Comparing SE and ISSE Activities

Time
5 hours 58 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Transcription
00:00
>> Welcome back to Cybrary's ISSE course,
00:00
I'm your instructor, Brad Rhodes.
00:00
Let's compare systems engineering,
00:00
SE, and ISSE,
00:00
Information System Security Engineering activities.
00:00
In this lesson, pretty straightforward,
00:00
we're going to compare SE and ISSE activities.
00:00
I'm going to talk about key documents
00:00
for each because those are important,
00:00
because we talk about
00:00
these key documents for several reasons.
00:00
One, you will ultimately write some of those as an SE,
00:00
but two, you'll probably
00:00
see them throughout the use of content.
00:00
Then finally, we're going to talk
00:00
about a really important thing,
00:00
the concept of problem space.
00:00
There's a couple of charts
00:00
here that we're going to talk about.
00:00
When we talk about ISSE versus SE,
00:00
so on the left-hand side is SE,
00:00
on the right-hand side is ISSE.
00:00
In discover needs, the systems engineer in
00:00
an information management or
00:00
information security product is going to be
00:00
focused on the information management model.
00:00
The ISSE is going to be focused on the IPP,
00:00
the Information Protection Policy.
00:00
Both write a CONOPS,
00:00
but obviously the ISSE's CONOPS
00:00
is focused on the security side of things.
00:00
We then look at the architecture design,
00:00
whereas the SEs do that system security architecture,
00:00
and they're looking at the different potential mechanisms
00:00
that might be used from a security perspective.
00:00
Next, we have the next six things.
00:00
We have the detailed design.
00:00
Obviously the detailed design for an ISSE is focused on
00:00
security and figuring out what are the trade-offs,
00:00
components, design, life-cycle support, all that stuff.
00:00
Life-cycle, probably we've touched on that previously.
00:00
Please, as an SE know
00:00
that you've got to do life-cycle management.
00:00
We've struggled with this in the cybersecurity and
00:00
information security industries in
00:00
terms of when should we get rid of systems?
00:00
We talked about disposal previously and decommissioning,
00:00
you got to factor that in.
00:00
The next thing we do in both sides
00:00
of the house is we implement.
00:00
We are going to implement that system security,
00:00
and this is where we're going to get to
00:00
that authority to operate
00:00
or what we used to term
00:00
certification and accreditation C&A.
00:00
Then finally, we're going to assess,
00:00
we're going to assess along the way
00:00
the information protection effectiveness.
00:00
Is the system meeting
00:00
the CIA triad, confidentiality,
00:00
integrity, availability?
00:00
Are we doing the IAAA, identification,
00:00
authentication, authorization, and auditing?
00:00
Are we doing non-repudiation, all of those things?
00:00
Are we doing all of
00:00
the information processing that we
00:00
need to meet mission success for either it's a system,
00:00
controls whatever it is.
00:00
That's all part of what the SE does,
00:00
they're in assessing information,
00:00
perfect protection effectiveness.
00:00
Here's the key documents.
00:00
This is another one of those charts you
00:00
probably should memorize for the ISSEP exam.
00:00
You need to know needs,
00:00
you've got IMM and mission needs statements, versus IPP.
00:00
You got CONOPS, you've got the functional analysis,
00:00
you've got the requirements,
00:00
traceability and design, and the interface specs,
00:00
which is the same for both,
00:00
except obviously the ISSE is focused on security.
00:00
You need to understand that
00:00
the implementation is about test planning,
00:00
and for the ISSE it's risk management framework,
00:00
which we're going to talk about later.
00:00
Then finally, in assess, it's the stakeholder reports
00:00
that go out from the SE or from the ISSE.
00:00
Then for the ISSE, it's
00:00
the interim authority to operate,
00:00
the authority to operate that terminology
00:00
that we used to call certification and accreditation.
00:00
Got to know these documents for the ISSEP content.
00:00
Let's talk real briefly
00:00
about the concept of problem space.
00:00
This is one of those things you need to know.
00:00
Principle Number 1 in problem space, one,
00:00
we want to keep the problem space
00:00
and the solution space separate.
00:00
Remember that, super important.
00:00
Principle Number 2 is the customer.
00:00
Guess what the customer does?
00:00
They get to tell you what the problem space is.
00:00
They get to tell you that because
00:00
they define the mission or business need.
00:00
That's what they do, that's their role in problem space.
00:00
Next principle is the solution space. Who does that?
00:00
The SE for the entirety of the data system
00:00
and the ISSE for the security portions of the system.
00:00
Guess who should not be driving the solution space?
00:00
The customer, and that's hard.
00:00
Especially in a development model like
00:00
Agile where you have customers involved a lot.
00:00
They really want to get involved and
00:00
roll their sleeves and get
00:00
their hands dirty and say this is how we
00:00
want the problem solved.
00:00
But guess what, that's not their domain.
00:00
They need to be spot on in defining that mission
00:00
and business need, that problem space,
00:00
and they need to stay out of
00:00
the solution space or you're going to have problems.
00:00
Then the last one, and this is the one that
00:00
I add is collaboration.
00:00
We really need to work hand in glove with the customer,
00:00
so that no matter what development model we're doing,
00:00
that the customer doesn't think they
00:00
need to get in and micromanage.
00:00
They resist the need
00:00
or the feeling that they've got to
00:00
jump in and fix stuff that
00:00
the engineers aren't doing right.
00:00
That's a real challenge in complex systems.
00:00
Customers want to be involved,
00:00
they want to drive the train,
00:00
so to speak and say
00:00
the Agile model and those Agile release trains.
00:00
But when we allow them to do that,
00:00
it muddies the waters.
00:00
That's where we see scope creep,
00:00
that's where we see additional requirements
00:00
that have nothing to do with the functionality
00:00
of the system get added and we wonder why we
00:00
don't meet schedule and cost and scope.
00:00
In this video, we compared
00:00
systems engineering and ISSE activities.
00:00
We looked at the key documents that you
00:00
need to know as an SE and ISSE,
00:00
and you need to memorize those documents,
00:00
at least for the ISSE stuff.
00:00
Then we talked about the concept of problem space
00:00
and the fact that
00:00
the problem space is the domain of
00:00
the customer and the solution space is
00:00
the domain of the engineers. We'll see you next time.