Your company decides to start a business selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house. The software development project was kicked off a couple of days ago, and you are preparing for the project meeting tomorrow. As a security professional, which of the following should you consider first?
A. Risks to the system
B. Impact of privacy breach
C. System Security Architecture
D. Stakeholders protection needs and requirements
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Risks to the system.
A project is typically justified by a business case that includes alternatives with cost/benefit analysis, and it is authorized by the project charter.
A business case is developed by a business analyst who elicits and analyzes stakeholders’ needs, proposes alternative solutions, conducts cost/benefit analysis, and suggests the solution to be implemented.
Once management has selected and approved the suggested solution, a project manager is assigned and a project charter is developed to initiate the project. A project kickoff meeting is held thereafter to set the course and tone for the project.
Ubiquitous Risk Management
Risk should be considered before the project is initiated and across the Software Development Life Cycle (SDLC), while the Privacy Impact Assessment (PIA) can be conducted before or after the project is initiated.
Privacy Impact Assessment (PIA)
According to the NIST Risk Management Framework (RMF), categorizing the system based on the information types is the first step. It’s a good time to identify whether the system processes privacy data. ISO/IEC 29134:2017 is a good reference for conducting a PIA.
The Software Development Life Cycle
The planning phase starts after the project is initiated. The development approach or methodology is determined at this stage.
Stakeholders’ protection needs and requirements are analyzed, specified, verified, and validated. In a plan-driven waterfall approach, a user requirement specification (URS) is signed off.
A design is the representation of the software solution that addresses the stakeholders’ needs and requirements. The system architecture is one of the most prominent work products in the design phase.