Table 9.20 Applied IA² Summary: DQA

| IA² Topic | Description |
|---|---|
| Mechanism | Development quality assurance (e.g., SQA) |
| Drivers | Business risk management; liability and operations; protection against sloppy development practices as well as the purposeful introduction of backdoors and malware; global economy, including global competitive posture and the use of non-domestic-manufactured information technology |
| IA² view | Applicable IA² views: Systems and applications, infrastructure (technical) |
| IA core principles | Applicable IA core principles: Confidentiality-integrity-availability (CIA); Possession-authenticity-utility (PAU); Privacy-authorized use-nonrepudiation (PAN) |
| Compliance requirements | Legislative, policy, guidelines, government directives, or other requirement implying the need for a secure information technology environment |
| ELCM application | Applicable ELCM elements: Concept, architect, engineer, develop/acquire, implement, test, deploy, train, O&M, retire |
| Verification | Quality testing; the challenge lies with test thread design and execution; regression testing on upgrades or introduction of a new component; preemptive checks vendor pedigree (not a guarantee, but a clue) |
| Operations | Applicable IA operations cycle phases: Anticipate, defend, monitor, respond |
9.17.1 Applied IA²: DQA Capability
The IA architect promotes integration of quality assurance (QA) with every information assurance concept. The purpose and process of developing an IA² Framework is to increase the consistent quality of IA architectures. A significant part of IA² is aligning IA with the SDLC; the IA² Framework includes calling out specific IA concerns for each SDLC phase. The DQA example focuses on the SDLC development phase and specifically addresses software quality assurance (SQA); note that SQA may also apply to software selection during the design phase in circumstances where COTS applications are preferable to building.

External guidelines to SQA include the Systems Engineering Institute Capability Maturity Model Integration (SEI-CMMI), Systems Security Engineering
 