Picking up where we left off on the security-by-design thinking offered by NIST 800-160 Volume 1, we move onward in Chapter 3, focusing on the technical management processes. Let’s look at some security design principles at the technical processes level.
Technical Management Processes
Chapter 3.3 shows us eight processes. Like we did in Part 2 of this mini series, let’s briefly look at the purpose and outcomes of each process. Each fit into a good security-by-design mindset. The following is a summary of each process in this family found in Chapter 3.3, with the reminder that these are very brief captions.
- Project Planning Process: This process produces and coordinates the security aspects of a project, including the security scope and associated metrics and deliverables. At the end of this process you’ll ideally define security objectives and aspects of the project plans. You’ll also have associated roles, responsibilities, accountabilities and authorities. All resources and services will be available, and execution plans will be activated.
- Project Assessment and Control Process: This process evaluates the progress and achievements of the projects. At the same time, it lays out methods for communicating specific actions that require resolution for any variances that could impact security objectives. By the end of this process you’ll have performance measurements, adequate roles and associated tasks and adequate resources. You’ll also have mechanisms to handle deviations, including investigation and analysis. It also provides guidelines for communication to stakeholders, recording lessons learned, tracking security aspects and achieving project security objectives.
- Decision Management Process: This process finds, studies, characterizes and evaluates a set of security-based and security-informed alternatives. It guides you in judging and finding security aspects of decision management, alternative analysis and alternative courses of action. It also guides you in setting security-driven preferred courses of action and identifying assumptions. A note: decision criteria here should consider vulnerability, susceptibility, assurance, regulatory concerns, cost, constraints, implications and quality control.
- Risk Management Process: This process identifies, analyzes, treats and monitors security risks within the context of the risk profile. By the end of it you should define security aspects of the risk management strategy; define, prioritize and select options; and implement risk treatment. It also helps in making sure you evaluate security risks on an ongoing basis, and maintain and record security risks in the risk profile.
- Configuration Management Process: This process ensures security considerations are addressed in system elements, configurations and associated data and information over the system life cycle. By the end, you should be able to define and manage security aspects of configuration management strategy and items, hold security criteria to the configuration baselines, control changes per security guidelines and control and approve system releases and deliveries.
- Information Management Process: This process ensures all stakeholder protection needs and associated security considerations, constraints and concerns are addressed. The intended outcome is that you will have found protections for information and secured information throughout acquisition, development, transformation, storage, validation, presentation and disposal. The information should be available to certain stakeholders with the correct controls.
- Measurement Process: This process collects, analyzes and reports security-relevant data for effective management. It involves finding security-relevant information. You should know the appropriate measures or start developing them by the end of this process. You should be able to analyze, interpret, collect, verify and store security-relevant data. In addition, security-relevant information will be able to support decisions.
- Quality Assurance Process: This process conducts proactive quality assurance to ensure application of the security aspects to a level of confidence that ensures the desired quality. It involves defining, implementing and establishing security aspects of quality assurance. By the end, you should be performing evaluations of products, services and processes in a manner consistent with security quality management guidelines. From there, you can provide these evaluations to stakeholders, and prioritize and treat security-relevant problems.
Security by Design for a Better Future
Security design principles and system security engineering can foster invention and growth. Build it right and it will be more secure. That, in turn, leads to a brighter future of security. In the next and final installment of the mini-series, we’ll close out Chapter 3 of NIST 800-160 Volume 1 with a similar summary of the chapter contents.