Context, CONOPS, and Requirements Documents

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
5 hours 58 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Transcription
00:00
>> Welcome back to Cybrary, ISIP course.
00:00
I'm your instructor, Brad Rhodes.
00:00
Let's talk about context,
00:00
CONOPS, and requirements documents.
00:00
In this lesson, in this video,
00:00
we're going to cover context,
00:00
what it is, where it comes from.
00:00
We're going to talk about a CONOPS,
00:00
the concept of operations document,
00:00
typically the first thing
00:00
written when we're building requirements for
00:00
a system and then we're going to talk about
00:00
other requirements documents that you will
00:00
be required to know as an SE or provide
00:00
inputs to or in the case of one of them, write it.
00:00
Context for an organization comes from these five areas.
00:00
First off is the mission and business.
00:00
What does the business do? What is its mission?
00:00
If you're a cybersecurity organization, for example,
00:00
you're probably going to be building
00:00
cybersecurity related products.
00:00
Probably you're not going to be making sponges.
00:00
[LAUGHTER] So you had to know that.
00:00
Users. Users could be consumers,
00:00
they could be operators,
00:00
linear organization, system owners, etc.
00:00
Users have a huge impact on context and
00:00
what products and what services are supposed to be.
00:00
Organizational culture is huge
00:00
when it comes to system context.
00:00
If you have an agile organization
00:00
that is always on the move
00:00
and always developing new things,
00:00
then that's awesome, that's great.
00:00
If you're in a very static,
00:00
very risk averse organizational culture,
00:00
then what you're doing
00:00
is probably going to go very slow,
00:00
if you're a fast mover.
00:00
Budgets. Budgets have a huge impact
00:00
on context for organizations.
00:00
If you want to build
00:00
the greatest crock-pot and
00:00
make it an IoT crock-pot that's
00:00
connects to the Internet and does amazing things and
00:00
is controlled from afar wherever you are in
00:00
the world to make sure your beef roast
00:00
is ready to go when you get home for dinner, awesome.
00:00
If you don't have the budget to build that,
00:00
you're not actually going to go to build it.
00:00
That's important. Last but not least is security.
00:00
Security is huge when it comes to context.
00:00
When we put a system
00:00
out in the world that is exposed to the internet
00:00
or is a service
00:00
or a product that does the same that consumers use,
00:00
we are as an organization ultimately responsible
00:00
for the goods and the bads of
00:00
that product and if a security breach happens,
00:00
that's our responsibility too.
00:00
Another piece of context is the system context.
00:00
As we talked about previously,
00:00
systems engineering takes a whole bunch of
00:00
different systems elements and modules and puts them
00:00
together into a system of interests that
00:00
importantly operates in a specific operating environment.
00:00
You have to understand the operational environment,
00:00
you have to understand the elements and
00:00
the enabling systems that
00:00
fit into this system and interests,
00:00
and then you need to understand
00:00
that context so that
00:00
as you're developing security controls,
00:00
they fit in and don't become a burden.
00:00
Next we have the CONOPS,
00:00
and you see the graphic on
00:00
the left-hand side of the screen there.
00:00
That graphic shows you that we find needs,
00:00
we find the operational environment,
00:00
we find what supports needed.
00:00
A lot of times we'll find operational scenarios.
00:00
This is typically for government systems,
00:00
always built as the first thing.
00:00
We need to define what is it we want
00:00
the system or the system of systems to do?
00:00
You find it in a CONOPS document.
00:00
You see this less frequently in the commercial space,
00:00
however, it's starting to catch on.
00:00
We're starting to see organizations frame things earlier,
00:00
which you might term as a CONOPS,
00:00
before they even start building
00:00
them so that they can identify
00:00
the appropriate requirements and resources and needs.
00:00
There's a whole lot of other requirements documents
00:00
that you're going to deal with as an SE,
00:00
but here's the four main ones.
00:00
First off is the SEMP,
00:00
the systems engineering master plan.
00:00
Remember, ISEM is Information Systems Security Engineer
00:00
and that's a nesting under the systems engineer.
00:00
Under the systems engineer,
00:00
they have to plan out how they're going to integrate
00:00
all of those system elements
00:00
to build the system of interest.
00:00
Well, guess what? They do that via a SEMP.
00:00
The next thing you see up there is the QMP,
00:00
the quality management plan.
00:00
Why do we have a QMP?
00:00
Because if we don't write down
00:00
what we're going to do for quality,
00:00
it doesn't get done, so you have to
00:00
do that and you actually have to document.
00:00
The next one is
00:00
something we've talked about quite frequently,
00:00
configuration management or change management, the CMP.
00:00
We need to start that very early in
00:00
the project of developing
00:00
a system or a service or a product.
00:00
That is where we do it. We start there at
00:00
the CMP and we start as early as possible.
00:00
Changes early are way less expensive than changes later.
00:00
Then finally, the one that is
00:00
most important to the SE's,
00:00
is the information protection policy or plan.
00:00
This comes out of the requirements analysis looking at
00:00
potentially harmful events and
00:00
harmful to information sessions.
00:00
So think threats and vulnerabilities that IPP is
00:00
our major contribution to
00:00
the overarching systems engineering requirements set.
00:00
But these are not all of
00:00
the requirements documents that you probably should know.
00:00
As we get towards the end of the course,
00:00
I'll provide you with
00:00
a specific reference that you should procure if you're
00:00
actually going to study for ISIP exam and take it
00:00
and it will list a whole bunch more documents
00:00
and we'll talk about that later.
00:00
In this lesson,
00:00
we covered the context, what it is.
00:00
Obviously lots of things that contribute to context.
00:00
We also talked about system context and
00:00
that system of interest and why that's important.
00:00
We reviewed that CONOPS,
00:00
for the very first requirements documents written,
00:00
then we talked about other requirements
00:00
including highlighting that the IPP is
00:00
the one that the SE most concerned
00:00
about. We'll see you next time.
Up Next