An excellent article by Ismael Valenzuela in the latest issue 11 of [IN]SECURE eZine explains how information security can and indeed should be integrated with the systems development lifecycle (SDLC), using ISO/IEC 27002:2007 (currently known as ISO/IEC 17799:2005). There is a useful table linking specific clauses in the ISO standard to SDLC phases starting from the risk assessment stage, prior to drawing up security requirements, and continuing right through development, testing and operations to eventual retirement of the system at the end of its life.
The NoticeBored security awareness module on this topic a year ago took the same basic idea one step further. The concept was simple: we provided a 'sales brochure' to help the Information Security Department sell their services to software development project managers and hence to the development teams. The brochure is a folder containing two sheafs of glossy leaflets, one set explaining the kinds of security-SDLC process integration issues covered by Ismael, the other outlining the range of information security controls that are typically required for most IT systems. Contact me (Gary@isect.com) if you'd like more information on the module but that's not a bad brief to write your own!
Thanks for your reference Gary. It's always a pleasure to have your invaluable feedback based on real implementations experience rather than just the theory.
ReplyDeleteWe know how difficult is to embed security into software development units, but fresh iniciatives like yours are really helpful.
Well done!