The information security manager’s role in systems and software development is key. You will be required to ensure that the output from any development projects running in your organization (or outsourced to a third-party development company) is secure, whether they are creating a new line-of-business application or a new infrastructure capability . “But I’m not a developer,” I hear you shout. I’ve also heard new information security managers say, “What do I know about configuring a network switch or Windows Domain Controller?” The simple answer is that no one expects you to be a developer or know as much about Windows Domain Controllers are the SMEs in your infrastructure teams, however, you need to have enough knowledge to work with those guys to determine what changes may need to be introduced to make them secure.
If you are lucky enough to have introduced a full organizational program of security, then you’ll probably have some architect-types you can call on to help you express some of those complex security requirements that need to filter into development projects. If not, you should really seek a champion in the development team that can become the security go-to guy, who takes advice and guidance from you on your assurance plan, but has the skills to look at the detail of how systems and code are constructed and can help find the pesky defects in release packages that end up as vulnerabilities in your production systems.
Protection of Systems – Secure Development Business Processes
The users need a system that does x. So, the developers set about coding a system that does x. Sometimes, the better developers will say, “hold on just a minute, we’ve not even written these requirements down and checked them.” That’s a good developer, hang onto her.
The reality is that software development will significantly benefit from contact with aspects of the business that could be impacted by the introduction of the new system or product. Brand new business applications often arrive on the users’ desktops as nothing more than mere reflections of what the developer thought the user wanted, given a couple of high-level discussions. However, without consultation with the user community, including usability testing with new interface ideas, workflow checking and security requirements analysis from the beginning of the development cycle, you’ll never be sure you’ve delivered the application that the business really wants.
The software development process works particularly well when trade-offs are required, where certain requirements may need to be dropped because of cost or timeframe. Security requirements are also often traded off against expediency to market, which can lead to business data being placed at significant risk. In project management terms, the job of dealing with these trade-offs is known as stakeholder management , which is a powerful tool that should be used for managing both user and security requirements. The information security manager’s role in all of this is to maintain contact with the development team, retaining an executive role on the project board, providing input and guidance to the technical development team to ensure that security policy, security requirements, and any security standards or guidelines are understood and adhered to. You will also need to make sure that test plans include security testing, both from a security requirements perspective and a penetration testing perspective.
- Change Control
- Acceptance Processes
- Managing Multiple Environments
- Working with Outsourcers
- Finding Covert Channels and Embedded Malware
- Security Patching Considerations
Click Here To Sign-Up https://lp.constantcontactpages.com/su/oCxWsoH/ProtectionofSystems