Risk Assessment on SDLC
We want to start the risk assessment right before the design stage.
We want to ensure that the design is secure and takes into consideration all the security risks that the system environment will be facing.
By understanding the risk and the risk level, all appropriate controls will be put in place at the design stage.
This will then ensure secure development, secure delivery and the end objective to have secure operation and maintenance.
I am thinking of using threat modelling risk assessment at the design stage.
As I understand it, the risk assessment is not a “one time do and forget” exercise. Thus, we should be having a periodic risk assessment, with review and monitoring. Maybe it is a good practice to have a yearly exercise.
For our environment, we should have it at every stage.
Hope to get some feedback from you on the above.
Answer: Your thinking is absolutely right. System security must be thought of as soon as possible in the development process, and should be periodically reviewed because of the identification of new types of threats, codification problems and opportunities for improvement. To ensure this thinking is considered in your organization's process, you should consider the implementation of a Secure Development Policy (a template for this policy is included in your toolkit, at folder 08 Annex A, subfolder A.14 System acquisition, development and maintenance), as well as integrating the security activities into your current development process. A good reference for secure development is the ISO 15408 standard, which you can see at this link: https://www.iso.org/standard/50341.html
These articles will provide you further explanation about secure development:
- How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
- How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/
Nov 14, 2017