Security Solution Design For DevSecOps


Client: Trusted Client

Categories: Security Awareness, IT Services

Completed: April 30, 2018

Project Budget: $75,000

Project length: 4 months

Project Details

BACKGROUND


A global organization needed to transform its Information Systems Security Controls Framework roadmap, adopting DevSecOps as the new standard. The purpose was to redesign systems so that vulnerabilities detected early in the design and development phases could be removed or remediated before release. The new framework had to include new configuration and system controls for building and implementing new environments (hardware, platform systems, databases, applications, networks and network components).


The request also included ensuring that IDS/IPS coverage was in place by default for all critical systems. It further required enabling continuous review and follow-up of system alerts, updating the risk management process and tools, monitoring system and privileged user activity, and creating procedures and work instructions for the new DevSecOps practices that would become part of the new Information System Security Controls Framework standard.

CHALLENGE


The main challenge and goal was to establish the scope of the environments to be covered by the new framework. An initial inventory and analysis of all hardware, platform systems, databases, applications, networks and network components was needed so that business justifications based on risk and organizational strategy could define the project scope. The inventory had to be kept up to date during the project as ongoing business activity introduced new systems into the in-scope environment.



Security Solution Design Review for DevSecOps

Do you need similar expert help? Contact Fogel Consulting through the contact form to receive further information and to present your own case and business needs.

SOLUTION


Due to the complexity, a program consisting of 6 sub-projects was set up. The first step was to define what to remediate and/or which new requirements to implement, as agreed in the project charter. The program covered new security risk protection requirements on client systems, networks, databases and applications for data protection. The 6 sub-projects were:

  • Design of a new Information System Security Controls Framework, including:
    •  Security Architecture in DevOps
    •  Logical and Privileged Access Logging
    •  Monitoring and protection of systems from threats outside and inside the organization
  • Design and test of a new IDS/IPS (intrusion detection and prevention service) covering:
    •  External Networks & Firewalls
    •  External Commercial Website
    •  DMZ (demilitarized zone)
    •  Internet-connected applications and databases
  • Design and implementation of a new automated system monitor and control for system alterations and/or modifications made outside agreed service windows
  • Design of new real-time monitoring and alerting for privileged users on critical business systems
  • Reformalizing the design and functions of the Information Systems Control Document (ISCD)
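The two monitoring sub-projects above (change control outside agreed service windows, and real-time alerting on privileged users of critical systems) boil down to simple detection rules over an audit trail. The following is an added illustration, not code from the original page or from Fogel Consulting; the log format, service window, host names and account names are all constructed assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Tuple

# Constructed sample audit records (not from any real system). Assumed format:
# ISO timestamp | host | user | event_type | detail
SAMPLE_LOG = """\
2018-03-12T02:15:00 | erp-db01 | svc_backup | file_change | /etc/postgresql/pg_hba.conf
2018-03-12T09:40:00 | erp-db01 | jdoe | login | ssh
2018-03-12T10:05:00 | erp-app02 | root | package_change | openssl upgraded
2018-03-12T14:30:00 | web-dmz01 | admin | config_change | /etc/nginx/nginx.conf
2018-03-12T23:50:00 | erp-app02 | jdoe | file_change | /etc/sudoers
"""

# Assumed agreed service window: 01:00 to 04:00 local time.
SERVICE_WINDOW: Tuple[time, time] = (time(1, 0), time(4, 0))
# Assumed inventory classification (hypothetical host and account names).
CRITICAL_SYSTEMS = {"erp-db01", "erp-app02"}
PRIVILEGED_USERS = {"root", "admin"}
# Event types treated as system alterations subject to change control.
CHANGE_EVENTS = {"file_change", "config_change", "package_change"}


@dataclass
class Alert:
    ts: datetime
    host: str
    user: str
    rule: str
    detail: str


def in_window(ts: datetime, window: Tuple[time, time]) -> bool:
    """True if the timestamp's time of day falls inside the service window.
    Handles windows that cross midnight (e.g. 22:00-02:00)."""
    start, end = window
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def parse_line(line: str):
    """Split one pipe-delimited audit record into its five fields."""
    ts, host, user, event, detail = [p.strip() for p in line.split("|", 4)]
    return datetime.fromisoformat(ts), host, user, event, detail


def evaluate(log_text: str, window: Tuple[time, time] = SERVICE_WINDOW) -> List[Alert]:
    """Apply the two detection rules to every record and return the alerts raised."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, event, detail = parse_line(line)
        # Rule 1: any system alteration outside the agreed service window.
        if event in CHANGE_EVENTS and not in_window(ts, window):
            alerts.append(Alert(ts, host, user, "change_outside_service_window", detail))
        # Rule 2: any activity by a privileged account on a critical business system.
        if user in PRIVILEGED_USERS and host in CRITICAL_SYSTEMS:
            alerts.append(Alert(ts, host, user, "privileged_activity_on_critical_system",
                                f"{event}: {detail}"))
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOG):
        print(f"{a.ts.isoformat()} {a.host} {a.user} {a.rule}: {a.detail}")
```

On the constructed sample, the backup job's change at 02:15 is inside the window and raises nothing, while the three changes made during business hours each raise a change-control alert; the root package change on erp-app02 additionally raises a privileged-activity alert. In a real deployment the inventory sets (critical systems, privileged accounts) would be fed from the ISCD rather than hard-coded, which is exactly why the case study ties the monitoring work to keeping the inventory current.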

RESULT


The security program's 6 sub-projects delivered design, implementation and remediation assessment work, including:

- Redesign and implementation of a new Information System Security Control Strategy Architecture Roadmap;

- Design and implementation of IDS/IPS services;

- Review and assessment of the security risk monitoring process, including recommendations for process improvements;

- Design and implementation of a new system security check procedure and tools for monitoring requirements on client systems, networks, databases and applications for sustained data protection;

- Design and implementation of new tools and processes for monitoring privileged users on all Windows, Unix and Linux systems;

- Development and implementation of a detailed Information System Security Controls Document (ISCD) that defines the client-agreed security control requirements to be maintained by suppliers and vendors in relation to their services.