Picking up where we left off on the security-by-design thinking offered by NIST 800-160 Volume 1, we move onward in Chapter 3, focusing on the technical management processes. Let’s look at some security design principles at the technical processes level.

Technical Management Processes

Chapter 3.3 shows us eight processes. Like we did in Part 2 of this mini series, let’s briefly look at the purpose and outcomes of each process. Each fit into a good security-by-design mindset. The following is a summary of each process in this family found in Chapter 3.3, with the reminder that these are very brief captions.

  • Project Planning Process: This process produces and coordinates the security aspects of a project, including the security scope and associated metrics and deliverables. At the end of this process you’ll ideally define security objectives and aspects of the project plans. You’ll also have associated roles, responsibilities, accountabilities and authorities. All resources and services will be available, and execution plans will be activated.
  • Project Assessment and Control Process: This process evaluates the progress and achievements of the projects. At the same time, it lays out methods for communicating specific actions that require resolution for any variances that could impact security objectives. By the end of this process you’ll have performance measurements, adequate roles and associated tasks and adequate resources. You’ll also have mechanisms to handle deviations, including investigation and analysis. It also provides guidelines for communication to stakeholders, recording lessons learned, tracking security aspects and achieving project security objectives.
  • Decision Management Process: This process finds, studies, characterizes and evaluates a set of security-based and security-informed alternatives. It guides you in judging and finding security aspects of decision management, alternative analysis and alternative courses of action. It also guides you in setting security-driven preferred courses of action and identifying assumptions. A note: decision criteria here should consider vulnerability, susceptibility, assurance, regulatory concerns, cost, constraints, implications and quality control.
  • Risk Management Process: This process identifies, analyzes, treats and monitors security risks within the context of the risk profile. By the end of it you should define security aspects of the risk management strategy; define, prioritize and select options; and implement risk treatment. It also helps in making sure you evaluate security risks on an ongoing basis, and maintain and record security risks in the risk profile.
  • Configuration Management Process: This process ensures security considerations are addressed in system elements, configurations and associated data and information over the system life cycle. By the end, you should be able to define and manage security aspects of configuration management strategy and items, hold security criteria to the configuration baselines, control changes per security guidelines and control and approve system releases and deliveries.
  • Information Management Process: This process ensures all stakeholder protection needs and associated security considerations, constraints and concerns are addressed. The intended outcome is that you will have found protections for information and secured information throughout acquisition, development, transformation, storage, validation, presentation and disposal. The information should be available to certain stakeholders with the correct controls.
  • Measurement Process: This process collects, analyzes and reports security-relevant data for effective management. It involves finding security-relevant information. You should know the appropriate measures or start developing them by the end of this process. You should be able to analyze, interpret, collect, verify and store security-relevant data. In addition, security-relevant information will be able to support decisions.
  • Quality Assurance Process: This process conducts proactive quality assurance to ensure application of the security aspects to a level of confidence that ensures the desired quality. It involves defining, implementing and establishing security aspects of quality assurance. By the end, you should be performing evaluations of products, services and processes in a manner consistent with security quality management guidelines. From there, you can provide these evaluations to stakeholders, and prioritize and treat security-relevant problems.

Security by Design for a Better Future

Security design principles and system security engineering can foster invention and growth. Build it right and it will be more secure. That, in turn, leads to a brighter future of security. In the next and final installment of the mini-series, we’ll close out Chapter 3 of NIST 800-160 Volume 1 with a similar summary of the chapter contents.

More from Risk Management

Most organizations want security vendor consolidation

4 min read - Cybersecurity is complicated, to say the least. Maintaining a strong security posture goes far beyond knowing about attack groups and their devious TTPs. Merely understanding, coordinating and unifying security tools can be challenging.We quickly passed through the “not if, but when” stage of cyberattacks. Now, it’s commonplace for companies to have experienced multiple breaches. Today, cybersecurity has taken a seat in core business strategy discussions as the risks and costs have risen dramatically.For this reason, 75% of organizations seek to…

How IBM secures the U.S. Open

2 min read - More than 15 million tennis fans around the world visited the US Open app and website this year, checking scores, poring over statistics and watching highlights from hundreds of matches over the two weeks of the tournament. To help develop this world-class digital experience, IBM Consulting worked closely with the USTA, developing powerful generative AI models that transform tennis data into insights and original content. Using IBM watsonx, a next-generation AI and data platform, the team built and managed the entire…

How NIST Cybersecurity Framework 2.0 Tackles Risk Management

4 min read - The NIST Cybersecurity Framework 2.0 (CSF) is moving into its final stages before its 2024 implementation. After the public discussion period to inform decisions for the framework closed in May, it’s time to learn more about what to expect from the changes to the guidelines. The updated CSF is being aligned with the Biden Administration’s National Cybersecurity Strategy, according to Cherilyn Pascoe, senior technology policy advisor with NIST, at the 2023 RSA Conference. This sets up the new CSF to…

Why consumer drones represent a special cybersecurity risk

3 min read - Cybersecurity staff at an East Coast financial services company last summer detected unusual activity on its internal Atlassian Confluence page originating inside the company’s network. The MAC address used locally belonged to an employee known to be currently using the same MAC address remotely, according to a security specialist named Greg Linares, who had secondhand information about the attack. So, the team used a Fluke AirCheck Wi-Fi Tester device to identify the device logged in, which led the team to…