The information security program should work with business and IT stakeholders to ensure that secure configuration guidance is established throughout the SDLC life cycle for all information system environments, including:

• Development: Development environments tend to have more freedom so that experimentation and creativity can be fostered. As a result, many security vulnerabilities exist.

Ensure that you protect your other information systems from your development environments and that you do not allow your development system to be inadvertently accessed from external parties.

Development systems often contain extensive intellectual property and need to be well protected.

• Testing: Testing environments may be as well secured as production, or they may be as open as development. It really depends on your organization. Either way, protection decisions must be made at the level of enterprise.
  There are plenty of examples where old test servers were left internet exposed causing an avenue of entry into the organization.

The Hackers breach security of HealthCare.gov article, dated September 04, 2014—https://www.nytimes.com/2014/09/05/us/hackers-breach-security-of-healthcaregov.html.

• Production: Ensure that your production environment is fully integrated with the guidance, benchmarks, and procedures developed to ensure secure configuration in your enterprise information systems. Deviations should never be based on convenience.
  If deviations need to occur because of business needs, mitigating/compensating controls should be applied to ensure the security of the enterprise information systems.
• SDLC integration: Integrating secure configuration as part of the SDLC will help to ensure that information systems are designed and configured in a secure fashion:
  • Initiation: conduct analysis of business needs:
    Working with your business and technology stakeholders you will develop a good understanding of what their needs are and what technologies will be used for their information system.
  • Requirements analysis: baseline review and development:
    At this point in time, you will be able to determine if you have the necessary baselines to support the required technology.
    Any baselines that do not exist should be developed to support the new information system's design process.
  • Design: incorporate baselines into the design:
    Ensure that the design fully incorporates the prescribed baselines. Deviations should never be based on convenience.
    If deviations need to occur because of business needs, mitigating/compensating controls should be applied to ensure the security of the enterprise's information systems.
  • Implementation: testing updates and emergency changes:
    Not all baseline settings will work in the production environment because of unforeseen complexities and interactions.
    Support your implementation team with mitigating/compensating controls if it is found that planned baseline controls will not work in the production environment.
  • Testing: conduct automated assessment:
    Validate that the baseline controls have been fully implemented and that they are functioning as expected using an automated assessment tool, such as a vulnerability scanner.
  • Operations: continued automated assessments:
    Periodically conduct an automated assessment of the information system's baseline security settings, ensuring that the settings stay configured as expected.
    Test any new updates and changes to the information systems, ensuring that baseline configuration settings are applied to these changes.
  • Disposition: sanitize and test media:
    Conduct media sanitization to ensure that organizational intellectual property and sensitive files are fully removed from the information system.
    Test the information system's media to validate that information is not forensically retrievable.