Picking up where we left off on the security-by-design thinking offered by NIST 800-160 Volume 1, we move onward in Chapter 3, focusing on the technical management processes. Let’s look at some security design principles at the technical processes level.

Technical Management Processes

Chapter 3.3 shows us eight processes. Like we did in Part 2 of this mini series, let’s briefly look at the purpose and outcomes of each process. Each fit into a good security-by-design mindset. The following is a summary of each process in this family found in Chapter 3.3, with the reminder that these are very brief captions.

  • Project Planning Process: This process produces and coordinates the security aspects of a project, including the security scope and associated metrics and deliverables. At the end of this process you’ll ideally define security objectives and aspects of the project plans. You’ll also have associated roles, responsibilities, accountabilities and authorities. All resources and services will be available, and execution plans will be activated.
  • Project Assessment and Control Process: This process evaluates the progress and achievements of the projects. At the same time, it lays out methods for communicating specific actions that require resolution for any variances that could impact security objectives. By the end of this process you’ll have performance measurements, adequate roles and associated tasks and adequate resources. You’ll also have mechanisms to handle deviations, including investigation and analysis. It also provides guidelines for communication to stakeholders, recording lessons learned, tracking security aspects and achieving project security objectives.
  • Decision Management Process: This process finds, studies, characterizes and evaluates a set of security-based and security-informed alternatives. It guides you in judging and finding security aspects of decision management, alternative analysis and alternative courses of action. It also guides you in setting security-driven preferred courses of action and identifying assumptions. A note: decision criteria here should consider vulnerability, susceptibility, assurance, regulatory concerns, cost, constraints, implications and quality control.
  • Risk Management Process: This process identifies, analyzes, treats and monitors security risks within the context of the risk profile. By the end of it you should define security aspects of the risk management strategy; define, prioritize and select options; and implement risk treatment. It also helps in making sure you evaluate security risks on an ongoing basis, and maintain and record security risks in the risk profile.
  • Configuration Management Process: This process ensures security considerations are addressed in system elements, configurations and associated data and information over the system life cycle. By the end, you should be able to define and manage security aspects of configuration management strategy and items, hold security criteria to the configuration baselines, control changes per security guidelines and control and approve system releases and deliveries.
  • Information Management Process: This process ensures all stakeholder protection needs and associated security considerations, constraints and concerns are addressed. The intended outcome is that you will have found protections for information and secured information throughout acquisition, development, transformation, storage, validation, presentation and disposal. The information should be available to certain stakeholders with the correct controls.
  • Measurement Process: This process collects, analyzes and reports security-relevant data for effective management. It involves finding security-relevant information. You should know the appropriate measures or start developing them by the end of this process. You should be able to analyze, interpret, collect, verify and store security-relevant data. In addition, security-relevant information will be able to support decisions.
  • Quality Assurance Process: This process conducts proactive quality assurance to ensure application of the security aspects to a level of confidence that ensures the desired quality. It involves defining, implementing and establishing security aspects of quality assurance. By the end, you should be performing evaluations of products, services and processes in a manner consistent with security quality management guidelines. From there, you can provide these evaluations to stakeholders, and prioritize and treat security-relevant problems.

Security by Design for a Better Future

Security design principles and system security engineering can foster invention and growth. Build it right and it will be more secure. That, in turn, leads to a brighter future of security. In the next and final installment of the mini-series, we’ll close out Chapter 3 of NIST 800-160 Volume 1 with a similar summary of the chapter contents.

More from Risk Management

Working in the security clearance world: How security clearances impact jobs

2 min read - We recently published an article about the importance of security clearances for roles across various sectors, particularly those associated with national security and defense.But obtaining a clearance is only part of the journey. Maintaining and potentially expanding your clearance over time requires continued diligence and adherence to stringent guidelines.This brief explainer discusses the duration of security clearances, the recurring processes involved in maintaining them and possibilities for expansion, as well as the economic benefits of these credentialed positions.Duration of security…

Remote access risks on the rise with CVE-2024-1708 and CVE-2024-1709

4 min read - On February 19, ConnectWise reported two vulnerabilities in its ScreenConnect product, CVE-2024-1708 and 1709. The first is an authentication bypass vulnerability, and the second is a path traversal vulnerability. Both made it possible for attackers to bypass authentication processes and execute remote code.While ConnectWise initially reported that the vulnerabilities had proof-of-concept but hadn’t been spotted in the wild, reports from customers quickly made it clear that hackers were actively exploring both flaws. As a result, the company created patches for…

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today