Presentation is loading. Please wait.

Presentation is loading. Please wait.

Key System Engineering Processes for (Cost) Effective Cyber Security in a Dynamic Threat Environment. Kevin Stoffell September 11, 2015.

Published byGregory Lee Bruce Modified over 9 years ago

Similar presentations

Presentation on theme: "Key System Engineering Processes for (Cost) Effective Cyber Security in a Dynamic Threat Environment. Kevin Stoffell September 11, 2015."— Presentation transcript:

1 Key System Engineering Processes for (Cost) Effective Cyber Security in a Dynamic Threat Environment. Kevin Stoffell September 11, 2015

2 Introduction  Cyber Environment Challenges  Cyber Engineering as a Specialty  Effectiveness of Cyber Security Measures  High value return SE activities  Summary  Resources  Questions

3 Cyber Environment Challenges  Speed/Flexibility of change requirements are generated by the dynamic Cyber environment.  Complexity of system/component interactions  Frequency of component refresh/update  Time/Resource constraints for security requirements in software/IT development  Inherent limitations in end-user operator skills

4 Cyber Engineering as a Specialty  Cyber Security vs. Information Assurance vs. Computer Security  Information System Security Engineering Often incorrectly applied to System Administrators and technicians.  “Cyber Security Engineering is simply System Engineering with a healthy does of paranoia.”

5 Effectiveness of Cyber Security Measures  Confidentiality, Integrity, Availability  Common Trade-off decision conflicts Confidentiality vs. cost/schedule/performance Availability vs. cost/schedule/performance  Security requirements as functional requirements  Security requirements as design constraints

6 High Value Return SE Activities

7 Human Resource Management  Quality Cyber Security Professionals are costly  Continuous Training/Education is required  Individual skills are inherently constrained Grow your own customized skill sets  Intellectual engagement is critical for retention

8 Configuration Management  Configuration Item selection can be challenging NOT asset management  Change process must allow for rapid changes  Impact Analysis prior to change is critical  Post-Change follow-up and testing  Audit, Audit, Audit

9 Risk Management  Critical for cost management  Avoid the ‘solid gold wall’  Requires intelligence input to be effective  Critical tie-ins to: Human Resource Management Configuration Management Requirements Analysis Architectural Design Maintenance

10 Requirement Analysis/Architectural Design  Careful allocation of functional requirements is critical Challenge: Avoiding overlaps and gaps.  Must support and coordinate with: Rapid Configuration Management Verification/Validation Maintenance Human Resource Management

11 Verification/Validation  Documented test procedures are critical  Must be highly automated  Must Support Rapid Verification/Validation after change Configuration Management Audits Human Resource capabilities Continuous Monitoring during Maintenance phases

12 Maintenance  “Sustain a Capability to Provide a Service”  Cyber maintenance is distinctly different from physical world maintenance Continuous Monitoring  Challenge: Overburdening of Maintenance (monitoring) requirements on staff results in degradation of capability  Personnel discipline during troubleshooting/repair activities to support Configuration Management  Access to appropriate human skill sets critical

13 Summary  Cyber Environment Challenges  Cyber Engineering as a Specialty  Effectiveness of Cyber Security Measures

14 Resources  INCOSE Systems Engineering Handbook version 3.2.1  National Institute of Standards and Technology Special Publication 800-37 Rev 1, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach”  National Institute of Standards and Technology Special Publication 800-53 Rev 3, “Recommended Security Controls for Federal Information Systems and Organizations”  Department of Defense Instruction 8500.2, “Information Assurance Implementation”  Project Management Institute, “Project Management Body of Knowledge (PMBOK)” Fourth Edition.  Information Assurance Technical Framework ver 3.1, National Security Agency

15 QUESTIONS?

Download ppt "Key System Engineering Processes for (Cost) Effective Cyber Security in a Dynamic Threat Environment. Kevin Stoffell September 11, 2015."

Similar presentations

Software Quality Assurance Plan

Software Quality Assurance Plan
1 PROJECT MANAGEMENT ROLE OF KEY PERSONNEL Bernd Madauss International Space University Strasbourg February, 2011

1 PROJECT MANAGEMENT ROLE OF KEY PERSONNEL Bernd Madauss International Space University Strasbourg February, 2011
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
Software Modeling SWE5441 Lecture 3 Eng. Mohammed Timraz

Software Modeling SWE5441 Lecture 3 Eng. Mohammed Timraz
ORGANIZATION. 2 Purchasing & Inventory Assessment Occurrence Management Information Management Process Improvement Customer Service Facilities & Safety.

ORGANIZATION. 2 Purchasing & Inventory Assessment Occurrence Management Information Management Process Improvement Customer Service Facilities & Safety.
Prepared for: DISA September 17, 2003 Establishing a Government Information Security System Presented to the IT AND COMMUNICATIONS SYSTEMS SECURITY CONFERENCE.

Prepared for: DISA September 17, 2003 Establishing a Government Information Security System Presented to the IT AND COMMUNICATIONS SYSTEMS SECURITY CONFERENCE.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Adopt & Adapt Tips on Enterprise Data Management Annette Pence September 10, 2009 MITRE.

Adopt & Adapt Tips on Enterprise Data Management Annette Pence September 10, 2009 MITRE.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
1 IS112 – Chapter 1 Notes Computer Organization and Programming Professor Catherine Dwyer Fall 2005.

1 IS112 – Chapter 1 Notes Computer Organization and Programming Professor Catherine Dwyer Fall 2005.
Security Offering. Cyber Security Solutions 2 Assessment Analysis & Planning Design & Architecture Development & Implementation O&M Critical Infrastructure.

Security Offering. Cyber Security Solutions 2 Assessment Analysis & Planning Design & Architecture Development & Implementation O&M Critical Infrastructure.
Managing the Information Technology Resource Course Introduction.

Managing the Information Technology Resource Course Introduction.
Sylnovie Merchant, Ph.D MIS 210 Fall 2004 Lecture 1: The Systems Analyst Project Management MIS 210 Information Systems I.

Sylnovie Merchant, Ph.D MIS 210 Fall 2004 Lecture 1: The Systems Analyst Project Management MIS 210 Information Systems I.
Purpose of the Standards

Purpose of the Standards
Systems Engineering Approach to MPS Risk Management Kelly Mahoney Presented at the Workshop for Machine Protection in Linear Accelerators.

Systems Engineering Approach to MPS Risk Management Kelly Mahoney Presented at the Workshop for Machine Protection in Linear Accelerators.
1 ECE 453 – CS 447 – SE 465 Software Testing & Quality Assurance Case Studies Instructor Paulo Alencar.

1 ECE 453 – CS 447 – SE 465 Software Testing & Quality Assurance Case Studies Instructor Paulo Alencar.
INCOSE 1 st reactions. One other area that struck me has the sheer number of levels of proficiency—in ours we are going with 5 and the first one is limited.

INCOSE 1 st reactions. One other area that struck me has the sheer number of levels of proficiency—in ours we are going with 5 and the first one is limited.
Configuration Management for Transportation Management Systems Establishing and Maintaining System Integrity.

Configuration Management for Transportation Management Systems Establishing and Maintaining System Integrity.
Compliance System Validation - An Audit Based Approach December 2012 Uday Gulvadi, CPA, CIA, CISA, CAMS Director - Internal Audit, Risk and Compliance.

Compliance System Validation - An Audit Based Approach December 2012 Uday Gulvadi, CPA, CIA, CISA, CAMS Director - Internal Audit, Risk and Compliance.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Similar presentations

Ads by Google