KEMBAR78
Security Lifecycle Management | PPT
Barry Caplin, profile picture
Uploaded byBarry Caplin
PPT, PDF3,010 views

Security Lifecycle Management

The document discusses information lifecycle security management (ILSM) and outlines the key steps in the process. It begins with an overview of the Minnesota Department of Human Services (DHS) and its mission to help citizens meet basic needs. It then describes the DHS enterprise security strategy and emphasizes building security into systems from the beginning. Finally, it details the ILSM process which incorporates security activities at each stage of the system development lifecycle from concept through disposal.

Downloaded 111 times
ISM in the ILM (Information Lifecycle Security Management) Barry Caplin Chief Information Security Officer Minnesota Department of Human Services [email_address] May 18, 2006 10:00-11:00 a.m. Secure360
 
Agenda DHS Overview Enterprise Security Strategy Build Security In? Information Lifecycle Security Management
MN DHS Mission - helps people meet their basic needs so they can live in dignity and achieve their highest potential Consumers include: seniors who need help paying for hospital and nursing home bills or who need home-delivered meals families with children in a financial crisis parents who need child support enforcement or child care money people with physical or developmental disabilities who need assistance to live as independently as possible
MN DHS Direct service through: DHHS – Deaf and Hard of Hearing Services SOS – State Operated Services includes RTC’s – Regional Treatment Centers, including St. Peter, Moose Lake Forensics – St. Peter, Moose Lake, METO (MN Extended Treatment Options) State-run group homes New community-based treatment centers State-run nursing home – Ah-Gwah-Ching
MN DHS Administrations (Divisions): CFS – Children and Family Services – Child Support Enforcement, Endangerment, Social Services, Medical/Welfare Eligibility Chemical and Mental Health Services– including SOS Health Care Administration and Operations Continuing Care FMO – Finance and Management Operations – including Information Security, IT
MN DHS Programs are state-administered, county-delivered Including MinnesotaCare, Medical Assistance, General Assistance Medical Care, mental health services, alternative care services, chemical dependency services and regional treatment center services One of the largest state agencies 2500 CO, 5000 SOS distributed staff State and Federal funding
Enterprise Security Strategy
Security Strategy - The 10000 Foot View Information Security Governance Framework (COBIT Security Baseline) People Organization Awareness Technology Operations Architecture Enterprise High-Level Functions Information Risk Management Information Policy Information Lifecycle Management Process
Security Strategy Governance organization operations architecture awareness people technology IRM Policy ILM Processes
Security Strategy 4 C’s Confidence Credibility Communication Compliance Governance organization operations architecture awareness people technology IRM Policy ILM Processes
Build Security In?
Build Security In What do we mean by this? Everyone says it… but how? https://buildsecurityin.us-cert.gov/portal/
Why Build Security In?
Why Build Security In?
Cost – “measure twice, cut once” Efficiency – build it “right” the first time Time – fixing problems later will likely delay production use Why Build Security In?
SDLC SEI-CMMI (formerly CMM) ( http:// www.sei.cmu.edu/cmmi / ) IEEE and ISO 12207 standards ( http://www.acm.org/tsc/lifecycle.html ). Extreme Programming ( http://www.xprogramming.com/ , http://www.extremeprogramming.org/ ) On Wikipedia ( http:// en.wikipedia.org/wiki/Software_development_life_cycle )
Information Lifecycle Security Management
Information Lifecycle Security Management
Operate Major Release Software Development Lifecycle (SDLC) Maintenance Lifecycle Dispose Information Lifecycle Security Management Deploy Develop Design Analysis Concept
Operate Major Release Deploy Develop Design Analysis Concept Information Lifecycle Security Management Preliminary Risk Analysis Business Impact Analysis Privacy and Security Requirements BCP/ COOP Privacy and Security Mitigation Plans Incident Response Plans Security Test Plans BCP/COOP Testing & Maintenance IT Audit Business Requirements Security Sign off Security Sign off
Business Requirements A statement of the business problem or challenge the business area needs to solve Should not include recommended technical solutions Constraints/Assumptions Concept Business Requirements
Preliminary Risk Analysis Security Questionnaire Preliminary Privacy Analysis Preliminary Security Risk Analysis Risk Briefing Concept Risk of not doing Preliminary Risk Analysis
Privacy and Security Requirements Preliminary Privacy Assessment Preliminary Security Risk Assessment Privacy Requirements Security Requirements Preliminary Design Requirements Analysis Words To Live By: “ Minimum Necessary” Privacy and Security Requirements
Business Impact Analysis Business/System Impact Analysis Analysis Business Impact Analysis
Security Sign-Off Keys: Business Requirements received Requirements understood (by business area) Risks acknowledged Security Sign off
Privacy and Security Requirements Vendor Security Questionnaire Security Architecture Assessment Information Policy Analysis Risk Assessment (OCTAVE) HIPAA Assessment Detailed Design Requirements Project Security Roadmap & Required Doc List Design Privacy and Security Requirements
Detailed Security Architecture Design Design Review Security Risk Mitigation Plans Action Plan for compliance design Design Privacy and Security Mitigation Plans Privacy and Security Mitigation Plans
Business Continuity/Disaster Recovery Business Continuity Planning Disaster Recovery Planning Preliminary COOP (Continuity Of Operations Plan) Document Design BCP/ COOP
Security Test Plans Test Data Plans Security Testing Plan Security Testing Use/Abuse Cases Code Review Tools Vulnerability Assessment Develop Security Test Plans
Incident Response Plans Incident Response Plans Final COOP Develop Incident Response Plans
Security Sign-Off Keys: Identified issues mitigated Assessments completed Security Requirements met Documentation completed BCP/COOP completed Security Sign off
Deploy Change Management Monitoring Deploy
IT Audit Security Policy Compliance Review (COBIT Audit Guideline) Operate IT Audit
BCP/COOP Testing & Maintenance Plan Testing Plan Updates & Review BIA Updates Operate BCP/COOP Testing & Maintenance
Major Release What is a Major Release? Significant new functionality Code rewrites Significant architecture or design changes Site Dependent May require any/all ILSM steps Major Release
Information Disposal Measures based on: Business type Data classification Regulatory issues: PHI FTI Others… Dispose
Operate Major Release Deploy Develop Design Analysis Concept Information Lifecycle Security Management Preliminary Risk Analysis Business Impact Analysis Privacy and Security Requirements BCP/ COOP Privacy and Security Mitigation Plans Incident Response Plans Security Test Plans BCP/COOP Testing & Maintenance IT Audit Business Requirements Security Sign off Security Sign off
Final Thoughts SMT buy in is critical Be consistent Advertise, advertise, advertise
Discussion?

More Related Content

PPT
Internal Risk Management
byBarry Caplin
 
PPTX
Cissp- Security and Risk Management
byHamed Moghaddam
 
PPTX
Risk Management and Security in Strategic Planning
byKeyaan Williams
 
PDF
Simplifying the data privacy governance quagmire building automated privacy ...
byAvinash Ramineni
 
PPTX
A guide to Sustainable Cyber Security
byErnest Staats
 
PPTX
Risk Management Approach to Cyber Security
byErnest Staats
 
PPTX
Information Security - Back to Basics - Own Your Vulnerabilities
byJack Nichelson
 
DOCX
SEC440: Incident Response Plan
byThomas Christopher Ty
 
Internal Risk Management
byBarry Caplin
 
Cissp- Security and Risk Management
byHamed Moghaddam
 
Risk Management and Security in Strategic Planning
byKeyaan Williams
 
Simplifying the data privacy governance quagmire building automated privacy ...
byAvinash Ramineni
 
A guide to Sustainable Cyber Security
byErnest Staats
 
Risk Management Approach to Cyber Security
byErnest Staats
 
Information Security - Back to Basics - Own Your Vulnerabilities
byJack Nichelson
 
SEC440: Incident Response Plan
byThomas Christopher Ty
 

What's hot

PPTX
Information risk management
byAkash Saraswat
 
PPTX
How to assess and manage cyber risk
byStephen Cobb
 
PDF
Chapter 12 iso 27001 awareness
bynewbie2019
 
PPTX
Information Security Management
byEC-Council
 
PPTX
Network Security: Physical security
bylalithambiga kamaraj
 
PDF
Cybersecurity Goverence for Boards of Directors
byPaul Feldman
 
PPT
Information Security
bychenpingling
 
PDF
Incident Response
byInnoTech
 
PDF
Physical Security Management System
byDaniel Suchy, CPP, MSyI
 
PDF
Craft Your Cyber Incident Response Plan (Before It's Too Late)
byResilient Systems
 
PPTX
Cybertopicsecurity_3
byAnne Starr
 
PDF
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 
PDF
How to Build an Insider Threat Program in 30 Minutes
byObserveIT
 
PDF
Dealing with Information Security, Risk Management & Cyber Resilience
byDonald Tabone
 
PDF
The Accidental Insider Threat
byMurray Security Services
 
PDF
Internal Threats: The New Sources of Attack
byMekhi Da ‘Quay Daniels
 
PDF
Cybersecurity Challenges in Healthcare
byDoug Copley
 
PPTX
Introduction to Cybersecurity Fundamentals
byToño Herrera
 
PDF
IT Risk Management
byTudor Damian
 
PPTX
MIS: Information Security Management
byJonathan Coleman
 
Information risk management
byAkash Saraswat
 
How to assess and manage cyber risk
byStephen Cobb
 
Chapter 12 iso 27001 awareness
bynewbie2019
 
Information Security Management
byEC-Council
 
Network Security: Physical security
bylalithambiga kamaraj
 
Cybersecurity Goverence for Boards of Directors
byPaul Feldman
 
Information Security
bychenpingling
 
Incident Response
byInnoTech
 
Physical Security Management System
byDaniel Suchy, CPP, MSyI
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
byResilient Systems
 
Cybertopicsecurity_3
byAnne Starr
 
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 
How to Build an Insider Threat Program in 30 Minutes
byObserveIT
 
Dealing with Information Security, Risk Management & Cyber Resilience
byDonald Tabone
 
The Accidental Insider Threat
byMurray Security Services
 
Internal Threats: The New Sources of Attack
byMekhi Da ‘Quay Daniels
 
Cybersecurity Challenges in Healthcare
byDoug Copley
 
Introduction to Cybersecurity Fundamentals
byToño Herrera
 
IT Risk Management
byTudor Damian
 
MIS: Information Security Management
byJonathan Coleman
 

Similar to Security Lifecycle Management

PDF
Technology Trends: Value Office
bySSF Global
 
PPTX
EMC SourceOne for SharePoint
byJ. David Morris
 
PPT
Use of the COBIT Security Baseline
byBarry Caplin
 
PDF
CHIME LEAD Fourm Houston - "Creating an Effective Cyber Security Strategy: Ke...
byHealth IT Conference – iHT2
 
PDF
Emerging Trends in Information Privacy and Security
byJessica Santamaria
 
PDF
Emerging Trends in Information Privacy and Security
byJessica Santamaria
 
PPTX
Contract Security Officer Services
byAnthony Noblett CISSP, CISA, CGEIT, CRISC, CCSK
 
PPTX
DojoSec FISMA Presentation
bydanphilpott
 
PPT
Intro.ppt
byRamaNingaiah
 
PPT
Introduction to Information Security CSE
byBurhanKhan774154
 
PDF
1. Security and Risk Management
bySam Bowne
 
PPT
Info Security & PCI(original)
byNCTechSymposium
 
PPT
Intro kavindu rasanjahshdjdhhjxjxuxgxjdjs
byrasanjakavindu54
 
PPTX
IQPC eDiscovery Goverment - Washington D.C.
byJ. David Morris
 
PDF
CIS 2015- Assessing the Risk of Identity and Access- Venkat Rajaji
byCloudIDSummit
 
PPTX
ch1.pptx Chapter 1 of CISSP ch1.pptx Chapter 1 of CISSPch1.pptx Chapter 1 of ...
bydrsajjad13
 
PPTX
Database development and security certification and accreditation plan pitwg
byJohn M. Kennedy
 
PPT
S nandakumar_banglore
byIPPAI
 
PPT
S nandakumar
byIPPAI
 
PPT
Cyber crime with privention
byManish Dixit Ceh
 
Technology Trends: Value Office
bySSF Global
 
EMC SourceOne for SharePoint
byJ. David Morris
 
Use of the COBIT Security Baseline
byBarry Caplin
 
CHIME LEAD Fourm Houston - "Creating an Effective Cyber Security Strategy: Ke...
byHealth IT Conference – iHT2
 
Emerging Trends in Information Privacy and Security
byJessica Santamaria
 
Emerging Trends in Information Privacy and Security
byJessica Santamaria
 
Contract Security Officer Services
byAnthony Noblett CISSP, CISA, CGEIT, CRISC, CCSK
 
DojoSec FISMA Presentation
bydanphilpott
 
Intro.ppt
byRamaNingaiah
 
Introduction to Information Security CSE
byBurhanKhan774154
 
1. Security and Risk Management
bySam Bowne
 
Info Security & PCI(original)
byNCTechSymposium
 
Intro kavindu rasanjahshdjdhhjxjxuxgxjdjs
byrasanjakavindu54
 
IQPC eDiscovery Goverment - Washington D.C.
byJ. David Morris
 
CIS 2015- Assessing the Risk of Identity and Access- Venkat Rajaji
byCloudIDSummit
 
ch1.pptx Chapter 1 of CISSP ch1.pptx Chapter 1 of CISSPch1.pptx Chapter 1 of ...
bydrsajjad13
 
Database development and security certification and accreditation plan pitwg
byJohn M. Kennedy
 
S nandakumar_banglore
byIPPAI
 
S nandakumar
byIPPAI
 
Cyber crime with privention
byManish Dixit Ceh
 

More from Barry Caplin

PPTX
Healing healthcare security
byBarry Caplin
 
PPTX
It’s not If but When 20160503
byBarry Caplin
 
PPTX
Dreaded Embedded sec360 5-17-16
byBarry Caplin
 
PPTX
It’s not if but when 20160503
byBarry Caplin
 
PPT
Wearing Your Heart On Your Sleeve - Literally!
byBarry Caplin
 
PPTX
CISOs are from Mars, CIOs are from Venus
byBarry Caplin
 
PPTX
Online Self Defense - Passwords
byBarry Caplin
 
PPT
The CISO Guide – How Do You Spell CISO?
byBarry Caplin
 
PPT
Bullying and Cyberbullying
byBarry Caplin
 
PPT
3 factors of fail sec360 5-15-13
byBarry Caplin
 
PPT
Tech smart preschool parent 2 13
byBarry Caplin
 
PPT
Embracing the IT Consumerization Imperative NG Security
byBarry Caplin
 
PPT
Online Self Defense
byBarry Caplin
 
PPT
Embracing the IT Consumerization Imperitive
byBarry Caplin
 
PPT
Embracing the IT Consumerization Imperitive
byBarry Caplin
 
PPTX
Stuff my ciso says
byBarry Caplin
 
PPTX
IT Consumerization – iPad’ing the Enterprise or BYO Malware?
byBarry Caplin
 
PPT
Toys in the office 11
byBarry Caplin
 
PPT
Accidental Insider
byBarry Caplin
 
PPT
Teens 2.0 - Teens and Social Networks
byBarry Caplin
 
Healing healthcare security
byBarry Caplin
 
It’s not If but When 20160503
byBarry Caplin
 
Dreaded Embedded sec360 5-17-16
byBarry Caplin
 
It’s not if but when 20160503
byBarry Caplin
 
Wearing Your Heart On Your Sleeve - Literally!
byBarry Caplin
 
CISOs are from Mars, CIOs are from Venus
byBarry Caplin
 
Online Self Defense - Passwords
byBarry Caplin
 
The CISO Guide – How Do You Spell CISO?
byBarry Caplin
 
Bullying and Cyberbullying
byBarry Caplin
 
3 factors of fail sec360 5-15-13
byBarry Caplin
 
Tech smart preschool parent 2 13
byBarry Caplin
 
Embracing the IT Consumerization Imperative NG Security
byBarry Caplin
 
Online Self Defense
byBarry Caplin
 
Embracing the IT Consumerization Imperitive
byBarry Caplin
 
Embracing the IT Consumerization Imperitive
byBarry Caplin
 
Stuff my ciso says
byBarry Caplin
 
IT Consumerization – iPad’ing the Enterprise or BYO Malware?
byBarry Caplin
 
Toys in the office 11
byBarry Caplin
 
Accidental Insider
byBarry Caplin
 
Teens 2.0 - Teens and Social Networks
byBarry Caplin
 

Recently uploaded

PDF
NSSHOEU-J 4x35mm² Cable Specification.pdf
byAnhui Feichun Special Cable Co., Ltd.
 
PDF
Atlantix is an AI-first venture studio, building companies with AI at the core
byadmin625551
 
PDF
Agentic AI Guide for Enterprise Use-cases
byDebmalya Biswas
 
PPTX
Agentic AI Solutions and Services | Aeologic
byankitaeologic
 
PDF
Unlock This Brilliant App Freezur That Builds Brainrot Videos That Captivate ...
bySOFTTECHHUB
 
PDF
2025 October Patch Tuesday
byIvanti
 
PDF
Using Copilot with Microsoft Office Apps
byDeb Walther
 
PPTX
CBD Belgium 2025 - The adventures of a Microsoft 365 Platform Owner.pptx
byJasper Oosterveld
 
PPTX
Session 5 - Specialized AI Associate Series: Build a Document Understanding ...
byDianaGray10
 
PDF
From Bots to Brains: Getting Started with Agentic Automation in UiPath
byUiPathCommunity
 
PDF
A fool with a tool is still a fool - Plone Conference 2025
byAndreas Jung
 
PDF
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
PDF
UnityNet Digital Sovereignty Checklist 2025-10-13
byLHelferty
 
PDF
Beyond Generative AI: Creating Demand for Compute in the 2030s
byReidar Wasenius
 
PDF
TrustArc Webinar - Migration to TrustArc: What Your Journey Will Look Like
byTrustArc
 
PDF
What's New? ThousandEyes Features and Highlights: October 2025
byThousandEyes
 
PDF
The invisible key: Securing the new attack vector of OAuth tokens
byGianluca Varisco
 
PDF
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
PDF
Meta and Apple close to settling EU cases.pdf
byLUMINATIVE MEDIA/PROJECT COUNSEL MEDIA GROUP
 
PPTX
"Daily workflows with Cursor IDE", Maksym Anisimov
byFwdays
 
NSSHOEU-J 4x35mm² Cable Specification.pdf
byAnhui Feichun Special Cable Co., Ltd.
 
Atlantix is an AI-first venture studio, building companies with AI at the core
byadmin625551
 
Agentic AI Guide for Enterprise Use-cases
byDebmalya Biswas
 
Agentic AI Solutions and Services | Aeologic
byankitaeologic
 
Unlock This Brilliant App Freezur That Builds Brainrot Videos That Captivate ...
bySOFTTECHHUB
 
2025 October Patch Tuesday
byIvanti
 
Using Copilot with Microsoft Office Apps
byDeb Walther
 
CBD Belgium 2025 - The adventures of a Microsoft 365 Platform Owner.pptx
byJasper Oosterveld
 
Session 5 - Specialized AI Associate Series: Build a Document Understanding ...
byDianaGray10
 
From Bots to Brains: Getting Started with Agentic Automation in UiPath
byUiPathCommunity
 
A fool with a tool is still a fool - Plone Conference 2025
byAndreas Jung
 
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
UnityNet Digital Sovereignty Checklist 2025-10-13
byLHelferty
 
Beyond Generative AI: Creating Demand for Compute in the 2030s
byReidar Wasenius
 
TrustArc Webinar - Migration to TrustArc: What Your Journey Will Look Like
byTrustArc
 
What's New? ThousandEyes Features and Highlights: October 2025
byThousandEyes
 
The invisible key: Securing the new attack vector of OAuth tokens
byGianluca Varisco
 
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
Meta and Apple close to settling EU cases.pdf
byLUMINATIVE MEDIA/PROJECT COUNSEL MEDIA GROUP
 
"Daily workflows with Cursor IDE", Maksym Anisimov
byFwdays
 

Security Lifecycle Management

  • 1.
    ISM in theILM (Information Lifecycle Security Management) Barry Caplin Chief Information Security Officer Minnesota Department of Human Services [email_address] May 18, 2006 10:00-11:00 a.m. Secure360
  • 2.
  • 3.
    Agenda DHS OverviewEnterprise Security Strategy Build Security In? Information Lifecycle Security Management
  • 4.
    MN DHS Mission- helps people meet their basic needs so they can live in dignity and achieve their highest potential Consumers include: seniors who need help paying for hospital and nursing home bills or who need home-delivered meals families with children in a financial crisis parents who need child support enforcement or child care money people with physical or developmental disabilities who need assistance to live as independently as possible
  • 5.
    MN DHS Directservice through: DHHS – Deaf and Hard of Hearing Services SOS – State Operated Services includes RTC’s – Regional Treatment Centers, including St. Peter, Moose Lake Forensics – St. Peter, Moose Lake, METO (MN Extended Treatment Options) State-run group homes New community-based treatment centers State-run nursing home – Ah-Gwah-Ching
  • 6.
    MN DHS Administrations(Divisions): CFS – Children and Family Services – Child Support Enforcement, Endangerment, Social Services, Medical/Welfare Eligibility Chemical and Mental Health Services– including SOS Health Care Administration and Operations Continuing Care FMO – Finance and Management Operations – including Information Security, IT
  • 7.
    MN DHS Programsare state-administered, county-delivered Including MinnesotaCare, Medical Assistance, General Assistance Medical Care, mental health services, alternative care services, chemical dependency services and regional treatment center services One of the largest state agencies 2500 CO, 5000 SOS distributed staff State and Federal funding
  • 8.
  • 9.
    Security Strategy -The 10000 Foot View Information Security Governance Framework (COBIT Security Baseline) People Organization Awareness Technology Operations Architecture Enterprise High-Level Functions Information Risk Management Information Policy Information Lifecycle Management Process
  • 10.
    Security Strategy Governanceorganization operations architecture awareness people technology IRM Policy ILM Processes
  • 11.
    Security Strategy 4C’s Confidence Credibility Communication Compliance Governance organization operations architecture awareness people technology IRM Policy ILM Processes
  • 12.
  • 13.
    Build Security InWhat do we mean by this? Everyone says it… but how? https://buildsecurityin.us-cert.gov/portal/
  • 14.
  • 15.
  • 16.
    Cost – “measuretwice, cut once” Efficiency – build it “right” the first time Time – fixing problems later will likely delay production use Why Build Security In?
  • 17.
    SDLC SEI-CMMI (formerlyCMM) ( http:// www.sei.cmu.edu/cmmi / ) IEEE and ISO 12207 standards ( http://www.acm.org/tsc/lifecycle.html ). Extreme Programming ( http://www.xprogramming.com/ , http://www.extremeprogramming.org/ ) On Wikipedia ( http:// en.wikipedia.org/wiki/Software_development_life_cycle )
  • 18.
    Information Lifecycle Security Management
  • 19.
  • 20.
    Operate Major ReleaseSoftware Development Lifecycle (SDLC) Maintenance Lifecycle Dispose Information Lifecycle Security Management Deploy Develop Design Analysis Concept
  • 21.
    Operate Major ReleaseDeploy Develop Design Analysis Concept Information Lifecycle Security Management Preliminary Risk Analysis Business Impact Analysis Privacy and Security Requirements BCP/ COOP Privacy and Security Mitigation Plans Incident Response Plans Security Test Plans BCP/COOP Testing & Maintenance IT Audit Business Requirements Security Sign off Security Sign off
  • 22.
    Business Requirements Astatement of the business problem or challenge the business area needs to solve Should not include recommended technical solutions Constraints/Assumptions Concept Business Requirements
  • 23.
    Preliminary Risk AnalysisSecurity Questionnaire Preliminary Privacy Analysis Preliminary Security Risk Analysis Risk Briefing Concept Risk of not doing Preliminary Risk Analysis
  • 24.
    Privacy and SecurityRequirements Preliminary Privacy Assessment Preliminary Security Risk Assessment Privacy Requirements Security Requirements Preliminary Design Requirements Analysis Words To Live By: “ Minimum Necessary” Privacy and Security Requirements
  • 25.
    Business Impact AnalysisBusiness/System Impact Analysis Analysis Business Impact Analysis
  • 26.
    Security Sign-Off Keys:Business Requirements received Requirements understood (by business area) Risks acknowledged Security Sign off
  • 27.
    Privacy and SecurityRequirements Vendor Security Questionnaire Security Architecture Assessment Information Policy Analysis Risk Assessment (OCTAVE) HIPAA Assessment Detailed Design Requirements Project Security Roadmap & Required Doc List Design Privacy and Security Requirements
  • 28.
    Detailed Security ArchitectureDesign Design Review Security Risk Mitigation Plans Action Plan for compliance design Design Privacy and Security Mitigation Plans Privacy and Security Mitigation Plans
  • 29.
    Business Continuity/Disaster RecoveryBusiness Continuity Planning Disaster Recovery Planning Preliminary COOP (Continuity Of Operations Plan) Document Design BCP/ COOP
  • 30.
    Security Test PlansTest Data Plans Security Testing Plan Security Testing Use/Abuse Cases Code Review Tools Vulnerability Assessment Develop Security Test Plans
  • 31.
    Incident Response PlansIncident Response Plans Final COOP Develop Incident Response Plans
  • 32.
    Security Sign-Off Keys:Identified issues mitigated Assessments completed Security Requirements met Documentation completed BCP/COOP completed Security Sign off
  • 33.
    Deploy Change ManagementMonitoring Deploy
  • 34.
    IT Audit SecurityPolicy Compliance Review (COBIT Audit Guideline) Operate IT Audit
  • 35.
    BCP/COOP Testing &Maintenance Plan Testing Plan Updates & Review BIA Updates Operate BCP/COOP Testing & Maintenance
  • 36.
    Major Release Whatis a Major Release? Significant new functionality Code rewrites Significant architecture or design changes Site Dependent May require any/all ILSM steps Major Release
  • 37.
    Information Disposal Measuresbased on: Business type Data classification Regulatory issues: PHI FTI Others… Dispose
  • 38.
    Operate Major ReleaseDeploy Develop Design Analysis Concept Information Lifecycle Security Management Preliminary Risk Analysis Business Impact Analysis Privacy and Security Requirements BCP/ COOP Privacy and Security Mitigation Plans Incident Response Plans Security Test Plans BCP/COOP Testing & Maintenance IT Audit Business Requirements Security Sign off Security Sign off
  • 39.
    Final Thoughts SMTbuy in is critical Be consistent Advertise, advertise, advertise
  • 40.