Systems Lifecycle Management

The Information Systems Security Lifecycle Management (ISSLM) article from TeleCommunication Systems (TCS) provides an overview of lifecycle management. The article expounds upon the business challenges associated with ISSLM from the perspective of an organization working with the DoD, details how information assurance (IA) is currently being handled and treated, and provides a recommended approach in the form of a process that can be applied to any area of an organization. As an organization, TCS has a relatively narrow focus, but its methodology follows DoD requirements, which can serve as a model for any organization.

First, a statement of work must be developed that addresses all aspects of information assurance. Next, security engineering must be an integral part of the design of an information system (IS) from the beginning, rather than being engineered in at a later point, which can lead to many problems or to insufficient security. A concept of operations must also be considered, taking the end user into account and ensuring that the way users will actually use the system does not interfere with the security of the system itself. Any formal or standard process the organization uses to ensure that an IS maintains its IA structure throughout the system's lifecycle, such as DIACAP for the DoD, must be incorporated. Personnel working on the system must be qualified and have the appropriate tools and materials. The lifecycle process must also contain strong configuration management procedures, and finally, systems must be maintained and updated according to the policies and procedures laid out by the organization.

Any organization that sets up its ISSLM to mirror the approach followed by the DoD will increase the effectiveness of its security.