During the initiation phase, the existing architecture and security systems are documented, and a preliminary risk assessment is conducted. Applicable laws and regulations are identified. The documentation and analysis done during this phase are crucial to identifying what type of security system is needed and how it will work with existing systems.

During the acquisition and development phase, a more complete risk assessment is completed, and a baseline security level is established. Once this is done, the security team establishes security goals and meets with vendors to choose specific solutions to meet those goals.

Once a new system has been purchased, it must be installed. This occurs during the implementation and testing phase. Unit and integration tests ensure that the product performs as expected and works with existing systems. User training is a significant part of this phase.

This is the longest of the five phases. During this phase, the system is continuously monitored, incidents are dealt with, and the security team creates or modifies an existing business continuity plan.

Eventually, every security system becomes either unnecessary or obsolete and can no longer be upgraded. At that point, a new security system must be purchased and the old one removed. This happens during the sunset phase. The key to this phase is that the old system must be removed without exposing the organization to additional risk during the migration to a new system.

After a new security system has been installed, the old one must be disposed of securely because it could retain information that an attacker could use to gain entry into the organization’s facilities. Physical components must be disposed of or destroyed, electronic media wiped clean, and paper documentation shredded or securely archived.