A Comparison of the System Development Life Cycle and the Risk Management Framework

The System Development Life Cycle (SDLC) and the Risk Management Framework (RMF) are both processes that are critical to the overall function of an information system; however, many project managers and system developers working with the SDLC regularly neglect to incorporate the RMF steps into the development of information systems. This lack of planning and foresight often has unexpected financial impacts or, worse, adverse security effects on an organization later on. Is it possible these individuals overlook the RMF because it is difficult to follow or does not align well with the SDLC? What is the purpose of, and the steps involved with each of these
During SDLC phase one, the initiation phase, “the need for a system is expressed and the purpose of the system is documented” (NIST, 2008). Some of the expected outcomes from this phase are a project plan and schedule, system performance specifications outlining the operational requirements, system design documents, and a document that defines roles and responsibilities. The corresponding RMF step, security categorization, establishes the foundation for security standardization among information systems and is a vital step towards integrating security into the information system (NIST, 2008). During this step, the type(s) of information processed by the information system are identified, and the information system is categorized to determine the level of protection that must be put in place. Some of the expected outputs of this step include a security project plan and schedule, a documented system boundary, the system categorization, and the security roles and responsibilities. These two process steps are very similar, except that the focus of the RMF is on information security related functions. In some cases, the SDLC produces the outputs that the RMF requires, and the security professionals only need a copy of the documentation for their records. For example, the system design document often depicts the system boundary. The reason this step is so critical is that it
IT projects can have many different components, which creates the potential for more risks. These risks need to be identified, analyzed, and addressed as the project progresses (Schwalbe, 2014). There are different types of risk that can affect the implementation of a system that will allow people to manage their own human resource information. A positive risk can bring a project in under budget or ahead of schedule, while a negative risk can have adverse effects on a project, such as going far over budget. There are also some risks that have neither a positive nor a negative impact on a project. Identifying risks and addressing them is mostly handled by the program manager.
Another step involves security checks upon implementation and describes the agency-level threat to the business scenario or the mission. It similarly entails authorizing the information system for processing and, lastly, continuous monitoring of the security controls. FISMA and NIST's standards are aimed at offering ways for agencies to achieve their identified missions with security commensurate with the threat (United States Department of Agriculture, 2015). Together with guidelines from the Office of Management and Budget (OMB), FISMA and NIST create a framework for advancing and growing an information security program (SecureIT, 2008). Such a framework includes control descriptions and evaluation, program development, and system certification and accreditation. The final objective involves conducting the daily functioning of the agency and achieving the agency's articulated objectives with sufficient security commensurate with risk.
“The Federal Information Processing Standards Publication Series of the National Institute of Standards and Technology (NIST) is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act of 2002 (Public Law 107-347)” ("FIPS PUB 199," 2004). In this paper, FIPS PUB 199 has been chosen as the security standard used by the State of Maryland Department of Information Technology. This standard establishes standards for categorizing information and information systems. On the other hand, ISO/IEC 27001, which the State of Maryland does not use, is discussed as a contrasting standard.
This paper serves to direct the development team along a pathway of security, with the intent to share information about the most secure manner in which to implement this project. It must first be acknowledged that for information to be secured, information security must be integrated into the SDLC from system inception. The early integration of security in the
Other security elements concern data recovery, database administration, handling a breach in security, and administrative security policies such as access procedures, employee transfers, and excessive user access. As I assume the role of the chief security officer, database designer, database administrator, and chief applications designer, this project is very important to the armed services and the Virgin Islands National Guard as we strive to provide global security.
The continual striving for world-class health care has identified the systems life cycle as an important element in improving patient care. The systems development life cycle is a “phased approach to analysis and design which holds that systems are best developed through the use of a specific cycle of analyst and user activities” (Kendall & Kendall, 2014, p. 4). The seven phases of the systems life cycle are identifying problems, determining human information requirements, analyzing system needs, designing the system, developing and documenting software, testing and maintaining the system, and implementing and evaluating the system (Kendall & Kendall, 2014). The nurse informatician and the project manager play integral roles in the development and success of a project.
However, when IT projects fall behind schedule, these efficiencies can quickly evaporate and lead to cost overruns, glitches, and bugs. (3) Due to their inherently complex nature, IT projects are susceptible to many types of failure, mainly caused by a lack of risk management and flexibility. Many of the risks present in IT projects are unrealistic goals; inaccurate estimates of needed resources; badly defined system requirements; poor reporting of the project’s status; poor communication between developers and users; adoption of immature technology; inability to cope with project complexity; sloppy development practices; mismanagement of the project; stakeholder politics; and commercial pressures. (4) With so many potential risks, it is not surprising that IT projects completed on time and on budget are the exception rather than the rule. Additionally, before IT projects begin, clear objectives and the allocation of time and resources need to be defined, all of which are usually lacking for one reason or another. The result is a high failure rate associated with IT projects overall, which puts a spotlight on the need for organizations to improve their risk management abilities and design processes that will allow them the flexibility to reallocate resources when unexpected problems when they
Big corporations and health care organizations are always looking to improve their information systems to save time, money, and lives. One of the most widely used approaches to information systems is the System Development Life Cycle (SDLC). A system development effort can sometimes run over budget, and the corporation or organization will never be fully satisfied if its goals are not accomplished.
While this is a daunting task, by breaking these controls down into larger groups the basis for policies and procedures is outlined and framed. The key areas that must be met initially are the establishment of a system security plan that describes what we are implementing, as well as the security control requirements for the
In shaping new security policies, it is essential to have a full understanding of all aspects of the internal network and the services to be protected from both internal and outside threats. An article by Solms & Solms (2004) outlines several criteria for developing information security. First, a governing body must be formed to ensure all sensitive data is secured and to provide due
Risk management is an ongoing process that must continue through the life of a project. It includes processes for risk management planning, identification, analysis, monitoring, and control. These processes need to be reviewed throughout the project’s life cycle, as new risks arise during the implementation of the project. The objective of risk management is to decrease the probability and impact of events adverse to the project. On the other hand, any event that could have a positive impact should be exploited.
This second part of the article review focuses mainly on the controllable part (the Risk Management Framework, RMF). The controllable part contains six different phases that operate alongside the system development life cycle (SDLC). The controllable phases provide system developers with a way to enable security controls and to measure the risk level of the data and the system. Combining both parts yields a security framework that allows system developers to go through a step-by-step process to gather useful system data,
Computer systems play an important role in solving human problems in daily life. There is a standard set of steps for developing an information system, called the System Development Life Cycle (SDLC). The SDLC is the framework available to build a complete system. There are five phases in the SDLC, which are planning, analysis, design, coding, testing and maintenance (refer to Figure 1 in Appendix 1).