NIST 800-171 - Security Engineering Principles (3.13.2)


Overview:
Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.


Action Items:
3.13.2[a]
Determine if: architectural designs that promote effective information security are identified.


3.13.2[b]
Determine if: software development techniques that promote effective information security are identified.


3.13.2[c]
Determine if: systems engineering principles that promote effective information security are identified.


3.13.2[d]
Determine if: identified architectural designs that promote effective information security are employed.


3.13.2[e]
Determine if: identified software development techniques that promote effective information security are employed.


3.13.2[f]
Determine if: identified systems engineering principles that promote effective information security are employed.


POTENTIAL ASSESSMENT METHODS AND OBJECTS


1) Examine: Security planning policy; procedures addressing system security plan development and implementation; procedures addressing system security plan reviews and updates; enterprise architecture documentation; system security plan; records of system security plan reviews and updates; system and communications protection policy; procedures addressing security engineering principles used in the specification, design, development, implementation, and modification of the system; security architecture documentation; security requirements and specifications for the system; system design documentation; system configuration settings and associated documentation; other relevant documents or records.


2) Interview: Personnel with responsibility for determining information system security requirements; personnel with information system design, development, implementation, and modification responsibilities; personnel with security planning and system security plan implementation responsibilities; personnel with information security responsibilities.


3) Test: Organizational processes for system security plan development, review, update, and approval; mechanisms supporting the system security plan; processes for applying security engineering principles in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of security engineering principles in information system specification, design, development, implementation, and modification.


Related Documents (document name and content will vary by organization):
1) Security planning policy
2) procedures addressing system security plan development and implementation
3) procedures addressing system security plan reviews and updates
4) enterprise architecture documentation
5) system security plan
6) records of system security plan reviews and updates
7) system and communications protection policy
8) procedures addressing security engineering principles used in the specification, design, development, implementation, and modification of the system
9) security architecture documentation
10) security requirements and specifications for the system
11) system design documentation
12) system configuration settings and associated documentation
13) other relevant documents or records


Additional Guidance:
Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.


Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions. NIST Special Publication 800-160 provides guidance on systems security engineering.



Article ID: 194
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/nist-800-171-security-engineering-principles-3-13-2-194.html