NIST 800-160 Volume 1 features many guidelines of interest to cybersecurity experts looking to boost their defenses through security by design. As we saw in the first post in this series, the key principles of this document provide a good footing for security. Next, let’s take a look at how the security design principles laid out in chapter three can help your organization position itself well to minimize risk and have a resilient cybersecurity and information security program.

The Foundation: Systems and Software Engineering

The basis for chapter three comes from ISO/IEC/IEEE 15288 Systems and Software Engineering — System Life Cycle Process. This standard outlines processes and terminology from an engineering perspective. This security by design viewpoint is important because it gets different stakeholders talking to each other. Remember, speaking a common language is critical to any successful cybersecurity program. And ultimately, we want to use ISO/IEC/IEEE 15288 to achieve customer satisfaction, so both groups are working toward the same goal.

The systems life cycle process includes four families:

  • Agreement processes
  • Organizational project-enabling processes
  • Technical management processes
  • Technical processes

This piece gives an overview of the first two families, agreement and organizational project-enabling processes.

One of the keys to applying these processes is to understand that they do not necessarily map to a specific stage in the system life cycle. Rather, their execution can be recursive, iterative, concurrent, parallel or sequenced. By design, the processes can be tailored and applied concurrently across life cycle stages: concept, development, production, utilization, support and retirement. This tailoring approach allows for optimization, concurrent application and use across a variety of methodologies, processes and models. It also accommodates unanticipated issues or variances. In this way, the security by design process remains flexible.

Life Cycle Process Basics for Security by Design

Before looking at the first two families, let’s look at each life cycle process. Each is made up of the following parts:

  • Purpose: Primary goals and objectives, with a summary of security-focused activities
  • Outcomes: What the security-focused activities achieve and what data the process generates
  • Activities and Tasks: The security-focused work and enhancements performed

Something that should be kept in mind throughout the entire process is that the goal of all of this is ultimately to minimize risk through trust. And by going through this process, you will better position yourself not only to protect your information security program, but have a better grasp of the costs involved to develop and maintain your program. This can even improve your organization’s overall cybersecurity mindset. If you set up the security by design system right, you will be better positioned to have a culture of security.

Agreement Processes

Let’s take a look at this family of processes from the top level. The acquisition process serves to ensure protections and security concerns are addressed per the acquirer’s requirements when it is used to obtain a product or service. It aims to make sure you address security considerations and make requests to suppliers that validate security concerns. It also requires you to consider the criteria for selecting a supplier, the agreements between acquirer and supplier, and compliance and obligations.

The supply process is similar to the acquisition process, ensuring you meet the acquirer’s requirements. It is intended to make sure security needs match capabilities. In addition, you need to meet security criteria as part of the supply strategy. It also outlines that you must define and meet supply-related security criteria in an agreement, and must supply the product or service per those security criteria.

Project-Enabling Processes for Security by Design

This family has six processes: life cycle model management, infrastructure management, portfolio management, human resource management, quality management and knowledge management. Here is a similar, brief ‘Spark Notes’ look at them:

  • Life Cycle Model Management: This process identifies and assesses security needs and considerations across the life cycle. Intended outcomes include: you should capture security considerations in organizational policies and procedures, assess and prioritize security needs for use and implementation and define responsibility, accountability and authority.
  • Infrastructure Management: A process that makes sure you have infrastructure and services supporting the organization in place, including facilities, tools, communication and information technology assets. After using this you should be able to define security requirements for the infrastructure, identify and specify capabilities and constraints and have a secure infrastructure in place.
  • Portfolio Management: This is a process to ensure security considerations are a factor in projects as well as a means to justify continued investment. Intended outcomes include: to properly scrutinize and prioritize business venture opportunities and investments, meet security objectives, allocate resources and budgets, redirect or terminate projects not meeting security requirements, make sure all projects that are closed meet all security requirements and define project management responsibilities, accountability and authorities.
  • Human Resource Management: A process to ensure personnel are qualified and meet the security requirements defined. Intended outcomes include: to identify the skills required for projects, provide projects with individuals who have systems engineering security skills, and develop, maintain or enhance personnel’s skills.
  • Quality Management: This process ensures you meet security quality objectives and criteria. Intended outcomes include defining and implementing security quality objectives, having resources to support and maintain the project on hand, defining accountability and authority, taking appropriate action when quality objectives are not met, and defining policies, standards and procedures. In addition, by the end of this process, you should establish and improve evaluation criteria.
  • Knowledge Management: This process creates and manages a security knowledge base that can exploit opportunities and reapply existing knowledge. Intended outcomes include: a taxonomy, a means to maintain knowledge, skills and assets, and a means to gather, analyze and use the data acquired.

More From NIST

Keep in mind, the above summaries are about as high-level as you can get. To really get into the details of the present and future of security with this document, you need to spend some time understanding it more deeply. We designed this mini-series just for that high-level understanding. Parts three and four of this series will provide similar overviews of additional processes as an introduction to the security by design principles in NIST 800-160 Volume 1.
