Welcome back to Cybrary. Of course, I'm your instructor, Brad Rhodes. Let's jump into the next phase of the system development life cycle: acquisition/development.

So in this learning objective, we're going to cover the security activities. We're again gonna look at linkages. And we're gonna talk about what acquisition/development is.
So, our security activities here. When we talk about the acquisition/development process, we're going to do our risk assessment. We've talked previously, in the risk management domain, about what we do in risk assessments. We're gonna look at those security requirements that have come out of phase one. We are going to potentially perform functional security testing, where we're taking the things that we're gonna reuse, right? Maybe things like GOTS, government off-the-shelf, that already exist and that we could grab. We're gonna test those. We're gonna make sure they're gonna work for us. And we're going to start to prepare the documentation for certification and accreditation, which we now know, right, is tied to what we call the risk management framework, the RMF, and that's where we get terms like authority to operate or interim authority to operate.

And then the last thing we do from a security perspective here in the acquisition/development phase is we look at the architecture: where do the security controls that we need to mitigate risk fit into the overall design of our system?
So, based on the decision that we made in phase one, where we said, okay, if we're developing, here's what development model we're going to use, right? So here's what happens. We made the decision. We come in and we start to assess system risk. We then look at our controls and decide what we're gonna do, and those output into the security plan.

You should, for the ISSEP content, understand these outputs. They're very important to understand. Then we work on the security architecture, and out of that is the integration of security into our architecture, into our system. Then we're going to engineer those security controls, and basically that's where we place the controls, if we're developing, right, and put them into operations and test them. And then, importantly here, and this is a really important one, we're going to document what we do. This is one of those things that we struggle with in the infosec and cybersecurity communities. We are terrible at documentation. I'm personally terrible at documentation. You need to know and become very good at documentation. It just is what it is.

And then we have a series of control gates we go through, and then we decide: are we going to implement or not? Right. What's great about the system development life cycle is you could get all the way from your initiation phase into this acquisition/development phase and decide not to go forward. Right? And that's okay. That's the great thing. That's why each of the gates between the different functions and the different phases of the system development life cycle exists. They're decision points, right, that allow us to decide whether it's worth it to continue or not, and hopefully not waste a lot of money.
So what is acquisition/development? It's the buy versus build decision.

Okay, so maybe we're gonna buy something, because maybe it's less expensive to buy it than build it ourselves, because remember, if you build it yourself, you own all the zero days, right? That's a decision we have to make here. We can't just say we're going to develop. No, as ISSEPs, right, we're gonna do those trade-offs in each of those areas, because we want to make sure we make the right decision.

Then, of course, the flip side of that is build, right? Maybe we go out and assess the market when we're doing our buy/build decision process, and we determine, through a series of trade-offs (remember, we talked about trade-offs before), we go, man, it is just not worth it for us to expose the things that we're doing to buy something that would give away too much. Maybe we're developing a great set of threat intelligence feeds, and we don't want to give away our secret sauce by buying a bunch of stuff. And so we just decide to build it. So there's lots of reasons why we decide to buy. There's lots of reasons why we decide to build. But ISSEPs are at the forefront of helping to make those decisions from both a technical and a non-technical perspective.
So in this lesson we talked about the acquisition/development phase of the system development life cycle. We reviewed the security activities that ISSEPs do, we talked about the linkages and decisions around different things, and then we talked about how acquisition/development is the buy or build decision. It's modeling what it is we're going to do. Sometimes it's better to buy. Sometimes it's better to build, but as ISSEPs, we help to inform those decisions.

We'll see you next time.