Security Engineering 101

  • Systems Engineering is a discipline of applying knowledge to create or acquire a system that is composed of interrelated elements collaborating for a common purpose throughout the system development life cycle (SDLC), or system life cycle (SLC). A life cycle is a collection of predefined stages and processes.
  • Security Engineering is a specialty discipline of systems engineering. It addresses the protection needs or security requirements throughout the system life cycle.

Source: The Effective CISSP: Security and Risk Management

[Figure: NIST SP 800-160 V1 and ISO 15288]
[Figure: NIST SDLC and RMF]

Development Life Cycle

A life cycle of a subject refers to its lifetime from the cradle to the grave. A development life cycle can be divided into a set of phases, and each phase comprises a number of processes or activities. The term “development” life cycle can be misleading nowadays, because a system or software is not only developed but also delivered to production, maintained, and finally disposed of. Moreover, “development” refers in a broad sense to both make/build and buy/acquisition.

[Figure: System SDLC vs Software SDLC]

Requirements Engineering

Requirements engineering is a discipline of collecting, eliciting, recording, analyzing, specifying, validating, and tracing requirements and managing changes to them.

[Figure: Stakeholder and System Requirements (Source: NIST SP 800-160 V1)]

Design

A design is a solution to the problems or requirements, formulated by disciplinary principles and represented by descriptions, drawings, diagrams, images, models, formulas, and so forth. Architectural design is one of the most significant pieces of design work; the detailed designs follow from it.

Architectural and Design Principles

Model

A very detailed description or scaled representation of one component of a larger system that can be created, operated, and analyzed to predict actual operational characteristics of the final produced component. (FIPS 201)

Architecture

A highly structured specification of an acceptable approach within a framework for solving a specific problem. An architecture contains descriptions of all the components of a selected, acceptable solution while allowing certain details of specific components to be variable to satisfy related constraints (e.g., costs, local environment, user acceptability).

Source: FIPS 201

[Figure: 4+1 Views with appropriate diagrams]

Formal Methods

  • techniques based on well-established mathematical concepts for modelling, calculation, and prediction used in the specification, design, analysis, construction, and assurance of hardware and software systems. (ISO/IEC 29128:2011)
  • Software engineering method used to specify, develop, and verify the software through application of a rigorous mathematically based notation and language. (CNSSI 4009-2015)

[Figure: Common Criteria EAL]

Framework

  • essential supporting or underlying structure (ISO 9001:2008)
  • documented set of guidelines to create a common understanding of the ways of working. (ISO 37500:2014)

Due diligence

Due diligence is a detailed assessment carried out to inform decision making. For example, ISO 37500:2014 (Guidance on outsourcing) defines outsourcing due diligence as the “detailed assessment of one or more business processes or production lines, culture, assets, liabilities, intellectual property, judicial and financial situation in order to make the outsourcing decisions.”