Security Design/Process - Project Management

advertisement
[Project Name]
Security Design & Process Overview
Document Overview
Prepared By:
Prepared For:
Date Created:
Last Updated:
(R)esponsible
(A)uthority
(S)upport:
(C)onsult:
(I)nform:
RASCI Alignment
Technical Lead/Technical Analyst
Technical Manager/Business
Owner
ITPD Team
Security Administrator, Director of
Enterprise Systems, Manager of
Network Security, Director of
Integration
Project Manager, Security
Administrator, Director of
Enterprise Systems, Manager of
Network Security, Director of
Integration
< Note that this deliverable is a joint Technical/Functional deliverable and the Functional Team should be
consulted regarding content>
Security Design
PROJECT NAME
Revision Log
Revision
Date
1.0
1.1
1.2
10/29/2008
10/6/2009
10/12/2009
Initials
AL
AK
1.3
8/16/10
LD
Description of Revision
Initial Draft
Technical team review changes
Minor updates, added business owner to RASCI, added
instruction verbiage changes, add reference to various security
acts that need to be considered.
Added note that this is a joint deliverable
File Name: QUAL017_PROJ _Security design and overview_20091009_v1 0_1.2.docx
Last Saved: 10/12/2009 8:34:00 AM
Page 2 of 9
Security Design
PROJECT NAME
Table of Contents
1) OVERVIEW: .................................................................................................................................................................. 4
1.1) PURPOSE..................................................................................................................................................................... 4
2) SECURITY DESIGN PRINCIPLES ............................................................................................................................ 4
2.1) NAMING STANDARDS ................................................................................................................................................. 4
2.2) SECURITY MODEL ...................................................................................................................................................... 5
2.3) INFRASTRUCTURE SECURITY ...................................................................................................................................... 5
2.4) APPLICATION SECURITY PROVISION........................................................................................................................... 5
3) INTERESTED PARTIES IN SECURITY AND RECOMMENDATIONS .............................................................. 6
3.1) RESPONSIBILITIES....................................................................................................................................................... 6
3.2) RECOMMENDATIONS .................................................................................................................................................. 6
3.3)RESPONSES.................................................................................................................................................................. 6
4) APPLICATION SPECIFIC SECURITY ADMINISTRATION ................................................................................ 7
4.1) OWNERSHIP ................................................................................................................................................................ 7
4.2) ROLES AND RESPONSIBILITIES ................................................................................................................................... 7
4.3) PROCESS FLOWS FOR SECURITY ACCESS..................................................................................................................... 7
4.4) SECURITY MAINTENANCE/AUDITS ............................................................................................................................. 7
5) SECURITY DEFINITIONS .......................................................................................................................................... 8
DOCUMENT SIGNOFF .................................................................................................................................................... 9
File Name: QUAL017_PROJ _Security design and overview_20091009_v1 0_1.2.docx
Last Saved: 10/12/2009 8:34:00 AM
Page 2 of 9
Security Design
PROJECT NAME
1) Overview:
1.1) Purpose
The intent of this document is to provide guidelines for ITPD projects in regards to security design
and associated work processes. Personnel, who support the design, implement or maintain any part
of application security should reference this document and all associated reference and support
documentation.
<Instructions for areas in question or requiring more details are provided at the beginning of each
section where appropriate and are colored in blue and should be deleted after completing the
document. This includes this particular paragraph. Remember, areas can always be flagged as N/A,
but be prepared to defend that decision.>
2) Security Design Principles
<The following are examples of the principles that should be considered when defining the Infrastructure
and Application Security models for each project.>

Design and implementation of access controls must support the rapid deployment of the applications.

Design of processes must specifically address requirements for authorization and authentication

The access controls to be designed must be closely aligned to the business processes. These
controls must facilitate and not hamper the business functions.

The extent of preventable access controls should be designed with due consideration to other
integrity controls that will be in place. Access controls should compensate and complement other
controls such as monitoring, remediation and/or mitigation of the current risks identified.

The Security Design deployed will comply with internal and external auditing guidance and
compliance, where known.

The access controls designed should be flexible and enable growth. Ease of future additions of new
organizational restrictions is desired. The design should also enable easy addition of other modules
in subsequent phases.

The design should always lead to efficiency in on-going application security maintenance and
administration. Therefore, we will always attempt to minimize the total number of customer-defined
roles within the system landscape.

The security role design should be easily migrated and upgradeable to enable smooth administration,
system performance and flexibility.
2.1) Naming standards
<Determine if the naming standards apply to this project.
A naming convention or standard has been used in developing the security roles and related
components. This standard assists in identifying the access privileges that are granted from an
intuitive or implied perspective.
File Name: QUAL017_PROJ _Security design and overview_20091009_v1 0_1.2.docx
Last Saved: 10/12/2009 8:34:00 AM
Page 2 of 9
Security Design
PROJECT NAME
Standards applicable to Security as defined by IT SERVICES Security area should be included in the
design document if applicable.
[Insert appropriate naming convention standards such as CNET ID, user role names, etc]>
2.2) Security Model
<The Security Model should contain guidelines and documents that address the security concerns
defined below. Make sure that if any of the appropriate security restrictions apply to this project
(HIPAA, FERPA, GLB, IPPA, etc.) then you explicitly should include items in the model that speak to
those particular items.>

Security Risks – An in depth risk assessment of security related risks needs to be conducted
to identify and define mitigation strategies for the following types of Risks:
o Audit provisions
o Ownership of mitigation
o Legal impacts of Security risks
<[Insert tables/reference diagrams to explain security model such as roles/profiles, etc. Ensure the
model addresses authorization and authentication needs]>
2.3) Infrastructure Security

Infrastructure Security – The security guidelines need to be specified for the area surrounding
and supporting the application. This will include items such as the Physical Architecture and
Logical Architecture design documents, and how security is addressed in each area. Security
access and enhancement forms should be defined to identify the processes to be followed for
gaining access and upgrading the Infrastructure.
o
o
o
o
o
o
o
How many environments will need to be supported and how does security differ
between them
Physical Architecture design guidelines and documents (e.g.firewall)
Logical architecture design guidelines and documents
Audit provisions
Process flows for Infrastructure enhancements
Change Control procedures must be defined and followed
Test case preparation for security validation
<[Insert schematics such as flows, tables, etc to describe infrastructure security from an authorization
and authentication perspective]>
2.4) Application Security Provision

Application Security -. The security guidelines for the application, the forms that will be used,
and the security roles should be defined in this area. <Examples are:>
o
o
o
o
o
Logical model of security in the native (out of the box) application framework,
including specific handling of authentication, authorization, etc…
Authorization components and procedures
Authentication procedures and roles
Roles, priorities, dependencies, and profiles associated with the security within the
application.
Audit provisions
File Name: QUAL017_PROJ _Security design and overview_20091009_v1 0_1.2.docx
Last Saved: 10/12/2009 8:34:00 AM
Page 2 of 9
Security Design
o
o
o
o
o
o
o
o
PROJECT NAME
University of Chicago existing guidelines should be defined if they will impact the
security model
Custom modifications made or anticipated for security related data or processes
Security team (members and roles)
Change Control procedures must be defined and followed
On-boarding of new users/administrators
Application Security Training
Test case preparation for security validation
Naming conventions for Security related items
<[Insert schematics such as flows, tables, etc to describe application security from an authorization and
authentication perspective]>
3) Interested parties in security and recommendations
<This section provides an overview of the technical aspects associated with security design and deployment.
The below paragraphs should include the people that you contact, their recommendations related to the
project and the Technical team responses to those recommendations. Currently the folks filling these roles in
IT SERVICES: Security admin: likely someone in the business, Manager of Network Security: Shelley Rust,
Director of Integration: Tom Barton. IT SERVICES has no director of enterprise systems, but consider talking
to David Trevvett (head of Admin Systems.)>
3.1) Responsibilities
Security Administrator
 Responsible for the maintenance of users.
 Responsible for proper retention of communications and request forms and signed audit
review reports
 Responsible for all actual build of all roles
 Responsible for the final verification of correct design approach
<Director of Enterprise Systems
 Provide strategy enabling security service to the internal and external security customer in
analysis, design, delivery and support.>
Manager of Network Security
 Provide advice to project team.
Director of Integration
 Provide advice to project team.
Other) placeholder)
 Provide advice to project team.
3.2) Recommendations
<Enter here the answers received from the meetings with people on 3.1>
3.3)Responses
<Enter here the actions that technical team will take based on recommendations on 3.2>
File Name: QUAL017_PROJ _Security design and overview_20091009_v1 0_1.2.docx
Last Saved: 10/12/2009 8:34:00 AM
Page 2 of 9
Security Design
PROJECT NAME
4) Application Specific Security Administration
4.1) Ownership
<Application Security Ownership must be assigned during the initial phases of the project to ensure
that the function is fully operational when the application is installed. Security Access rules and
procedures must be included in the design.
The University believes that business sponsors have ultimate responsibility for the applicable security
that relates to their area of ownership. This role can be delegated to a designee or designees.
However, business sponsors must be accountable for the actions of their designees.>
4.2) Roles and Responsibilities
<The Roles and Responsibilities of the Security team can vary by project, but the general functions
defined below should be included when defining responsibilities for both the application and the
Infrastructure supporting the application. The number of roles will increase or decrease accordingly
based on the size and complexity of the Security needs.>









Creation of new role
Delete role
Modify role
Adding Users
Deleting Users
Modify users
Transferring Users
Granting Additional Access
Exceptional Access
4.3) Process flows for Security access
<Insert diagrams for Process flows for gaining access to the system. Please make sure you include
the flows for System Administrators as well as everyone else.>
4.4) Security Maintenance/Audits
<The frequency of the Security maintenance, and the type of maintenance required to ensure that the
application and Infrastructure remain secure should be identified prior to the initial implementation of
the application. Minimally, the security of the application should be tested on a quarterly basis.
Maintenance for application platforms will impact the frequency and content of the maintenance.
Online applications may require more frequent security maintenance since the environment changes
more rapidly than other platforms.>
Perform ongoing self-audits on a regular basis using the automated Audit tools and processes.
These audits include the following:
 Review and sign-off by business owners of users that have access to their owned roles;
 Review and sign-off by business owners that contents of their owned roles are correct;
 Review and sign-off by business owners that users allocated to roles with audit transactions
are authorized and should have such access to these transactions.
 Conduct Source Code/penetration testing review and approval.
File Name: QUAL017_PROJ _Security design and overview_20091009_v1 0_1.2.docx
Last Saved: 10/12/2009 8:34:00 AM
Page 2 of 9
Security Design
PROJECT NAME
These self-audits are performed by providing reports to applicable security owners. The Business
Owner or Team Lead will review and sign-off on the results. The Security Administrator consults with
the stakeholders during the review process to advise or take action as might be necessary.
In addition to self-audits, other internal and external audit groups may also audit security.
5) Security Definitions
<The following are examples of the key terms that are used in Security design. Please add/delete items as
you see fit.>
 Role: A role is a collection of individual activities that are routinely performed together. This is the
combination of one or more transactions and authorization objects into a group recognized by the
system or are affiliated in some way.
 Data Element: Describes the role of a domain in a certain business context for the benefit of the
dependent fields and determines how these fields are to be displayed on the screen.


Authorizations: The basic building blocks of security and are implemented to allow access to
data elements
Authentication: The method used to confirm that access is granted to the correct individual.

Preventive Access Controls: Proactive and often programmatic measures that provision with
exclusivity or prohibit entirely the progression of certain actions or activities. Common examples
include: user exits, security, configuration, and workflow.

Detective Access Controls: Reactive and often manual measures to monitor historic actions or
activities which have transpired. Common examples of detective controls include: activity reports,
budget reviews, plan verses actual analysis & alerts. These controls when documented and
applied against a Segregation of Duties at the user or role level are referred to as Mitigating
Controls.

Position: Correspond to the various job functions found in the business. As multiple access
capabilities may be necessary to perform all the business functions/tasks within a position, a
position may contain one or many Roles, which together result in all the access capabilities
authorized and required. Positions and their relationships to roles are maintained outside the
SAP System.

Special Use Role: A role that often contains sensitive or restricted transactions and/or objects.
These roles are assigned directly to the user master and not associated with a position. These
are granted to users based on need and ability to perform some transactions.
File Name: QUAL017_PROJ _Security design and overview_20091009_v1 0_1.2.docx
Last Saved: 10/12/2009 8:34:00 AM
Page 2 of 9
Security Design
PROJECT NAME
Document Signoff
Phase: Plan and Analyze
The (Deliverable Name) document has been reviewed and found to be consistent with the specifications
and/or documented project requirements. The signature below documents acceptance of this document
and/or work product by the signing authority
Organization: University of Chicago________________
Contractor________________
Approved by:
Signature: ___________________________________________________________________
Name: ______________________________________________________________________
Title:
Date:
Organization: University of Chicago________________
Contractor________________
Approved by:
Signature: ___________________________________________________________________
Name: ______________________________________________________________________
Title:
Date:
Organization: University of Chicago________________
Contractor________________
Approved by:
Signature: ___________________________________________________________________
Name: ______________________________________________________________________
Title:
Date:
File Name: QUAL017_PROJ _Security design and overview_20091009_v1 0_1.2.docx
Last Saved: 10/12/2009 8:34:00 AM
Page 2 of 9
Download