Which of the following phases of a system development life-cycle is most concerned with establishing a good security policy as the foundation for design?
Answer: C
A security policy is an important document to develop while designing an information system.
The security policy begins with the organization's basic commitment to information security formulated as a general policy statement.
The policy is then applied to all aspects of the system design or security solution.
The policy identifies security goals (e.g., confidentiality, integrity, availability, accountability, and assurance) the system should support, and these goals guide the procedures, standards and controls used in the IT security architecture design.
The policy also should require definition of critical assets, the perceived threat, and security-related roles and responsibilities.
Source: Gary Stoneburner et al., NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), National Institute of Standards and Technology (NIST), June 2001, page 6.
The phase of the system development life-cycle that is most concerned with establishing a good security policy as the foundation for design is the initiation phase.
During the initiation phase, the security policy is developed to set out the objectives, goals, and requirements for the security controls that will be implemented across the rest of the life-cycle. The policy is a crucial component of any security program because it gives direction to the design, implementation, and maintenance of the controls that protect the system and its data.
The initiation phase involves identifying the need for the system, defining the scope and objectives, and determining the feasibility of the project. The security policy should be developed early on in this phase to ensure that security requirements are considered throughout the entire system development life-cycle.
The development/acquisition phase focuses on building or acquiring the system, and security requirements identified in the initiation phase are incorporated into the system design. The implementation phase involves installing, testing, and deploying the system. During this phase, security controls are implemented and tested to ensure they meet the requirements established in the security policy.
The operation/maintenance phase covers ongoing operation, monitoring, and support of the system. During this phase, security controls are regularly reviewed and updated to address new threats or vulnerabilities, and any change to the system is checked against the policy established at initiation.
In summary, the initiation phase is most concerned with establishing a good security policy as the foundation for design, and it is important to ensure that security requirements are considered throughout the entire system development life-cycle.