cnes security development process. 2 basic rules high level principles for iss activities on...
TRANSCRIPT
CNES security development process
2
Basic rules
High level principles for ISS activities on projects are:■Decisions dealing with security risks must be approved on relevant
functional/hierarchical level.■For each project, ISS must be integrated in the project management.■Each project must integrate CNES security requirements.■CNES ISS authorities (independent of project team) must be
involved in each key event of the project.■Security requirements must be function of functional sensitivity and
security risks.
3
ISS approach 1/6
■ ISS approach for project development must be integrated in the global approach of the project.
■The following slides describe the main stages (V cycle) of a project and, for each of them, what are the relevant security items.
■Two security activities are dealt with: security of target IS to be developed, security of development environment.
4
ISS approach 2/6
Phase ISS actions Documents involved in ISS
identification of IS functional sensitivity
Expressions of the needs
Expression of functional needs
Expression of security needs and objectives (EBIOS method – Expression of Security Needs and Identification of Security Objectives)
MoU
MoA
5
ISS approach 3/6
Phase ISS actions Documents involved in ISS
development of security requirements to be included in system requirements document
Requirements System requirements document
development of requirements for securing development environment
Environment security requirements
MoU, MoA
6
ISS approach 4/6
Phase ISS actions Documents involved in ISS
Project specific ISS training Management plan
Design /
Development
Testing plan
ISS follow-up (auditing, validation of documents, validation of project milestones)
Design document
Security directory
Audit report
7
ISS approach 5/6
Phase ISS actions Documents involved in ISS
testing results
Testing testing compliance between security requirement and IS implementation
ISS assessment
Maintenance, operation and support manuals
Audit report
8
ISS approach 6/6
Phase ISS actions Documents involved in ISS
Operation /
Maintenance
ISS follow-up, Survey (auditing, ISS advisories management, …)
Reporting document