Security Is Everyone’s Business: Role-Based Training for the System Development Life Cycle

Federal Information System Security Educators Association
18th Annual Conference
March 22, 2005

Prepared by:
Margaret Spanninger
Booz Allen Hamilton
(703) 289-5471
[email protected]

Security is Everyone’s Business: Role-Based Training for the SDLC

Today’s Presentation

– Introduction
– Federal Information Security Management Act (FISMA) Requirements and Business Drivers
– System Development Life Cycle (SDLC)
– Personnel with Significant Security Responsibility
– Role-Based Training and Assurance
– Implementing National Institute of Standards and Technology (NIST) Special Publication (SP) 800-16

Introduction

– Security integration into the SDLC is one of the key elements required for resolving many of the long-standing weaknesses in information technology (IT) security and achieving sustainable performance improvements in IT security programs
– Personnel at all levels must understand that “security is not an option” but an integral element of all IT systems
– This presentation is based on the premise that security integration into organizational business processes, especially the system development life cycle (SDLC), is a fundamental requirement for FISMA compliance and achieving security performance goals


FISMA Requirements and SDLC

FISMA states under §3544. Federal agency responsibilities (b) Agency Program— “Each agency shall develop, document, and implement an agency-wide information security program that includes…(2) policies and procedures that…(C) ensure that information security is addressed throughout the life cycle of each agency information system.”

Business Drivers

– Security is less expensive to implement if it is planned from the beginning
– Building security controls into the system, rather than adding them after the system is already built, improves system performance
– Security becomes an enabling factor rather than a barrier to success by reducing the need for expensive reengineering and reprogramming
– It ensures success of certification and accreditation processes and keeps the project on schedule

Earlier is Better

– If security is not identified with other requirements, it will not be addressed
– It is critical that security controls are planned in the earliest phases (BEFORE implementation) to ensure—
  – Adequate and appropriate resources are allocated for security throughout the system life cycle
  – The most cost-effective security controls are chosen and implemented
  – A structured and consistent approach for developing and maintaining security for information systems
  – Increased homogeneity among information systems and security controls within an organization to reduce operational costs
  – Certification and accreditation with minimal additional effort

Phases of the SDLC

– Initiation: someone has a need or an idea
– Development/acquisition: build or buy decision
– Implementation: system development and/or integration
– Operation/maintenance: system put into service
– Disposition: system removed from service

Security Tasks in the SDLC

Initiation

– Needs Determination

– Security Categorization

– Risk Assessment

Development/Acquisition

– Risk Assessment

– Security Functional Requirements Analysis

– Security Assurance Requirements Analysis

– Cost Considerations

– Security Control Development

– Developmental Security Test and Evaluation

– Acquisition specifications

Implementation

– Inspection and Acceptance

– System Integration

– Certification & Accreditation

Operations & Maintenance

– Configuration Management and Control

– Continuous Monitoring

Disposition

– Information Preservation

– Media Sanitization

– Hardware and Software Disposal


Personnel with Significant Security Responsibilities

FISMA states under §3544. Federal agency responsibilities (a) In General.—The head of each agency shall— “(3) delegate to the agency Chief Information Officer…the authority to ensure compliance with the requirements imposed on the agency under this subchapter, including—…(D) training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities; (4) ensure that the agency has trained personnel sufficient to assist the agency in complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines;…”

OPM Clarifies Who Needs Training

OPM 5 CFR part 930.301, Computer security training program, states that the following positions must be trained in computer security basics and other domains:

– Executives
– Program and functional managers
– Chief Information Officers (CIO)
– IT security program managers
– Auditors
– System and network administrators
– System/application security officers
– IT function management and operations personnel

Moving from Theory to Practice

– It is critical that personnel in positions with significant security responsibilities actively participate in the SDLC
– Their participation provides assurance that—
  1) security requirements have been addressed
  2) countermeasures have been identified
  3) controls have been properly implemented and tested
  4) all changes to the operational system are reviewed to ensure the integrity of the system and security solution that have been certified and accredited
  5) the data, hardware, software, and documentation are disposed of properly

NIST 800-16 Provides Framework

– Three primary domains of security knowledge
  – Laws and regulations
  – Security programs, with two sub-categories
  – Security in the SDLC, with six sub-categories
– Six functional roles associated with each of the primary categories
  – Manage
  – Acquire
  – Design and develop
  – Implement and operate
  – Review and evaluate
  – Use
– Twenty-six positions with significant security responsibilities

Personnel With Significant Security Responsibilities Play Critical Role

[Diagram: the positions below are grouped on the slide under the headings Executive, Management, Compliance, Acquisition, Design and Development, Operations, and User]

– CIO
– Sr. IRM Official
– System Owner
– Program Manager
– Information Resource Manager
– Records Mgt. Official
– FOIA Official
– Privacy Act Official
– DAA
– Certification Reviewer
– ISO/ISM
– Auditor, Internal
– Auditor, External
– Source Selection Board
– Contracting Officer
– COTR
– System Designer/Developer
– System/Program Analyst
– Data Center Manager
– Network Administrator
– System Administrator
– Database Administrator
– Technical Support (Help Desk)
– System Operator
– Telecommunications Specialist
– Any position that uses IT resources

The NIST Core Body of Knowledge

– Laws and regulations
– IT security programs
– System environment
– System interconnection (physical access)
– Information sharing (logical access)
– Sensitivity
– Risk management
– Life cycle controls
– Management controls
– Operational controls
– Technical controls
– Awareness, training and education

Stakeholders and the SDLC

[Matrix: stakeholder positions (columns) by SDLC phase (rows)]

Stakeholders:
– CIO
– Sr. IRM Official
– System Owner
– Program Manager
– Information Resource Mgr.
– Records Mgt. Official
– FOIA Official
– Privacy Act Official
– Source Selection Board
– Contracting Officer
– COTR
– System Designer/Developer
– System/Program Analyst
– Data Center Manager
– Network Administrator
– System Administrator
– Database Administrator
– Technical Support (Help desk)
– System Operator
– Telecomm. Specialist
– DAA
– Certification Reviewer
– ISO/ISM
– Auditor, Internal
– Auditor, External
– Users

SDLC Phase:
– Initiation
– Development/Acquisition
– Implementation/Integration
– Operations & Maintenance
– Disposal


Role-Based Training and NIST SP 800-16

Manage Role, CBK, and Positions

Positions:
– ISO/ISM
– Info. Resource Manager
– CIO
– Senior IRM Official
– Program Manager
– System Owner
– System Designer/Developer
– Network Administrator
– System Administrator
– Data Center Manager
– Database Administrator

Core Body of Knowledge domains:
– Laws and Regulations
– IT Security Program
– System Environment
– System Interconnection
– Information Sharing
– Sensitivity
– Risk Management
– Management Controls
– Life Cycle Controls
– Operational Controls
– Awareness and Training
– Technical Controls

Key (domain: cell):
– Laws and Regulations: 1A
– SP – Planning: 2.1A
– SP – Management: 2.2A
– SLCS – Initiation: 3.1A
– SLCS – Development: 3.2A
– SLCS – Test & Evaluation: NA
– SLCS – Implementation: 3.4A
– SLCS – Operation: 3.5A
– SLCS – Termination: 3.6A

SP = Security Program; SLCS = Sys Life Cycle Security


Behavioral Outcome for Manage (1 of 3)

1A, Laws and Regulations – Managers are able to understand applicable governing documents and their relationships and interpret and apply them to the manager’s area of responsibility.

2.1A, Security Program: Planning – Individuals involved in the management of IT security programs are able to understand principles and processes of program planning and can organize resources to develop a security program that meets organizational needs.

2.2A, Security Program: Management – Individuals in IT security program management understand and are able to implement a security program that meets their organization’s needs.


Behavioral Outcome for Manage (2 of 3)

3.1A, Life Cycle: Initiation – Individuals with management responsibilities are able to identify steps in the SDLC where security requirements and concerns need to be considered and to define the processes to be used to resolve those concerns.

3.2A, Life Cycle: Development – Individuals with management responsibilities are able to ensure that the formal development baseline includes approved security requirements and that security-related features are installed, clearly identified, and documented.

3.3A, Life Cycle: Test & Evaluation – Not applicable.


Behavioral Outcome for Manage (3 of 3)

3.4A, Life Cycle: Implementation – Individuals with management responsibilities are able to oversee the implementation and deployment of an IT system in a manner that does not compromise in-place and tested security safeguards.

3.5A, Life Cycle: Operations – Individuals with management responsibilities are able to monitor operations to ensure that safeguards are effective and have the intended effect on balancing efficiency with minimized risk.

3.6A, Life Cycle: Termination – Individuals with management responsibilities are able to understand the special IT security considerations and measures required during the shutdown of a system, and effectively plan and direct these activities.

Acquire Role, CBK, and Positions

Positions:
– ISO/ISM
– COTR
– Contracting Officer
– Source Selection Board
– Senior IRM Official
– Telecomm Specialist
– Info. Resource Manager
– System Designer/Developer
– System Owner
– Program Manager

Core Body of Knowledge domains:
– Laws and Regulations
– IT Security Program
– System Environment
– System Interconnection
– Information Sharing
– Sensitivity
– Risk Management
– Management Controls
– Life Cycle Controls
– Operational Controls
– Awareness and Training
– Technical Controls

Key (domain: cell):
– Laws and Regulations: 1B
– SP – Planning: 2.1B
– SP – Management: 2.2B
– SLCS – Initiation: 3.1B
– SLCS – Development: 3.2B
– SLCS – Test & Evaluation: NA
– SLCS – Implementation: 3.4B
– SLCS – Operation: 3.5B
– SLCS – Termination: NA

SP = Security Program; SLCS = Sys Life Cycle Security


Behavioral Outcome for Acquire (1 of 3)

1B, Laws and Regulations – Individuals involved in the acquisition of information technology resources have sufficient understanding of IT security requirements and issues to protect the government’s interests in such acquisitions.

2.1B, Security Program: Planning – Individuals involved in planning the IT security program can identify the resources required for successful implementation. Individuals recognize the need to include IT security requirements in IT acquisitions and to incorporate appropriate acquisition policy and oversight in the IT security program.

2.2B, Security Program: Management – Individuals involved in managing the IT security program have a sufficient understanding of IT security and the acquisition process to incorporate IT security program requirements into acquisition work steps.


Behavioral Outcome for Acquire (2 of 3)

3.1B, Life Cycle: Initiation – Individuals with acquisition responsibilities are able to analyze and develop acquisition documents and/or provide guidance which ensures that functional IT security requirements are incorporated.

3.2B, Life Cycle: Development – Individuals with acquisition responsibilities are able to monitor procurement actions to ensure that IT security requirements are satisfied.

3.3B, Life Cycle: Test & Evaluation – Not applicable.


Behavioral Outcome for Acquire (3 of 3)

3.4B, Life Cycle: Implementation – Individuals with acquisition responsibilities are able to ensure that the system, as implemented, meets all contractual requirements related to the security and privacy of IT resources.

3.5B, Life Cycle: Operations – Individuals with acquisition responsibilities are able to understand the IT security concerns associated with system operations and to identify and use the appropriate contract vehicle to meet current needs in a timely manner.

3.6B, Life Cycle: Termination – Not applicable.

Design/Develop Role, CBK, and Positions

Positions (listed in two groups on the slide):

Group 1:
– ISO/ISM
– Sys. Designer/Developer
– Program/Sys Analyst
– Program Manager
– Info. Resource Mgr.
– Auditor, Internal
– Privacy Act Official
– Database Administrator
– Network Administrator
– System Administrator
– System Operator

Group 2:
– ISO/ISM
– Sys. Designer/Developer
– Program/Sys Analyst
– Program Manager
– Info. Resource Mgr.
– Auditor, Internal
– CIO
– Senior IRM Official
– System Owner
– Records Mgt. Official
– FOIA Official

Core Body of Knowledge domains:
– Laws and Regulations
– IT Security Program
– System Environment
– System Interconnection
– Information Sharing
– Sensitivity
– Risk Management
– Management Controls
– Life Cycle Controls
– Operational Controls
– Awareness and Training
– Technical Controls

Key (domain: cell):
– Laws and Regulations: 1C
– SP – Planning: 2.1C
– SP – Management: 2.2C
– SLCS – Initiation: 3.1C
– SLCS – Development: 3.2C
– SLCS – Test & Evaluation: 3.3C
– SLCS – Implementation: 3.4C
– SLCS – Operation: 3.5C
– SLCS – Termination: NA

SP = Security Program; SLCS = Sys Life Cycle Security

Behavioral Outcome for Design/Develop (1 of 3)

1C, Laws and Regulations – Individuals responsible for the design and development of automated information systems are able to translate IT laws and regulations into technical specifications which provide adequate and appropriate levels of protection.

2.1C, Security Program: Planning – Individuals responsible for the design and development of an IT security program are able to create a security program specific to a business process or organizational entity.

2.2C, Security Program: Management – Individuals responsible for the design and development of an IT security program have sufficient understanding of the appropriate program elements and requirements to be able to translate them into detailed policies and procedures which provide adequate and appropriate protection for the organization’s IT resources in relation to acceptable levels of risk.

Behavioral Outcome for Design/Develop (2 of 3)

3.1C, Life Cycle: Initiation – Individuals responsible for the design and development of IT systems are able to translate IT security requirements into system-level security specifications.

3.2C, Life Cycle: Development – Individuals responsible for system design, development or modification are able to use baseline IT security requirements to select and install appropriate safeguards.

3.3C, Life Cycle: Test & Evaluation – Individuals are able to design tests to evaluate the adequacy of security safeguards in IT systems.

Behavioral Outcome for Design/Develop (3 of 3)

3.4C, Life Cycle: Implementation – Individuals responsible for system design and/or modification are able to participate in the development of procedures which ensure the safeguards are not compromised as they are incorporated into the production environment.

3.5C, Life Cycle: Operations – Individuals responsible for system development are able to make procedural and operational changes necessary to maintain the acceptable level of risk.

3.6C, Life Cycle: Termination – Not applicable.

Implement/Operate Role, CBK, and Positions

Positions (listed in two groups on the slide):

Group 1:
– ISO/ISM
– Sys. Designer/Developer
– Program/Sys Analyst
– Program Manager
– Info. Resource Mgr.
– Program Manager
– System Designer/Developer
– Database Administrator
– Data Center Manager
– Certification Reviewer/DAA
– Telecom Specialist

Group 2:
– ISO/ISM
– Network Administrator
– System Administrator
– System Operator
– Technical Support
– Program/System Analyst
– Auditor, Internal
– CIO
– Information Resource Mgr
– System Owner
– Senior IRM Official

Also listed on the slide:
– COTR
– Records Mgt Official
– FOIA Official
– Privacy Act Official

Core Body of Knowledge domains:
– Laws and Regulations
– IT Security Program
– System Environment
– System Interconnection
– Information Sharing
– Sensitivity
– Risk Management
– Management Controls
– Life Cycle Controls
– Operational Controls
– Awareness and Training
– Technical Controls

Key (domain: cell):
– Laws and Regulations: 1D
– SP – Planning: 2.1D
– SP – Management: 2.2D
– SLCS – Initiation: NA
– SLCS – Development: 3.2D
– SLCS – Test & Evaluation: 3.3D
– SLCS – Implementation: 3.4D
– SLCS – Operation: 3.5D
– SLCS – Termination: 3.6D

SP = Security Program; SLCS = Sys Life Cycle Security

Behavioral Outcome for Implement/Operate (1 of 3)

1D, Laws and Regulations – Individuals responsible for technical implementation and daily operations of an automated information system are able to understand IT security laws and regulations in sufficient detail to ensure that appropriate safeguards are in place and enforced.

2.1D, Security Program: Planning – Individuals responsible for implementing and operating an IT security program are able to develop plans for countermeasures, security controls, and processes as required to execute the existing program.

2.2D, Security Program: Management – Individuals who are responsible for the implementation and daily operations of an IT security program have a sufficient understanding of the appropriate program elements and requirements to be able to apply them in a manner which provides adequate and appropriate levels of protection for the organization’s IT resources.

Behavioral Outcome for Implement/Operate (2 of 3)

3.1D, Life Cycle: Initiation – Not applicable.

3.2D, Life Cycle: Development – Individuals responsible for system implementation or operation are able to assemble, integrate, and install systems so that the functionality and effectiveness of safeguards can be tested and evaluated.

3.3D, Life Cycle: Test & Evaluation – Individuals responsible for system implementation or operation are able to conduct tests of the effectiveness of security safeguards in the integrated system.

Behavioral Outcome for Implement/Operate (3 of 3)

3.4D, Life Cycle: Implementation – Individuals responsible for system implementation or operation ensure the approved safeguards are in place and effective as the system moves into production.

3.5D, Life Cycle: Operations – Individuals responsible for system implementation or operation are able to maintain appropriate safeguards continuously within acceptable levels of risk.

3.6D, Life Cycle: Termination – Individuals responsible for IT system operations are able to develop and implement the system termination plan, including security requirements for archiving/disposing of resources.

Review/Evaluate Role, CBK and Positions

Positions:
– ISO/ISM
– Auditor, Internal
– Auditor, External
– Certification Reviewer
– Info. Resource Manager
– Senior IRM Official
– CIO
– System Owner
– Program Manager
– DAA
– Records Mgt. Official

Core Body of Knowledge domains:
– Laws and Regulations
– IT Security Program
– System Environment
– System Interconnection
– Information Sharing
– Sensitivity
– Risk Management
– Management Controls
– Life Cycle Controls
– Operational Controls
– Awareness and Training
– Technical Controls

Key (domain: cell):
– Laws and Regulations: 1E
– SP – Planning: 2.1E
– SP – Management: 2.2E
– SLCS – Initiation: 3.1E
– SLCS – Development: 3.2E
– SLCS – Test & Evaluation: 3.3E
– SLCS – Implementation: 3.4E
– SLCS – Operation: 3.5E
– SLCS – Termination: 3.6E

SP = Security Program; SLCS = Sys Life Cycle Security

Behavioral Outcome for Review/Evaluate (1 of 3)

1E, Laws and Regulations – Individuals responsible for the review/evaluation of an automated information system are able to use IT security laws and regulations in developing a comparative baseline and determining the level of system compliance.

2.1E, Security Program: Planning – Individuals responsible for the review/evaluation of an IT security program are able to review the program to determine its continuing capability to cost-effectively address identified requirements.

2.2E, Security Program: Management – Individuals responsible for the review/evaluation of an IT security program have adequate understanding of IT security laws, regulations, standards, guidelines, and the organizational environment to determine if the program adequately addresses all threats and areas of potential vulnerability.

Behavioral Outcome for Review/Evaluate (2 of 3)

3.1E, Life Cycle: Initiation – Individuals are able to evaluate planning documents associated with a particular system to ensure that appropriate IT security requirements have been considered and incorporated.

3.2E, Life Cycle: Development – Individuals responsible for review and evaluation are able to examine development efforts at specified milestones to ensure that approved safeguards are in place and documented.

3.3E, Life Cycle: Test & Evaluation – Individuals are able to evaluate the appropriateness of test methodologies, and conduct independent tests and evaluations to ensure that adequate and appropriate safeguards are in place, effective, and documented; and to prepare C&A documentation.

Behavioral Outcome for Review/Evaluate (3 of 3)

3.4E, Life Cycle: Implementation – Individuals responsible for review and evaluation are able to analyze system and test documentation to determine whether the system provides adequate and appropriate IT security to support C&A.

3.5E, Life Cycle: Operations – Individuals responsible for review and evaluation are able to examine the operational system to determine the adequacy and effectiveness of safeguards and to ensure that a consistent and appropriate level of security is maintained.

3.6E, Life Cycle: Termination – Individuals responsible for review and evaluation are able to verify the appropriateness of the termination plan and processes used to terminate the IT system securely.

Use Role, CBK and Positions (1 of 3)

Positions:
– ISO/ISM
– Users
– System Owner
– Info. Resource Manager

Core Body of Knowledge domains:
– Laws and Regulations
– IT Security Program
– System Environment
– System Interconnection
– Information Sharing
– Sensitivity
– Risk Management
– Management Controls
– Life Cycle Controls
– Operational Controls
– Awareness and Training
– Technical Controls

Key (domain: cell):
– Laws and Regulations: 1F
– SP – Planning: NA
– SP – Management: NA
– SLCS – Initiation: 3.1E
– SLCS – Development: 3.2E
– SLCS – Test & Evaluation: 3.3E
– SLCS – Implementation: 3.4E
– SLCS – Operation: 3.5E
– SLCS – Termination: NA

SP = Security Program; SLCS = Sys Life Cycle Security

Behavioral Outcome for Use (1 of 3)

1F, Laws and Regulations – Users understand individual accountability and applicable governing documents (e.g., Computer Security Act, Computer Fraud and Abuse Act, Copyright Act, Privacy Act).

2.1F, Security Program: Planning – Not applicable.

2.2F, Security Program: Management – Not applicable.


Behavioral Outcome for Use (2 of 3)

3.1F, Life Cycle: Initiation – Potential users are able to participate in needs analyses and understand the various points of view involved in setting the balance between IT security controls and system efficiency.

3.2F, Life Cycle: Development – Potential users are able to provide input to system development efforts to ensure that IT security safeguards are as transparent to the user as feasible and are balanced with ease of use.

3.3F, Life Cycle: Test & Evaluation – Users are able to participate in acceptance tests and evaluate the impact of security safeguards on the operational environment.


Behavioral Outcome for Use (3 of 3)

3.4F, Life Cycle: Implementation – Users are able to identify and report security and efficiency concerns encountered during normal operations.

3.5F, Life Cycle: Operations – Users are able to understand the objectives of and comply with the “rules of behavior” for the system.

3.6F, Life Cycle: Termination – Not applicable.

Final thoughts

– Training can promote cultural change
– It can shift the workforce from being observers who show interest in security to becoming participants who demonstrate commitment to security
– It is only through the understanding of these security roles and their relationships among each other and across the life cycle that total security integration can occur

Thanks for attending this session!