Terms in this set (88)

• Prepare a security plan: Ensure that security is considered during all phases of the IT system life cycle and that security activities are accomplished during each of the phases.
• Initiation: The need for a system is expressed and the purpose of the system is documented.
• Conduct a sensitivity assessment: Look at the security sensitivity of the system and the information to be processed.
• Development/acquisition: The system is designed, purchased, programmed, or developed.
• Determine security requirements: Determine technical features, like access controls; assurances, like background checks for system developers; or operational practices, like awareness and training.
• Incorporate security requirements in specifications: Ensure that the previously gathered information is incorporated in the project plan.
• Obtain the system and related security activities: May include developing the system's security features, monitoring the development process itself for security problems, responding to changes, and monitoring threats.
• Implementation: The system is tested and installed.
• Install/turn-on controls: A system often ships with security features disabled or set to permissive defaults. These must be enabled and configured before the system goes into production, and the resulting configuration verified rather than assumed.
• Security testing: Used to certify a system; may include testing security management, physical facilities, personnel, procedures, the use of commercial or in-house services such as networking services, and contingency planning.
• Accreditation: The formal authorization by the accrediting (management) official for system operation and an explicit acceptance of risk.
• Operation/maintenance: Over its life the system is modified by the addition of hardware and software and by other events (configuration changes, new interconnections, changes in the threat environment); significant changes may require the security assessment and accreditation to be repeated.
• Security operations and administration: Examples include backups, training, managing cryptographic keys, user administration, and patching.
• Operational assurance: Examines whether a system is operated according to its current security requirements.
• Audits and monitoring: A system audit is a one-time or periodic event to evaluate security. Monitoring is an ongoing activity that examines either the system (e.g. log review, configuration checks) or its users.
• Disposal: The secure decommission of a system.
• Information: Information may be moved to another system, or it could also be archived, discarded, or destroyed.
• Media sanitization: There are three general methods of purging media: overwriting, degaussing (for magnetic media only), and destruction. Overwriting is only reliable where every storage location can actually be rewritten; on flash media (SSDs, USB sticks) wear leveling and spare blocks mean data can survive a file-level overwrite, and journaling or copy-on-write filesystems, snapshots, and backups may hold further copies. Degaussing does not affect optical or flash media. Destruction (shredding, incineration) is the fallback for media that cannot be purged any other way.
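The overwriting method described above, as an added example (not part of the original set): a small Python routine that rewrites a file in place with random data, finishes with a pass of zeros, forces the writes to the device with fsync, verifies the final pass by reading the file back, and only then unlinks it. The sample file, its contents, and the function names (`overwrite_file`, `demo`) are constructed for this example. The caveat from the definition applies: this is a filesystem-level overwrite and does not purge flash media or copies held in journals, snapshots, or backups.

```python
import os
import secrets
import tempfile

# Number of overwrite passes. Early passes use random bytes; the final
# pass writes zeros so the verification step has a known expected content.
PASSES = 3


def overwrite_file(path, passes=PASSES, chunk_size=64 * 1024):
    """Overwrite every byte of `path`, verify, then truncate and unlink it.

    Returns the number of bytes overwritten per pass. Each pass rewrites the
    full original length and is flushed with fsync so the data reaches the
    block device rather than sitting in the page cache.

    Caveat (assumption stated in the lead-in): on SSDs and on journaling or
    copy-on-write filesystems the old blocks may survive elsewhere; use the
    drive's secure-erase command or cryptographic erase there instead.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for p in range(passes):
            last = p == passes - 1
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                # random data on the early passes, zeros on the final pass
                fh.write(bytes(n) if last else secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())

    # Verify the final pass: every byte must now read back as zero.
    with open(path, "rb") as fh:
        if fh.read() != bytes(size):
            raise RuntimeError("verification failed: file is not all zeros")

    os.truncate(path, 0)
    os.remove(path)
    return size


def demo():
    """Constructed sample: a 'secret' written to a temp file, then sanitized.

    Returns (bytes_overwritten, file_still_exists).
    """
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"CONSTRUCTED-SECRET " * 5000)  # 95000 bytes, spans chunks
        path = tmp.name
    size = overwrite_file(path)
    return size, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

The read-back verification is the part most often skipped in ad hoc scripts: without it, a write error or a filesystem that silently redirected the writes would leave the original data in place while the tool reports success.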