The Security System Development Life Cycle (SecSDLC) follows the same methodology as the more commonly known System Development Life Cycle (SDLC), but the two differ in the specifics of the activities performed in each phase. Both the SecSDLC and the SDLC consist of the following phases:
- Investigation
- Analysis
- Logical Design
- Physical Design
- Implementation
- Maintenance
The SecSDLC process involves identifying specific threats and the risk they represent, as well as implementing the security controls needed to counter, mitigate and manage that risk. In the SDLC process, by contrast, the focus is on the design and implementation of an information system in an organization for use in information technology (IT).
Below is a brief explanation of the specific activities associated with each phase of the SecSDLC process.
Investigation – The investigation phase of the SecSDLC begins with a directive from upper management specifying the process, outcomes, and goals of the project, as well as its budget and other constraints.
Analysis – A preliminary analysis of existing security policies or programs, along with documented current threats and associated controls, is conducted.
Logical Design – In the logical design phase, team members create and develop the blueprint for security, and examine and implement key policies that influence later decisions.
Physical Design – In the physical design phase, team members evaluate the technology needed to support the security blueprint, generate alternative solutions, and agree upon a final design.
Implementation – The security solutions are acquired, tested, implemented, and tested again. Personnel issues are evaluated, and specific training and education programs are conducted.
Maintenance – Once the information security program has been implemented, it must be operated, properly managed, and kept up to date by means of established procedures.