
A comparison of Systems Engineering and Security Engineering practices and professionals Or maybe a commercial for the INCOSE working group!


1 A comparison of Systems Engineering and Security Engineering practices and professionals Or maybe a commercial for the INCOSE working group!

2 BIO
35 years engineering experience
27 in Systems Engineering
20+ in Security Engineering
BSCS, MBA, ABD PhD (IST)
CDP, GSEC, CISSP, ISSEP, DTM
SE trainer (adult ed certified)
Process Champion (IPPD, CMMI)

3 Outline
Issues
Possible causes
Comparing the cycles: SDLC/RMF, lust to dust (all dust, no lust)
Comparing the professionals
Next steps

4 So what's the issue?
Security Engineering is struggling
Consistent complaint of lack of involvement!
Active INCOSE WG
New standards evolving
Extremely broad BOK (very little build focus)
CISSP: 10 categories, from physical to crypto
ISSEP: 4 categories
Discipline struggles to maintain currency

5 Possible causes, and is systems engineering the cure?
Incomplete models?
No V
No gates
Continuous-monitor mentality
Technician/manager focus
BOK is broke

6 Comparing the Cycles: The familiar one(s)

7 Comparing the Cycles: In a simpler form
Definition, Design, Development, Deployment, Operations, Retirement

8 Comparing the Cycles: The Security Engineering forms
Regardless of form, it is all about risk management
Viewed through many models/frameworks: IATF, RMF, ISO, custom
Let's look at NIST

9 Comparing the Cycles: The RMF
Starting point: CATEGORIZE Information System. Define criticality/sensitivity of the information system according to potential worst-case adverse impact to mission/business.
SELECT Security Controls. Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
IMPLEMENT Security Controls. Implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings.
ASSESS Security Controls. Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for the information system).
AUTHORIZE Information System. Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
MONITOR Security Controls. Continuously track changes to the information system that may affect security controls and reassess control effectiveness.

10 Comparing the Cycles: Both
(RMF cycle of slide 9, CATEGORIZE through MONITOR, shown alongside the simpler SE cycle: Definition, Design, Development, Deployment, Operations, Retirement)

11 From Concept to Creation, WITH GATES AND REVIEWS!!!
(Diagram: the MISSION and real world are captured in a conceptual model (ICDs, CONOPS, specs, docs), which is used to create the SYSTEM it is built as)

12 Comparing the Cycles: Where's the gates? Where's the focus?
(RMF cycle of slide 9, CATEGORIZE through MONITOR, with SE gates overlaid: Post SDR, Post PDR, Post CDR, Before TRR, Before AT, O&M)

13 Comparing the Cycles: Recap
SSE has a cycle but no feedback (in theory yes, in practice mostly no)
SSE has a cycle but no real gates (in practice: triage, IATT, some form of AO)
SSE is driven by the CDLC
The SSE cycle is stuck in Monitor most of the time

14 Comparing the Professionals: Some common ground
Scientist: A scientist is one engaging in a systematic activity to acquire knowledge. Scientists perform research toward increasing understanding of nature, including physical, mathematical and social realms. Scientists use empirical methods to study things.
Engineer: An engineer applies knowledge of applied science and applied mathematics to develop solutions for technical problems. Engineers design materials, structures, technology, inventions, machines and systems. Engineers use ingenuity to create things.
Technician: A technician is a worker in a field of technology who is proficient in the relevant skills and techniques of that technology. Technicians apply methods and skill to build, operate and maintain things.
Manager: One who handles, controls, or directs an activity or other enterprise, including allocation of resources and expenditures. A manager uses qualitative methods to control the build, operation, and maintenance of things.

15 Comparing the Professionals: A sampling of SE roles (notice the mix)
Chief Engineer/LSE
Systems Architect/Designer
Requirements Engineer
Functional Analyst
Systems Analyst
IV&V Engineer
O&M Support Engineers
Specialty Engineers
Notice the feedback loops

16 Comparing the Professionals (The RMF/ICD 503)
(RMF cycle of slide 9, CATEGORIZE through MONITOR, with the RMF roles overlaid:)
Information System Owner
Information Owner/Steward
Risk Executive (Function)
Authorizing Official
AO Designated Representative
Chief Information Officer
Senior Information Security Officer
Information System Security Officer
Information Security Architect
Common Control Provider
Information System Security Engineer
Security Control Assessor

17 ISSE per ICD 503 (RMF)
Information System Security Engineer (ISSE) (or Information Security Architect):
Identify security controls that are provided by the organization as common controls for organizational information systems and document the controls in a Security Plan.
Select security controls for the IS.

18 ISO per ICD 503 (RMF)
Information System Owner (or Program Manager):
Categorize the IS and document the results in the Security Plan.
Describe the IS in the Security Plan.
Register the IS with the appropriate organizational program management offices.
Select security controls for the IS and document the controls in the Security Plan.
Develop a strategy for the continuous monitoring of security control effectiveness and any proposed or actual changes to the IS and its operational environment.
Implement the security controls specified in the Security Plan.
Document the security control implementation in the Security Plan.
Provide a functional description of the control implementation.
Conduct initial remedial actions on security controls based on the findings and recommendations of the SAR and reassess remediated controls as appropriate.
Prepare the POA&M based on the findings and recommendations of the SAR, excluding any remedial actions taken.
Assemble the Security Authorization artifacts and submit them to the Authorizing Official for adjudication.
Determine the security impact of proposed or actual changes to the IS and its operational environment.
Conduct remedial actions based on the results of ongoing monitoring activities, risk assessment, and outstanding items in the POA&M.
Update the Security Plan, security assessment report, and plan of action and milestones based on the results of the continuous monitoring process.
Report the security status of the information system (including the effectiveness of security controls employed within and inherited by the system) to the AO and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy.
Implement an information system decommissioning strategy, when needed, which executes required actions when a system, or system component, is removed from service or transferred to another system.

19 Comparing the Professionals: RECAP
Incomplete models? No V, no gates, continuous-monitor mentality, technician/manager focus, BOK is broke
In systems engineering, there is active leadership from the engineers
In SSE, the ISSEs are primarily advisors
SEs are proactive; SSEs react
SEs are builders; SSEs are advisors to passive risk managers
Risk managers should be proactive

20 Next steps?
NIST SP 800 series evolving (leads the way)
INCOSE WG is creating a handbook
NICE
QUESTIONS?
