Any IT system change, modification or adjustment, no matter how "minor," has to be evaluated for its impact level. That's because, just as in "tipping point" theory, a small change can have dire consequences from a system and network security point of view.
For example, an application that collects SSNs (Social Security Numbers) is high risk. So special attention has to be given to all system application parameters; each aspect of the application has to be reviewed by the team, company and client security officers and certified for acceptance.
The following paragraphs outline RDMAX's approach to Team Engagement Security Evaluation Flow and the steps we complete for every significant system change:
Risk Assessment
RDMAX performs risk assessment in the requirement phase as part of its highly efficient development path. For example (not to be repetitive), if an application collects Social Security Numbers (SSNs), its security status is immediately HIGH (based on federal regulations). The HIGH status immediately triggers another level of application development activities and, by default, implies that the SSNs cannot be stored as plain text in the database. Therefore, a new mechanism has to be coded to store SSN attributes in a more secure manner. This results in a change management control procedure triggering a process for development, code reviews, and a testing plan as part of quality control (including unit, system, integration and user acceptance (UA) testing).
Certification, Accreditation and Security Assessments
If the security level changes, the application has to be evaluated for certification for its security level, and each component has to be evaluated independently and as part of the system. A new security assessment of the application has to be performed to ensure the integrity of the application itself and within the federal system enterprise.
System Services and Acquisition
If the security level changes, the application, the system and the server need to be assessed from an impact standpoint to ensure that system service and acquisition parameters are intact. The business model might have to be evaluated and an analysis performed. The deployment procedure would be reassessed.
Security Planning
Any application in the federal enterprise space has to have a security plan that reflects the specifics of the given application, the methodology to mitigate risks associated with an internal or external breach, and/or an active attack on the application itself. RDMAX provides plans that evaluate the impacts of a system patch, configuration changes, and system upgrades.
Configuration Management
Any configuration change (the heart of a system's security) has to be rigorously evaluated. A system exposed through misconfiguration can lead to unrecoverable consequences and situations. Again, based on tipping point theory, configuration change is a process wherein a small change can lead to a huge opening in the system's or service's security.
System and Communications Protection
All documentation related to our projects is securely stored and publicly inaccessible. Any system communication after changes take place is reviewed to prevent insecure communication within and outside system boundaries. RDMAX evaluates system and communication protection and compares it against the requirements in place. Because production systems are redundant, RDMAX ensures that all changes are applied consistently in the deployment process.
Personnel Security
Every RDMAX staff member participating in a federal contract is subject to a background review and standard federal contract procedures. RDMAX INC. holds a federal certification and its status is "Secure."
Awareness and Training
Each RDMAX employee, whether working on a federal contracting project or not, has to pass mandatory security awareness training. This training gives our personnel knowledge of the latest security threats and social engineering techniques, so that they do not disclose system access or any sensitive data.
Physical and Environmental Protection
All project-related code and documents are stored securely and are accessible only across a secure network (local or over VPN). Only designated personnel have access to the repositories (RDMAX has used some of the following repositories in the past: VSS, ClearQuest, ClearCase, DOORS, PVCS, CVS, SVN).
Media Protection
RDMAX makes sure that all systems' media are secured in both on- and off-site storage. Redundant production systems are deployed.
Contingency Planning
RDMAX's procedure and team follow NIST SP 800-34 contingency planning guidance, which provides strategies and techniques for client/server systems, web servers, other servers, LANs, WANs, etc.
Maintenance
RDMAX's maintenance procedure is to list all items scheduled for maintenance and establish formal maintenance windows. The reason is that system changes can affect end-user and system availability, and therefore no critical activity should be scheduled during a maintenance window. We never perform business impact analysis (BIA), preventive controls, a recovery strategy, or a system update or change without a clear understanding of how to recover a system to its previous operational state. (Everyone recalls the Windows option "Last Known Good Configuration.") RDMAX creates a living maintenance document to reflect all current system enhancements.
System and Information Integrity
There are several levels of system and information integrity. Information integrity is related to and perceived through information transmission (in which no bit of information is modified in transit) and information storage (where it is not possible to modify or retrieve any sensitive information merely by accessing the storage). On a case-by-case basis and in agreement with the client, RDMAX is capable of performing complete data masking for the development and system integration environments so that real data attribute values and/or patterns cannot be recovered.
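The masking step described above, together with the Risk Assessment requirement that SSNs never leave a system in plain text, as an added example that is not RDMAX's code: a Python masker that replaces real SSNs in dev/integration copies with consistent synthetic values that cannot be mapped back. Class and function names are assumptions, the sample rows in the docstrings are constructed, and the `key` parameter exists only so the mapping can be reproduced in a test.

```python
import hashlib
import hmac
import re
import secrets

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")  # formatted SSN, e.g. 123-45-6789


class SsnMasker:
    """Replace real SSNs with synthetic ones before data leaves production.

    Keyed HMAC-SHA256 is used instead of a plain hash because the SSN space is
    only ~10^9 values and an unkeyed hash could be reversed by brute force. The
    key is random per run and never stored, so the mapping is irreversible
    afterwards but consistent within the run (foreign keys still line up).
    """

    def __init__(self, key=None):
        # Hypothetical parameter: pass a key only for reproducible tests.
        self._key = key if key is not None else secrets.token_bytes(32)

    def mask_ssn(self, ssn):
        digest = hmac.new(self._key, ssn.encode(), hashlib.sha256).digest()
        n = int.from_bytes(digest[:8], "big")
        area = 900 + n % 100             # 900-999 are never issued by the SSA
        group = 1 + (n // 100) % 99      # 01-99 (group 00 is invalid)
        serial = 1 + (n // 9900) % 9999  # 0001-9999 (serial 0000 is invalid)
        return f"{area:03d}-{group:02d}-{serial:04d}"

    def mask_text(self, text):
        """Mask every SSN-shaped token in free text such as notes or log lines."""
        return SSN_RE.sub(lambda m: self.mask_ssn(m.group(0)), text)

    def mask_records(self, records, ssn_fields):
        """Mask the named SSN columns of each dict record in place; returns records."""
        for rec in records:
            for field in ssn_fields:
                if rec.get(field):
                    rec[field] = self.mask_ssn(rec[field])
        return records


def is_synthetic(ssn):
    """True if the value is SSN-shaped and in the never-issued 900-999 area range."""
    m = SSN_RE.fullmatch(ssn) if isinstance(ssn, str) else None
    return m is not None and 900 <= int(m.group(1)) <= 999
```

Because the masked values sit in an area range the SSA never issues, a masked row can be recognized as synthetic on sight, and a real SSN can never be produced by accident.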
Incident Response
Each incident is logged and assessed immediately, and within 24 hours a response is mounted to critical system issues. To ensure the issue does not persist and is permanently resolved, a detailed report is created to document the issue and the associated hot fix. The hot fix is then merged into the code and passes through all levels of quality assurance.
Recovery and Reconstitution
The RDMAX team outlines all actions that can be taken to return the system to normal operating conditions in its deployment plans.
Identification and Authentication
Each team member is assigned a unique identifier so that any and all changes made by that team member can be tracked. This is important in system, integration and UI testing.
Access Control
RDMAX utilizes strong change management controls, a robust development methodology and strong code review capacity, all of which guarantee accountability for code changes. It is RDMAX INC.'s policy that each change, small or large, has to be traceable and documented. Furthermore, all changing requirement updates are reviewed in meetings with the client, and development starts only upon an approved resolution.
Accountability and Audit
RDMAX believes that strong change management controls, a strong development methodology and strong code review capacity guarantee accountability. We are capable of full audits of code changes; changing requirement updates are reviewed in meetings with the client, and development starts upon an approved resolution.
Each change, small or large, has to be traceable and documented. Every access to a given application and/or service is auditable. Every upload or change in the code management tool is traceable, auditable and reversible.
Reports
RDMAX teams can provide reports on a scheduled basis that track accomplished tasks, trace code changes, and list resolved issues (according to their severity).
Written by Roman Vichr & DDV for RDMAX Inc.