NIST 800-160 Volume 1 features many guidelines of interest to cybersecurity experts looking to boost their defenses through security by design. As we saw in the first post in this series, the key principles of this document provide a good footing for security. Next, let’s take a look at how the security design principles laid out in chapter three can help your organization position itself well to minimize risk and have a resilient cybersecurity and information security program.

The Foundation: Systems and Software Engineering

The basis for chapter three comes from ISO/IEC/IEEE 15288 Systems and Software Engineering — System Life Cycle Processes. This standard outlines processes and terminology from an engineering perspective. This security by design viewpoint is important because it gets different stakeholders talking to each other. Remember, speaking a common language is critical to any successful cybersecurity program. And ultimately, we want to use ISO/IEC/IEEE 15288 to achieve customer satisfaction, so that acquirers and suppliers are working toward the same goal.

The systems life cycle process includes four families:

  • Agreement processes
  • Organizational project-enabling processes
  • Technical management processes
  • Technical processes

This piece gives an overview of the first two families, agreement and organizational project-enabling processes.

One of the keys to applying these processes is to understand that they do not necessarily map to a specific stage in the system life cycle. Rather, they can be executed recursively, iteratively, concurrently, in parallel or in sequence. By design, the processes can be tailored and applied concurrently across life cycle stages: concept, development, production, utilization, support and retirement. This tailoring approach allows for optimization, concurrent application and use across a variety of methodologies, processes and models. It also accommodates unanticipated issues or variances. In this way, the security by design process remains flexible.

Life Cycle Process Basics for Security by Design

Before looking at the first two families, let’s look at each life cycle process. Each is made up of the following parts:

  • Purpose: Primary goals and objectives, with a summary of security-focused activities
  • Outcomes: What the security-focused activities achieve and what data the process generates
  • Activities and Tasks: The security-focused work and enhancements performed

Something that should be kept in mind throughout the entire process is that the goal of all of this is ultimately to minimize risk through trust. By going through this process, you will be better positioned not only to protect your information security program, but also to have a better grasp of the costs involved in developing and maintaining it. This can even improve your organization’s overall cybersecurity mindset. If you set up the security by design system right, you will be better positioned to have a culture of security.

Agreement Processes

Let’s take a look at this family of processes from the top level. The acquisition process serves to ensure protections and security concerns are addressed per the acquirer’s requirements when used to obtain a product or service. It aims to make sure you address security considerations and make requests to suppliers that validate those security concerns. It also requires you to consider the criteria for selecting a supplier, agreements between acquirer and supplier, compliance and obligations.

The supply process is similar to the acquisition process, ensuring you meet the acquirer’s requirements. It is intended to make sure security needs match with capabilities. In addition, you need to meet security criteria as part of the supply strategy. It also outlines that you must meet and define supply-related security criteria in an agreement, and must supply the product or service per security criteria.

Project-Enabling Processes for Security by Design

This family has six processes: life cycle model management, infrastructure management, portfolio management, human resource management, quality management and knowledge management. Here is a similar, brief ‘SparkNotes’ look at them:

  • Life Cycle Model Management: This process identifies and assesses security needs and considerations across the life cycle. Intended outcomes include: capturing security considerations in organizational policies and procedures; assessing and prioritizing security needs for use and implementation; and defining responsibility, accountability and authority.
  • Infrastructure Management: A process that makes sure you have the infrastructure and services supporting the organization in place, including facilities, tools, communication and information technology assets. After using this, you should be able to define security requirements for the infrastructure, identify and specify capabilities and constraints, and have a secure infrastructure in place.
  • Portfolio Management: This is a process to ensure security considerations are a factor in projects, as well as a means to justify continued investment. Intended outcomes include: properly scrutinizing and prioritizing business venture opportunities and investments; meeting security objectives; allocating resources and budgets; redirecting or terminating projects that do not meet security requirements; making sure all projects that are closed meet all security requirements; and defining project management responsibilities, accountability and authorities.
  • Human Resource Management: A process to ensure personnel are qualified and meet the defined security requirements. Intended outcomes include: identifying the skills required for projects; providing projects with individuals who have systems engineering security skills; and developing, maintaining or enhancing personnel’s skills.
  • Quality Management: This process ensures you meet security quality objectives and criteria. Intended outcomes include defining and implementing security quality objectives, having resources on hand to support and maintain the project, defining accountability and authority, taking appropriate action when quality objectives are not met, and defining policies, standards and procedures. In addition, by the end of this process, you should have established and improved evaluation criteria.
  • Knowledge Management: This process creates and manages a security knowledge base that can exploit opportunities and reapply existing knowledge. Intended outcomes include: a taxonomy; a means to ensure knowledge, skills and assets; and a means to gather, analyze and use the data acquired.

More From NIST

Keep in mind, the above summaries are about as high-level as you can get. To really get into the details of the present and future of security with this document, you need to spend some time understanding it more deeply. We designed this mini-series just for that high-level understanding. Parts three and four of this series will provide similar overviews of the remaining process families as an introduction to the security by design principles in NIST 800-160 Volume 1.
