Security by Design and NIST 800-160, Part 2: Life Cycle Processes

Security by Design and NIST 800-160, Part 2: Life Cycle Processes

NIST 800-160 Volume 1 features many guidelines of interest to cybersecurity experts looking to boost their defenses through security by design. As we saw in the first post in this series, the key principles of this document provide a good footing for security. Next, let’s take a look at how the security design principles laid out in chapter three can help your organization position itself well to minimize risk and have a resilient cybersecurity and information security program.

The Foundation: Systems and Software Engineering

The basis for chapter three comes from ISO/IEC/IEEE 15288 Systems and Software Engineering — System Life Cycle Process. This standard outlines processes and terminology from an engineering perspective. This security by design viewpoint is important because it gets different stakeholders talking to each other. Remember, speaking a common language is critical to any successful cybersecurity program. And ultimately, we want to use ISO/IEC/IEEE 15288 to achieve customer satisfaction, so both groups are working toward the same goal.

The systems life cycle process includes four families:

Agreement processes
Organizational project-enabling processes
Technical management processes
Technical processes

This piece gives an overview of the first two families, agreement and organizational project-enabling processes.

One of the keys to applying these processes is to understand that they do not necessarily map to a specific stage in the system life cycle. Rather, they can be recursive, iterative, concurrent, parallel or have sequenced execution. By de ..

Support the originator by clicking the read the rest link below.