The Security Lifecycle


In my last column I introduced you to the role of a typical security analyst, and explained that security is a part of the business lifecycle. In this column, I will dive into that concept, and I will highlight some of the areas a security analyst might play in determining the risk to an asset throughout its life span.

So what is a ‘lifecycle’ in business terms? There are many definitions, and if you ask any modern analyst you will get their own tweaked version of that answer. For our sake, let’s say a lifecycle is the cycle of life of a business asset from birth through to an end stage.

A business asset is typically something in an electronic format like a business plan, architectural drawing, actuarial formula, proposal, employee records, and so forth.

These assets are created from many disperse avenues such as a word processor, web application, data entry program, or even imported from a 3rd party service.

Assets are the core of any business, and as such, information security needs to play a part in the assets lifecycle. Where and when security plays a role depends on several factors, but you can general say that security starts at the life of the asset and continues until it’s termination.

As with other lifecycles, a security lifecycle has phases in which certain types of tasks are carried out. These phases can often be categorized into five phases:

  • Phase 1 -Initiation/Concept
  • Phase 2 - Acquisition/Development
  • Phase 3 - Implementation/Assessment
  • Phase 4 - Operations/Maintenance
  • Phase 5 - Termination/Disposition

Each of these phases has an objective that will relate back to the fundamental principles of security; maintain confidentiality, integrity, and availability of the asset.

Let’s look through an example project and see where security fits into the lifecycle of the project.

Suppose a business wants to develop and implement a web based portal to allow its business partners to transfer proposals and other related documents in a secure manner.

P1 Tasks – Consult the business on any security policy, business standards, regulation, etc that might have a role in the interaction of the assets.

A corporate policy states that all electronic data coming into the organization must be protected from unauthorized disclosure between business partners.

The security analyst would advise the business when setting up a new partnership that they need to advise the partnership of the requirement to encrypt their documentation before sending it to the business.

The analyst would also advise on industry standards around encryption and what technologies the business and partners may utilize to facilitate the service.

P2 Tasks – Consult to business of the rules of engagement, perform risk analysis, return on investment for specific controls being considered, and establish a baseline of acceptable security.

The business is developing a new Internet facing portal for business partners to upload their proposals. The above policy statement requires a function to handle encrypting and decrypting of the files which a system architect has designed.

The security analyst would perform a risk analysis on the design, looking for exposure to the business processes, vulnerabilities in the controls throughout the design, and threats to the service that may prevent it from operating as designed.

The assessment would be reported to, and reviewed by, the business. Their level of acceptance for risk will determine the security baseline for the service. The analyst will use this in the next phase.

P3 Tasks – Evaluate the effectiveness of the controls protecting the asset, sign off implementation, or, if the controls are not meeting expectation, go back to phase 2.

The portal is now in pre-production and going through a Q&A review.
The security analyst will test the effectiveness of the security control protecting the assets, in this case partnership proposal documentation, to ensure the risk tolerance is within spec, in addition to meeting the requirements of any policies or regulation identified in phase 1.

If the analyst determines that partner A can gain access to partner B documentation library, then the implementation of the control is not within spec and a risk finding would be presented to the business. The business will then decide based on a number of factors (time, money) if correcting this finding is worth the effort or will they accept this risk and move on.

P4 Tasks – Monitor and maintain an acceptable level of security as identified in phase 2 and potentially adjusted in phase 3, report on anything that could or is impacting the security of the asset, and maintain availability of the asset.

The portal is up and running with over a 100 partners. 65% of those partners are using Adobe Acrobat to create the documentation, and new vulnerabilities have just be discovered in Acrobat.

The security analyst would perform a risk assessment to determine the acceptable level of risk these new vulnerabilities have on the documentation library. Considering the large population of partners that could be impacted, the analyst recommends applying a patch to the Acrobat component of the portal within 48 hours as a new Internet worm is on the loose trying to exploit these vulnerabilities.

Once approved, the security analyst needs to ensure business continuity of the documentation library, so they follow a change control process to have the patch implementation reviewed and signed off by the business.

P5 Tasks – Provide services to archive off out of date information, ensure that all used media is properly disposed of to protect confidential information from being leaked, plan for, and evaluate termination of a service that is being phased out.

It has been 5 years since the partnership portal has been in operation, the business wants the next generation of service that is learner and meaner than ever.

The security analyst would do yet another risk assessment to determine what would happen when the current portal is phased out of production. They are most interested in what happens to the business assets hosted by the portal as the portal will be taken offline.

The analyst will consider partnership agreements, regulations such as those mandating specific retention periods, corporate policy, as well as the affect of disclosure of the information should the existing media be utilized someone else.

So, hopefully you can see that security has a role in all phases of an assets lifecycle, from the initial concept through to its final use. Unfortunately, not every organization has a dedicated role for a security analyst to evaluate the asset in each phase, so what happens then?

In my next column I will show you where common roles like a business analyst or project manager can be substituted in place of a dedicated resource and what questions to ask that will help expose potential security weak points in your project.

Author: Stewart Allen is a certified Information Security Consultant based out of Toronto, Ontario, Canada. If you would like to comment on this article or make contact he can be contacted on LinkedIn at

Posted in: Security Analysis
Like this article:
  9 members liked this article


Only registered users may post comments.



Copyright 2006-2024 by Modern Analyst Media LLC