Security Design Review (SDR)

In any environment, security is necessary. In the context of application development, some security can be implemented within an application. In a client/server environment, however, users can and will have access to the data outside of the application (e.g. through ODBC, MS Access, or MS Excel). Therefore, minimal security must be planned at the database level.

A Security Design Review can help to identify information obtained during the processing of a project that could negatively impact K&J as a result of inappropriate access, modification, or unavailability. Additionally, security must be built into the application code, procedures, and training to ensure the appropriate controls are present to address confidentiality, integrity, and availability.

Security Design Review
Process Flow


*This process is to be followed for all new applications and enhancements that require a preliminary or detailed design review.



Presenters
Software development team


Participants

  • Application Architect
  • Business Analysts
  • DBA
  • QA representatives
  • Security Administrator
  • Technical Services representatives
  • User representatives

Attendees should be familiar with the project background, requirements, and design.


Time
After the Preliminary Design Review has been completed.


Agenda
Complete the Security Design Review Questionnaire.


Materials Distribution
The Security Design Review Questionnaire will be distributed to the project team by the Security Administrator in advance of the Security Design Review meeting.


Key Issues to Be Addressed

  • Identify impact on the firewall configuration – new IP port numbers, etc.
  • Identify impact on server (host) security – OS login requirements, etc.
  • Identify implications to network security – encryption, etc.
  • Identify auditing and/or logging requirements.
  • Identify the minimal security that must be provided by the database.
  • Identify impact on security tables.
  • Will this project require new security applications?
  • Will this project require new security sub-applications?
  • Will this project require new security roles or changes to current security roles?
  • For each role – identify each table associated with that role and the access (SUID: select, update, insert, and delete) that is required for that role.