Systems Engineering: Confidence, Trust, and Assurance

Stakeholder and System Requirements
Stakeholder and System Requirements (NIST SP 800-160 V1)

Systems Engineering is an interdisciplinary approach to producing trustworthy systems as a solution, which may render confidence, trust, or assurance to stakeholders through claims or assertions supported by objective evidence and certified by an independent party.

Assurance is the confidence in the solution based on objective evidence certified by an independent party; trust is the confidence based on assertions by other parties; confidence can be belief or faith shaped without objective evidence.

Systems Engineering

Interdisciplinary approach governing the total technical and managerial effort required to transform a set of stakeholder needs, expectations, and constraints into a solution and to support that solution throughout its life.

Source: NIST SP 800-160 Vol. 1 from ISO/IEC/IEEE 24765

Systems Security Engineering

Systems security engineering is a specialty engineering discipline of systems engineering that applies scientific, mathematical, engineering, and measurement principles, concepts, and methods to coordinate, orchestrate, and direct the activities of various security engineering specialties and other contributing engineering specialties to provide a fully integrated, system-level perspective of system security.

Source: NIST SP 800-160 Vol. 1

Trust

– The willingness to take actions expecting beneficial outcomes, based on assertions by other parties.

Source: NIST SP 800-95 from Open Grid Services Architecture Glossary of Terms

– Degree to which a user or other stakeholder has confidence that a product or system will behave as intended

Source: ISO/IEC 25010:2011

Trustworthy

– The degree to which the security behavior of a component is demonstrably compliant with its stated functionality.
Source: NSIT SP 800-160 V1

– Trustworthy Information System: An information system that is believed to be capable of operating within defined levels of risk despite the environmental disruptions, human errors, structural failures, and purposeful attacks that are expected to occur in its environment of operation.

Source: NIST SP 800-37 Rev. 2

Trustworthiness

– The attribute of a person or enterprise that provides confidence to others of the qualifications, capabilities, and reliability of that entity to perform specific tasks and fulfill assigned responsibilities.

Source: CNSSI 4009-2015

– Worthy of being trusted to fulfill whatever critical requirements may be needed for a particular component, subsystem, system, network, application, mission, enterprise, or other entity.
Note: From a security perspective, a trustworthy system is a system that meets specific security requirements in addition to meeting other critical requirements.

Source: NIST SP 800-160 V1

– The degree to which an information system (including the information technology components that are used to build the system) can be expected to preserve the confidentiality, integrity, and availability of the information being processed, stored, or transmitted by the system across the full range of threats.
A trustworthy information system is believed to operate within defined levels of risk despite the environmental disruptions, human errors, structural failures, and purposeful attacks that are expected to occur in its environment of operation.

Source: NIST SP 800-53 Rev. 5

Assurance

1. Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy.

Source: NIST SP 800-39 under Assurance from CNSSI 4009

2. Grounds for justified confidence that a claim has been or will be achieved.

Note 1: Assurance is typically obtained relative to a set of specific claims. The scope and focus of such claims may vary (e.g., security claims, safety claims) and the claims themselves may be interrelated.
Note 2: Assurance is obtained through techniques and methods that generate credible evidence to substantiate claims.

Source: NIST SP 800-160 Vol. 1 from ISO/IEC 15026

Assure, Ensure, and Insure

To assure someone is to remove someone’s doubts.
To ensure something is to make sure it happens—to guarantee it.
To insure something or someone is to cover it with an insurance policy.

Source: Grammarly

Leave a Reply