling procedures.

Information Assurance in System / Service Acquisition Life Cycle

• Challenge: business drivers (low cost, high performance) may overshadow IA if not embedded.
• IA teams must weave IA concerns into change & configuration management or risk perpetual “catch-up.”

IA Responsibilities During System Development

• Secure mandatory IA involvement during requirements gathering.
• Provide enterprise IA architectures & service baselines so developers can inherit existing controls.
• Offer workable solutions—avoid the reputation of being obstructionist; security requirements must be paired with implementation options.

IA Responsibilities During System Acquisition (incl. SaaS / Cloud)

• Participate in budget authorization; IA sign-off leverages risk management influence.
• Draft standard contract/procurement clauses (with legal) covering systems, personnel, and cross-jurisdictional data handling.
• Review provider proposals; highlight IA strengths/deficiencies.
• Engage in vendor negotiations; mandate continuous compliance monitoring.
• Perform assessments/audits to verify contractual IA obligations.

Change Management

• Change management = organizational process for communicating & vetting change; configuration management is its IT-centric subset.
• IA team duties:
  • Ensure a formal change-management process exists and that IA has a “veto” for non-compliant projects.
  • Track strategic direction (outsourcing, mergers, telework adoption, EOL services) for IA impacts.
  • Produce Assurance Impact Assessments that map proposed changes to risk posture & tolerance; secure senior management buy-in for residual risk.

Configuration Management

• Focus: ensure consistent, secure baselines across information systems.
• IA team duties:
  • Engage in creation/modification of configuration baselines.
  • Assess/test baseline changes; conduct IA impact assessments.
  • Monitor patches & vendor advisories; propagate security patches rapidly.
  • Scan networks/systems for baseline compliance; investigate deviations and update or fork baselines as needed.
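A small compliance check for the baseline-scanning duty above, added here as an illustration and not taken from the notes: it compares captured host settings against a baseline, reports deviations (wrong value or setting missing), and records an approved exception as a forked baseline so it stays traceable. The baseline keys and host captures are constructed, hypothetical values.

```python
"""Added example: baseline compliance scan with deviation reporting and forked baselines."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Baseline:
    name: str
    settings: Dict[str, str]            # required setting -> required value
    approvals: List[dict] = field(default_factory=list)  # audit trail of approved forks

@dataclass
class Deviation:
    setting: str
    expected: str
    actual: Optional[str]               # None: the setting is absent from the capture

def check_compliance(baseline: Baseline, host_config: Dict[str, str]) -> List[Deviation]:
    """Return every baseline setting the host fails, whether missing or wrong-valued."""
    return [Deviation(key, want, host_config.get(key))
            for key, want in baseline.settings.items()
            if host_config.get(key) != want]

def scan_fleet(baseline: Baseline, captures: Dict[str, Dict[str, str]]) -> Dict[str, List[Deviation]]:
    """Run the check over every captured host; fully compliant hosts are omitted."""
    results = {host: check_compliance(baseline, cfg) for host, cfg in captures.items()}
    return {host: devs for host, devs in results.items() if devs}

def fork_baseline(base: Baseline, name: str, approved: Dict[str, str], justification: str) -> Baseline:
    """Derive a baseline that accepts specific deviations, keeping the approval
    record so the exception is tracked rather than silently tolerated."""
    settings = dict(base.settings)
    settings.update(approved)
    approvals = base.approvals + [{"parent": base.name, "changes": dict(approved),
                                   "justification": justification}]
    return Baseline(name, settings, approvals)

# Constructed sample data (hypothetical setting names, not any real product's schema).
STANDARD = Baseline("std-server", {"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "no",
                                   "audit.enabled": "yes", "tls.min_version": "1.2"})
CAPTURES = {
    "web01": {"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "no",
              "audit.enabled": "yes", "tls.min_version": "1.2"},
    "legacy02": {"ssh.PasswordAuthentication": "yes", "ssh.PermitRootLogin": "no",
                 "audit.enabled": "yes"},   # tls.min_version was never captured
}

if __name__ == "__main__":
    for host, devs in scan_fleet(STANDARD, CAPTURES).items():
        for d in devs:
            print(f"{host}: {d.setting} expected {d.expected!r}, got {d.actual!r}")
```

A deviation that investigation shows is acceptable (with a compensating control) is recorded through fork_baseline rather than by editing the standard baseline, so the parent baseline and the justification both survive for audit.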