Implement System Security (Implement System)
Time
5 hours 58 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Transcription
00:00
>> Welcome back to Cybrary's ISSE course,
00:00
I'm your instructor, Brad Rhodes.
00:00
Now let's talk about implementing system security.
00:00
After we've designed it, we're
00:00
actually going to actually build it, implement it,
00:00
do all of that work.
00:00
In this lesson, we're going to talk about ISSE tasks,
00:00
we're going to talk about one
00:00
of those technical processes,
00:00
integration and we're going to talk about testing.
00:00
There's six tasks the ISSE does per IATF
00:00
3.1 in our implementation area.
00:00
Inputs to C&A, or today we call it,
00:00
we are getting our authority to operate,
00:00
our interim authority to operate
00:00
C&A is certification and accreditation.
00:00
We're going to provide information to the assessors,
00:00
the folks that are going to be testing
00:00
the system, testing the controls.
00:00
We're going to provide a lot of
00:00
that support in the Information Protection assessment.
00:00
We're going to verify the system,
00:00
pretty straightforward. We're going to track and test.
00:00
As an information system security engineer
00:00
because you are in the systems engineering family,
00:00
you're going to do a lot of tracking and testing.
00:00
If that's not your shtick, [LAUGHTER] you probably
00:00
should get excited about
00:00
it because that's one of the things you're going to do.
00:00
You're going to spend a lot of
00:00
time looking at test plans,
00:00
operations procedures, and training materials.
00:00
Why? Because sometimes it's the ISSE that actually
00:00
builds the control itself and so guess what?
00:00
We have to do that good documentation work.
00:00
Then of course, we've talked about the fact that
00:00
systems engineering as a whole
00:00
is an interdisciplinary process.
00:00
Well, so is information system
00:00
security engineering and so we're going to look
00:00
at the system and issues and the services,
00:00
and the controls and
00:00
the elements and whatever
00:00
it is we're doing for our system,
00:00
we're going to look at all of
00:00
those from many different angles,
00:00
from that multi-disciplinary aspect.
00:00
There's three things you remember
00:00
when it comes to integration.
00:00
It's form, fit, and function.
00:00
Form is pretty straightforward.
00:00
Form is, does the product or
00:00
the capability or the whatever it is we're doing,
00:00
is it in the right form or format that we need?
00:00
So the way I like to remember this from a,
00:00
from a system security and
00:00
information system security perspective
00:00
is form when we are building an API,
00:00
an Application Programming Interface and
00:00
let's say you're doing
00:00
cyber threat intelligence and the customer says,
00:00
I want that in STIX,
00:00
which is a standardized format
00:00
for sharing threat intelligence.
00:00
Or I want it in MISP, which is another format.
00:00
Well, that's the form, they're asking for the form.
00:00
Fit, again, back to our API model,
00:00
the folks are going to want that
00:00
to fit in a certain way.
00:00
Maybe they want it as a command line capability,
00:00
maybe they want it as a GUI,
00:00
so that's the fit and then
00:00
obviously the data that we're using out of our
00:00
threat intelligence feeds that are coming
00:00
in a particular form have to fit
00:00
into our extract via the API.
00:00
Then function, it has to work.
00:00
Function typically deals with the idea
00:00
that it's going to be up for a certain amount of time.
00:00
It's going to allow you to pick and choose what you want.
00:00
So remember, integration of
00:00
products, capabilities, services, whatever.
00:00
A lot of times comes down to form,
00:00
fit, and function.
00:00
When we're testing this is where we are
00:00
talking about the two
00:00
V's and we've talked about
00:00
these many times, verification and validation.
00:00
Remember, verification, especially
00:00
here in our systems engineering V construct,
00:00
is all about did we meet the requirements?
00:00
Did we build to the requirements?
00:00
If widget x was supposed to actuate 16 times in a second,
00:00
if widget x does that,
00:00
we have met the requirement.
00:00
If widget x fails directly after
00:00
that and has to be replaced, guess what?
00:00
We probably haven't validated it.
00:00
That's where we talk about validation.
00:00
Validation meets those customer needs and expectations.
00:00
Super important here you see
00:00
across the systems engineering V as an example,
00:00
is that we need to be
00:00
able to trace requirements up and down all
00:00
the way through from the needs to the requirements,
00:00
to the architecture, to the design,
00:00
to now the testing, verification,
00:00
and validation after we've
00:00
implemented that system and even when we're in
00:00
operations and maintenance so that we can
00:00
ensure the system continues to
00:00
work and meets the needs of the customer.
00:00
ISSE activities in
00:00
the implementation side cover
00:00
the entire gamut of the system.
00:00
For the ISSE, we're focused on
00:00
those information system security requirements.
00:00
That could be threats and vulnerabilities.
00:00
That's going back and assuring that
00:00
our mitigations are meeting
00:00
the risk management items that we put in place.
00:00
We're looking at all of our lifecycles,
00:00
report all the procedures,
00:00
up maintenance, training needs,
00:00
all of that stuff.
00:00
Today, as we've morphed away
00:00
from the certification and accreditation processes,
00:00
we now look at the risk management framework, the RMF,
00:00
and that's where we find the discussions
00:00
of things like authority to operate or
00:00
interim authority to operate and so
00:00
RMF is a huge piece of what ISSEs need to know
00:00
today and I certainly encourage you to get
00:00
into that as you're studying for the ISSE exam.
00:00
In this lesson, we talked about
00:00
the ISSE tasks we find in system implementation.
00:00
We talked about integration,
00:00
which is where that form, fit, and function come in,
00:00
and then we talked about the testing piece,
00:00
which is our verification and validation,
00:00
which we've talked about many,
00:00
many times so you might get that that's
00:00
important. We'll see you next time.