Sample Life Cycle Management Standard:

From HORSE - Holistic Operational Readiness Security Evaluation.
Revision as of 14:14, 1 May 2010 by Mdpeters (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Document History


Version Date Revised By Description
1.0 1 January 2010 <Current date> Michael D. Peters <Owners's name> This version replaces any prior version.


Document Certification


Description Date Parameters
Designated document recertification cycle in days: 30 - 90 - 180 - 365 <Select cycle>
Next document recertification date: 1 January 2011 <Date>


Sample Life Cycle Management Standard


The <Your Company Name> (the "Company") Sample Asset Management Policy defines objectives for establishing specific standards for properly managing the Company Information Technology infrastructure, including networks, systems, and applications that store, process, and transmit information assets.

This Life Cycle Management Standard builds on the objectives established in the Sample Asset Management Policy , and provides specific instructions and requirements for life cycle management of Company information systems, including hardware and software.

I. Scope


All employees, contractors, part-time and temporary workers, service providers, and those employed by others to perform work on Company premises, or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.

Encryption refers to a method of scrambling information to render it unreadable to anyone except the intended recipient, who must decrypt it to read it.

Life Cycle Management refers to the process of managing systems through several sequential phases, including design/acquisition, implementation, operation/maintenance, inventory, and disposal.

Information assets are defined in the Sample Asset Identification and Classification Policy.

Protection standard refers to the required system and security configuration for a network device, system, or application.

Sensitive information refers to information that is classified as Restricted or Confidential. Refer to the Sample Information Classification Standard for confidentiality classification categories.

System Security Accreditation refers to the formal authorization for system operation and acceptance of risk by an accrediting authority.

II. Requirements


A. General


1. Life cycle management requirements for enterprise-wide systems and applications developed by the Company or on behalf of the Company for production implementation are defined in the Sample System Development Life Cycle Standard.


2. The Company Life Cycle Management process shall include the following phases:


  • Design/Acquisition
  • Implementation
  • Operation/Maintenance
  • Disposal


B. Design/Acquisition Phase


1. Risk Assessment:


A. A risk assessment must be performed to examine the information assets, threats, and vulnerabilities of the system in order to determine the most appropriate and cost-effective security controls required for the system.


B. The scope of the risk assessment shall be commensurate with the sensitivity, complexity, and cost of the system.


2. Security Requirements:


A. Security requirements shall comply with applicable laws, regulations, and Company policies, standards, and guidelines.


B. Security requirements must support the functional needs of the system.


C. Existing security controls shall be utilized where available.


D. The selected computing environment, including facilities and supporting infrastructure, must support all security requirements of the system.


E. A statement should be made and documented in the environment description if the system has no specific security requirements above those required by Company asset protection standards.


F. The system design must include security administration functions.


G. Staffing requirements must include personnel to perform ongoing security administration functions.


H. The system must support a minimum separation of functionality between users and administrator access.


I. The system must provide the capability to log security administration activities.


J. The system must provide the capability to review system-generated logs.


K. The system must protect against deletion or alteration of audit records or logs from any source other than a specific program or person intended for that purpose.


L. Company policies, standards, and procedures shall be updated, if appropriate.


3. Contract Requirements:


A. Any contracts for purchase of hardware and software that are developed during Design/Acquisition Phase must include security and data privacy requirements.


B. Any contract for technical support of purchased hardware or software must include provisions to prohibit unauthorized disclosure of Company confidential information (e.g., system configuration, security settings) by the vendor.


C. Any contracts for staffing services, external hosting, or other service provisioning needs must address security, privacy, and data handling requirements.


4. Physical Delivery Requirements:


A. Access to a holding area from outside of the building should be restricted to identified and authorized personnel.


B. The holding area should be designed so that hardware can be unloaded without delivery staff gaining access to other parts of the building.


C. Incoming material should be inspected for potential hazards before it is moved from the holding area to the point of use.


D. Incoming hardware and software should be registered or inventoried, if appropriate, on entry to the site.


C. Implementation Phase


1. Implementation Requirements:


A. Required security controls must be enabled and configured.


B. Manual security processes required for implementation must be in place.


C. If the new system is replacing an existing system, procedures for maintaining security administration on both systems during the implementation must be established.
D. Backup and recovery of the security database must be verified.


E. Adequate change management control must be put into place after successful implementation.


F. Security administrators must be trained on the new security functions.


2. Testing Requirements:


A. Formal testing of security controls implemented in the system must be performed in order to determine whether security requirements and specifications have been met.


B. Security administration functions must be tested.


C. Technical support from the vendor during the testing is advisable.


D. The system must be tested when the security function is disabled to ensure that the application is fail-safe.


E. The system must be tested within the physical production environment to ensure that all supporting infrastructure controls function appropriately under realistic loads.


F. Systems that process, store, or transmit sensitive information require a system security accreditation.


G. System security accreditations shall be valid for a period not to exceed <SPECIFY TIMEFRAME>.


H. An independent third party should perform testing or validate the testing.


3. Documentation Requirements:


A. The vendor should provide adequate security documentation if the hardware and software is acquired or purchased off the shelf.


B. Training materials pertaining to security functionality of the system shall be distributed only to authorized security personnel.


C. A written vendor statement that all security controls have been provided and are functional must be obtained if the software is acquired or purchased off the shelf.


D. Operations/Maintenance Phase


1. Security Operations and Administration Requirements:


1. Several security tasks and activities shall be routinely performed to operate and administer the system, including but not limited to:


  • Administering users and access
  • Tuning performance
  • Performing backups
  • Performing system maintenance (i.e., testing and applying security updates and patches)
  • Conducting training and awareness
  • Conducting periodic system vulnerability assessments
  • Conducting annual risk reviews


2. Prior to sending system components off site for routine or emergency maintenance, adequate backups should be performed and sensitive information should be removed.


2. Operational Assurance Requirements:


A. Operational systems shall be reviewed to ensure that the security controls, both automated and manual, are functioning correctly and effectively.


B. Operational system logs must be periodically reviewed to evaluate the security of the system, and validate audit controls.


C. Ongoing monitoring of systems and users shall be implemented to ensure detection of security violations and unauthorized changes, and validate the effectiveness of the implemented security controls.


D. System auditing and monitoring efforts shall be conducted in accordance with the Sample Threat Monitoring Standard.


3. Change Management Requirements:


A. All changes to operational systems in the Company production environment must be made in accordance with the Sample Change Control Standard.


4. Re-Accreditation Requirements:


A. Accredited systems require re-accreditation after a time lapse of <SPECIFY TIMEFRAME> since the last accreditation.


B. Systems may require re-accreditation after major changes to the system.


E. Disposal Phase


1. Secure Disposal Requirements:


A. Determine data retention requirements for the system based on applicable laws, regulations, and Company policies, standards, and procedures.


B. Prior to disposal, sensitive information should be identified to determine if it should be transferred, archived, discarded, or destroyed.


C. Prior to disposal, encrypted information should be identified to determine if cryptographic keys require secure long-term storage.


D. Hardware devices containing sensitive information should be sanitized or securely overwritten.


E. Hardware devices containing sensitive information should be destroyed if they cannot be sanitized or securely overwritten.


F. Damaged hardware devices containing sensitive information may require a risk assessment to determine if the items should be destroyed, repaired or discarded.


G. The disposition of software shall be in accordance with applicable license agreements.


H. Disposal of system components including hardware and software should comply with applicable laws, regulations, and environmental statues and guidelines.


I. Assess and document how to mitigate residual application and infrastructure vulnerabilities.


J. Update Company policies, standards, and procedures, if appropriate.


2. Removal Requirements:


A. Hardware, information or software should not be moved or removed from Company facilities without authorization.


B. The removal of hardware or information from the system must comply with procedures determined by the Asset Owner.


C. Company inventories and records should be updated when hardware and software are removed.


III. Responsibilities


The Chief Information Security Officer (CISO) approves the Life Cycle Management Standard. The CISO also is responsible for ensuring the development, implementation, and maintenance of the Life Cycle Management Standard.

Legal counsel is responsible for ensuring that all licenses, contracts, and service agreements comply with Company policies and standards, and that data privacy and intellectual property rights are respected.

Company management, including senior management and department managers, is accountable for ensuring that the Life Cycle Management Standard is properly communicated and understood within its respective organizational units. Company management also is responsible for defining, approving, and implementing procedures in its organizational units and ensuring their consistency with the Life Cycle Management Standard.

Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for defining processes and procedures that are consistent with the Life Cycle Management Standard; ensuring cost-effective requirements and controls are defined and implemented; securing the required approval for hardware and software including procurement, implementation, operation, and maintenance costs; ensuring system security accreditation is obtained and retained; and ensuring compliance with applicable laws, regulations, and Company policies, standards, and guidelines.

Asset Custodians (Custodians) are the managers, administrators and those designated by the Owner to manage, process, or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information; proving routine system operation and administration; ensuring hardware and software are configured to meet system requirements and are in accordance with established Company protection standards; ensuring changes to hardware and software in the production environment are made in accordance with the Sample Change Control Standard; supporting accreditation efforts for sensitive systems; and cooperating with the Information Security Department and/or the Audit Department in operational assurance efforts.

Users are the individuals, groups, or organizations authorized by the Owner to access information assets. Users are responsible for familiarizing themselves and complying with the Life Cycle Management Standard and associated guidelines; following Company-approved processes and procedures for the life cycle management of hardware and software, including acquisition and disposal; and maintaining the confidentiality, integrity and availability of information accessed, consistent with the Owner's approved safeguards while under the User's control.

IV. Enforcement and Exception Handling


Failure to comply with the Life Cycle Management Standard and associated guidelines and procedures can result in disciplinary actions, up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.

Requests for exceptions to the Life Cycle Management Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Life Cycle Management Standard.

V. Review and Revision


The Life Cycle Management Standard will be reviewed and revised in accordance with the Sample Information Security Program Charter .

Approved: _______________________________________________________

Signature


<Insert Name>


Chief Information Security Officer