Archive for August 13th, 2011
Risk Management in IT: SDLC

Risk Management Guide for IT: SDLC

NIST SP 800-30, Risk Management Guide for Information Technology Systems, describes how the risk management framework maps onto the system development life cycle (SDLC), a risk assessment methodology, risk mitigation, and good practice for ongoing risk assessment.

A system and its information must be protected from cradle to grave, which is why risk management applies across the entire system development life cycle rather than as a one-time exercise. The level of risk to the system and its data, and therefore the effort spent managing it, depends on how critical the system is to the business and/or mission it supports.
The system development life cycle consists of five phases: Initiation, Development/Acquisition, Implementation, Operation/Maintenance, and Disposal.

How the Risk Management Framework Maps to the System Development Life Cycle

The table from SP 800-30 has three columns: the SDLC phase, the characteristics of that phase, and the support that risk management activities provide in it. It is reproduced here phase by phase.

Phase 1: Initiation
Phase characteristics: The need for an IT system is expressed, and the purpose and scope of the IT system are documented.
Support from risk management activities: Identified risks are used to support the development of the system requirements, including security requirements, and a security concept of operations (strategy).

Phase 2: Development or Acquisition
Phase characteristics: The IT system is designed, purchased, programmed, developed, or otherwise constructed.
Support from risk management activities: The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design tradeoffs during system development.

Phase 3: Implementation
Phase characteristics: The system security features should be configured, enabled, tested, and verified.
Support from risk management activities: The risk management process supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions regarding the risks identified must be made prior to system operation.

Phase 4: Operation or Maintenance
Phase characteristics: The system performs its functions. Typically the system is being modified on an ongoing basis through the addition of hardware and software and by changes to organizational processes, policies, and procedures.
Support from risk management activities: Risk management activities are performed for periodic system reauthorization (or reaccreditation) or whenever major changes are made to an IT system in its operational, production environment (e.g., new system interfaces).

Phase 5: Disposal
Phase characteristics: This phase may involve the disposition of information, hardware, and software. Activities may include moving, archiving, discarding, or destroying information and sanitizing the hardware and software.
Support from risk management activities: Risk management activities are performed for system components that will be disposed of or replaced, to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner.