Managing Risk from the Inception

Imagine that you are building a new office building. You trust the builder to include all the necessary components, such as the foundation, framing, wiring, plumbing, and walls. What would happen if a couple of days before you moved in, the builder told you that he had forgotten to install the plumbing? Obviously, the time and effort involved at this point is substantial and will considerably delay your move-in date, and will it really be to the same standard as if it were installed from inception?

Security is as important to our systems as plumbing is for your office or home. Building security into a system, process or product early in its design is less expensive and time-consuming than trying to re-mediate a system that isnít secure or . Planning for security enables your projectís success by dedicating sufficient time, money, and people. Policy, documentation, and a review of requirements help you ensure that all functions required by a system are implemented correctly

Security and Project Management

When you integrate security from inception into the System Design Life Cycle works to your advantage. Such a model benefits you by ensuring the most cost-effective security controls are chosen and implemented. It also increases the consistency and standardization of controls implemented throughout your product, service and company, reducing operational costs. Thinking of security early in the SDLC ensures vulnerabilities are addressed before they can disrupt business and helps risk management become part of the culture.

Before you can begin building a system, process or product you need to look at the system requirements, regulatory compliance requirements, and the enterprise environment. The system you develop will have a sensitivity level depending on these factors. For instance, service, benefit, and medical information systems have different acceptable risk exposure and sensitivity levels. An analysis provides the backbone of your planning efforts. Understanding how information in your system will affect and be affected by the enterprise governs the security strategy. It also affects the allocation of the resources you need to offset and mitigate risks.

The Threat is real, the attacks are increasing in sophistication and frequency.

Threat - the potential to cause unauthorized disclosure, changes, or destruction to an asset

  • Impact: potential breach in confidentiality, unavailability of information, and integrity failure
  • Types: natural, environmental, and man-made

Cyber attacks - attacks that are malicious with the intent to cause major disruptions to our everyday government operations

  • The Department of Defense (DoD) detects three million unauthorized "scans" - or attempts by possible intruders to access official networks every day
  • The Department of Homeland Security (DHS) received 37,000 reports of attempted breaches on government and private systems within Fiscal Year 2007 (FY07) - an increase of 54 percent from FY06