Question

Describe 2 systems you developed and document what you did during the analysis, design, and implementation phases? Be specific, this question is worth 12 points. What happens if you jump too quickly to the design phase?

Answer #1

Information Security in the Systems Development Life Cycle

Planning:
During this first phase of the development life cycle, security considerations are key to diligent and early integration,
thereby ensuring that threats, requirements, and potential constraints in functionality and integration are considered.
At this point, security is looked at more in terms of business risks with input from the information security office.
For example, an agency may identify a political risk resulting from a prominent website being modified or made
unavailable during a critical business period, resulting in decreased trust by citizens.
Key security activities for this phase include:

Initial delineation of business requirements in terms of confidentiality, integrity, and availability;
Determination of information categorization and identification of known special handling requirements to transmit, store,
or create information such as personally identifiable information; and
Determination of any privacy requirements.

Analysis

This section addresses security considerations unique to the second SDLC phase.
Key security activities for this phase include:

Conduct the risk assessment and use the results to supplement the baseline security controls;
Analyze security requirements;
Perform functional and security testing;
Prepare initial documents for system certification and accreditation.

Design

During this phase of SDLC, the security architecture is designed.

Implementation

During this phase, the system will be installed and evaluated in the organization’s operational environment.
Key security activities for this phase include:

Integrate the information system into its environment;
Plan and conduct system certification activities in synchronization with testing of security controls; and
Complete system accreditation activities.

Maintenance/Support

In this phase, systems are in place and operating, enhancements and/or modifications to the system are developed and
tested, and hardware and/or software is added or replaced.
The system is monitored for continued performance in accordance with security requirements and needed system modifications
are incorporated.
The operational system is periodically assessed to determine how the system can be made more effective, secure,
and efficient.
Operations continue as long as the system can be effectively adapted to respond
to an organization’s needs while maintaining an agreed-upon risk level.
When necessary modifications or changes are identified, the system may reenter a previous phase of the SDLC.
Key security activities for this phase include:

Conduct an operational readiness review;
Manage the configuration of the system;
Institute processes and procedures for assured operations and continuous monitoring of the information system’s
security controls; and
Perform reauthorization as required.

2. SDLC Phases

Planning:
Planning the system requires the user to define what the problem is.
The planning may also include how the user would like to solve the problem.
Defining the scope of the problem is also important in this stage as well.
Defining the scope helps to prevent the project from scope creep.
Once the problem is determined, and one or more solutions have been selected, planning to implement the solution begins.
Multiple scenarios may be enacted to determine the best course of action for implementing the system.

Course of action should be well documented and take into consideration a schedule showing anticipated start and completion
times of activities (milestones) leading to the objectives, knowing expenditures required to achieve objectives,
scheduling regular status reviews (are we on course?), anticipating any organizational restructuring to accommodate
the objectives, anticipating and planning for mitigation of risks that may hinder achievements, implementing policies
and procedures for decision making, and defining a standard level of performance.

Within planning, according to John Sazinger, "five of the main activities must exist"; as he explains in his book,
the five activities should include:

Define the problem
Produce the project schedule
Confirm project feasibility
Staff the project
Launch the project[3]

Why do plans fail? Some of the many reasons are:

Goals/specifications are not understood.
Objectives are too extensive for the time allotted.
Budgets were not accurate.
Project is understaffed or underskilled.
Status reviews were not scheduled or insufficient.
Poor morale (no commitment).

One of the most difficult decisions in planning is to know when to pull the plug on a project.
This will require an effective control and monitoring system. If you cannot monitor a system you cannot control it.
No organization wants to admit failure but there may come a point when a project can no longer be salvaged.
This is especially critical with Information Technology projects because of rapidly changing technologies.
Most managers are reluctant to prematurely terminate a project as careers and egos are at stake.
The fallacy of sunk costs may play a role as well. The result is that projects continue beyond the point of no return.
To avoid this problem, monitor and control systems must be put in place early during the planning stage.
It is critical to define and enforce milestones where a project will be terminated if necessary.
A saving grace is that terminating a project doesn't make it a complete failure.
Excessive costs are saved for the organization and management can walk away with lessons learned that can be applied
to the next project.
In general there are two types of monitoring: "INFORMAL" and "FORMAL".
Informal are typically general meetings, email, and observing.
The formal include status reports, scheduled milestones, audits, reviews, and benchmarks.
The formal reviews are generally more costly and are used during system development processes.
Both systems can be used in combination and involve the questions:
"what performance metrics to use" and "how often do reviews occur"?
Attention and energy must be focused on identifying and correcting out-of-control processes.


Analysis

The analysis phase involves gathering requirements for the system.
At this stage, business needs are studied with the intention of making business processes more efficient.
The system analysis phase focuses on what the system will do in an effort that views all stakeholders
as viable sources of information. In the analysis phase, a significant amount of time is spent talking with
stakeholders and reviewing the stakeholder’s input. Common stakeholders for IT projects are:

Architecture office
Testing & certification office
Records management team
Application support group

Once stakeholders have been recognized, the gathering and analysis of the requirements can begin.
Requirement gathering must be related to business needs or opportunities.
Requirement analysis involves capturing requirements and analyzing requirements.
Capturing requirements is communicating with stakeholders to agree on what the requirements are.
Analyzing requirements is using standard tools to produce a baseline of the requirements.
Once the stakeholders concur on the requirements, the baseline is created and becomes the formal requirement source.

Within this analysis phase, the analyst is discovering and fact finding.
Along with meeting with stakeholders, the analyst must meet with end users to understand what the user's needs are and to
learn about problems that affect the current system in order to assist with designing a new and more efficient system.
There are several activities that must occur within the analysis phase:

Gather Information
Define the new system's requirements
Build prototypes for the new system
Prioritize requirements
Evaluate alternatives
Meet with management to discuss new options

Design

The design phase is concerned with the physical construction of the system.
Included are the design or configuration of the network (hardware, operating system, programming, etc.),
design of user interfaces (forms, reports, etc.), design of system interfaces (for communication with other systems),
and security issues. It is important that the proposed design be tested for performance,
and to ensure that it meets the requirements outlined during the analysis phase.
In other words, the main objective of this phase is to transform the previously defined requirements into a complete
and detailed set of specifications which will be used during the next phase. Some of the activities that need to
take place during the design phase are:

Design the application
Design and integrate the network
Design and integrate the database
Create a contingency plan
Start a Maintenance, Training and Operations plan
Review the design
Articulate the business processes and procedures
Establish a transition strategy
Deliver the System Design Document
Review final design

Implementation

Initiating a project first requires the documenting of needs or requirements.
Clear objectives should be developed from this study with reasons for selecting the objectives.
Deliverables then need to be documented along with the project scope.
Scope can be refined during this initialization process.
Assumptions and constraints should also be documented.
All stakeholders should be involved in this process.
This information will become the project's charter and the basis for initiating the project.
The project then follows the PLAN-DO-CHECK-ACT cycle
(as defined by Shewhart and modified by Deming, in the ASQ Handbook, American Society for Quality, 1999).
The results of each cycle will be linked to the next as input.
This process should increase the likelihood of deliverable acceptance.

In order to achieve deliverable acceptance and meet objectives, the new system being built must be tested.
Aligned with this, the end users must be fully trained so the company will benefit from the new system.
There are five activities that must be performed during the implementation phase:

Construct software components
Verify and test
Convert Data
Train end users and document the system
Install the system
