SECURITY - GOVERNANCE - RISK - COMPLIANCE
SECURITY SOLUTION DESIGN FOR DEVSECOPS
Security Awareness, IT Services
April 30, 2018
A global organization needed a transformation of its Information Systems Security Controls Framework Roadmap, based on 'DevSecOps' as a new standard. The purpose was to redesign systems so that vulnerabilities detected early in the design and development phases could be revoked or remediated. The new framework needed to include new configuration and system controls for building and implementing new environments (hardware, platform systems, databases, applications, network and network components).
The request also included ensuring that IDS/IPS was included by default for all critical systems. It also needed to enable continuous review of and follow-up on system alerts, update the risk management process and tools, monitor system and privileged user activities, and create procedures and work instructions for the new DevSecOps practice that would become part of the new Information System Security Controls Framework standard.
The main challenge and goal was to verify the scope of the environments to be included in the new framework. An initial inventory and analysis of all hardware, platform systems, databases, applications, network and network components was needed so that business justifications based on risk and organization strategy could identify the scope for the project. The inventory needed to be updated during the project as ongoing business and new systems introduced into the environment were brought inside project scope.
Contact Fogel Consulting through the contact form to receive further information and the possibility to present your own case and business needs.
Due to the complexity, a program consisting of 6 sub-projects was set up. The first step was to define what to remediate and/or implement new requirements for, as agreed in the project charter. The project solution included work on new security risk protection requirements for client systems, networks, databases and applications for data protection.
The Security program's 6 sub-projects contributed design, implementation and remediation assessment, including:
- Re-design and implementation of a new Information System Security Control Strategy Architecture Road Map;
- Design and implementation of IDS/IPS services;
- Review and assessment of the security risk monitoring process, including recommendations for process improvements;
- Design and implementation of a new system security check procedure and tools for monitoring requirements on client systems, networks, databases and applications for sustained data protection;
- Design and implementation of new tools and processes for monitoring privileged users on all Windows, Unix and Linux systems;
- Development and implementation of a detailed Information System Security Controls Document (ISCD) that defines the client-agreed security control requirements to be maintained by suppliers and vendors in relation to their services.