Requests for IT systems are developed into a Project Plan through the steps delineated by the Project Management Office.
II. Initiation Phase
Identify IT System Security Responsibilities based on the Security Roles and Responsibilities Policy.
Security roles and responsibilities are assigned:
- The Information Security Officer (ISO) designates a system owner.
- The system owner designates the system administrator(s) and the data owner(s).
- The data owner(s) designate the data custodian.
- Identify Risks and Controls:
- The system and data owner(s) or their designees perform an initial risk analysis based on initial requirements and objectives to establish security guidelines for system developers.
- The data owner(s) classifies the types of data the IT system will process and classify the data's sensitivity.
- For any data classified as sensitive the need for collection and maintenance of that data is re-evaluated.
- Sensitivity of the IT system is determined by the sensitivity of the data.
- For any system identified as sensitive, the system owner develops an initial draft of the IT System Security Plan that documents the controls that the system will enforce to provide protection against identified risks.
Classes of security controls:
- Management Controls
- Operational Controls
- Technical Controls
- The IT System Security Plan is reviewed by the Information Security Office.
III. Definition and Construction Phase
- Design IT System Characteristics:
- The physical characteristics of the IT system are designed during this phase. The operating environment is established, inputs and outputs are defined and processes are allocated to resources.
- Design specifications for the security requirements of the IT System Security Plan are developed and documented.
- Everything requiring user input or approval is documented and reviewed by the user. The physical characteristics of the IT system are specified and a detailed design is prepared.
- Develop IT System:
- The detailed specifications produced during the design phase are translated into hardware, communications and executable software. Software components are unit tested, integrated and retested in a systematic manner. Hardware is assembled and tested.
- The incorporation of the security controls into the IT system design is verified and documented in the IT System Security Plan.
- At the discretion of the ISO, the ISO or his or her designee tests for proper and effective functioning of the security controls that may be tested prior to deployment. (Certain non-technical controls may not be effectively tested until the IT system is deployed.)
IV. Integration and Test Phase
- Integrate IT System Components:
All of the IT system components (hardware, communications, software, security controls) are incorporated and systematically tested.
- Test Functionality and Security:
- The user ensures that the IT system's functional requirements are satisfied by the developed system.
- The IT system undergoes any necessary certification and accreditation activities.
- The Information Security Office conducts an IT system security evaluation to ensure that the security requirements, as defined in the IT System Security Plan, are satisfied by the developed or modified IT system.
- The IT system security controls are accepted by the system owner.
V. Implementation Phase
- Make IT System Operational:
- The IT system or IT system modifications are installed and made operational in a production environment.
- This phase continues until the IT system is operating in a production environment in accordance with the defined design specifications and security requirements.
- Document Risks and Controls:
- The system owner and data owner(s) or their designees will conduct a risk assessment of the system.
- The system owner or his or her designees will document the final IT System Security Plan to document the security controls implemented.
- The completed IT System Security Plan is approved by the ISO.
VI. Operations and Maintenance Phase
- Continue Operation of IT System:
- With the IT system operation ongoing, the IT system is monitored for continued performance in accordance with design specifications and security requirements. Operations continue as long as the IT system can be effectively adapted to respond to an organization's needs.
- The IT system is periodically assessed through In-Process Reviews to determine how the IT system can be made more efficient and effective.
- The security controls are periodically assessed through security evaluations.
- Modify IT System:
- Needed modifications are incorporated into the IT system.
- When major modifications or changes are identified, the IT system may reenter the Planning Phase.
- The IT System Security Plan will be updated by the system owner to document any changes to security controls implemented for the system and approved by the ISO. The IT System Security Plan will be reviewed and approved no less than once a year for restricted systems and once every three years for non-restricted systems.
VII. Disposition Phase
When a decision is made to cease use of an IT system the following requirements must be met in the disposition:
- Make Data Retention Decisions:
Data handled by the IT system will be retained in accordance with University and/or Commonwealth of Virginia record retention requirements.
- Dispose of the IT System Components:
Electronic media will be sanitized and hardware and software disposed of in accordance with University and/or Commonwealth of Virginia requirements.
Data: Data is an arrangement of numbers, characters and/or images representing information, knowledge, facts, concepts or instructions.
Data Owner: A University employee designated as responsible for the policy and practice decisions regarding data.
Management Controls: A set of mechanisms designed to manage organizations to achieve desired objectives.
Operational Controls: IT security measures implemented through policies and procedures.
Risk Analysis: A systematic process to identify and quantify risks to IT systems and data and to determine the probability of the occurrence of those risks.
Risk Assessment (RA): The process of identifying and evaluating risks so as to assess their potential impact.
Security Evaluation: Procedures used in the analysis of security mechanisms to determine their effectiveness and to support or refute specific IT system weaknesses.
Sensitivity Classification: The process of determining whether and to what degree IT systems and data are sensitive.
Security Controls: The protection mechanisms prescribed to meet the security requirements specified for an IT system.
Sensitive Data: Sensitive data is any data in print or electronic form of which a compromise of confidentiality, integrity or availability would have a significant and noticeable impact on the University's achievement of its mission.
System: IT systems are interconnected sets of IT resources, including application systems which meet a defined set of business needs and support systems that provide services to other systems.
System Owner: A University employee designated as responsible for the operation and maintenance of a University IT system.
Technical Controls: IT security measures implemented through technical software or hardware.
Approved by the Chief Information Officer, November 18, 2008.