Bob Marchant Sotera Defense Solutions


A comparison of Systems Engineering
and Security Engineering
practices and professionals
Or maybe a commercial for the INCOSE working group!
BIO
 35 years of engineering experience
 27 years in Systems Engineering
 20+ years in Security Engineering
 BSCS, MBA, ABD PhD (IST)
 CDP, GSEC, CISSP, ISSEP, DTM
 SE (adult ed certified) trainer
 Process Champion (IPPD, CMMI)
Outline
 Issues
 Possible Causes
 Comparing the Cycles
 SDLC/RMF
 Lust to Dust (all dust no lust)
 Comparing the Professionals
 Next Steps
So what's the issue?
 Security Engineering struggling
 Consistent complaint of lack of involvement!
 Active INCOSE WG
 New Standards evolving
 Extremely broad BOK (very little build focus)
 CISSP – 10 categories from physical to crypto
 ISSEP – 4 categories
 Discipline struggles to maintain currency
Possible causes
and is systems engineering the cure?
 Incomplete Models?
 No V
 No Gates
 Continuous monitor mentality
 Technician/Manager focus
 BOK is Broke
Comparing the Cycles
The familiar one(s)
Comparing the Cycles
In a simpler form
Definition
Design
Development
Deployment
Operations
Retirement
Comparing the Cycles
The Security Engineering forms
• Viewed by many models/frameworks
– IATF
– RMF
– ISO
– Custom
• Let’s look at NIST
Regardless – it is all about
Risk Management
Comparing the Cycles
The RMF
(Figure: the six-step RMF cycle. CATEGORIZE is the starting point; MONITOR feeds back into it.)
• CATEGORIZE Information System – Define criticality/sensitivity of the information system according to potential worst-case, adverse impact to mission/business.
• SELECT Security Controls – Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
• IMPLEMENT Security Controls – Implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings.
• ASSESS Security Controls – Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting the security requirements for the information system).
• AUTHORIZE Information System – Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
• MONITOR Security Controls – Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
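Added example (not from the slides or from NIST): the CATEGORIZE and SELECT steps above made concrete, together with the MONITOR feedback the later slides say is missing in practice. "Worst-case adverse impact" is the FIPS 199 high-water mark: per security objective take the highest impact over all information types the system handles, then take the highest objective as the overall category. The control identifiers are SP 800-53 names, but the baseline allocation in SAMPLE_BASELINES is a constructed sample for illustration, not the published baseline tables, and the information types are constructed.

```python
from dataclasses import dataclass

# FIPS 199 impact levels, ranked so max() picks the worst case.
IMPACT_RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type the system handles, with its provisional impact per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for obj in OBJECTIVES:
            if getattr(self, obj) not in IMPACT_RANK:
                raise ValueError(f"{self.name}: bad {obj} level {getattr(self, obj)!r}")


def worst(levels):
    """Highest impact level in an iterable of level names."""
    return max(levels, key=IMPACT_RANK.__getitem__)


def categorize(info_types):
    """CATEGORIZE (FIPS 199 high-water mark): per objective, the worst case over all
    information types; overall, the worst case over the three objectives.
    Returns (per_objective, overall)."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    per_objective = {obj: worst([getattr(t, obj) for t in info_types]) for obj in OBJECTIVES}
    return per_objective, worst(per_objective.values())


# Constructed sample baselines (cumulative: HIGH contains MODERATE contains LOW).
# The identifiers are SP 800-53 control names, but this allocation is illustrative
# and is NOT the published baseline tables.
SAMPLE_BASELINES = {
    "LOW": {"AC-2", "AU-2", "IA-2", "SC-7"},
    "MODERATE": {"AC-2", "AC-2(1)", "AU-2", "AU-6", "IA-2", "IA-2(1)", "SC-7", "SC-8"},
    "HIGH": {"AC-2", "AC-2(1)", "AC-2(2)", "AU-2", "AU-6", "AU-6(1)",
             "IA-2", "IA-2(1)", "SC-7", "SC-7(5)", "SC-8", "SC-8(1)"},
}


def select_controls(overall, tailor_out=frozenset(), supplement=frozenset()):
    """SELECT: start from the baseline for the overall category, then tailor.
    Tailoring out a control that is not in the baseline is rejected so the
    tailoring record stays honest."""
    baseline = set(SAMPLE_BASELINES[overall])
    bogus = set(tailor_out) - baseline
    if bogus:
        raise ValueError(f"cannot tailor out controls not in baseline: {sorted(bogus)}")
    return (baseline - set(tailor_out)) | set(supplement)


def assess_change(current_types, new_type, current_controls):
    """MONITOR feedback: a proposed change (a new information type) is run back
    through CATEGORIZE and SELECT instead of being absorbed silently.
    Returns (old category, new category, controls the change newly requires)."""
    _, before = categorize(current_types)
    _, after = categorize(list(current_types) + [new_type])
    required = select_controls(after)
    return before, after, sorted(required - set(current_controls))


if __name__ == "__main__":
    # Constructed sample system: two information types, MODERATE overall.
    types = [InfoType("public web content", "LOW", "MODERATE", "LOW"),
             InfoType("internal schedules", "MODERATE", "MODERATE", "LOW")]
    per_obj, overall = categorize(types)
    controls = select_controls(overall)
    print(per_obj, overall, sorted(controls))
    # A change during O&M: the system starts holding HIGH-confidentiality data.
    # The high-water mark moves the whole system to HIGH and adds controls.
    print(assess_change(types, InfoType("PII", "HIGH", "MODERATE", "LOW"), controls))
```

The point of assess_change is the feedback the recap slide complains about: a change in MONITOR re-enters CATEGORIZE and SELECT and produces a concrete delta (the category moves and specific controls are newly required), which is the artifact a gate review can act on, rather than a note in a continuous-monitoring log.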
Comparing the Cycles
Both
(Figure: the simple SDLC phases – Definition, Design, Development, Deployment, Operations, Retirement – overlaid on the six RMF steps, CATEGORIZE at the starting point. Step descriptions as on the previous slide.)
From Concept to Creation
WITH GATES AND REVIEWS !!!
(Figure: MISSION and the real world, captured in ICDs, CONOPS, specs and docs, used to create the SYSTEM, which is built as a conceptual model.)
Comparing the Cycles
Where are the gates?
Where's the focus?
(Figure: the RMF cycle annotated with SE review milestones. Read in lifecycle order the annotations are: CATEGORIZE – starting point, post SDR; SELECT – post PDR; IMPLEMENT – post CDR; ASSESS – before TRR; AUTHORIZE – before AT; MONITOR – O&M. Step descriptions as on the earlier RMF slide.)
Comparing the Cycles
Recap
 SSE has a cycle but no feedback
 In theory yes, in practice – mostly no
 SSE has a cycle but no real gates
 In practice triage, IATT, some form of AO
 SSE is driven by the CDLC
 The SSE cycle is stuck in Monitor most of the time
Comparing the professionals
Some common ground
 Scientist: A scientist is one engaging in a systematic activity to acquire
knowledge. Scientists perform research toward increasing
understanding of nature, including physical, mathematical and social
realms. Scientists use empirical methods to study things.
 Engineer: An engineer applies knowledge of applied science and
applied mathematics to develop solutions for technical problems.
Engineers design materials, structures, technology, inventions,
machines and systems. Engineers use ingenuity to create things.
 Technician: A technician is a worker in a field of technology who is
proficient in the relevant skills and techniques of that technology.
Technicians apply methods and skill to build, operate and maintain
things.
 Manager: One who handles, controls, or directs an activity or other
enterprise, including allocation of resources and expenditures. A
manager uses qualitative methods to control the build, operation, and
maintenance of things.
Comparing the Professionals
A sampling of SE - notice the mix
(Figure: the roles below arranged around the lifecycle; notice the feedbacks.)
• Chief Engineer/LSE
• Systems Architect/Designer
• Requirements Engineer
• Functional Analyst
• Systems Analyst
• IV&V engineer
• O&M Support Engineers
• Specialty Engineers
Comparing the Professionals
(The RMF/ICD 503)
(Figure: the RMF cycle as on the earlier slide, with the ICD 503 roles listed beside it.)
• Information System Owner
• Information Owner/Steward
• Risk Executive (Function)
• Authorizing Official
• AO Designated Representative
• Chief Information Officer
• Senior Information Security Officer
• Information System Security Officer
• Information Security Architect
• Common Control Provider
• Information System Security Engineer
• Security Control Assessor
ISSE per ICD 503 (RMF)
 Information System Security Engineer (ISSE)
 (or Information Security Architect)
 Identify security controls that are provided by the
organization as common controls for organizational
information systems and document the controls in a
Security Plan.
 Select security controls for the IS.
ISO per ICD 503 (RMF)
 Information System Owner (or Program Manager)
 Categorize the IS and document the results in the Security Plan.
 Describe the IS in the Security Plan.
 Register the IS with the appropriate organizational program management offices.
 Select security controls for the IS and document the controls in the Security Plan.
 Develop a strategy for the continuous monitoring of security control effectiveness and any proposed or actual changes to the IS and its operational environment.
 Implement the security controls specified in the Security Plan.
 Document the security control implementation in the Security Plan. Provide a functional description of the control implementation.
 Conduct initial remedial actions on security controls based on the findings and recommendations of the SAR and reassess remediated controls as appropriate.
 Prepare the POA&M based on the findings and recommendations of the SAR excluding any remedial actions taken.
 Assemble the Security Authorization artifacts and submit to the Authorizing Official for adjudication.
 Determine the security impact of proposed or actual changes to the IS and its operational environment.
 Conduct remedial actions based on the results of ongoing monitoring activities, risk assessment, and outstanding items in the POA&M.
 Update the Security Plan, security assessment report, and plan of action and milestones based on the results of the continuous monitoring process.
 Report the security status of the information system (including the effectiveness of security controls employed within and inherited by the system) to the AO and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy.
 Implement an information system decommissioning strategy, when needed, which executes required actions when a system, or system component, is removed from service or transferred to another system.
Comparing the Professionals
RECAP
 Incomplete Models?
 No V
 No Gates
 Continuous monitor mentality
 Technician/Manager focus
 BOK is Broke
 In systems engineering, there is active leadership from the
engineers
 In SSE, the ISSEs are primarily advisors
 SEs are pro-active
 SSEs react
 SEs are builders; SSEs are advisors to passive risk managers
 Risk managers should be pro-active
Next steps?
 NIST SP800 series evolving (leads the way)
 INCOSE WG is creating handbook
 NICE
QUESTIONS?