Bob Marchant, Sotera Defense Solutions
A comparison of Systems Engineering and Security Engineering practices and professionals
Or maybe a commercial for the INCOSE working group!
Bio
35 years of engineering experience: 27 in Systems Engineering, 20+ in Security Engineering
BSCS, MBA, ABD PhD (IST); CDP, GSEC, CISSP, ISSEP, DTM; SE (adult ed certified) trainer; Process Champion (IPPD, CMMI)
Outline
• Issues
• Possible causes
• Comparing the cycles: SDLC/RMF; Lust to Dust (all dust, no lust)
• Comparing the professionals
• Next steps
So what's the issue? Security Engineering is struggling
• Consistent complaint of lack of involvement!
• Active INCOSE WG; new standards evolving
• Extremely broad BOK (very little build focus): CISSP – 10 categories from physical to crypto; ISSEP – 4 categories
• Discipline struggles to maintain currency
Possible causes (and is systems engineering the cure?)
• Incomplete models?
• No V
• No gates
• Continuous monitor mentality
• Technician/Manager focus
• BOK is broke
Comparing the Cycles: The familiar one(s)
Comparing the Cycles: In a simpler form
(Lifecycle figure, shown as a loop: Definition → Design → Development → Deployment → Operations → Retirement)
Comparing the Cycles: The Security Engineering forms
Regardless – it is all about Risk Management
• Viewed by many models/frameworks – IATF, RMF, ISO, custom
• Let's look at NIST
Comparing the Cycles: The RMF
• Starting point – CATEGORIZE Information System: define criticality/sensitivity of the information system according to potential worst-case, adverse impact to mission/business.
• SELECT Security Controls: select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
• IMPLEMENT Security Controls: implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings.
• ASSESS Security Controls: determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for the information system).
• AUTHORIZE Information System: determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
• MONITOR Security Controls: continuously track changes to the information system that may affect security controls and reassess control effectiveness.
Comparing the Cycles: Both
(The RMF cycle from the previous slide, shown side by side with the simpler lifecycle loop: Definition → Design → Development → Deployment → Operations → Retirement)
Where's the V?
From Concept to Creation, WITH GATES AND REVIEWS!!!
(V-model figure; nodes: MISSION and Real World, ICDs/CONOPS, Conceptual Model, Specs/Docs, SYSTEM; arrows labelled "Captured in", "Used to create", "Built as")
Comparing the Cycles: Where's the gates? Where's the focus?
(The RMF cycle again, annotated with the SE review points against its six steps: Post SDR, Post PDR, Post CDR, Before TRR, Before AT, O&M)
Comparing the Cycles: Recap
• SSE has a cycle but no feedback – in theory yes, in practice mostly no
• SSE has a cycle but no real gates – in practice triage, IATT, some form of AO
• SSE is driven by the CDLC
• The SSE cycle is stuck in Monitor most of the time
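The recap above names two things the speaker says the SSE cycle lacks in practice: gates between RMF steps and a feedback path out of MONITOR. The following is an added illustration, not code from the presentation or from NIST: a small Python model of the RMF cycle in which each step refuses to run unless the preceding one completed, a failed authorization loops back to IMPLEMENT, and a change that touches a selected control forces a return to ASSESS rather than leaving the record in MONITOR. The pairing of RMF steps with the review points listed on the slide (Post SDR through O&M), the control identifiers, the impact baseline and the system name are all constructed for the example.

```python
# Added example, not from the presentation or any NIST document: a small model
# of the RMF cycle with the two properties the slides say SSE lacks in practice,
# ordered gates between steps and a feedback path out of MONITOR.
from dataclasses import dataclass, field
from enum import Enum

Step = Enum("Step", "CATEGORIZE SELECT IMPLEMENT ASSESS AUTHORIZE MONITOR")

# Assumed pairing of RMF steps with the SE review points the slide lists
# (Post SDR ... O&M); the slide shows them side by side without labelling pairs.
GATE_FOR_STEP = {
    Step.CATEGORIZE: "Post SDR", Step.SELECT: "Post PDR", Step.IMPLEMENT: "Post CDR",
    Step.ASSESS: "Before TRR", Step.AUTHORIZE: "Before AT", Step.MONITOR: "O&M",
}
# Constructed baseline: which control identifiers an impact level pulls in.
BASELINE = {"low": ["AC-2", "AU-2"], "moderate": ["AC-2", "AU-2", "CM-3"]}

class GateError(RuntimeError):
    """A step was attempted before the preceding step completed."""

@dataclass
class SystemRecord:
    name: str
    step: Step = Step.CATEGORIZE
    impact: str = ""
    effective: dict = field(default_factory=dict)   # control id -> effective?
    authorized: bool = False
    gates_passed: list = field(default_factory=list)

    def gate(self, expected: Step, next_step: Step, passed: bool = True) -> None:
        """The gate: refuse to run a step unless the record sits at it."""
        if self.step is not expected:
            raise GateError(f"{expected.name} attempted while at {self.step.name}")
        if passed:
            self.gates_passed.append(GATE_FOR_STEP[expected])
        self.step = next_step

def categorize(rec: SystemRecord, impact: str) -> None:
    rec.gate(Step.CATEGORIZE, Step.SELECT)
    rec.impact = impact

def select_controls(rec: SystemRecord) -> list:
    rec.gate(Step.SELECT, Step.IMPLEMENT)
    rec.effective = {c: False for c in BASELINE[rec.impact]}
    return sorted(rec.effective)

def implement(rec: SystemRecord) -> None:
    rec.gate(Step.IMPLEMENT, Step.ASSESS)   # configuration work would happen here

def assess(rec: SystemRecord, findings: dict) -> list:
    """findings: control id -> operating as intended; returns the SAR findings."""
    rec.gate(Step.ASSESS, Step.AUTHORIZE)
    for ident in rec.effective:
        rec.effective[ident] = findings.get(ident, False)
    return sorted(i for i, ok in rec.effective.items() if not ok)

def authorize(rec: SystemRecord) -> bool:
    """Authorize only if every control is effective; else loop back to IMPLEMENT
    for remediation (the POA&M path) without passing the gate."""
    ok = all(rec.effective.values())
    rec.gate(Step.AUTHORIZE, Step.MONITOR if ok else Step.IMPLEMENT, passed=ok)
    rec.authorized = ok
    return ok

def monitor(rec: SystemRecord, affected_controls: set) -> bool:
    """Feedback path: a change that touches a selected control sends the record
    back to ASSESS; an unrelated change leaves it in MONITOR."""
    if rec.step is not Step.MONITOR:
        raise GateError(f"MONITOR attempted while at {rec.step.name}")
    hit = sorted(c for c in affected_controls if c in rec.effective)
    for ident in hit:
        rec.effective[ident] = False
    if hit:
        rec.step = Step.ASSESS
    return bool(hit)

def run_scenario() -> dict:
    """Walk one constructed system through the cycle and report what happened."""
    rec = SystemRecord("payroll-portal")
    try:
        implement(rec)              # jumping straight to IMPLEMENT must be refused
        skip_allowed = True
    except GateError:
        skip_allowed = False
    categorize(rec, "moderate")
    selected = select_controls(rec)
    implement(rec)
    weak = assess(rec, {"AC-2": True, "AU-2": True, "CM-3": False})
    first = authorize(rec)          # fails: CM-3 ineffective, back to IMPLEMENT
    implement(rec)
    assess(rec, {"AC-2": True, "AU-2": True, "CM-3": True})
    second = authorize(rec)         # passes: record enters MONITOR
    quiet = monitor(rec, {"PE-3"})  # unrelated change: stays in MONITOR
    loop = monitor(rec, {"CM-3"})   # change hits a control: back to ASSESS
    return {"skip_allowed": skip_allowed, "selected": selected, "weak": weak,
            "first_authorization": first, "second_authorization": second,
            "quiet_change_reassessed": quiet, "control_change_reassessed": loop,
            "final_step": rec.step.name, "gates_passed": rec.gates_passed}
```

The point of the model is the shape of the cycle, not the bookkeeping: `gate` is what makes a step into a review point that can refuse entry, the `passed=False` branch in `authorize` is the POA&M loop back to implementation, and `monitor` returning to ASSESS is the feedback the recap says is mostly missing. Remove either mechanism and the record can only ever sit in MONITOR, which is the "stuck" state the slide describes.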
Comparing the Professionals: Some common ground
Scientist: A scientist is one engaging in a systematic activity to acquire knowledge. Scientists perform research toward increasing understanding of nature, including physical, mathematical and social realms. Scientists use empirical methods to study things.
Engineer: An engineer applies knowledge of applied science and applied mathematics to develop solutions for technical problems. Engineers design materials, structures, technology, inventions, machines and systems. Engineers use ingenuity to create things.
Technician: A technician is a worker in a field of technology who is proficient in the relevant skills and techniques of that technology. Technicians apply methods and skill to build, operate and maintain things.
Manager: One who handles, controls, or directs an activity or other enterprise, including allocation of resources and expenditures. A manager uses qualitative methods to control the build, operation, and maintenance of things.
Comparing the Professionals: A sampling of SE roles – notice the mix
• Chief Engineer/LSE
• Systems Architect/Designer
• Requirements Engineer
• Functional Analyst
• Systems Analyst
• IV&V engineer
• O&M Support Engineers
• Specialty Engineers
Notice the feedback loops
Comparing the Professionals (the RMF / ICD 503)
(The RMF cycle again, with the roles ICD 503 defines around it:)
• Information System Owner
• Information Owner/Steward
• Risk Executive (Function)
• Authorizing Official
• AO Designated Representative
• Chief Information Officer
• Senior Information Security Officer
• Information System Security Officer
• Information Security Architect
• Common Control Provider
• Information System Security Engineer
• Security Control Assessor
ISSE per ICD 503 (RMF)
Information System Security Engineer (ISSE) (or Information Security Architect)
• Identify security controls that are provided by the organization as common controls for organizational information systems and document the controls in a Security Plan.
• Select security controls for the IS.
ISO per ICD 503 (RMF)
Information System Owner (or Program Manager)
• Categorize the IS and document the results in the Security Plan.
• Describe the IS in the Security Plan.
• Register the IS with the appropriate organizational program management offices.
• Select security controls for the IS and document the controls in the Security Plan.
• Develop a strategy for the continuous monitoring of security control effectiveness and any proposed or actual changes to the IS and its operational environment.
• Implement the security controls specified in the Security Plan.
• Document the security control implementation in the Security Plan. Provide a functional description of the control implementation.
• Conduct initial remedial actions on security controls based on the findings and recommendations of the SAR and reassess remediated controls as appropriate.
• Prepare the POA&M based on the findings and recommendations of the SAR, excluding any remedial actions taken.
• Assemble the Security Authorization artifacts and submit them to the Authorizing Official for adjudication.
• Determine the security impact of proposed or actual changes to the IS and its operational environment.
• Conduct remedial actions based on the results of ongoing monitoring activities, risk assessment, and outstanding items in the POA&M.
• Update the Security Plan, security assessment report, and plan of action and milestones based on the results of the continuous monitoring process.
• Report the security status of the information system (including the effectiveness of security controls employed within and inherited by the system) to the AO and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy.
• Implement an information system decommissioning strategy, when needed, which executes required actions when a system, or system component, is removed from service or transferred to another system.
Comparing the Professionals: Recap
• Incomplete models? No V, no gates
• Continuous monitor mentality
• Technician/Manager focus
• BOK is broke
• In systems engineering, there is active leadership from the engineers; in SSE, the ISSEs are primarily advisors
• SEs are pro-active; SSEs react
• SEs are builders; SSEs are advisors to passive risk managers. Risk managers should be pro-active
Next steps?
• NIST SP 800 series evolving (leads the way)
• INCOSE WG is creating a handbook
• NICE
QUESTIONS?