NIST 800-160 Volume 1 features many guidelines of interest to cybersecurity experts looking to boost their defenses through security by design. As we saw in the first post in this series, the key principles of this document provide a good footing for security. Next, let’s take a look at how the security design principles laid out in chapter three can help your organization position itself well to minimize risk and have a resilient cybersecurity and information security program.

The Foundation: Systems and Software Engineering

The basis for chapter three comes from ISO/IEC/IEEE 15288 Systems and Software Engineering — System Life Cycle Processes. This standard outlines processes and terminology from an engineering perspective. This security by design viewpoint is important because it gets different stakeholders talking to each other. Remember, speaking a common language is critical to any successful cybersecurity program. And ultimately, we want to use ISO/IEC/IEEE 15288 to achieve customer satisfaction, so that all of those stakeholders are working toward the same goal.

The systems life cycle process includes four families:

  • Agreement processes
  • Organizational project-enabling processes
  • Technical management processes
  • Technical processes

This piece gives an overview of the first two families, agreement and organizational project-enabling processes.

One of the keys to applying these processes is to understand that they do not necessarily map to a specific stage in the system life cycle. Rather, they can be recursive, iterative, concurrent, parallel or sequenced in execution. By design, the processes can be tailored and applied concurrently across life cycle stages: concept, development, production, utilization, support and retirement. This tailoring approach allows for optimization, concurrent application and use across a variety of methodologies, processes and models. It also accommodates unanticipated issues or variances. In this way, the security by design process remains flexible.

Life Cycle Process Basics for Security by Design

Before looking at the first two families, let’s look at each life cycle process. Each is made up of the following parts:

  • Purpose: Primary goals and objectives, with a summary of security-focused activities
  • Outcomes: What the security-focused activities achieve and what data the process generates
  • Activities and Tasks: The security-focused work and enhancements performed

Something to keep in mind throughout the entire process is that the goal of all of this is ultimately to minimize risk through trust. By going through this process, you will be better positioned not only to protect your information security program, but also to have a better grasp of the costs involved in developing and maintaining it. This can even improve your organization’s overall cybersecurity mindset. If you set up the security by design system right, you will be better positioned to have a culture of security.

Agreement Processes

Let’s take a look at this family of processes from the top level. The acquisition process serves to ensure that protections and security concerns are addressed per the acquirer’s requirements when obtaining a product or service. It aims to make sure you address security considerations and make requests of suppliers that validate those security concerns. It also requires you to consider the criteria for selecting a supplier, agreements between acquirer and supplier, compliance and obligations.

The supply process is similar to the acquisition process, ensuring you meet the acquirer’s requirements. It is intended to make sure security needs match capabilities. In addition, you need to meet security criteria as part of the supply strategy. It also outlines that you must define and meet supply-related security criteria in an agreement, and must supply the product or service per those security criteria.

Project-Enabling Processes for Security by Design

This family has six processes: life cycle model management, infrastructure management, portfolio management, human resource management, quality management and knowledge management. Here is a similar, brief ‘Spark Notes’ look at them:

  • Life Cycle Model Management: This process identifies and assesses security needs and considerations across the life cycle. Intended outcomes include capturing security considerations in organizational policies and procedures, assessing and prioritizing security needs for use and implementation, and defining responsibility, accountability and authority.
  • Infrastructure Management: A process that makes sure the infrastructure and services supporting the organization are in place, including facilities, tools, communication and information technology assets. After using this you should be able to define security requirements for the infrastructure, identify and specify capabilities and constraints, and have a secure infrastructure in place.
  • Portfolio Management: This is a process to ensure security considerations are a factor in projects as well as a means to justify continued investment. Intended outcomes include properly scrutinizing and prioritizing business venture opportunities and investments, meeting security objectives, allocating resources and budgets, redirecting or terminating projects that do not meet security requirements, making sure all projects that are closed meet all security requirements, and defining project management responsibilities, accountability and authorities.
  • Human Resource Management: A process to ensure personnel are qualified and meet the defined security requirements. Intended outcomes include identifying the skills required for projects, providing projects with individuals who have systems engineering security skills, and developing, maintaining or enhancing personnel’s skills.
  • Quality Management: This process ensures you meet security quality objectives and criteria. Intended outcomes include defining and implementing security quality objectives, having resources on hand to support and maintain the project, defining accountability and authority, taking appropriate action when quality objectives are not met, and defining policies, standards and procedures. In addition, by the end of this process, you should establish and improve evaluation criteria.
  • Knowledge Management: This process creates and manages a security knowledge base that can exploit opportunities and reapply existing knowledge. Intended outcomes include a taxonomy, a means to maintain knowledge, skills and assets, and a means to gather, analyze and use the data acquired.

More From NIST

Keep in mind, the above summaries are about as high-level as you can get. To really get into the details of the present and future of security with this document, you need to spend some time understanding it more deeply. We designed this mini-series just for that high-level understanding. Parts three and four of this series will provide similar overviews of additional processes as an introduction to the security by design principles in NIST 800-160 Volume 1.