Initiation

Time
5 hours 58 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Transcription
00:00
>> Welcome back to Cybrary. Yes, of course, I'm your instructor, Brad Rhodes. Let's talk about the first phase of the system development life cycle, and that is initiation. In this lesson, we're going to talk about security activities. In this phase, we're going to talk about the linkages from NIST, and we're going to define what initiation is.

Security activities are pretty straightforward. We've got to look at the CIA triad. For example, if we're talking about, say, an e-commerce site or something like that, they're probably going to be more concerned about availability and less about confidentiality and integrity. Obviously, PCI DSS, when it comes to a control set or a recommended control set for, say, credit card processing, they're going to care about that as well, but they really want to make sure the site is up so people can buy things from them.

We're going to look to see, do we need to handle information specially? For example, we talked about the credit card information. Obviously, that probably is PII, especially when we associate it with users and their home addresses and everything like that. If you've ever filled out a site for a purchase on a website, they ask for a lot of information, because if your credit card bounces, if you will, they have to come after you for the money. You are giving up that information willingly so that they can do that. Then, of course, any privacy requirements that exist.

Here's a challenge for ISSEs. ISSEs in the United States have a set of laws to follow, and there's 54 of them across the states and territories. If you go to Europe, you've got GDPR. If you go to East Asia, it's totally different. The way we do these security activities, and what's important to us, and what is a privacy requirement, is going to vary wildly depending on what jurisdiction you happen to be in.

These are the linkages in Phase 1, initiation. Up at the top here, we make a decision to initiate the system. From an ISSE perspective, we're going to be doing our security planning. We're going to be looking at all things here. We're going to categorize the information system. We're going to determine what our estimates are for security needed. We're going to ensure the security development of the system. We're going to look at business impacts. We're going to look at privacy impacts. We're going to develop things like our quality assurance plans. We've talked about those. At the end of this, we have an acquisition strategy, potentially. We've reviewed the system concept and cutoffs. We've done risk management. Right now, we've decided we're going to move to the development and acquisition phase.

Obviously, one of the big things we make a decision on here is what type of system development model we are going to use. Are we going to use Agile? Are we going to use Waterfall? Are we going to use Spiral? Are we going to use the V? This is where that decision is made, because if you don't make a decision in initiation and you roll right into the acquisition side, the next step in our process, we are potentially going to be not making a good decision on either acquisition or development. Part of the things that come out of initiation is those types of decisions.

What is initiation? Simple. We've talked about this. This is much akin to Discover Information Protection Needs, which we've talked about previously. It's really the requirements. When we are in the initiation phase of the system development life cycle, we are gathering the requirements that we need for this system, or the controls that we are going to be implementing for our organization.

In this lesson, we've talked about the security activities in the initiation phase. We talked about the linkages as defined by NIST and the decisions that come out of that. Ultimately, there's one big decision: are we going to move to acquisition or development? That's the big decision, and also the decision of which type of acquisition model we are going to follow, really tied to what your company or organization is going to use. Then we talked about the fact that initiation is our requirements. We'll see you next time.