Picking up where we left off on the security-by-design thinking offered by NIST 800-160 Volume 1, we move onward in Chapter 3, focusing on the technical management processes. Let’s look at some security design principles at the technical processes level.

Technical Management Processes

Chapter 3.3 shows us eight processes. Like we did in Part 2 of this mini series, let’s briefly look at the purpose and outcomes of each process. Each fit into a good security-by-design mindset. The following is a summary of each process in this family found in Chapter 3.3, with the reminder that these are very brief captions.

  • Project Planning Process: This process produces and coordinates the security aspects of a project, including the security scope and associated metrics and deliverables. At the end of this process you’ll ideally define security objectives and aspects of the project plans. You’ll also have associated roles, responsibilities, accountabilities and authorities. All resources and services will be available, and execution plans will be activated.
  • Project Assessment and Control Process: This process evaluates the progress and achievements of the projects. At the same time, it lays out methods for communicating specific actions that require resolution for any variances that could impact security objectives. By the end of this process you’ll have performance measurements, adequate roles and associated tasks and adequate resources. You’ll also have mechanisms to handle deviations, including investigation and analysis. It also provides guidelines for communication to stakeholders, recording lessons learned, tracking security aspects and achieving project security objectives.
  • Decision Management Process: This process finds, studies, characterizes and evaluates a set of security-based and security-informed alternatives. It guides you in judging and finding security aspects of decision management, alternative analysis and alternative courses of action. It also guides you in setting security-driven preferred courses of action and identifying assumptions. A note: decision criteria here should consider vulnerability, susceptibility, assurance, regulatory concerns, cost, constraints, implications and quality control.
  • Risk Management Process: This process identifies, analyzes, treats and monitors security risks within the context of the risk profile. By the end of it you should define security aspects of the risk management strategy; define, prioritize and select options; and implement risk treatment. It also helps in making sure you evaluate security risks on an ongoing basis, and maintain and record security risks in the risk profile.
  • Configuration Management Process: This process ensures security considerations are addressed in system elements, configurations and associated data and information over the system life cycle. By the end, you should be able to define and manage security aspects of configuration management strategy and items, hold security criteria to the configuration baselines, control changes per security guidelines and control and approve system releases and deliveries.
  • Information Management Process: This process ensures all stakeholder protection needs and associated security considerations, constraints and concerns are addressed. The intended outcome is that you will have found protections for information and secured information throughout acquisition, development, transformation, storage, validation, presentation and disposal. The information should be available to certain stakeholders with the correct controls.
  • Measurement Process: This process collects, analyzes and reports security-relevant data for effective management. It involves finding security-relevant information. You should know the appropriate measures or start developing them by the end of this process. You should be able to analyze, interpret, collect, verify and store security-relevant data. In addition, security-relevant information will be able to support decisions.
  • Quality Assurance Process: This process conducts proactive quality assurance to ensure application of the security aspects to a level of confidence that ensures the desired quality. It involves defining, implementing and establishing security aspects of quality assurance. By the end, you should be performing evaluations of products, services and processes in a manner consistent with security quality management guidelines. From there, you can provide these evaluations to stakeholders, and prioritize and treat security-relevant problems.

Security by Design for a Better Future

Security design principles and system security engineering can foster invention and growth. Build it right and it will be more secure. That, in turn, leads to a brighter future of security. In the next and final installment of the mini-series, we’ll close out Chapter 3 of NIST 800-160 Volume 1 with a similar summary of the chapter contents.

More from Risk Management

2024 trends: Were they accurate?

4 min read - The new year always kicks off with a flood of prediction articles; then, 12 months later, our newsfeed is filled with wrap-up articles. But we are often left to wonder if experts got it right in January about how the year would unfold. As we close out 2024, let’s take a moment to go back and see if the crystal balls were working about how the year would play out in cybersecurity.Here are five trends that were often predicted for…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today