Your company initiates a project to develop a customer relationship management (CRM) system. As a security professional, you are invited to join the project. Which of the following will you suggest first so that the project manager can incorporate it into the project schedule? (Wentz QOTD)
A. Identify stakeholders and security roles
B. Assess the business impact of the system
C. Identify information types processed by the system
D. Conduct a risk-based review of the system’s design
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Identify stakeholders and security roles.
Even though NIST SP 800-64 R2 was withdrawn on May 31, 2019, and superseded by NIST SP 800-160 V1, it still provides good guidance for organizations in the private or public sector on implementing information systems. It introduced the NIST SDLC and the major security activities in each phase, which map nicely to the NIST RMF.
The following diagram shows primary security activities in the initiation phase of the NIST SDLC:
Security planning should begin in the initiation phase by:
• Identifying key security roles for the system development;
• Identifying sources of security requirements, such as relevant laws, regulations, and standards;
• Ensuring all key stakeholders have a common understanding, including security implications, considerations, and requirements; and
• Outlining initial thoughts on key security milestones including time frames or development triggers that signal a security step is approaching.
This early involvement will enable the developers to plan security requirements and associated constraints into the project. It also reminds project leaders that many decisions being made have security implications that should be weighed appropriately, as the project continues.
Identification of Security Roles
Identification of the ISSO (Information System Security Officer) is an important step that should take into consideration the amount of time the individual will devote to this task, the skills needed to perform the duties, and the capability the individual has to effectively carry out the responsibilities.
Identifying the ISSO early in the process provides the individual key insights into risk-based decisions made early in the process and provides the other team members access to the ISSO for support in integrating security into the system development.
Stakeholder Security Integration Awareness
The ISSO provides the business owner and developer with an early understanding of the security steps, requirements, and expectations so security can be planned from the beginning. Topics may include:
• Security Responsibilities
• Security Reporting Metrics
• Common Security Controls Provided (if applicable)
• Certification & Accreditation Process
• Security Testing and Assessment Techniques
• Security Document & Requirement Deliverables
• Secure Design, Architecture, and Coding Practices
• Security Acquisition Considerations
• Major activities with development schedule and resource impact such as active testing, accreditation, and training
Initial Project Planning
Developing an initial project outline for security milestones that is integrated into the development project schedule will allow proper planning as changes occur. At this stage, activities may be more in terms of decisions followed by security activities.
Source: NIST SP 800-64 R2
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.
Your company initiates a project to develop a customer relationship management (CRM) system. As a security professional, you are invited to join the project. Which of the following will you suggest first so that the project manager can incorporate it into the project schedule? (Wentz QOTD)
B. Assess the business impact of the system
C. Identify the information types processed by the system