Security Considerations in System Life Cycle:
Historically, many organizations addressed security as the last feature in the SLC
process. Luckily, regardless of the age of the system (new or legacy), security
considerations can be addressed, evaluated and accommodated. Again, the increased
sophistication of the intruder community and the more complicated technologies and
operating environments have proportionally affected the attention organizations are
devoting to these activities. Each of the five phases in the SLC; initiation,
development/acquisition, implementation, operational/maintenance, or
disposal/retirement has activities associated with them. Key activities for the various
stages include assessing data sensitivity and handling, risk assessments, and
operational technical and managerial controls analysis. Each component needs to be
defined, assessed and audited via standardized checklists for the appropriate phase
and reevaluated when operational systems are modified.
· Password/USERID Management:
Basic USERID policies should include the following:
o Be approved by appropriate level of management.
o Key information included on request (background investigation/security clearance
status, and tied to position; verified currency.
o Ideally tied systematically to HR and contractor database to verify pertinent
o Non-employee database maintained of pertinent information including
responsible manager, duration of access, etc.
o Signed statement (preferably digitally) acknowledging completed SATP and
understand responsibilities, policies and rules of behavior.
o Exit procedures include ISS signoff and termination of access.
o Periodic report to the responsible manager for review and certification of all
o All USERID are assigned to individuals
o Application processes USERIDs assigned to accountable individual
o USERID are not meaningful and access is not determined by the content of the
o Rules of behavior and consequences for violation are clearly defined.
o Termination after lack of use – criteria defined, exceptions analyzed and
o Failed attempts stopped at three, logged, reviewed and tracked.
o The requirement that documentation (preferably electronically) is required and
maintained for the life of the USERID/access.
Basic password policies should include the following:
o Initial password modification requirement
o Password aging and how many time back to check reused password content
o Only encrypted version stored/displayed (strength commensurate with sensitivity
of data being accessed.
o Shared secret when processing USERID or password reset


Leave Comment

Your email address will not be published. Required fields are marked *