Information Technology Reference
In-Depth Information
able consists of workflows that include inputs, trigger events for action, processing
of inputs, production of some result, and the delivery of some output; procedures
(formal representation of a process) assist with the performance of the workflow.
Procedures consist of prescribed tasks, either automated or assigned to personnel.
A person may then perform a manual task (carry out a routine procedure) or a
cognitive task (e.g., decide upon an action). An automated service may substitute
for a person, or enhance manual and cognitive tasks performed by a person. The
IA
2
F provides a discipline to identify risks associated with business processes by
reviewing each business process and the elements of each business process with
respect to the nine IA core principles.
2.5.4
Systems and Applications
he IA
2
development view addresses the software development process. Many
information technology implementations require custom software. IA
2
ensures that
development takes place in a controlled manner and that the final product provides
secure operations. The goals inherent in the IA
2
development view include mini-
mizing the effects on software quality by such development errors as buffer over-
flows, Trojans, backdoors, and memory leaks. During application development,
IA
2
practices integrate security measures from inception, as opposed to safeguards
bolted on as discrete mechanisms after the fact.
An example of secure development methodology is SEI-CMMI, http://www.
sei.cmu.edu/. Included in the Carnegie Mellon philosophy is preventive security
management through software development quality control. This philosophy treats
application security holes like any other software bug, bugs that could be prevented
by sound development practices.
he IA
2
acquisitions view addresses the purchase of or otherwise acquiring
secure solutions. What makes a solution secure? What makes a solution secure
enough? These are all contingent upon the organization and its tolerance for risk.
Some considerations for secure acquisition include:
n
Secure development environment; controlled environment for coding, test-
ing, producing final product
Solution development country of origin; known adversary of the
government
Solution development organization; known adversary of your organization
Proof of secure development process that includes software quality assurance
(SQA)
n
n
n
Addressing IA in solution acquisition is ever more critical given the number
of hardware and software components of foreign development. Foreign develop-
ment is of course a relative term and applicable to all countries. If you work for a
