Information security architecture and SDLC/SELC

To establish a successful security architecture program, it is extremely important to ensure that you are well integrated into your organizational systems development/engineering life cycle.

The SDLC/SELC is used to ensure consistently repeatable processes as part of an engineering and/or development project. The information security architect must ensure that security activities are integrated into these repeatable processes and that they are working with the IT, engineering, and developer teams. The organization uses the processes that make up the SDLC/SELC to improve predictability and quality as part of the engineering or development process. The SDLC/SELC process, combined with strong participation from information security, will help to ensure a well-designed system that has security built into it from project initiation.

A typical SELC/SDLC process contains the following phases:

  1. Initiation phase: During the initiation phase of a project, the organization defines the need for an information system. Information security planning begins in the initiation phase, where the information security architect works with the project team to understand the security considerations that will need to be applied to the system:
    • Information security architect role: Work with project stakeholders to educate them on the role of information security:
      • For this to be best communicated, it is recommended that formalized education and training be developed to properly communicate the role of the information security architect to the project stakeholders and team members. The training does not need to be voluminous, but it should be developed to ensure that the message being communicated to the project team is repeatable and conforms to the vision and goals of the business and information security program management.
    • Work with project management to ensure that the information security architect is included in all appropriate project activities.
    • Conduct an initial security analysis of the project, considering the following elements and goals:
      • Purpose and description of the information system
      • Determine compliance requirements
      • Document key information system and project roles
      • Define the expected user types
      • Document interface requirements
      • Document external information systems access
      • Conduct a business impact assessment
      • Conduct an information data categorization
    • The purpose of the initial security analysis is to capture as much information about the project's goals upfront so that you can begin immediately making security recommendations. The project team may not have all of the answers at the beginning. That is perfectly acceptable, and is expected. As the information security architect, you will mature this information as the project matures, allowing you to have a well-documented view into the business and operational aspects of the information system that you are helping to design.
  2. Requirements analysis phase: During the requirements analysis phase, the information security architect works with users and business stakeholders to develop the requirements necessary for the new system. It is the job of the information security architect to ensure that security requirements are included for the new system and that they are given high priority.
    • Information security architect role: Provide information security requirements to the project team for inclusion into the overall project's requirements.
      The security requirements should be tailored to the needs of the information system being implemented:
      • If the information system does not implement a technology, then the security requirements should not include a requirement for the unused technology
      • The information security architect should be prepared to discuss the requirements with the project team and to answer questions now, during the requirements phase, and at any point in the system's development.
  3. Design phase: During the design phase, the requirements that were gathered during the requirements analysis phase are used to construct the design of the new system. The role of the information security architect in this phase is to ensure that the correct information security controls are implemented as part of the system design. The design phase can be further broken down into subphases where the engineering team develops the following:
    • Concept of operation: A document that describes the characteristics of a system from a user perspective. This document is used to communicate how the system will operate to business stakeholders.
    • High-level design: A document that describes the logical components of a system and how they will interact. This document includes data flows and a description of how part of the system will interconnect.
    • Detailed design: A document that takes the high-level design and applies the specific configurations and costs that will be part of the system.
    • Proof of concept system: A proof of concept system takes the detailed design and implements a system that can be used to determine whether the designed system meets the user and business stakeholder requirements. Often, the proof of concept is a scaled-down version of the proposed system, used to test functionality without incurring the full cost of the final system.
    • Information Security Architect role:
      • The information security architect will work closely with the engineering and development teams during this phase to ensure that information security requirements are implemented in the form of operational, management, and technical security controls.
      • The information security architect is responsible for ensuring that the final system design properly implements the organization's information security requirements, and that they are functioning as expected.
      • The information security architect will work with the engineering and design teams to develop mitigating security controls for any information security requirements that cannot be fully implemented.
  4. Implementation phase: During the implementation phase, the project team builds the production information system based on the design defined in the previous phase. The role of the information security architect is to ensure that the designed security controls are properly implemented and working.
    • Information security architect role: The information security architect ensures that the finalized design is properly translated into the implemented production system.
      The information security architect works with the engineering and development teams to resolve any production implementation issues that may necessitate a deviation from the design:
      • Any changes that need to be made to the information system at implementation will be developed with the information systems security requirements in mind
  5. Testing phase: During the testing phase, the project team executes an agreed-upon test plan to ensure that the system functions as expected. The information security architect must ensure that the implemented security controls work as expected. If any deficiencies are discovered, the affected security control must be identified and flagged for repair.
    • Information security architect role: The information security architect will develop the security testing documentation for the information system. The testing document addresses operational, management, and technical security controls as they relate to people, process, and technology.
      Ensure that all necessary compliance requirements are met.
      Any deficient security controls will be flagged for immediate repair or will be mitigated through a planned implementation.
  6. Operations and maintenance phase: During this phase, the system is in production and is under configuration management. The information security architect must ensure that any recent changes to the system are thoroughly examined for their impact on the security controls that were applied during the implementation phase:
    • Information security architect role: The role of the information security architect does not end once the information system is in place. The information security architect:
      • Advises the information system owner as needed on the continuing security posture of the information systems
      • Reviews and provides recommendations regarding information system changes
      • Develops any necessary security controls for the information system if its functionality or scope changes
  7. Disposition phase: During the disposition phase, the useful life of the system has been reached and the business has decided to decommission the system. It is the responsibility of the information security architect to ensure that the system has been properly archived and sanitized in accordance with organizational policy and applicable laws.
    • Information security architect role: The information security architect validates that all information has been removed from the information system in a way that resists forensic retrieval.
      The information security architect also validates that any required data is retained so that it can be used by the organization in the future after the information system has been decommissioned.