System Development Life Cycle Flashcards
What 2 approaches or methodologies exist to develop or acquire information systems?
Traditional and alternative
Describe the traditional approach.
Requires systematic and disciplined work done internally, following a system development life cycle (SDLC) methodology.
What are the 5 phases of SDLC?
1) Planning/initiation
2) Development/acquisition
3) Implementation/assessment
4) Operation/maintenance
5) Disposal/decommissioning
Planning/Initiation - system-related activities
1) Understand the functional users' request for a new system
2) Conduct feasibility study
3) High-level needs assessment
4) Preliminary risk assessment
5) Express user needs and system requirements using decision tables, flowcharts, and data flow diagrams
Planning/Initiation - security-related activities
1) Security planning document
- security awareness and training plans
- rules of behaviour
- risk assessment
- configuration management plan
- contingency plan
- incident response plan
- system interconnection agreements
- security tests and evaluation results
- plan of actions and milestones
(Does not contain a request for proposal, vendor contract plans, or a statement of work; those belong to project management, not security management)
2) Sensitivity assessment
3) Security assurance
Development/Acquisition - system-related activities
1) Performing an in-depth analysis of user needs
2) Performing general and detailed system design work
3) Developing computer programs
4) Conducting unit and system testing
5) Planning desk reviews, mutation analysis, sensitivity analysis for analyzing changes, boundary-value analysis, and error seeding methods during testing
6) Performing quality assurance (QA) and quality control (QC) reviews
7) Doing a detailed risk assessment
During this phase, the system is designed, purchased, programmed, developed, or otherwise constructed.
Development/Acquisition - security-related activities
1) Determining security features, controls, assurances, and operational practices
2) Incorporating these security requirements into security design specifications
3) Actually building or buying these security requirements into the system
4) Conducting design reviews through walkthroughs
5) Preparing test documents with test cases and test procedures with formal specific programming languages
6) Conducting certification and accreditation activities
Possible security threats or vulnerabilities that should be considered during this phase include Trojan horses, incorrect/incomplete program code, poorly functioning software development tools, manipulation of program code, and malicious insiders.
Implementation/Assessment - system-related activities
1) Providing training to end users and system users
2) Conducting acceptance testing for end users
3) Converting from the old system to the new system
4) Developing instruction manuals for system use
5) Performing QA and QC reviews
After acceptance testing and conversion, the system is installed or fielded, with formal authorization from management to put it into production status.
Implementation/Assessment - security-related activities
- include installing or turning on security controls, performing security tests (e.g., functional tests, penetration tests), and producing the security evaluation report and accreditation statement.
Operation/Maintenance - system-related activities
1) Doing production operations and support work
2) Performing a post-implementation review
3) Undertaking system maintenance and modification work
4) Monitoring the system’s performance
During this phase, the system is fully operational and doing its work as intended and planned. The system is frequently modified by the addition of new hardware and software and by new functional requirements. The configuration management (CM) process is implemented with baselines and change controls.
Operation/Maintenance - security-related activities
1) Security operations and administration (e.g., performing backups, managing cryptographic keys, setting user access accounts, and updating security software)
2) Operational assurance (e.g., conducting system audits and continuous monitoring)
3) Periodic reaccreditation when security is insufficient and when the changes made are significant
What is the focus of system requirements in system development?
System requirements describe external behavior of a computer system. They focus on what the software is to accomplish. Requirements present unmet user needs and unsolved business problems.
What is the focus of system design in system development?
System design describes the internal behavior of a computer system. It focuses on how to develop solutions to unmet user needs and business problems. Design satisfies user needs and solves business problems.
What is the focus of system implementation in system development?
System implementation focuses on how to use and operate the software.
Disposal/Decommissioning - system-related activities
- include system retirement or replacement plans and media sanitization procedures. The computer system is disposed of (terminated) once the transition to a new computer system is completed.
Disposal/Decommissioning - security-related activities
1) Disposition of information (i.e., data sanitization), hardware, and software
2) Moving information to archives after considering legal and audit requirements for records retention and the method of retrieving the information in the future
3) Disposition of software after considering the licensing terms and agreements (site-specific) with the developer, if the agreement prevents the software from being transferred
4) Taking appropriate steps to ensure secure long-term storage of cryptographic keys, so that data that have been encrypted remain usable in the future
What should happen when a software-intensive system is retired or replaced?
- The data must be migrated by validated means to the new software-intensive system or must be made unreadable before disposal.
- Note that encrypted data may not be adequately protected if they are weakly encrypted.
- Simply stated, residual data equals residual risk.
What should be considered for storage devices used in a virtualization process?
- Before a device using a virtualization process permanently leaves an organization (such as when a leased server’s lease expires or when an obsolete personal computer [PC] is being recycled), the organization should remove any sensitive data from the host.
- Data may also need to be wiped if an organization provides loaner devices to teleworkers, particularly for travel.
- Note that sensitive data may be found nearly anywhere on a device because of the nature of virtualization.
- For this reason, an organization should strongly consider erasing all storage devices completely.
What should be considered with regard to the basic input/output system (BIOS)?
- A key activity in this phase is removing or destroying any sensitive data held in the basic input/output system (BIOS) to reduce the chances of accidental data leakage.
- The configuration baseline should be reset to the manufacturer’s default profile; in particular, sensitive settings, such as passwords, should be deleted from the system, and cryptographic keys should be removed from the key store.
6 models exist to either develop or acquire information systems.
In practice, a combination of these models may be deployed after considering time, cost, and skill constraints and trade-offs.
Name the 6 models.
1) Waterfall model
2) Rapid application development model
3) Incremental development model
4) Spiral model
5) Rapid prototyping model
6) Object-oriented development model
Models in system development - waterfall model
Takes a linear, sequential view of the software engineering process, similar to an SDLC model.
Models in system development - rapid application development model
- Opposite of the waterfall model
- Good when requirements are not fully understood by both parties
- Uses computer-aided software engineering (CASE) tools, fourth-generation programming languages (4GLs), and software-reuse modules to quickly prototype an information system.