A comparison of Systems Engineering and Security Engineering practices and professionals Or maybe a commercial for the INCOSE working group!

Presentation transcript:

BIO
35 years of engineering experience: 27 in Systems Engineering, 20+ in Security Engineering
BSCS, MBA, ABD PhD (IST)
CDP, GSEC, CISSP, ISSEP, DTM
SE trainer (adult ed certified)
Process Champion (IPPD, CMMI)

Outline
Issues
Possible Causes
Comparing the Cycles: SDLC/RMF, Lust to Dust (all dust, no lust)
Comparing the Professionals
Next Steps

So what's the issue?
Security Engineering is struggling
Consistent complaint of lack of involvement!
Active INCOSE WG
New standards evolving
Extremely broad BOK (very little build focus): CISSP – 10 categories from physical to crypto; ISSEP – 4 categories
Discipline struggles to maintain currency

Possible causes, and is systems engineering the cure?
Incomplete models?
No V
No gates
Continuous-monitor mentality
Technician/Manager focus
BOK is broke

Comparing the Cycles: the familiar one(s)

Comparing the Cycles: in a simpler form
Definition, Design, Development, Deployment, Operations, Retirement

Comparing the Cycles: the Security Engineering forms
Regardless of form, it is all about Risk Management
Viewed through many models/frameworks – IATF – RMF – ISO – Custom
Let's look at NIST

Comparing the Cycles: the RMF
Starting point: CATEGORIZE Information System. Define criticality/sensitivity of the information system according to potential worst-case adverse impact to mission/business.
SELECT Security Controls. Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
IMPLEMENT Security Controls. Implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings.
ASSESS Security Controls. Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for the information system).
AUTHORIZE Information System. Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
MONITOR Security Controls. Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
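The Categorize and Select steps are the one part of the RMF that is a defined computation rather than judgement: FIPS 199 rates confidentiality, integrity and availability for each information type a system handles, the system's rating for each objective is the highest rating across its information types (the "worst-case" wording on the slide), and FIPS 200 takes the high-water mark across the three objectives to pick the SP 800-53 low/moderate/high baseline that Select then tailors. The Python below is an added example, not code from this presentation; the information types and their impact ratings are constructed sample data.

```python
"""FIPS 199 categorization with worst-case (high-water mark) aggregation.
Added example; the information types and ratings are constructed, not from
any real system."""
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class InfoType:
    """One information type with its FIPS 199 impact rating per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _max_level(levels):
    # Highest impact level by rank (low < moderate < high).
    return max(levels, key=RANK.__getitem__)


def categorize(info_types):
    """Return {objective: level}: for each of C/I/A, the highest rating across
    all information types the system processes (FIPS 199 aggregation)."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for t in info_types:
        for lvl in (t.confidentiality, t.integrity, t.availability):
            if lvl not in RANK:
                raise ValueError(f"{t.name}: unknown impact level {lvl!r}")
    return {
        "confidentiality": _max_level(t.confidentiality for t in info_types),
        "integrity": _max_level(t.integrity for t in info_types),
        "availability": _max_level(t.availability for t in info_types),
    }


def system_impact(category):
    """High-water mark across the three objectives (FIPS 200); this single
    level selects the SP 800-53 low/moderate/high control baseline."""
    return _max_level(category.values())


def format_sc(system_name, category):
    """Render in FIPS 199 notation: SC name = {(C, x), (I, y), (A, z)}."""
    return (
        f"SC {system_name} = "
        f"{{(confidentiality, {category['confidentiality'].upper()}), "
        f"(integrity, {category['integrity'].upper()}), "
        f"(availability, {category['availability'].upper()})}}"
    )


# Constructed sample: a hypothetical mission-planning system. Note that no
# single type is rated high on every objective, yet the system lands at high.
SAMPLE_TYPES = [
    InfoType("public notices", "low", "moderate", "low"),
    InfoType("personnel records", "moderate", "moderate", "low"),
    InfoType("mission schedules", "moderate", "high", "moderate"),
]

if __name__ == "__main__":
    cat = categorize(SAMPLE_TYPES)
    print(format_sc("mission-planning", cat))
    print("baseline:", system_impact(cat))
```

The point the aggregation makes for the gate discussion later in the deck: a single high-integrity information type drags the whole system to the high baseline, so the Categorize decision (and therefore the cost of every later step) is settled at the Definition stage, before any design exists. The baseline is only a starting point; the Select step still tailors and supplements it from the risk assessment.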

Comparing the Cycles: both
The six RMF steps (Categorize, Select, Implement, Assess, Authorize, Monitor) overlaid on the SE life cycle (Definition, Design, Development, Deployment, Operations, Retirement)

From Concept to Creation, WITH GATES AND REVIEWS!!!
MISSION and Real World, captured in a Conceptual Model (ICDs, CONOPS, Specs, Docs), used to create the SYSTEM, built as specified

Comparing the Cycles: where's the gates? Where's the focus?
SE gates placed on the RMF steps: Categorize – Post SDR; Select – Post PDR; Implement – Post CDR; Assess – Before TRR; Authorize – Before AT; Monitor – O&M

Comparing the Cycles: recap
SSE has a cycle but no feedback (in theory yes, in practice mostly no)
SSE has a cycle but no real gates (in practice: triage, IATT, some form of AO)
SSE is driven by the CDLC
The SSE cycle is stuck in Monitor most of the time

Comparing the Professionals: some common ground
Scientist: one engaging in a systematic activity to acquire knowledge. Scientists perform research toward increasing understanding of nature, including the physical, mathematical and social realms. Scientists use empirical methods to study things.
Engineer: one who applies knowledge of applied science and applied mathematics to develop solutions for technical problems. Engineers design materials, structures, technology, inventions, machines and systems. Engineers use ingenuity to create things.
Technician: a worker in a field of technology who is proficient in the relevant skills and techniques of that technology. Technicians apply methods and skill to build, operate and maintain things.
Manager: one who handles, controls, or directs an activity or other enterprise, including allocation of resources and expenditures. A manager uses qualitative methods to control the build, operation, and maintenance of things.

Comparing the Professionals: a sampling of SE roles (notice the mix)
Chief Engineer/LSE, Systems Architect/Designer, Requirements Engineer, Functional Analyst, Systems Analyst, IV&V Engineer, O&M Support Engineers, Specialty Engineers
Notice the feedbacks

Comparing the Professionals (the RMF/ICD 503)
Roles placed on the six RMF steps: Information System Owner, Information Owner/Steward, Risk Executive (Function), Authorizing Official, AO Designated Representative, Chief Information Officer, Senior Information Security Officer, Information System Security Officer, Information Security Architect, Common Control Provider, Information System Security Engineer, Security Control Assessor

ISSE per ICD 503 (RMF)
Information System Security Engineer (ISSE) (or Information Security Architect):
Identify security controls that are provided by the organization as common controls for organizational information systems and document the controls in a Security Plan.
Select security controls for the IS.

ISO per ICD 503 (RMF)
Information System Owner (or Program Manager):
Categorize the IS and document the results in the Security Plan.
Describe the IS in the Security Plan.
Register the IS with the appropriate organizational program management offices.
Select security controls for the IS and document the controls in the Security Plan.
Develop a strategy for the continuous monitoring of security control effectiveness and any proposed or actual changes to the IS and its operational environment.
Implement the security controls specified in the Security Plan.
Document the security control implementation in the Security Plan; provide a functional description of the control implementation.
Conduct initial remedial actions on security controls based on the findings and recommendations of the SAR and reassess remediated controls as appropriate.
Prepare the POA&M based on the findings and recommendations of the SAR, excluding any remedial actions taken.
Assemble the Security Authorization artifacts and submit to the Authorizing Official for adjudication.
Determine the security impact of proposed or actual changes to the IS and its operational environment.
Conduct remedial actions based on the results of ongoing monitoring activities, risk assessment, and outstanding items in the POA&M.
Update the Security Plan, security assessment report, and plan of action and milestones based on the results of the continuous monitoring process.
Report the security status of the information system (including the effectiveness of security controls employed within and inherited by the system) to the AO and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy.
Implement an information system decommissioning strategy, when needed, which executes required actions when a system, or system component, is removed from service or transferred to another system.

Comparing the Professionals: recap
Incomplete models? No V, no gates, continuous-monitor mentality, Technician/Manager focus, BOK is broke
In systems engineering, there is active leadership from the engineers; in SSE, the ISSEs are primarily advisors
SEs are proactive; SSEs react
SEs are builders; SSEs are advisors to passive risk managers
Risk managers should be proactive

Next steps?
NIST SP 800 series evolving (leads the way)
INCOSE WG is creating a handbook
NICE
QUESTIONS?