Kudler Security Report

During SDLC phase one, the initiation phase, “the need for a system is expressed and the purpose of the system is documented” (NIST, 2008). Some of the expected outcomes from this phase would be a project plan and schedule; system performance specifications outlining the operational requirements, system design documents, and a document that defines roles and responsibilities. The corresponding RMF step, security categorization, establishes the foundation for security standardization among information systems and provides a vital step towards integrating security into the information system (NIST, 2008). During this step, the type(s) of information processed by the information system are identified and the information system is categorized to determine the level of protection requirements to put in place. Some of the expected outputs of this step include a security project plan and schedule, documented system boundary, the system categorization, and the security roles and responsibilities. These two process steps are very similar except the focus of RMF is on information security related functions. In some cases, SDLC produces the expected outputs that RMF requires, and the security professionals only require a copy of the documentation for their records. For example, the system design document often depicts the system boundary. The reason this step is so critical is that it

1.1Security CategorizationUsing either FIPS 199 or CNSS 1253, categorize the information system. The completed categorization should be included in the security plan.

1. The scope of the RFP states the State want a review of its entire system security

Management defines information security policies to describe how the organization wants to protect its information assets. After policies are outlined, standards are defined to set the mandatory rules that will be used to implement the policies. Some policies can have multiple guidelines, which are recommendations as to how the policies can be implemented. Finally, information security management, administrators, and engineers create procedures from the standards and guidelines that follow the policies.

After the information system is installed, the IS security controls must be monitored and assessed on a continuous basis. Continuous monitoring ensures the security controls in place are effective. In this step, there are five tasks. The first task requires managers to determine the security impact based on the threat environment. The second task is conducting assessments on certain security controls as outlined in their Continuous Monitoring Strategy. The third task is correcting discrepancies found in the assessment. The fourth task requires updating the Security Authorization package based on the previous results. The fifth task requires the appropriate officials to make a risk determination and acceptance by reviewing the reported security

12. Why is a methodology important in the implementation of information security? How does a methodology improve the process?

To guide and assist organizations with implementing the security program that is appropriate for their needs, certain industry accepted standards have been designed and made available to the market. NIST is popular predominantly in the USA – a recent survey found that 82 percent of 150 IT and security professionals in the federal government said their agencies are either fully or partially implementing the

The Information Technology (IT) Security Certification and Accreditation (C&A) process evaluates the implementation of an IT system or site against its security requirements. The process produces evidence used by a designated manager as part of the basis for making an informed decision about operating that IT system or site. The NSTISSI2 NATIONAL INFORMATION SYSTEMS SECURITY (INFOSEC) GLOSSARY No. 4009 September 2000 defines certification as a “comprehensive evaluation of the technical and non-technical security safeguards of an IS to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements” and accreditation is a “formal declaration by a Designated Approving Authority (DAA) that an IS is approved to operate in a particular security mode at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards” (SANS Institute, 2007, p. 1).

In today’s complex IT system because of the wide abundance of threats and deliberate attempts to attack networks and IT assets, it is crucial to have a stream-lined process which attempts to incorporate security as an integral part of the development process as opposed to including security measures after the development cycle has finished. System Development Lifecycle (SDLC) is a hypothetical method created for the design and step-by-step implementation of general information system in business organizations using six different phases. Security System development lifecycle (SecSDLC) uses the same six phases to implement the security project except that its intent and scope is specific to the particular threats identified and designing

The newest standards are ISO 26000, which standardizes social responsibility, and ISO/IEC 27001, which is a developed management system to standardize information security (ISO, n.d.). The most well-known and best-selling standard of the ISO governing body is ISO 9000, which was developed in 1987 (ISO, n.d.). ISO 9000 is for quality management standards. Quality management includes standards that help the organization identify processes that can be developed and employ constant performance improvement. ISO 9000 has been utilized by many national and international companies to constantly improve performance and processes, but ISO 9000 usually involves a manufacturing company.

Have a good Information Security Governance that translates into a set of policies, processes, and responsibilities associated with structures and people in the organization. It makes it possible to clearly establish the decision-making process and the guidelines for the management and use of IT, all in a way that is aligned with the organization's vision, mission and strategic goals. It also ensures the alignment of IT plans with business plans, which the anticipated benefits are actually being generated. Allowing the organization to recognize all risks (and opportunities) for the business by deciding the appropriate plans to mitigate, accept or avoid them. Having fundamental performance measurement throughout this process, monitoring and monitoring strategy implementation, use of resources and delivery of services.

Information security is defined as the preservation of confidentiality, integrity and availability of information …

ISO 9004-1 addresses internal procedures such as organizational goals, management responsibilities, training, and servicing. As in the ISO 9001 series, this series also contains twenty clauses. This is also the standard, which provides for the most misunderstandings. It is important that companies completing the certification process understand the relationship of this standard to the other ISO 9000 family standards. Clauses within the ISO 9004-1 standard provide the foundation for completing certain ISO 9001 requirements.

ISO/IEC 27001 is the most popular IS the ISO/IEC 27000 standard series. As per its credentials, ISO 27001 is meant to offer an archetypal for implementing, establishing, monitoring, improving, maintaining, reviewing, and operating an ISMS. ISO 27001 is technology-neutral and utilizes a rundown list of risk-based approaches (Disterer, 2013; ISO, 2014). Its specifications describe a six-part process of planning:

In this section include open or closed IT audit findings, risk derived findings, internal assessments, at the time of approval of the security plan.