15.4 SYSTEM DEVELOPMENT, ACCREDITATION AND CERTIFICATION



An organization that is creating a risk management strategy should strive to integrate security with its existing processes. A good place to start is with the processes in place for system development or acquisition. Even if your organization does not do in-house development, these principles can still be applied. A system development process should adopt a system development life cycle in which systems are formally certified to have met a standard of security, as defined in a security plan written for the given system, and accredited for use in production environments. The organization's security officers formally sign off on accreditation and certification to indicate their satisfaction that security requirements have been met, or that they are willing to accept any residual risks that a given system may continue to possess at the time it is put into production. When management has to sign off and formally accept risk, the security assessment and the actual risk being assumed are more likely to undergo deeper scrutiny. NIST has defined five distinct phases of the system development life cycle, as follows:

  1. Initiation - The need for the system is expressed and initial security requirements are assessed.

  2. Development or acquisition - The system is developed or procured. A formal risk assessment takes place at this point. In a development situation, system architecture may be re-designed if security needs are able to be adequately addressed.

  3. Implementation - The system is evaluated and the certification and accreditation process is invoked.

  4. Operation or maintenance - Upon successful accreditation, the system is put into production. The system is periodically re-evaluated to ensure its compliance with security requirements.

  5. Disposal - This phase is essentially a planned decommissioning of the system in which disposal plans for hardware and media are executed and data is migrated or securely destroyed.

The operation and maintenance phase, phase 4 of the life cycle, is where many organizations starting a security management program will initially find most of their systems. Systems already in production will have to undergo a thorough risk assessment so that the risks present in those systems can be fully understood. There is also a broad range of implications inherent in this phase with respect to change control and change control processes. In essence, a change should be treated in much the same way as a new system or acquisition. That is to say, the following considerations are taken into account:

  • A formal assessment is made of the need for a change

  • A formal assessment of the risks a change would introduce is done

  • Controls to mitigate the assessed risk are considered, selected and implemented

  • A certification and accreditation process is invoked such that management formally signs off on its comfort with the risk mitigation efforts and assumes the responsibility for any residual risk that may remain after risk mitigation controls are put in place




HIPAA Security Implementation, Version 1.0
ISBN: 974372722
EAN: N/A
Year: 2003
Pages: 181
