Security

1. King Faisal University.
Management Information System.
Integrated Information System
Security systems
(System Acquisition, Development, and Maintenance Security Policy)
Team Members:
Amenah Mahdi Al-Qahtani (216097381)
Hadeel Ahmed Al-Awadhi (216097173)
Instructor:
Abdelnasser Abdelaal

2. (System Acquisition, Development, and Maintenance Security Policy)
The purpose of the system
The secure requirements
Secure Development
Restrictions on Changes to Software Packages
Secure System Engineering Principles
Secure development environment
System security testing

3. The purpose of the system
Information security is integrated into the
system development lifecycle. The purpose of
information security system is to provide
protection of the data used for testing. To achieve
the purpose of using this system, the Information
Owners and service owner must ensure their
protection in activity, contract dispute, and
unauthorized disclosure. Achieving great
protection can done by conducting an
information security requirements ,determining
the user notification and acceptance of terms
that go with government policies and standards;
and determining the multifactor authentication
that is used where applicable based on the data
classification .so, the Information Owners and
Service Owners must ensure that security
controls are implemented to prevent incomplete
transmission, misrouting, repudiation of
transactions, unauthorized message duplication
and replay.

4. This system is very beneficial to protect the government system and
service. The information security policy requires great changes. So, the
information system, Information Owners and Service Owners must: (1)
have clear Statement of Sensitivity to achieve their confidentiality in their
system ,(2) achieve integrity and availability level in their system ,(3) apply
security controls to avoid Threat and Risk during using this system;(4)
determine their roles and responsibilities related to information system
security management; (5) determine procedures and standards of risks in
the information systems, (6) develop communication procedures for
security-related events .(7)and be sure that information systems used for
processing payment card transactions or connected to payment card
transaction processing systems comply with the Payment Card Industry
(PCI) Data Security Standard.
The secure requirements

5. Secure Development
Secure development is a requirement to
support a secure service, architecture,
software and system. So, the Information
Owners and Service Owners must have a great
range of security such as security of the
development environment; security in the
software development lifecycle, security in the
design phase; security checkpoints within the
project milestones; security in version control;
and security application knowledge. When
applying or using new systems, there should
be great changes to existing systems,
Information Owners and Service Owners. They
have to follow a formal change control in
documentation, specification, testing, quality
control, approval, and a managed
implementation. Changes in control process
should include: determining the security
controls; being sure that existing security
controls are not compromised and determine
the required program source code libraries;
and getting a formal agreement and approval
for the change .

6. Restrictions on Changes to Software Packages
There are some Restrictions on Changes to Software
Packages that include updating the software that is applied
for commercial-off-the-shelf (COTS) software. Also, the
version of software used in the system must be supported
by the vendor. Documents should be presented if they are
required. The users and the vendors should be sure if
government will be responsible for maintenance of the
software system after the change. The software used must
be able to work with other software in use.

7. Secure development environment
The entire system while they are operating
.The “secure development environment” refers to
the people, processes and technology associated
with system development and its integration.. This
includes Data to be processed, stored and
transmitted by the system, the human resource
security; the degree of outsourcing; and
monitoring the process of changing codes.
Secure System Engineering Principles
Information Owners and Service Owners must
be sure of the engineering procedures of the
information system that are based on security
engineering. Also, the security system is designed
into all architecture layers: business, data, and
applications. Additionally, new technology for
security risks and review the design against known
attack should be analyzed. The security engineering
principles are reviewed and updated regularly.

8. System security testing
A detailed schedule of activities must be prepared for
the owners to be sure of the security level .so, test inputs
and expected outputs under a range of conditions should
be testing to be able to fix any difficulties in the system .
Tests must initially be performed by the development
team.
The criteria for testing the security of the system
include performance and resource requirements; plans
and procedures, operating procedures; implementation of
security controls, training requirements; an user
acceptance testing. All these criteria should be good for
testing the system