Overview

Security can be incorporated into information systems acquisition, development and maintenance by implementing effective security practices in the following areas.

  • Security requirements for information systems
  • Correct processing in applications
  • Cryptographic controls
  • Security of system files
  • Security in development and support processes
  • Technical vulnerability management

Information systems security begins with incorporating security into the requirements process for any new application or system enhancement. Security should be designed into the system from the beginning. Security requirements are presented to the vendor during the requirements phase of a product purchase. Formal testing should be done to determine whether the product meets the required security specifications prior to purchasing the product.

Correct processing in applications is essential in order to prevent errors and to mitigate loss, unauthorized modification or misuse of information. Effective coding techniques include validating input and output data, protecting message integrity with message authentication codes or digital signatures (encryption by itself conceals data but does not detect tampering), checking for processing errors, and creating activity logs.

Applied properly, cryptographic controls provide effective mechanisms for protecting the confidentiality, authenticity and integrity of information. An institution should develop policies on the use of encryption, including proper key management. Disk encryption is one way to protect data at rest. Data in transit can be protected from alteration and unauthorized viewing with TLS, using server certificates issued by a Certificate Authority that operates a Public Key Infrastructure; the certificate authenticates the endpoint, and the TLS session provides the encryption and integrity protection.

System files used by applications must be protected in order to ensure the integrity and stability of the application. Using source code repositories with version control, extensive testing, production rollback plans, and restricted access to program code are some effective measures that can be used to protect an application's files.

Security in development and support processes is an essential part of a comprehensive quality assurance and production control process, and would usually involve training and continuous oversight by the most experienced staff.

Applications need to be monitored and patched for technical vulnerabilities. Procedures for applying patches should include evaluating the patches to determine their appropriateness, and whether they can be rolled back if they have a negative impact.


Standards

ISO 27002: Information Security Management, Chapter 12: Information Systems Acquisition, Development, and Maintenance

NIST SP 800-53: Recommended Security Controls for Federal Information Systems and Organizations
NIST SP 800-23: Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
NIST SP 800-64: Security Considerations in the System Development Life Cycle
NIST SP 800-111: Guide to Storage Encryption Technologies for End User Devices
NIST SP 800-144: Guidelines on Security and Privacy in Public Cloud Computing

COBIT: PO8, PO9

PCI DSS: Requirements 2, 3, 4, 6, 11


Security Requirements for Information Systems (ISO 12.1)

Objective: To ensure that security requirements are established as an integral part of the development or implementation of an information system.

The acquisition of a system or application often includes a Request for Proposals (RFP), which is a formal procurement process. During this process, security requirements need to be identified. Indiana University includes both a security review and a security questionnaire as part of the RFP process. Learn more about this effective practice by viewing Building Security into the RFP Process, from the 2010 Security Professionals Conference.

The University of Illinois Urbana-Champaign has developed a procurement process for evaluating whether an electronic service is considered to be low-risk, and potentially eligible for purchase using a P-Card. The criteria are included in Purchasing Software and Electronic Services with a P-Card.

Many institutions are looking to the cloud for information system solutions, and cloud computing security considerations are essential. Security professionals from EDUCAUSE member institutions published an excellent article, Cloud Services: Policy and Assessment, in the EDUCAUSE Review. Evaluating Cloud Risk for the Enterprise: A Shared Assessments Guide provides information to consider in evaluating the risk of moving applications to the cloud. Institutions need to perform due diligence to assess the security of cloud service providers. The Cloud Security Alliance has also published several resources to help assess security of cloud services. The Cloud Controls Matrix may prove particularly beneficial to those who are evaluating services prior to purchase.

George Mathew outlined security considerations for applications in the cloud at the 2011 Security Professionals conference. His Application Security in the Cloud session was recorded. Navigating the Clouds with an Enterprise IT Strategy, presented at the 2013 Security Professionals Conference, offers guidance from Furman University on creating a cloud security strategy. The University of Pennsylvania shared experience, lessons learned, and recommendations for creating a cloud policy, contracted solutions, and security assessments in Bring Your Own Cloud: Data management challenges in a click-through world, a presentation at the 2013 Security Professionals Conference.

As applications are developed for mobile computing, security requirements need to be included from the beginning. Developing a Campus Mobile Strategy: Guidelines, Tools, and Best Practices is an EDUCAUSE resource that offers an excellent strategy for mobile devices, including security considerations. The Hot Topic page on Mobile Device Security also contains numerous tips and links on how to secure mobile devices.

Applications often include databases for backend processing. In the following case study, UC, Irvine provides a security checklist for database administrators.
Campus Case Study: Application Security for Database Administrators - UC, Irvine

An important aspect of overall information systems design involves the credentials that will be used to access the system. The InCommon Identity Assurance Profiles Bronze and Silver (IAP) document specifies requirements that Identity Provider Operators must meet in order to be eligible to include InCommon Identity Assurance Qualifiers in Identity Assertions that they offer to Service Providers. The IAP provides excellent security requirements for identity management systems. In particular, Section 4.2.3, Credential Technology specifies requirements for issuing and securing credentials. Further guidance involving credential technology can be found in NIST SP 800-63.   


Correct Processing in Applications (ISO 12.2)

Objective: To ensure that application design includes controls such as those to validate input/output data, internal processing, and message integrity, in order to prevent errors and preserve data integrity.

Web applications are exposed to a well-understood set of recurring flaws, such as injection, cross-site scripting, and broken authentication and session management. The OWASP Top Ten Project is a baseline for addressing the most prevalent of these risks. Application developers should be well trained in coding techniques that control these risks, and software purchasers should require that products not be susceptible to them. Effective security practices for ensuring correct processing in applications are offered by UC, Irvine in the Campus Case Study: Application Security for Developers and Quality Assurance Personnel - UC, Irvine.
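The two controls this objective names, input validation and message integrity, as an added Python example (not code from the page or from the UC, Irvine case study). The enrollment-request fields and their allowed shapes, the sample values and the 32-byte key are constructed for illustration. The integrity part uses an HMAC-SHA256 tag rather than encryption, because encryption alone does not reveal that a message was altered in transit, while a tag checked with a constant-time compare does.

```python
"""Allowlist input validation and HMAC message integrity (added example; stdlib only)."""
import hashlib
import hmac
import re
import secrets

# Field shapes for a hypothetical course-enrollment request (constructed for
# this example). Everything is an allowlist: a value is accepted only if it
# matches the expected form exactly.
FIELD_PATTERNS = {
    "username": re.compile(r"[a-z][a-z0-9_]{2,31}"),
    "student_id": re.compile(r"[0-9]{8}"),
    "credits": re.compile(r"[0-9]{1,2}"),
}
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def validate_enrollment(record: dict) -> dict:
    """Return a cleaned copy of the request or raise ValueError.

    Unknown fields are rejected rather than passed through, every value is
    checked against its allowlisted shape, and the range check runs on the
    typed value, so a username carrying SQL metacharacters or a request like
    {"credits": "99"} never reaches the business logic.
    """
    unexpected = set(record) - set(FIELD_PATTERNS)
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    missing = set(FIELD_PATTERNS) - set(record)
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    clean = {}
    for field, pattern in FIELD_PATTERNS.items():
        value = str(record[field])
        if not pattern.fullmatch(value):
            raise ValueError(f"{field} has invalid form")
        clean[field] = value
    credits = int(clean["credits"])
    if not 1 <= credits <= 21:
        raise ValueError("credits out of range")
    clean["credits"] = credits
    return clean


def is_valid_enrollment(record: dict) -> bool:
    """Boolean wrapper around validate_enrollment for callers that only branch."""
    try:
        validate_enrollment(record)
        return True
    except ValueError:
        return False


def sign_message(key: bytes, payload: bytes) -> bytes:
    """Append an HMAC-SHA256 tag so any change to payload is detectable."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify_message(key: bytes, signed: bytes) -> bytes:
    """Return the payload if its tag verifies, else raise ValueError.

    compare_digest is constant-time, so the check does not leak how many
    leading tag bytes a guess got right.
    """
    if len(signed) < TAG_LEN:
        raise ValueError("message too short to carry a tag")
    payload, tag = signed[:-TAG_LEN], signed[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return payload


def is_intact(key: bytes, signed: bytes) -> bool:
    """True if verify_message accepts the message under this key."""
    try:
        verify_message(key, signed)
        return True
    except ValueError:
        return False


def tampered_copy(signed: bytes, offset: int = 0) -> bytes:
    """Flip one bit of a signed message, as an on-path adversary might."""
    buf = bytearray(signed)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice from a key store, never hard-coded
    request = validate_enrollment({"username": "jdoe", "student_id": "12345678", "credits": "15"})
    wire = sign_message(key, repr(sorted(request.items())).encode())
    print("verified:", verify_message(key, wire))
    print("tampered message intact?", is_intact(key, tampered_copy(wire)))
```

The validation rejects on any deviation instead of trying to sanitize, which is the behaviour the OWASP injection and XSS guidance relies on; the tag length is fixed so a truncated message cannot be mistaken for a shorter valid one.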

Cryptographic Controls (ISO 12.3)

Objective: To describe considerations for an encryption policy in order to protect information confidentiality, integrity, and authenticity.

Certain data, by their nature, require particular confidentiality protection that can be provided by encryption techniques. Additionally, there may be contractual or other legal penalties for failure to maintain proper confidentiality, when Social Security Numbers are involved, for example. Parties who obtain unauthorized access to the encrypted data but who do not have the encryption key cannot feasibly decipher it. Note that the key is distinct from any password or passphrase: where a password is involved at all, it unlocks or derives the key, so password strength and key storage both bound the protection actually achieved.

Data exist in one of three states: at rest, in transit, or in use (being processed). Data are particularly exposed to unauthorized access when in transit or at rest. Portable computers holding data at rest are a common target for physical theft, and data in transit over a network may be intercepted. Unauthorized access may also occur while data are being processed, but encryption does not help there, since the data must be in the clear for the application to work on them; the processing application itself has to control, and report on, such access attempts. When used appropriately, encryption is a powerful tool to prevent unauthorized access to data at rest or in transit.

The following campus case studies are included in Encryption 101, a basic guide to encryption concepts.
Campus Case Study: Implementing Whole Disk Encryption with Microsoft Windows Vista BitLocker - McIntire School of Commerce, UVA
Campus Case Study: Whole Disk Encryption Evaluation and Deployment - Baylor University
Campus Case Study: Developing a Certification Authority for PKI - Virginia Tech

Full disk encryption (FDE) can be used to mitigate the risk of data exposure, but it protects data only while the volume is locked. Once the machine has booted and the user has authenticated, the disk is transparently readable, and the operating system's access controls rather than the encryption are what stand between an attacker and the data; a machine that is merely asleep still holds the key in memory. FDE is therefore most effective on laptops, which are usually powered off (or hibernated, with pre-boot authentication required) when lost or stolen. See Introduction to Full Disk Encryption (FDE) for an overview of FDE.

Security of System Files (ISO 12.4)

Objective: To ensure that system files and sensitive data in testing environments are protected against unauthorized access, and that secure code management systems and processes are in place for configurations, software, and source code.

Documented procedures and revision control systems should be utilized to control software implementation for both applications and operating systems. New York University described their approach in the presentation, Mastering Puppet: Using Puppet to Centrally Manage IT Security Infrastructure, at the 2010 Security Professionals Conference.
Data used for testing should not contain personally identifiable information. Guidelines for Data De-Identification should be followed to remove sensitive information or to modify it beyond recognition when used for testing purposes.
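One way to carry out that de-identification before a production extract reaches a test environment, as an added Python example (not from the page or from the Guidelines for Data De-Identification it links). The student records, the field list and the key are constructed for illustration. Direct identifiers are dropped, join keys are replaced by keyed pseudonyms so test cases that join tables still work, dates are generalized, and a final scan looks for identifiers that survived in free-text fields, which is where field-by-field de-identification usually leaks.

```python
"""De-identifying production records for test use (added example; stdlib only)."""
import hashlib
import hmac
import re

# Fields dropped outright: test code never needs a real SSN, phone or address.
DROP_FIELDS = {"ssn", "phone", "address"}
# Fields replaced by a keyed pseudonym so records can still be joined on them.
PSEUDONYMIZE_FIELDS = {"student_id", "email"}
# Patterns that must not survive in any string field of the released set.
RESIDUAL_PII = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}

# Constructed sample extract; the notes field deliberately repeats the SSN,
# as real free-text fields often do.
SAMPLE_RECORDS = [
    {"student_id": "12345678", "name": "Jane Doe", "email": "Jane.Doe@example.edu",
     "ssn": "123-45-6789", "dob": "2001-04-09", "major": "CS",
     "notes": "Called re SSN 123-45-6789, advised to update FAFSA"},
    {"student_id": "87654321", "name": "Ravi Patel", "email": "rpatel@example.edu",
     "ssn": "987-65-4321", "dob": "1999-11-30", "major": "BIO",
     "notes": "Transfer credits pending"},
]


def pseudonym(key: bytes, value: str, length: int = 16) -> str:
    """Keyed, deterministic token for an identifier.

    HMAC rather than a bare hash: without the key nobody can re-derive tokens
    by hashing a list of candidate IDs or emails. Normalising case and
    whitespace first keeps "Jane.Doe@" and "jane.doe@" joinable.
    """
    norm = value.strip().lower().encode("utf-8")
    return hmac.new(key, norm, hashlib.sha256).hexdigest()[:length]


def deidentify(record: dict, key: bytes) -> dict:
    """Return a test-safe copy of one production record."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field in PSEUDONYMIZE_FIELDS:
            out[field] = pseudonym(key, str(value))
        elif field == "name":
            out[field] = "Student " + pseudonym(key, str(value), 6)
        elif field == "dob":
            out["birth_year"] = str(value)[:4]  # generalize to year only
        else:
            out[field] = value  # non-identifying fields pass through unchanged
    return out


def deidentify_all(records: list, key: bytes) -> list:
    return [deidentify(r, key) for r in records]


def find_residual_pii(records: list) -> list:
    """Return (record_index, field, pattern_name) for every string field that
    still matches a PII pattern. An empty list is the release gate."""
    hits = []
    for i, rec in enumerate(records):
        for field, value in rec.items():
            if not isinstance(value, str):
                continue
            for name, pattern in RESIDUAL_PII.items():
                if pattern.search(value):
                    hits.append((i, field, name))
    return hits


if __name__ == "__main__":
    key = b"test-extract-key-2024"  # per-extract key, kept out of the test environment
    released = deidentify_all(SAMPLE_RECORDS, key)
    for rec in released:
        print(rec)
    print("residual PII:", find_residual_pii(released))
```

The key used for pseudonyms must not travel with the test data set, or the tokens become a lookup table; generate one per extract and discard it once the data have been loaded. The residual scan is deliberately crude (two regexes) and is a backstop, not a substitute for deciding field by field what test code actually needs.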

The integrity of system files can be compromised as a result of a security exploit. Running a package such as Tripwire can help detect unauthorized changes to system files. Tripwire is available in both commercial and open source versions.
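The baseline-and-compare logic behind a file integrity checker like Tripwire, as an added Python example (not Tripwire's code or the page's own). The directory layout, file contents and the simulated compromise are constructed inline under a temporary directory so the block runs offline.

```python
"""Baseline-and-compare file integrity check (added example; stdlib only)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped so a link pointing outside the tree cannot make the
    baseline hash, and later re-hash, arbitrary files.
    """
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed or modified relative to baseline."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in shared if baseline[k] != current[k]),
    }


def demo_run() -> dict:
    """Build a constructed tree, baseline it, simulate a compromise, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "bin").mkdir()
        (root / "bin" / "server").write_bytes(b"\x7fELF constructed binary\n")
        baseline = build_baseline(root)

        # Simulated post-exploit changes: config weakened, binary replaced by
        # a differently named one, original removed.
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "bin" / "server").unlink()
        (root / "bin" / "backdoor").write_bytes(b"\x7fELF something else\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo_run().items():
        print(f"{kind:9s}: {paths}")
```

Two things the real tools add that this sketch does not: the baseline must be stored where a compromised host cannot rewrite it (signed, on read-only media, or off-host), or an attacker who replaces a binary simply re-baselines; and Tripwire records ownership, permissions and inode metadata as well as content hashes, so a mode change on a setuid binary is caught even when its contents are untouched.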

Security in Development and Support Processes (ISO 12.5)

Objective: To ensure that change management and verification procedures are in place to maintain the security of project and support environments.

The application layer is where many serious vulnerabilities are exposed. Inventorying and securing all applications, software interfaces, or integration points that "touch" sensitive data is crucial in any organization that handles personal identity data, data regulated under HIPAA or PCI DSS, or any data that can lead to identifying confidential information. Unfortunately, this layer is subject to extensive variation and stretches across many technologies, human competencies, and organizational controls, practices, and standards. As such, it is difficult to secure and sustain, and usually requires departments to re-evaluate much of their software development, acquisition, and production control organization, staffing, and practices. Moreover, since applications are enhanced to adapt to changing business needs relatively often, even while the technology they depend on may also be changing, a consistent and routine approach to maintaining their security must be adopted. Fortunately, there are many excellent resources to help organizations get started.

The Information Technology Infrastructure Library (ITIL) is one of the oldest and most mature frameworks for IT service management, and offers a wealth of best practice documents.

JIRA is a project tracking tool that is very useful for bug tracking and change management. Jira workflows can be customized and used to formalize testing procedures.

The following institutional case studies break down application security by the respective audience - management and architects, developers and QA staff, and the database administrator. Each area is instrumental in providing the comprehensive approach to ensure application layer security.
Campus Case Study: Application Security for Management, Project Managers, and Architects - UC, Irvine
Campus Case Study: Application Security for Developers and Quality Assurance Personnel - UC, Irvine

The need for highly skilled developers and support personnel cannot be emphasized enough. Security training is expensive, but can save the institution both dollars and reputation in the long run. The SysAdmin, Audit, Networking, and Security (SANS) EDU program is a partnership that helps to lower the cost of training for higher education security professionals. Relevant courses for software developers are listed in the SANS Secure Software Development Training Curriculum. System administrators will benefit from the SANS System Administration Training Curriculum.

At the 2013 Security Professionals Conference, the University of Pennsylvania presented a valuable methodology for securing web applications in Proven Strategies for Web Application Security.


Technical Vulnerability Management (ISO 12.6)

Objective: To ensure that procedures are implemented to mitigate and/or patch technical vulnerabilities in systems and applications.

Three approaches to managing technical vulnerabilities in application software are described in the Application Security and Software Development Life Cycle presentation from the 2010 Security Professionals Conference.

Campus Case Study: Enhancing Application Security With a Web Application Firewall - UC, Irvine

Vulnerabilities should be monitored, and one way to do that is with a web application scanner. An article from the August 2011 Security Tools Benchmarking blog lists web application scanners, both open source and commercial, and enumerates their features. Weaknesses in the underlying Windows platform also expose the applications that run on it. Rapid Windows Analysis, presented at the 2013 Security Professionals Conference, describes tools for detecting Windows vulnerabilities.

Resources

Campus Case Studies On This Page
Implementing Whole Disk Encryption with Microsoft Windows Vista BitLocker - McIntire School of Commerce, UVA
Whole Disk Encryption Evaluation and Deployment - Baylor University
Developing a Certification Authority for PKI - Virginia Tech
Application Security for Management, Project Managers, and Architects - UC, Irvine
Application Security for Developers and Quality Assurance Personnel - UC, Irvine
Application Security for Database Administrators - UC, Irvine
Enhancing Application Security With a Web Application Firewall - UC, Irvine



Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.