SEC 3301, Security Application Development 1

Course Learning Outcomes for Unit VIII

Upon completion of this unit, students should be able to:

1. Analyze the relationship between application security and system development.
1.1 Differentiate the information areas that monitor the security maintenance management.
1.2 Define the processes related to the digital forensics and traditional forensics investigation.

3. Explain the best practices for securing an application and database.

4. Outline potential application security vulnerabilities.

4.1 Summarize the domains that support the recommended maintenance model that provides
monitoring as well as risk and vulnerability assessments.

5. Analyze the information technology (IT) physical security considerations for an organization.

Required Unit Resources

Module 12: Information Security Maintenance

Unit Lesson

The new or upgraded system is now in place and working like a charm. Whatever implementation phase was
used to install and replace the legacy systems seems to have been a success. Now, the question is, “Are we
done with the project?” The answer is no! The maintenance phase is the last phase of the project and
consists primarily of making sure the new or upgraded system is maintained and monitored daily during its life
cycle until such time the system is replaced by another new or upgraded system. Maintaining the system
includes the review of recommended security management models, which aid in the establishment of a full
maintenance program. Also in the maintenance program, we must identify the key factors that may influence
internal and external environments and how they affect system monitoring.

Most individuals believe that once the project has been completed, it is the end of the project. Earlier in the
course, we mentioned that all projects have a start date and an end date. The end date is not the completion
of the system development but, rather, is the end of the project, which includes the maintenance phase. To
easily clarify the project, allow us to consider National Aeronautical Space Administration (NASA) space
mission projects. NASA developed the Mercury, Apollo, and Shuttle programs. Once the space capsules and
shuttle were completed, the project did not end; these vehicles were maintained for the next space mission.

In the information security world, once a system is implemented, it is maintained to make sure the security is
always updated based on the current and future vulnerability risks. This includes periodic updates and
patches to ensure the system is protected and updated according to the current competitive market outlook.
The successful implementation and testing should include a new and improved security profile, but this may
provide a false sense of security for an organization. The security profile may provide a sense of confidence
about protection level, but the organization should always be on guard!

Another area in planning is to ensure that the system always remains online. Since this may not always be
feasible, it is important to develop disaster planning, risk assessment, vulnerability, assessment, and
remediation for a system’s outage. Also, once the system is implemented, there may have been upgrades
over time, which mandates that the environment and security should encompass additional refinements.

UNIT VIII STUDY GUIDE
Implementing Information Security,
Part 2

SEC 3301, Security Application Development 2

UNIT x STUDY GUIDE
Title

Within the security environment, there are well-established security management maintenance models that
managers can use to maintain the security of the systems. “The National Institute of Standards and
Technology’s (NIST) Information Security Handbook: A Guide for Managers (SP 800-100) has been produced
for managers to implement 13 information areas to monitor the security management of the systems. This
document is a guide that provides managerial guidance for the establishment and implementation of an
information security program, including information security governance. Whitman and Mattord (2022)
describe the 13 core areas that address the expected tasks of an information security manager after the
program is working and day-to-day operations are established; see below.

1. Information Security Governance
2. Systems Development Life Cycle
3. Awareness and Training
4. Capital Planning and Investment Control
5. Interconnecting Systems
6. Performance Management
7. Security Planning
8. Information Technology Contingency Planning
9. Risk Management

10. Certification, Accreditation, and Security Assessments
11. Security Systems and Products Acquisition
12. Incident Response
13. Configuration and Change Management

An organization should adopt the management maintenance model for its information security systems that
provides continuous improvements. Continuous improvements are essential to ensuring that the system is
most up-to-date to protect the information it has within it. Management models are frameworks that structure
the tasks of managing a particular set of activities or business functions. How to manage maintenance models
can be found in the International Standards Organization (ISO) 2700 series of standards and NIST’s
Information Security Handbook: A Guide for Managers (SP 800-100); however, Whitman and Mattord (2022)
also illustrate the maintenance model that depicts changes to information security maintenance (see Figure 1
below).

Figure 1. Maintenance Model Changes to Security Information Systems
(Whitman & Mattord, 2022)

SEC 3301, Security Application Development 3

UNIT x STUDY GUIDE
Title

These changes are reflected in the configuration and change management and the monitoring of the security
management of the systems. We know there are constant changes from the external monitoring, planning
and risk assessment, vulnerability assessment and remediation, readiness and review, and internal
monitoring. It is a must that the two databases shown in Figure 1 be updated continually to ensure the
security framework of the organization as a whole is protected from all threats and has knowledgeable facts
on the risks involved within the information system’s assets.

A recommended security maintenance model is dependent on external monitoring, internal monitoring,
planning and risk assessment, vulnerability assessment, remediation, and readiness and review. The security
maintenance model is an aid to focus an organization’s efforts to successfully maintain the system.

Let’s take a look at these in order. First up is the external monitoring domain. The objective of the external
monitoring domain process in the maintenance model is to provide early awareness of new and emerging
threats, threat agents, vulnerabilities, and attacks that are needed to mount an effective and timely defense.
The external monitoring entails collecting intelligence from data sources and using that intelligence context
and meaning for use by decision makers within the organization.

The internal monitoring domain is an informed awareness of the state of the organization’s networks,
information systems, and information security defenses. Internal monitoring domain builds and maintains an
inventory of network devices and channels, information technology (IT) infrastructure and applications, and
information security infrastructure elements monitoring the internal state of the organization’s networks and
systems.

The planning and risk assessment objective is to keep an eye on the entire information security program, in
part by identifying and planning ongoing information security activities to reduce risk over time. Here, the risk
assessment group also identifies and documents risks introduced by both IT projects and information security
projects. The group also identifies and documents risks that may be latent in the present environment.

The vulnerability assessment and remediation domain use document vulnerability assessment procedures to
safely collect intelligence about internal and public networks; platforms including servers, desktops, and
process control; and wireless network systems ensuring that the proper level of management is involved in
deciding to accept the risk of loss associated with unrepaired vulnerabilities.

An organization must also complete readiness and reviews to keep information security programs functioning
as they are designed over time. There are three tasks of policy reviews, program reviews, and rehearsals that
can accomplish the goal of keeping a domain ready and reviewed.

Physical access controls are additional protection efforts that define the concept of facility management and
its role in maintaining a secure facility where information is stored, housed, and transmitted. A secure facility
must implement multiple layers of defense should an attack occur.

Fire safety and security are used to recognize that fires account for more property damage, personal injury,
and death than any other threat to physical security. Physical security plans must implement strong measures
to detect and respond to fires and fire hazards.

Heating, ventilation, and air conditioning (HVAC) systems can have a dramatic impact on information,
information systems, and their protection. High temperature and improper filtration, humidity, and static
electricity can have a significant impact on information systems and security systems in place.

Power management and conditioning must be properly grounded when used to maintain an organization’s
physical environment. In areas where water accumulation is possible, computing and other electrical
equipment must be uniquely grounded using ground fault circuit interruption (GFCI) equipment. Also, backup
systems should be tested frequently, and documenting the facility’s configuration, operation, and function
should be integrated into disaster recovery plans and standard operating procedures.

Mobile and portable systems can have a cause-and-effect on an information security network, and, due to
their portability, they must have stronger levels of security than stationary counterparts, such as desktops. An
organization should review different software and hardware techniques that can be used to protect devices

SEC 3301, Security Application Development 4

UNIT x STUDY GUIDE
Title

that move in and out of an office. For instance, laptops must always remain secure and measure inaction to
help reduce the risk that a mobile computing device is stolen or damaged.

Ending this discussion, we should address the three types of data interception: direct observations,
interception of data transmissions, and electromagnetic interception (Whitman and Mattord, 2022).

• Direct observations require that a person be close enough to the information to breach confidentiality.
• Interception of data transmissions can occur from anywhere, as they are not restricted to a location

with the exception of tapping into a local area network (LAN), eavesdropping on a secure network, or
wiretapping.

• Electromagnetic interception is another type of interception, although it is unlikely to occur. Though
possible, it is difficult, impractical, and expensive to carry out.

Reference

Whitman, M. E., & Mattord, H. J. (2022). Principles of information security (7th ed.). Cengage Learning.

Suggested Unit Resources

In order to access the following resources, click the links below.

The following PowerPoint presentation will summarize and reinforce the information from Module 12 in your
textbook.

Module 12 PowerPoint presentation (PDF version of the Module 12 PowerPoint presentation)

The video below discusses system development, maintenance, and support of an entire IT system. The video
also discusses the importance of teamwork.

ClickView Pty Limited (Producer). (2009, November 2). System development, maintenance, and support

(Segment 7 of 7) [Video]. In Roles and responsibilities in IT. Films on Demand.
https://libraryresources.columbiasouthern.edu/login?auth=CAS&url=https://fod.infobase.com/PortalPl
aylists.aspx?wID=273866&xtid=40210&loid=65571

To view a transcript of this video, click on the “Transcript” tab near the bottom of the video.

Learning Activities (Nongraded)

Nongraded Learning Activities are provided to aid students in their course of study. You do not have to submit
them. If you have questions, contact your instructor for further guidance and information.

Conducting your own research to further your learning and understanding can help you become a stronger
student and can help you to see what areas interest you. Additionally, you may find resources that can help
you complete your assignments.

Consider searching the Academic OneFile database of the CSU Online Library using a combination of the
following keywords or phrases: “InfoSec performance management,” “metric, planning, and risk assessment
domain,” “penetration testing,” “war driving,” “tailgating,” and “mantrap.” Please note: When searching,
remove the commas and capitalization, and use the top search box with “Subject” selected from the
dropdown. Once the results generate, use these search options to refine the results: “Peer Reviewed
Journals” and “Custom Date Range” between 2022 and the present to ensure that articles are scholarly and if
possible, less than 5 years old. Then, select and read two articles.

Access the Academic OneFile database.

SEC 3301, Security Application Development 5

UNIT x STUDY GUIDE
Title

Check Your Knowledge

Answer the review questions and exercises for the Module 12 Review Questions and Exercises. These
questions and exercises will help you assess whether or not you have mastered the unit content. Can you
answer them without looking back in the textbook?

After you have answered the questions and exercises, you can find out how well you did by checking the
answers.

Answers for Module 12 Review Questions and Exercises