Type I certification focuses on Development Methodology. Its main focus is to develop a system that ensures security and assures information to its users. To address this issue, I will consider a learning institution that offers online degree programs as my hypothetical company. My essay focuses on software development and life cycle management and follows the NIACAP certification and accreditation phases as outlined below.
Phase I: Definition
My company, the Sussex Business School, is an online institution that offers online degree programs to students in different locations of the world. The students pay their school fees through online payment methods. The learning process is completely online, where students get access to learning resources, including online tutoring services, reading materials, and exams through the school’s website. To enable the smooth running of this process, the school has an integrated information system that is able to support transaction services and, at the same time, provide management services for the program.
Given the nature of this business, Sussex Business School has to beware of security threats such as denial of service attacks, website hacking, and cyber-terrorism. The institution recently suffered a denial of service attack, which lasted around six hours. Given these security requirements, there is a need to modify the existing operating system to make it as secure as possible. The modification will include strengthening the network system, modification of the institution’s website to make it more secure, and user regulation to ensure that only accredited members get access to the institution’s vital information. The institution thus requires a TOP SECRET certification level that will ensure the security of students’ confidential information; assure the availability of information at all times, and enable the smooth running of the program. These security requirements and recommendations will be presented for negotiation and agreement between the DAA, the institution’s administration, the school’s IT expert, and I, as the system certifier.
Phase II: Verification
After an agreement is reached in phase I, this phase assesses the system’s compliance with the risk management requirements outlined in the SSAA above (Hayden, 2000). This phase also verifies security requirements/modifications during system development.
The information system architecture of this business can be categorized into: the business process architecture, which governs the general network architecture of the business; systems architecture, which involves the institution’s internal operating system; and technical architecture, which involves the network connection between the institution and service providers. The system architecture involves a combination of hardware and software systems to complete the network and ensure the delivery of services to the end-user. From the analysis of the institution’s system architecture, there exists a loophole for security threats in the business process architecture. The institution’s website is accessible to all users, authorized or not, and does not have threat reporting backup. The network system is also weak and cannot sustain many users at the same time. There is thus a need to modify the existing system architecture and minimize its vulnerability to information security threats. My modified information system will have threat reporting backup and a strengthened network connection. To ensure that the new system is efficient in addressing the security requirements of the institution, I will use the waterfall model to undertake the system life cycle management analysis. This model will ensure that my modified information system is tested and proved competent before rolling it out. Through this model, I will also be able to come up with maintenance procedures for the new system.
Phase III: Validation
At this stage, I will be more concerned with validating the applicability of my modified system in the business environment. My system has to address the earlier identified security threats and, at the same time, be easy to access and use among its users. If it does not address these issues, then I have to go back to the drawing board and think of what amendments to make. It is at this stage that the life cycle management will become more applicable. If it addresses all the issues, then it becomes accredited.
Phase IV: Post accreditation
After my modified system has been certified and accredited as a TOP SECRET system, interest will be in the compliance, maintenance, and security operations. This phase ensures that the system complies with the requirements spelled out in SSAA. This phase will continue until the system is removed from the service. It is at this stage that I will also present monitoring and evaluation procedures to ensure the smooth running of the system as well as early detection and correction of any problem that might arise during the operation of the system.
References
Hayden, M. V. (2000). National information assurance certification and accreditation process (NIACAP). National Security Telecommunications and Information Systems Security Community, No. 1000. Web.