Design & Build Support

Overview

Security in design and build of your IT infrastructure

When you are designing and building your IT infrastructure, the goal is to make sure that your organization can meet both its business and its security objectives. Through a build/buy approach we help you proactively design security into your IT infrastructure.

Standards & Requirements

To help guide subsequent Design & Build Support activities, a natural start is to look at the organization’s current IT security program, to see what standards, policies and best practices are implemented today to support your organization. Compliance requirements, where relevant and applicable, will also be taken into consideration, as they can play a significant role.

UL will consider wider IT security management but, drawing on its expertise in software security, will also emphasize that you implement a Secure Software Development Lifecycle, using well-accepted methodologies such as the Open Software Assurance Maturity Model (OpenSAMM). We can help you build security in and achieve meaningful software security assurance.

Architecture & Design Review

A security architecture and design review aims to determine if an existing or proposed IT architecture can, in fact, meet the organization’s business and security objectives. UL’s preferred approach to architecture development is based on SABSA and related models. This methodology provides an efficient architecture development process linked to an organization’s security requirements.

The focus areas of an architecture review by UL are the following:

    • The correct design of security policies and procedures across the organization to satisfy the business and the security needs.
    • The correct design of security controls in the organization’s IT infrastructure, related to the critical business assets and based on the well-known security triad of Confidentiality, Integrity and Availability.
    • The use of a layered security architecture to harden security defenses, also known as defense in depth.

SDLC Processes

The function of a Secure Software Development Lifecycle (SDLC) is to understand software security risks and how to manage them: knowing the common problems (including language-specific flaws and pitfalls), designing for security, and subjecting all software code to security risk analysis and testing. UL can support building and rolling out SDLC processes, ensuring effective security management across the entire software lifecycle.

UL offers Secure Software Development Lifecycle (SDLC) guidance and consulting services, risk analysis and testing, as well as developer training and security review during the code development and implementation phases. UL aims for a holistic security approach that helps its customers avoid the expensive redesign and recoding efforts associated with insecure design and systemic implementation flaws, which are all too often discovered late in the development lifecycle.

Security Vendor Sourcing and RFP Support

Best-in-class security involves working with the right solutions from trusted vendors. If cybersecurity is not your day-to-day business, it is hard to evaluate evenhandedly the proposals of vendors eager to sell you their security products and services. Working with UL ensures you can leverage the right set of security requirements and have the knowledge and experience to select the right solution from the right vendor. We follow industry best practices in developing RFP requirements and documents and in evaluating and scoring proposals, and provide guidance on vendor short lists. As a neutral, independent and trusted party, UL will in most cases limit itself to technical evaluations and will always provide objective input only.

Configuration Management

Once your IT architecture has been designed and you have sourced the security technology and solutions you need, you must ensure that configuration management is done properly. Solutions such as routers, switches, firewalls, Data Loss Prevention (DLP), Digital Rights Management (DRM), Identity and Access Management (IAM), Network Access Control, Intrusion Prevention and Detection (IPS/IDS) and Security Information and Event Management (SIEM) systems need to be properly provisioned, patched and configured. Policies for key and certificate management, as well as rule sets, will also need to be reviewed and updated to ensure appropriate risk mitigation. All of this requires in-depth knowledge and experience, which UL is happy to provide.
