NIST SP 800-160 Volume 1 contains many guidelines of interest to cybersecurity practitioners who want to strengthen their defenses through security by design. As we saw in the first post in this series, the key principles of the document provide a sound footing for security. Next, let's look at how the system life cycle processes laid out in chapter three can help your organization position itself to minimize risk and run a resilient cybersecurity and information security program.
The Foundation: Systems and Software Engineering
Chapter three is built on ISO/IEC/IEEE 15288, Systems and Software Engineering — System Life Cycle Processes. That standard defines processes and terminology from an engineering perspective, and NIST 800-160 adds security-focused activities to each process. This matters for security by design because it gets different stakeholders, in particular systems engineers and security specialists, talking to each other in the same vocabulary. Remember, speaking a common language is critical to any successful cybersecurity program. Ultimately, both groups are working toward the same goal: a system that satisfies the customer's requirements, including the security requirements.
The systems life cycle process includes four families:
- Agreement processes
- Organizational project-enabling processes
- Technical management processes
- Technical processes
This post gives an overview of the first two families, the agreement processes and the organizational project-enabling processes.
One key to applying these processes is understanding that they do not map to a single stage of the system life cycle. Rather, they can be executed recursively, iteratively, concurrently, in parallel or in sequence. By design, the processes can be tailored and applied across all life cycle stages: concept, development, production, utilization, support and retirement. This tailoring allows the processes to be optimized, applied concurrently and used with a variety of methodologies, process models and development models. It also accommodates unanticipated issues and variances. In this way, the security by design process remains flexible.
Life Cycle Process Basics for Security by Design
Before looking at the first two families, let's look at how each life cycle process is described. Each is made up of the following parts:
- Purpose: Primary goals and objectives, with a summary of security-focused activities
- Outcomes: What the security-focused activities achieve and what data the process generates
- Activities and Tasks: The security-focused work and enhancements performed
Keep in mind throughout that the ultimate goal of all of this is to minimize risk by building systems that are demonstrably trustworthy. Working through these processes positions you not only to protect your information security program but also to understand the costs involved in developing and maintaining it. It can even improve your organization's overall cybersecurity mindset: if you set up the security by design system properly, you will be better positioned to build a culture of security.
Agreement Processes for Security by Design
The agreement family has two processes: acquisition and supply. Let's take a look at them from the top level. The acquisition process ensures that protection needs and security concerns are addressed, in line with the acquirer's requirements, whenever a product or service is obtained from a supplier. It requires you to state security considerations in your requests to suppliers and to validate that the supplier's responses address them. It also requires you to consider security in the criteria used to select a supplier, in the agreement between acquirer and supplier, and in how compliance with the agreement's obligations is monitored.
The supply process is the mirror image of acquisition: it ensures that the supplier meets the acquirer's security requirements. It is intended to confirm that the acquirer's security needs match the supplier's capabilities, that security criteria are part of the supply strategy, that supply-related security criteria are defined and agreed to in the agreement, and that the product or service is delivered in accordance with those criteria.
Project-Enabling Processes for Security by Design
This family has six processes: life cycle model management, infrastructure management, portfolio management, human resource management, quality management and knowledge management. Here is a brief, SparkNotes-style look at each:
- Life Cycle Model Management: This process identifies and assesses security needs and considerations across the life cycle. Intended outcomes include: security considerations are captured in organizational policies and procedures; security needs are assessed and prioritized for implementation and use; and responsibility, accountability and authority for security are defined.
- Infrastructure Management: This process makes sure the infrastructure and services that support the organization are in place, including facilities, tools, communications and information technology assets. Intended outcomes include: security requirements for the infrastructure are defined; infrastructure capabilities and constraints are identified and specified; and a secure infrastructure is in place and maintained.
- Portfolio Management: This process ensures that security considerations are a factor in initiating projects and in justifying their continued investment. Intended outcomes include: business opportunities and investments are scrutinized and prioritized with security in mind; security objectives are met; resources and budgets are allocated; projects that do not meet security requirements are redirected or terminated; projects that are closed have satisfied their security requirements; and project management responsibilities, accountability and authorities are defined.
- Human Resource Management: This process ensures that personnel are qualified and meet the defined security requirements. Intended outcomes include: the skills required for projects are identified; individuals with systems security engineering skills are assigned to projects; and personnel's skills are developed, maintained or enhanced.
- Quality Management: This process ensures that security quality objectives and criteria are met. Intended outcomes include: security quality objectives are defined and implemented; resources to support and maintain the project are on hand; accountability and authority are defined; appropriate action is taken when quality objectives are not met; and policies, standards and procedures are defined. By the end of this process, you should also have established and improved the evaluation criteria.
- Knowledge Management: This process creates and manages a security knowledge base that lets the organization take advantage of opportunities and reapply existing knowledge. Intended outcomes include: a taxonomy for the knowledge base; a means to manage knowledge, skills and knowledge assets; and a means to gather, analyze and use the knowledge acquired.
More From NIST
Keep in mind that the summaries above are about as high-level as you can get. To really get into the details of what this document means for the present and future of security, you need to spend time with it directly. This mini-series is designed to give you that high-level understanding. Parts three and four will provide similar overviews of the remaining process families as an introduction to the security by design principles in NIST SP 800-160 Volume 1.