Sunday 24 February 2013

Phases in Developing Information Security Policy

The Security System Development Life Cycle (SecSDLC) is a variant of SDLC which can be used in developing an Information Security Policy.

The SecSDLC phases in developing an InfoSec policy are:
  • Investigation Phase
  • Analysis Phase
  • Design Phase
  • Implementation Phase
  • Maintenance Phase

The phase names are no different from those of the standard SDLC, are they? The differences lie in the tasks carried out within each phase.

The Investigation Phase is where the development team obtains the support of senior management and the CIO, as well as the involvement of representatives from across the organization. An outcome of this phase is a thorough outline of the policy development plan, detailing scope, cost and schedule.

During the Analysis Phase, a fresh risk assessment can be carried out to identify the current InfoSec needs of the organization. All the relevant documents and reference materials should be collated during this phase.

In the Design Phase, the dissemination of the policies must be planned to make sure that they are distributed properly. It must be ensured that all members of the organization will receive, read and understand the policies. It is good practice to include a requirement that members affirm their agreement to the policies.

The Implementation Phase is where the policies are written. Preparing a policy from scratch can be a daunting task. Fortunately, there are a number of approaches and references for writing policies, among them searching for similar policies on the Internet, government sites, professional literature and peer networks. By referring to the available policies, the InfoSec team can customize and write its own policies tailored to the organization.

In the last phase, the Maintenance Phase, the policies are monitored, maintained and modified as and when required. This serves the objective of keeping the policies effective and relevant. It is important to include a mechanism through which members of the organization can raise problems regarding the policies. Usually this reporting process allows for anonymity.
