Systems Engineering: Confidence, Trust, and Assurance

Stakeholder and System Requirements (NIST SP 800-160 V1)

Systems engineering is an interdisciplinary approach to producing trustworthy systems as solutions. Such a solution may give stakeholders confidence, trust, or assurance through claims or assertions supported by objective evidence and certified by an independent party.

Assurance is the confidence in the solution based on objective evidence certified by an independent party; trust is the confidence based on assertions by other parties; confidence can be belief or faith shaped without objective evidence.

Systems Engineering

Interdisciplinary approach governing the total technical and managerial effort required to transform a set of stakeholder needs, expectations, and constraints into a solution and to support that solution throughout its life.

Source: NIST SP 800-160 Vol. 1 from ISO/IEC/IEEE 24765

Systems Security Engineering

Systems security engineering is a specialty engineering discipline of systems engineering that applies scientific, mathematical, engineering, and measurement principles, concepts, and methods to coordinate, orchestrate, and direct the activities of various security engineering specialties and other contributing engineering specialties to provide a fully integrated, system-level perspective of system security.

Source: NIST SP 800-160 Vol. 1

Trust

The willingness to take actions expecting beneficial outcomes, based on assertions by other parties.

Source: NIST SP 800-95 from Open Grid Services Architecture Glossary of Terms

Trustworthy Information System

An information system that is believed to be capable of operating within defined levels of risk despite the environmental disruptions, human errors, structural failures, and purposeful attacks that are expected to occur in its environment of operation.

Source: NIST SP 800-37 Rev. 2

Trustworthiness

The attribute of a person or enterprise that provides confidence to others of the qualifications, capabilities, and reliability of that entity to perform specific tasks and fulfill assigned responsibilities.

Source: CNSSI 4009-2015

Trustworthiness (system)

The degree to which an information system (including the information technology components that are used to build the system) can be expected to preserve the confidentiality, integrity, and availability of the information being processed, stored, or transmitted by the system across the full range of threats.

A trustworthy information system is believed to operate within defined levels of risk despite the environmental disruptions, human errors, structural failures, and purposeful attacks that are expected to occur in its environment of operation.

Source: NIST SP 800-53 Rev. 5

Assurance

1. Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy.

Source: NIST SP 800-39 under Assurance from CNSSI 4009

2. Grounds for justified confidence that a claim has been or will be achieved.

Note 1: Assurance is typically obtained relative to a set of specific claims. The scope and focus of such claims may vary (e.g., security claims, safety claims) and the claims themselves may be interrelated.
Note 2: Assurance is obtained through techniques and methods that generate credible evidence to substantiate claims.

Source: NIST SP 800-160 Vol. 1 from ISO/IEC 15026

Assure, Ensure, and Insure

To assure someone is to remove someone’s doubts.
To ensure something is to make sure it happens—to guarantee it.
To insure something or someone is to cover it with an insurance policy.

Source: Grammarly
