Tags
Language
Tags
December 2024
Su Mo Tu We Th Fr Sa
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30 31 1 2 3 4

NIST 800-160: A Roadmap for 21st Century Systems Security Engineering Success

Posted By: AlenMiler
NIST 800-160: A Roadmap for 21st Century  Systems Security Engineering Success

NIST 800-160: A Roadmap for 21st Century Systems Security Engineering Success by Mark A Russo CISSP-ISSAP ITIL v3
English | December 14, 2018 | ASIN: B07KFSHGP6 | 172 pages | AZW3 | 2.46 MB

NIST SP 800-160 AND SYSTEMS SECURITY ENGINEERING
So why is secure system development so hard? It should not be difficult and should follow existing best practices that have been available for decades. It should follow the same path as normal software, hardware, or system development. At the core of the current break-down is the disconnect between security requirements, as formulated as a “security control,” and the systems engineering process. Systems engineering is the foundation of all development efforts. It translates the sought general functionality into a technical specification. For example, a possible function for a modern-day tank is to fire a round for a “threshold” distance of 5 kilometers with and “objective” range of 6 kilometers. The Systems Engineer takes the base functional requirement of “shooting a high explosive round” to a specified and measurable distance. In the case of security, an example of a specified security control would state that all “data at rest be encrypted.” The Systems Engineer would take this broad requirement and define it better with, for example, “employ a 256-bit AES symmetric encryption application.” Unfortunately, this obvious connection typically does not occur—until the very end when the system is already built!

NIST 800-160, Systems Security Engineering (SSE), provides the strategic overview of the SSE process; however, it fails to provide the pragmatic help and direction to users that desperately need better guidance than best practice suggestions. This is not a condemnation of NIST’s excellent work in this area for years but is an unfortunate rebuke. NIST’s works are too academic and strategic to be implemented by novice companies and agencies. This book is written to provide several major and minor tactical frameworks and approaches to include specifically the National Cybersecurity Framework (NCF) 1.1 and NIST 800-171 and 171A rev 1. It is designed to truly help businesses and agencies create a secure IT system, network, and environment.