Domain 3 of 8 · Chapter 10 of 10

System Lifecycle

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • The system life cycle as a security schedule
  • What each stage decides, and where security lives
  • Exam-pattern recognition

ISO/IEC/IEEE 15288 / SP 800-160 system life-cycle stages and the security focus of each

Life-cycle stageWhat happensPrimary security activity
Stakeholder needs & requirementsCapture what stakeholders need the system to doElicit protection needs and security constraints
Requirements analysisTurn needs into verifiable system requirementsDerive verifiable security requirements; set acceptance criteria
Architecture designDefine structure, components, and interfacesSelect security mechanisms and trust boundaries; threat-model the design
Implementation / developmentBuild or code the componentsApply secure-build practices; trace each control to a requirement
IntegrationAssemble components into the whole systemConfirm composed components do not introduce new weaknesses
Verification & validationConfirm the build meets spec, and meets the needProve security requirements are met (V) and mission is satisfied (V)
Transition / deploymentMove the system into operational useSecure configuration baseline; authorize to operate
Operation & maintenance (sustainment)Run and sustain the system over its lifePatch, monitor, manage configuration, reauthorize
Retirement / disposalDecommission the system at end of lifeSanitize data, revoke identities, update inventory

Cheat sheet

  • The system life cycle is an ordered set of stages, and security is engineered into each one
  • Security requirements are fixed before architecture because late defects cost far more to fix
  • Verification asks whether you built the system right; validation asks whether you built the right system
  • NIST defines verification as meeting specified requirements and validation as meeting the intended use
  • Retirement/disposal is a security stage, not a logistics task
  • Operation and maintenance (sustainment) is where security is kept, not established
  • ISO/IEC/IEEE 15288 defines the process framework; SP 800-160 Vol. 1 adds the security-engineering view
  • Architecture design is where security mechanisms and trust boundaries are selected and the design is threat-modeled
  • Trace every control back to a requirement during implementation
  • Integration must confirm that composing components introduces no new weaknesses
  • Transition/deployment establishes a secure baseline and obtains authorization to operate before go-live
  • The systems-engineering life cycle is not the software development life cycle
  • Life-cycle stages are concurrent and iterative, not a strict one-pass waterfall
  • Place a security activity in the stage that owns it, and prefer the earliest correct stage
  • The system disposal stage triggers media sanitization; the data lifecycle owns the sanitization mechanics

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. ISO/IEC/IEEE 15288:2015: Systems and software engineering. System life cycle processes
  2. NIST SP 800-160 Vol. 1 Rev. 1: Engineering Trustworthy Secure Systems Whitepaper
  3. NIST Glossary: verification Whitepaper
  4. NIST Glossary: validation Whitepaper
  5. NIST SP 800-88 Rev. 1: Guidelines for Media Sanitization Whitepaper