Bob Marchant, Sotera Defense Solutions. A comparison of Systems Engineering and Security Engineering practices and professionals. Or maybe a commercial for the INCOSE working group!
BIO • 35 years engineering experience • 27 in Systems Engineering • 20+ in Security Engineering • BSCS, MBA, ABD PhD (IST) • CDP, GSEC, CISSP, ISSEP, DTM • SE (adult ed certified) trainer • Process Champion (IPPD, CMMI)
Outline • Issues • Possible Causes • Comparing the Cycles • SDLC/RMF • Lust to Dust (all dust no lust) • Comparing the Professionals • Next Steps
So what's the issue? • Security Engineering is struggling • Consistent complaint of lack of involvement! • Active INCOSE WG • New standards evolving • Extremely broad BOK (very little build focus) • CISSP – 10 categories from physical to crypto • ISSEP – 4 categories • Discipline struggles to maintain currency
Possible causes, and is systems engineering the cure? • Incomplete models? • No V • No gates • Continuous monitor mentality • Technician/Manager focus • BOK is broke
Comparing the Cycles: In a simpler form • Definition • Design • Development • Deployment • Operations • Retirement
Comparing the Cycles: The Security Engineering forms • Viewed by many models/frameworks • IATF • RMF • ISO • Custom • Let's look at NIST. Regardless – it is all about Risk Management
Comparing the Cycles: The RMF (diagram: the six-step cycle, starting at CATEGORIZE) • CATEGORIZE Information System – Define criticality/sensitivity of the information system according to potential worst-case, adverse impact to mission/business. • SELECT Security Controls – Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment. • IMPLEMENT Security Controls – Implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings. • ASSESS Security Controls – Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for the information system). • AUTHORIZE Information System – Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation. • MONITOR Security Controls – Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
Comparing the Cycles: Both (diagram: the same RMF cycle – CATEGORIZE, SELECT, IMPLEMENT, ASSESS, AUTHORIZE, MONITOR – overlaid with the simpler SE phases Definition, Design, Development, Deployment, Operations, Retirement) • Where's the V?
From Concept to Creation: WITH GATES AND REVIEWS!!! (diagram: MISSION and Real World → captured in ICDs and CONOPS → used to create Specs and Docs → conceptual model → built as the system)
Comparing the Cycles: Where's the gates? Where's the focus? (diagram: the RMF cycle – CATEGORIZE, SELECT, IMPLEMENT, ASSESS, AUTHORIZE, MONITOR – annotated with SE gates: Post SDR, Post PDR, Post CDR, Before TRR, Before AT, and O&M)
Comparing the Cycles: Recap • SSE has a cycle but no feedback • In theory yes, in practice – mostly no • SSE has a cycle but no real gates • In practice triage, IATT, some form of AO • SSE is driven by the CDLC • The SSE cycle is stuck in Monitor most of the time
Comparing the Professionals: Some common ground • Scientist: A scientist is one engaging in a systematic activity to acquire knowledge. Scientists perform research toward increasing understanding of nature, including physical, mathematical and social realms. Scientists use empirical methods to study things. • Engineer: An engineer applies knowledge of applied science and applied mathematics to develop solutions for technical problems. Engineers design materials, structures, technology, inventions, machines and systems. Engineers use ingenuity to create things. • Technician: A technician is a worker in a field of technology who is proficient in the relevant skills and techniques of that technology. Technicians apply methods and skill to build, operate and maintain things. • Manager: One who handles, controls, or directs an activity or other enterprise, including allocation of resources and expenditures. A manager uses qualitative methods to control the build, operation, and maintenance of things.
Comparing the Professionals: A sampling of SE – notice the mix • Chief Engineer/LSE • Systems Architect/Designer • Requirements Engineer • Functional Analyst • Systems Analyst • IV&V Engineer • O&M Support Engineers • Specialty Engineers. Notice the feedbacks
Comparing the Professionals (The RMF/ICD 503) (diagram: the RMF cycle – CATEGORIZE, SELECT, IMPLEMENT, ASSESS, AUTHORIZE, MONITOR – with the RMF roles listed alongside) • Information System Owner • Information Owner/Steward • Risk Executive (Function) • Authorizing Official • AO Designated Representative • Chief Information Officer • Senior Information Security Officer • Information System Security Officer • Information Security Architect • Common Control Provider • Information System Security Engineer • Security Control Assessor
ISSE per ICD 503 (RMF) • Information System Security Engineer (ISSE) (or Information Security Architect) • Identify security controls that are provided by the organization as common controls for organizational information systems and document the controls in a Security Plan. • Select security controls for the IS.
ISO per ICD 503 (RMF) • Information System Owner (or Program Manager) • Categorize the IS and document the results in the Security Plan. • Describe the IS in the Security Plan. • Register the IS with the appropriate organizational program management offices. • Select security controls for the IS and document the controls in the Security Plan. • Develop a strategy for the continuous monitoring of security control effectiveness and any proposed or actual changes to the IS and its operational environment. • Implement the security controls specified in the Security Plan. • Document the security control implementation in the Security Plan. Provide a functional description of the control implementation. • Conduct initial remedial actions on security controls based on the findings and recommendations of the SAR and reassess remediated controls as appropriate. • Prepare the POA&M based on the findings and recommendations of the SAR excluding any remedial actions taken. • Assemble the Security Authorization artifacts and submit to the Authorizing Official for adjudication. • Determine the security impact of proposed or actual changes to the IS and its operational environment. • Conduct remedial actions based on the results of ongoing monitoring activities, risk assessment, and outstanding items in the POA&M. • Update the Security Plan, security assessment report, and plan of action and milestones based on the results of the continuous monitoring process. • Report the security status of the information system (including the effectiveness of security controls employed within and inherited by the system) to the AO and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy. • Implement an information system decommissioning strategy, when needed, which executes required actions when a system, or system component, is removed from service or transferred to another system.
Comparing the Professionals: RECAP • Incomplete models? • No V • No gates • Continuous monitor mentality • Technician/Manager focus • BOK is broke • In systems engineering, there is active leadership from the engineers • In SSE, the ISSEs are primarily advisors • SEs are pro-active • SSEs react • SEs are builders, SSEs are advisors to passive risk managers • Risk managers should be pro-active
Next steps? • NIST SP 800 series evolving (leads the way) • INCOSE WG is creating a handbook • NICE • QUESTIONS?