After I read the NIST 800-64 publication on “Security Considerations in the Software Development Life Cycle”, particularly the segment focusing on the operations and maintenance phase, I felt that I had taken in a lot of information to process all at once in regards to security considerations for operations and maintenance. After reading through a second time, I understand now why they go into so much detail, as the idea of discontinuing a once-important software for an organization can be a daunting task in regards to information security. The primary reasons that cause organizations to enter the disposal phase of the software development life cycle is when the information systems become obsolete, are no longer being supported by updates from the manufacturer, become inoperative, or are simply replaced by a newer system. In order for an organization to dispose of their information systems, the NIST article explains that a Disposal and Transition Plan need to be in place to ease the process. This is often followed by a properly indexed information preservation function, followed by a well-documented sanitization of all the outdated information systems. The next phase has multiple decisions that could be taken and is often decided at the discretion of the organization, developer, or regulation, which is the physical disposal of the information system. An interesting note that was included in this step was that property accountability requirements should still be considered as important, even during the disposal phase. The disposal phase ends on the official closure of the system, where all relevant parties are notified and closure documentation is archived.
Operations and maintenance phase are the fourth phase of the SDLC where systems are present and in operations at the same time. In this stage, it is very important to understand that for the systems to operate efficiently there is need for continuous maintenance, modifications and also enhancements. This has the meaning that during the operations time, assessments on the existing system are done to check for the necessity of innovations and corrections or rather modifications in case of any inadequacy.
The disposal of a system is interesting which is new to me, and the purpose of the system disposal is to properly protect the data and information that may be reactivated in the future, so those data can be migrated into other systems or managed properly for future use. In other words, the data in a disposable system, the data is the most important thing that needs to take care of for future use as well as keep the data safe. The process of disposal of a system needs to be well planned and documented, sanitization of media, and disposal of hardware and software. It would be important for organizations to deal with system disposal properly, even most of the times systems can be updated instead of just disposal, and one example I could think of is the Symbian system which would need to disposal.
This part focuses on how to manage the inevitable changes to the project due to the fact that poor change control is a frequent cause of projects going wrong. In the first section, one point I took is that the challenge of the change management is to get people to comply with this policy for all changes to configurations, systems, application software, access rights and system privileges and project plans. The conflicts between people and lack of communication have a huge impact on that. Thus, it is necessary to be patient, keep employees up-to-speed, show how change will contribute to company and create a successful and create a successful timeline for change.
I agree to your point. Resilence to change is one of the biggest problem in change management process. Change is one of the inevitable aspects of business and life. Some find it difficult to deal with change, and their attitude toward it limits their growth. Others embrace change and handle it constructively.
In this part, it introduces the fourth phase, operations and maintenance, and the last phase, disposal, in the System Development Life Cycle. In operations and maintenance, the system operates under monitor for periodical assessment to make it more effective, secure and efficient as well as maintain the agreed risk level. By monitoring the system continuously, it needs to ensure that the production environment is fully functional and performs, and then it is necessary to monitor phase performance by gathering information about all changes to baseline system performance, change management information, activity progress with status details, activities initiated and finished, testing results and deliverable acceptance and resource utilization data. Daily operations also contain identifying and implementing modifications in order to to function optimally and correctly. All maintenance and enhancements are part of a continuous improvement process for the system.
I also studied the “operation and maintenance” phase in SDLC cycle, I think this phase is a critical step. First of all, the purpose of the Operations and Maintenance Phase is to ensure the information system is fully functional and performs optimally until the system reaches its end of life. Also, during the maintenance phase, errors or defects may exist, which would require repairs during additional testing of the software.
After I finished reading NIST “Security Considerations in the SDLC”, I learn that Operations and Maintenance is the fourth phase of the SDLC. In this phase, systems are in place and operating, enhancements to the system are developed and tested, and hardware and software is added or replaced. To deeply understand operation and maintenance, we need to obtain an understanding on its main activities in this phase. The main activities include: Conduct an operational readiness review; Manage the configuration of the system ; Institute processes and procedures for assured operations and continuous monitoring of the information system’s security controls; and Perform reauthorization as required.
The four main security activities you’ve noted are important to ensure proper operation and maintenance in the fourth phase of the system lifecycle. These audit techniques are needed to successfully navigate this phase.
In the software development life cycle, a system is removed from production which is the disposal phase. In this phase, plans are developed for discarding system information, hardware, and software and making the transition to a new system. The information, hardware, and software may be moved to another system, archived, discarded, or destroyed. If performed improperly, the disposal phase can result in the unauthorized disclosure of sensitive data. When archiving information, organizations should consider the need for and the methods for future retrieval. Usually, there is no definitive end to a system. System normally evolve or transition to the next generation because of changing requirements or improvements in technology. System security plans should continually evolve with the system. Much of the environmental, management, and operational information for the original system should still be relevant ad useful when the organization develops the security plan for the follow-on system.
Good points. Also, I wan to talk about advantage of the SDLC. The biggest advantages are that it provides some level of control of the development process to ensure that the ultimate solution is consistent with the original requirements and to ensure that the design process and testing process leading to release of a solution is sound and well-managed. It also has the advantage that it is a repeatable process. If you develop something with a given SDLC and a similar project comes along, you should be able to use the same process with some level of confidence of success.
Disposal is what we really need to focus on. When scrapping or replacing system components, a risk assessment is performed to ensure that the hardware and software are properly disposed of and residual information is properly processed. The company has to ensure that the replacement of the system can be done in a safe and systematic way.
What I took away from this reading is Build and Execute a Disposal/Transition Plan. Building a disposal/transition plan ensures that all stakeholders are aware of the future plan for the system and its information. This plan should account for the disposal/transition status for all critical components, services, and information. Some implementation’s tips are consulting with the agency to make sure compliance with laws and applicable policy; plan ahead, do not wait until the event comes. Plan for disposal/transition throughout all phases of the life cycle. This is best done as part of the requirements phase so full resource requirements for disposal/transition are understood and planned for. Throughout the life cycle, this can be done as hardware and software become obsolete or damaged.
Operations and Maintenance is the fourth phase of the SDLC. In this phase, systems are in place and operating, enhancements and/or modifications to the system are developed and tested, and hardware and/or software is added or replaced. The system is monitored for continued performance in accordance with security requirements and needed system modifications are incorporated. The operational system is periodically assessed to determine how the system can be made more effective, secure, and efficient. Operations continue as long as the system can be effectively adapted to respond to an organization’s needs while maintaining an agreed-upon risk level. When necessary modifications or changes are identified, the system may reenter a previous phase of the SDLC.
In the Security Considerations in the SDLC, I think Conduct Continuous Monitoring is an interesting topic. In this part, there are four expected outputs: documented results of continuous monitoring, POA&M review, security reviews, metrics, measures, and trend analysis, and updated security documentation and security re-accreditation decision. According to what I found, the Plan of Actions & Milestones is a key document in the security authorization package and for continuous monitoring activities. The POA&M facilitates a disciplined and structured approach to tracking risk mitigation activities. It incorporates security discoveries for the framework from consistent checking exercises and intermittent security evaluations, for example, the Annual Assessment. Moreover, for continuous monitoring, the processes should be evaluated periodically to review changes in threats and how this could affect the ability of controls to protect a system.
Operations and maintenance is the last phase of SDLC. In order to eliminate the faults and errors in the system operation, the software and hardware maintenance personnel should make necessary modifications and improvements to the system. In order to make the system adapt to the changes of the user environment, to meet the new needs, but also to the original system to do some local updates. Software maintenance is the longest phase of the lifecycle. After the system is developed and put into use, due to various reasons, the system cannot continue to adapt to the requirements of users. To extend the service life of system, system must be maintained. According to the NIST document, system maintenance includes review operational readiness, perform configuration management and control and conduct continuous monitoring.
In NIST “Security Considerations in the SDLC” p. 32-39 we begin by exploring the operations and maintenance of systems in the SDLC. Immediately off the bat, the article speaks of how this stage of the SDLC can offer “enhancements” to the system or products that has recently been deployed. Especially in a security context — this is extremely relevant. I know that when Microsoft/HP has an update appear on my computer it is often imperative to undergo that update. Same goes with Apple and apps in the app store. The main reason my be “bug fixes” or enhancements; in addition, there could be a security patch or new firewall that will be extremely beneficial. In moving through the article, we get into controls and change control requests. This is also an important aspect as the “change process” will impact all of the users down the line. A part of maintenance is improving the overall user experience. Through having a smooth change process this can be achieved.
Who are the key participants in the SDLC will depending on the nature and scope of the system and organization; however, key roles include the chief information officer (CIO), contracting officer, IT investment board, information security program manager, information system security officer, program manager, and legal advisor/contract attorney.
Hi Alex,
Great job pointing out Microsoft/HP are relevant to our reading about enhancement for security. This reading offers a good amount of guidelines and controls for security considerations for the system. I would also like to add that planning ahead is very important for the security of the system because you do not want to wait until the problem surfaces.
Operations/Maintenance phase is the fourth phase of the SDLC, in this phase, systems are now in place and are consistently modified and tested. The operating enhancements, and modifications are developed and tested, and new hardware and software is added or replaced. The system is then monitored on performance in accordance with the security requirements and whatever needed system modifications are incorporated. There are 4 key security activities for this phase:
Conduct an operational readiness review;
• Manage the configuration of the system ;
• Institute processes and procedures for assured operations and continuous monitoring of the
information system’s security controls; and
• Perform reauthorization as required.
I agree. The key security takeaways are very important in this article about security considerations. Of course, security considerations are very important whenever there is a change.
Good explanation, Mei! During the maintenance phase, the system performance is monitored, applications are updated as needed and bugs are corrected. Changes to the system are requested via the Request for Change (RFC). This is a formal process that requires all changes to be documented.
Operations and Maintenance is my main takeaway from this reading. To begin this phase, systems have to be in place and running. In terms of security maintenance, you have to be able to operate a readiness report, manage the configuration of the system, etc… Your control gates have to be established.
“Continuous monitoring activities can provide useful data to support security performance plans and measures of security return on investment (ROI). ”
The line I just quoted stuck out to me because it shows that everything you do in the process should always be tied back to the business purpose and return on investment. If you weren’t going to make money or reduce losses, you wouldn’t be doing it at all. Because, of course, time is money.
Great comments. Thank you for sharing your thoughts on the NIST reading. I agree with you that the process should be implemented by satisfying the business purpose. If the return does not make up the cost, the process should be reviewed.
Howdy Panayiotis, operations and maintenance are the main points of this article. When I went through this article, I also noted the importance of control and control gates. Controls are vital to attempting to control the security and usability of the system. In addition, best practice is continuous and ongoing monitoring the system in its entirety.
Incorporating security into the SDLC section in NIST SP 800-64 R4 includes a brief explanation about the five different phases of SDLC which includes Initiation, Development/Acquisition, Implementation, Maintenance and Disposal. It describes a number of security considerations that will help integrate information security into the SDLC. The fourth phase that is Operations and Maintenance which is our current week discussion topic emphasizes on system monitoring for the continued performance in accordance with security requirements and periodic assessment of system to assess the efficiency, security and effectiveness of the system.
This document helps the IS audit to understand the following general types of control gates and security gates to consider for this phase – Operational Readiness Review, Change Control Board Review of Proposed Changes, Review of POA&Ms and Accreditation Decisions.
Section 3.5.1: The standard way of deleting data on many types of systems are inadequate as it will leave its contents recoverable. Hence, the secure disposal of an information system and archiving data and assets is an important part of the SDLC cycle. This phase ensures that information is retained to conform to legal requirements and to accommodate future technology changes. During this phase, media is sanitized to prevent the loss of CIA. Additionally, hardware and software is properly disposed to prevent it from being salvaged by unauthorized individuals.
I thought the disposal section of the SDLC was particularly interesting, since I tend to just hoard my old devices “just in case.” However, for an organization that is working with a new system, they must go through certain procedures to ensure that their system has been properly phased out- this includes having a disposal plan, archiving data, wiping out media, and finally disposing of the hardware/software. While I didn’t think that legitimate organizations would just throw their systems in the trash, I found it interesting that NIST suggests that a possible disposal method is to donate equipment to schools or nonprofits. This reiterates the importance of properly purging files on these systems, so that a.) the organization can retain their important data and b.) ensure that any files have been wiped from the system before donating equipment that will be reused by an outside source.
In the pages between 32 and 39 of NIST “Security Considerations in the SDLC,” the NIST article introduces the concept of operations and maintenance phase of the SDLC. In this phase, systems are in place and operating, enhancements and/or modifications to the system are developed and tested, and hardware and/or software is added or replaced. In this phase, there are four key security activities: conduct an operational readiness review, manage the configuration of the system, institute processes and procedures for assured operations and continuous monitoring of the information system’s security controls, and perform reauthorization as required.
Imran Jordan Kharabsheh says
After I read the NIST 800-64 publication on “Security Considerations in the Software Development Life Cycle”, particularly the segment focusing on the operations and maintenance phase, I felt that I had taken in a lot of information to process all at once in regards to security considerations for operations and maintenance. After reading through a second time, I understand now why they go into so much detail, as the idea of discontinuing a once-important software for an organization can be a daunting task in regards to information security. The primary reasons that cause organizations to enter the disposal phase of the software development life cycle is when the information systems become obsolete, are no longer being supported by updates from the manufacturer, become inoperative, or are simply replaced by a newer system. In order for an organization to dispose of their information systems, the NIST article explains that a Disposal and Transition Plan need to be in place to ease the process. This is often followed by a properly indexed information preservation function, followed by a well-documented sanitization of all the outdated information systems. The next phase has multiple decisions that could be taken and is often decided at the discretion of the organization, developer, or regulation, which is the physical disposal of the information system. An interesting note that was included in this step was that property accountability requirements should still be considered as important, even during the disposal phase. The disposal phase ends on the official closure of the system, where all relevant parties are notified and closure documentation is archived.
Feng Gao says
Operations and maintenance phase are the fourth phase of the SDLC where systems are present and in operations at the same time. In this stage, it is very important to understand that for the systems to operate efficiently there is need for continuous maintenance, modifications and also enhancements. This has the meaning that during the operations time, assessments on the existing system are done to check for the necessity of innovations and corrections or rather modifications in case of any inadequacy.
Shuyue Ding says
The disposal of a system is interesting which is new to me, and the purpose of the system disposal is to properly protect the data and information that may be reactivated in the future, so those data can be migrated into other systems or managed properly for future use. In other words, the data in a disposable system, the data is the most important thing that needs to take care of for future use as well as keep the data safe. The process of disposal of a system needs to be well planned and documented, sanitization of media, and disposal of hardware and software. It would be important for organizations to deal with system disposal properly, even most of the times systems can be updated instead of just disposal, and one example I could think of is the Symbian system which would need to disposal.
Haixin Sun says
This part focuses on how to manage the inevitable changes to the project due to the fact that poor change control is a frequent cause of projects going wrong. In the first section, one point I took is that the challenge of the change management is to get people to comply with this policy for all changes to configurations, systems, application software, access rights and system privileges and project plans. The conflicts between people and lack of communication have a huge impact on that. Thus, it is necessary to be patient, keep employees up-to-speed, show how change will contribute to company and create a successful and create a successful timeline for change.
Deepa Kuppuswamy says
I agree to your point. Resilence to change is one of the biggest problem in change management process. Change is one of the inevitable aspects of business and life. Some find it difficult to deal with change, and their attitude toward it limits their growth. Others embrace change and handle it constructively.
Haixin Sun says
In this part, it introduces the fourth phase, operations and maintenance, and the last phase, disposal, in the System Development Life Cycle. In operations and maintenance, the system operates under monitor for periodical assessment to make it more effective, secure and efficient as well as maintain the agreed risk level. By monitoring the system continuously, it needs to ensure that the production environment is fully functional and performs, and then it is necessary to monitor phase performance by gathering information about all changes to baseline system performance, change management information, activity progress with status details, activities initiated and finished, testing results and deliverable acceptance and resource utilization data. Daily operations also contain identifying and implementing modifications in order to to function optimally and correctly. All maintenance and enhancements are part of a continuous improvement process for the system.
Xinye Yang says
hey Haixin
I also studied the “operation and maintenance” phase in SDLC cycle, I think this phase is a critical step. First of all, the purpose of the Operations and Maintenance Phase is to ensure the information system is fully functional and performs optimally until the system reaches its end of life. Also, during the maintenance phase, errors or defects may exist, which would require repairs during additional testing of the software.
Xinye Yang says
After I finished reading NIST “Security Considerations in the SDLC”, I learn that Operations and Maintenance is the fourth phase of the SDLC. In this phase, systems are in place and operating, enhancements to the system are developed and tested, and hardware and software is added or replaced. To deeply understand operation and maintenance, we need to obtain an understanding on its main activities in this phase. The main activities include: Conduct an operational readiness review; Manage the configuration of the system ; Institute processes and procedures for assured operations and continuous monitoring of the information system’s security controls; and Perform reauthorization as required.
Mei X Wang says
Hi Xinye,
The four main security activities you’ve noted are important to ensure proper operation and maintenance in the fourth phase of the system lifecycle. These audit techniques are needed to successfully navigate this phase.
Zhu Li says
In the software development life cycle, a system is removed from production which is the disposal phase. In this phase, plans are developed for discarding system information, hardware, and software and making the transition to a new system. The information, hardware, and software may be moved to another system, archived, discarded, or destroyed. If performed improperly, the disposal phase can result in the unauthorized disclosure of sensitive data. When archiving information, organizations should consider the need for and the methods for future retrieval. Usually, there is no definitive end to a system. System normally evolve or transition to the next generation because of changing requirements or improvements in technology. System security plans should continually evolve with the system. Much of the environmental, management, and operational information for the original system should still be relevant ad useful when the organization develops the security plan for the follow-on system.
Feng Gao says
Good points. Also, I wan to talk about advantage of the SDLC. The biggest advantages are that it provides some level of control of the development process to ensure that the ultimate solution is consistent with the original requirements and to ensure that the design process and testing process leading to release of a solution is sound and well-managed. It also has the advantage that it is a repeatable process. If you develop something with a given SDLC and a similar project comes along, you should be able to use the same process with some level of confidence of success.
Yuqing Tang says
Disposal is what we really need to focus on. When scrapping or replacing system components, a risk assessment is performed to ensure that the hardware and software are properly disposed of and residual information is properly processed. The company has to ensure that the replacement of the system can be done in a safe and systematic way.
Yuchong Wang says
What I took away from this reading is Build and Execute a Disposal/Transition Plan. Building a disposal/transition plan ensures that all stakeholders are aware of the future plan for the system and its information. This plan should account for the disposal/transition status for all critical components, services, and information. Some implementation’s tips are consulting with the agency to make sure compliance with laws and applicable policy; plan ahead, do not wait until the event comes. Plan for disposal/transition throughout all phases of the life cycle. This is best done as part of the requirements phase so full resource requirements for disposal/transition are understood and planned for. Throughout the life cycle, this can be done as hardware and software become obsolete or damaged.
Yuan Liu says
Operations and Maintenance is the fourth phase of the SDLC. In this phase, systems are in place and operating, enhancements and/or modifications to the system are developed and tested, and hardware and/or software is added or replaced. The system is monitored for continued performance in accordance with security requirements and needed system modifications are incorporated. The operational system is periodically assessed to determine how the system can be made more effective, secure, and efficient. Operations continue as long as the system can be effectively adapted to respond to an organization’s needs while maintaining an agreed-upon risk level. When necessary modifications or changes are identified, the system may reenter a previous phase of the SDLC.
Ryu Takatsuki says
In the Security Considerations in the SDLC, I think Conduct Continuous Monitoring is an interesting topic. In this part, there are four expected outputs: documented results of continuous monitoring, POA&M review, security reviews, metrics, measures, and trend analysis, and updated security documentation and security re-accreditation decision. According to what I found, the Plan of Actions & Milestones is a key document in the security authorization package and for continuous monitoring activities. The POA&M facilitates a disciplined and structured approach to tracking risk mitigation activities. It incorporates security discoveries for the framework from consistent checking exercises and intermittent security evaluations, for example, the Annual Assessment. Moreover, for continuous monitoring, the processes should be evaluated periodically to review changes in threats and how this could affect the ability of controls to protect a system.
Yuqing Tang says
Operations and maintenance is the last phase of SDLC. In order to eliminate the faults and errors in the system operation, the software and hardware maintenance personnel should make necessary modifications and improvements to the system. In order to make the system adapt to the changes of the user environment, to meet the new needs, but also to the original system to do some local updates. Software maintenance is the longest phase of the lifecycle. After the system is developed and put into use, due to various reasons, the system cannot continue to adapt to the requirements of users. To extend the service life of system, system must be maintained. According to the NIST document, system maintenance includes review operational readiness, perform configuration management and control and conduct continuous monitoring.
Alexander Reichart-Anderson says
In NIST “Security Considerations in the SDLC” p. 32-39 we begin by exploring the operations and maintenance of systems in the SDLC. Immediately off the bat, the article speaks of how this stage of the SDLC can offer “enhancements” to the system or products that has recently been deployed. Especially in a security context — this is extremely relevant. I know that when Microsoft/HP has an update appear on my computer it is often imperative to undergo that update. Same goes with Apple and apps in the app store. The main reason my be “bug fixes” or enhancements; in addition, there could be a security patch or new firewall that will be extremely beneficial. In moving through the article, we get into controls and change control requests. This is also an important aspect as the “change process” will impact all of the users down the line. A part of maintenance is improving the overall user experience. Through having a smooth change process this can be achieved.
Zhu Li says
Who are the key participants in the SDLC will depending on the nature and scope of the system and organization; however, key roles include the chief information officer (CIO), contracting officer, IT investment board, information security program manager, information system security officer, program manager, and legal advisor/contract attorney.
Yuchong Wang says
Hi Alex,
Great job pointing out Microsoft/HP are relevant to our reading about enhancement for security. This reading offers a good amount of guidelines and controls for security considerations for the system. I would also like to add that planning ahead is very important for the security of the system because you do not want to wait until the problem surfaces.
Mei X Wang says
Operations/Maintenance phase is the fourth phase of the SDLC, in this phase, systems are now in place and are consistently modified and tested. The operating enhancements, and modifications are developed and tested, and new hardware and software is added or replaced. The system is then monitored on performance in accordance with the security requirements and whatever needed system modifications are incorporated. There are 4 key security activities for this phase:
Conduct an operational readiness review;
• Manage the configuration of the system ;
• Institute processes and procedures for assured operations and continuous monitoring of the
information system’s security controls; and
• Perform reauthorization as required.
Panayiotis Laskaridis says
Hello Mei,
I agree. The key security takeaways are very important in this article about security considerations. Of course, security considerations are very important whenever there is a change.
Raisa Ahmed says
Good explanation, Mei! During the maintenance phase, the system performance is monitored, applications are updated as needed and bugs are corrected. Changes to the system are requested via the Request for Change (RFC). This is a formal process that requires all changes to be documented.
Panayiotis Laskaridis says
Operations and Maintenance is my main takeaway from this reading. To begin this phase, systems have to be in place and running. In terms of security maintenance, you have to be able to operate a readiness report, manage the configuration of the system, etc… Your control gates have to be established.
“Continuous monitoring activities can provide useful data to support security performance plans and measures of security return on investment (ROI). ”
The line I just quoted stuck out to me because it shows that everything you do in the process should always be tied back to the business purpose and return on investment. If you weren’t going to make money or reduce losses, you wouldn’t be doing it at all. Because, of course, time is money.
Penghui Ai says
Hi Panayiotis,
Great comments. Thank you for sharing your thoughts on the NIST reading. I agree with you that the process should be implemented by satisfying the business purpose. If the return does not make up the cost, the process should be reviewed.
Alexander Reichart-Anderson says
Howdy Panayiotis, operations and maintenance are the main points of this article. When I went through this article, I also noted the importance of control and control gates. Controls are vital to attempting to control the security and usability of the system. In addition, best practice is continuous and ongoing monitoring the system in its entirety.
Deepa Kuppuswamy says
Incorporating security into the SDLC section in NIST SP 800-64 R4 includes a brief explanation about the five different phases of SDLC which includes Initiation, Development/Acquisition, Implementation, Maintenance and Disposal. It describes a number of security considerations that will help integrate information security into the SDLC. The fourth phase that is Operations and Maintenance which is our current week discussion topic emphasizes on system monitoring for the continued performance in accordance with security requirements and periodic assessment of system to assess the efficiency, security and effectiveness of the system.
This document helps the IS audit to understand the following general types of control gates and security gates to consider for this phase – Operational Readiness Review, Change Control Board Review of Proposed Changes, Review of POA&Ms and Accreditation Decisions.
Raisa Ahmed says
Section 3.5.1: The standard way of deleting data on many types of systems are inadequate as it will leave its contents recoverable. Hence, the secure disposal of an information system and archiving data and assets is an important part of the SDLC cycle. This phase ensures that information is retained to conform to legal requirements and to accommodate future technology changes. During this phase, media is sanitized to prevent the loss of CIA. Additionally, hardware and software is properly disposed to prevent it from being salvaged by unauthorized individuals.
Sarah Puffen says
I thought the disposal section of the SDLC was particularly interesting, since I tend to just hoard my old devices “just in case.” However, for an organization that is working with a new system, they must go through certain procedures to ensure that their system has been properly phased out- this includes having a disposal plan, archiving data, wiping out media, and finally disposing of the hardware/software. While I didn’t think that legitimate organizations would just throw their systems in the trash, I found it interesting that NIST suggests that a possible disposal method is to donate equipment to schools or nonprofits. This reiterates the importance of properly purging files on these systems, so that a.) the organization can retain their important data and b.) ensure that any files have been wiped from the system before donating equipment that will be reused by an outside source.
Penghui Ai says
In the pages between 32 and 39 of NIST “Security Considerations in the SDLC,” the NIST article introduces the concept of operations and maintenance phase of the SDLC. In this phase, systems are in place and operating, enhancements and/or modifications to the system are developed and tested, and hardware and/or software is added or replaced. In this phase, there are four key security activities: conduct an operational readiness review, manage the configuration of the system, institute processes and procedures for assured operations and continuous monitoring of the information system’s security controls, and perform reauthorization as required.