Picking up where we left off on the security-by-design thinking offered by NIST 800-160 Volume 1, we move onward in Chapter 3, focusing on the technical management processes. Let’s look at some security design principles at the technical processes level.

Technical Management Processes

Chapter 3.3 shows us eight processes. Like we did in Part 2 of this mini series, let’s briefly look at the purpose and outcomes of each process. Each fit into a good security-by-design mindset. The following is a summary of each process in this family found in Chapter 3.3, with the reminder that these are very brief captions.

  • Project Planning Process: This process produces and coordinates the security aspects of a project, including the security scope and associated metrics and deliverables. At the end of this process you’ll ideally define security objectives and aspects of the project plans. You’ll also have associated roles, responsibilities, accountabilities and authorities. All resources and services will be available, and execution plans will be activated.
  • Project Assessment and Control Process: This process evaluates the progress and achievements of the projects. At the same time, it lays out methods for communicating specific actions that require resolution for any variances that could impact security objectives. By the end of this process you’ll have performance measurements, adequate roles and associated tasks and adequate resources. You’ll also have mechanisms to handle deviations, including investigation and analysis. It also provides guidelines for communication to stakeholders, recording lessons learned, tracking security aspects and achieving project security objectives.
  • Decision Management Process: This process finds, studies, characterizes and evaluates a set of security-based and security-informed alternatives. It guides you in judging and finding security aspects of decision management, alternative analysis and alternative courses of action. It also guides you in setting security-driven preferred courses of action and identifying assumptions. A note: decision criteria here should consider vulnerability, susceptibility, assurance, regulatory concerns, cost, constraints, implications and quality control.
  • Risk Management Process: This process identifies, analyzes, treats and monitors security risks within the context of the risk profile. By the end of it you should define security aspects of the risk management strategy; define, prioritize and select options; and implement risk treatment. It also helps in making sure you evaluate security risks on an ongoing basis, and maintain and record security risks in the risk profile.
  • Configuration Management Process: This process ensures security considerations are addressed in system elements, configurations and associated data and information over the system life cycle. By the end, you should be able to define and manage security aspects of configuration management strategy and items, hold security criteria to the configuration baselines, control changes per security guidelines and control and approve system releases and deliveries.
  • Information Management Process: This process ensures all stakeholder protection needs and associated security considerations, constraints and concerns are addressed. The intended outcome is that you will have found protections for information and secured information throughout acquisition, development, transformation, storage, validation, presentation and disposal. The information should be available to certain stakeholders with the correct controls.
  • Measurement Process: This process collects, analyzes and reports security-relevant data for effective management. It involves finding security-relevant information. You should know the appropriate measures or start developing them by the end of this process. You should be able to analyze, interpret, collect, verify and store security-relevant data. In addition, security-relevant information will be able to support decisions.
  • Quality Assurance Process: This process conducts proactive quality assurance to ensure application of the security aspects to a level of confidence that ensures the desired quality. It involves defining, implementing and establishing security aspects of quality assurance. By the end, you should be performing evaluations of products, services and processes in a manner consistent with security quality management guidelines. From there, you can provide these evaluations to stakeholders, and prioritize and treat security-relevant problems.

Security by Design for a Better Future

Security design principles and system security engineering can foster invention and growth. Build it right and it will be more secure. That, in turn, leads to a brighter future of security. In the next and final installment of the mini-series, we’ll close out Chapter 3 of NIST 800-160 Volume 1 with a similar summary of the chapter contents.

More from Risk Management

Third-Party App Stores Could Be a Red Flag for iOS Security

Even Apple can’t escape change forever. The famously restrictive company will allow third-party app stores for iOS devices, along with allowing users to “sideload” software directly. Spurring the move is the European Union’s (EU) Digital Markets Act (DMA), which looks to ensure open markets by reducing the ability of digital “gatekeepers” to restrict content on devices. While this is good news for app creators and end-users, there is a potential red flag: security. Here’s what the compliance-driven change means for…

Defensive Driving: The Need for EV Cybersecurity Roadmaps

As the U.S. looks to bolster electric vehicle (EV) adoption, a new challenge is on the horizon: cybersecurity. Given the interconnected nature of these vehicles and their reliance on local power grids, they’re not just an alternative option for getting from Point A to Point B. They also offer a new path for network compromise that could put drivers, companies and infrastructure at risk. To help address this issue, the Office of the National Cyber Director (ONCD) recently hosted a…

Too Much Caffeine? Phishing-as-a-Service Makes Us Jittery

Recently, investigators at Mandiant discovered a new software platform with an intuitive interface. The service has tools to orchestrate and automate core campaign elements. Some of the platform’s features enable self-service customization and campaign tracking. Sounds like a typical Software-as-a-Service (SaaS) operation, right? Well, this time, it’s Caffeine, the latest Phishing-as-a-Service (PhaaS) platform. A basic subscription costs $250 a month; all you need is an email to sign up. How Caffeine PhaaS is Different PhaaS vendors advertise and sell their…

Everyone Wants to Build a Cyber Range: Should You?

In the last few years, IBM X-Force has seen an unprecedented increase in requests to build cyber ranges. By cyber ranges, we mean facilities or online spaces that enable team training and exercises of cyberattack responses. Companies understand the need to drill their plans based on real-world conditions and using real tools, attacks and procedures. What’s driving this increased demand? The increase in remote and hybrid work models emerging from the COVID-19 pandemic has elevated the priority to collaborate and…