NIST SP 800-160: Systems Security Engineering

Welcome back to CyberRays. This, of course. I'm your instructor. Brad Roads. Let's talk about NIST Special Pub 801 60 Systems security Engineering. Our objectives for this video are pretty straightforward. We're gonna talk about some key processes involving one and keep processes in volume to this documentation from nests on system security. Engineering is so complex they've had to break it into two modules. So you've seen this chart before? This is from NIST Special Pub 801 60. This is the system security engineering diagram where we show that system security engineering is a specialty engineering shop under systems engineering, and then they also under under system security. Engineering is all the different security specialties you could think of. These is the defense in depth there. Like dealing with, let's say, networks and data and operating systems and the perimeter. Whatever the case may be, all of these things come up through here.

‍

They then the system security engineer, makes them sure they're part of the systems enduring process. In general, this chart is great because it really defines what we do in system security engineering. It talks about the application of of the engineering and measurement and all of things to orchestrate all the different sub disciplines of security engineering that ultimately contributes to the systems engineering That helps us to build these incredibly complex systems we operate today.

‍

The next key process in volume one probably looks like something you've seen before. Do you remember our discussion about problem space and solution space? I hope you do, because this is what you see here. You see the problem. And the problem is where we define all the things that we need to know about the problem. Is it a what's the objectives we need? A requirements. You know what success and what's lack of success. Right? Um and then we get to the solution where we determine how we're going to solve that problem. But then we add another important word here in this chart, we talk about trustworthiness, right?Just because you solve a problem does not mean that the problem was solved in a trustworthy manner.

‍

So what do we talk about Previously, the evaluation assurance levels right in the common criteria. So that's where these come in, right to help us to establish the level of trustworthiness that we have reached with the system that we have designed. Another key process in Volume one is the system life cycle. And you see that here. So you see that chart concept development, production, utilization, supporting retirement. This chart is going to replace the system development life cycle. The system development life cycle has been around for a very long time. It hasn't really been modified very much, and it it doesn't necessarily account for everything we do today. But it's gonna be replaced and is in the process of being replaced by the life cycle stages and those were tied directly to the application of the processes theory mint processes the organization project enabling processes, tech management and technical processes.

‍

We've talked about the majority of these processes throughout. So as you're looking at at what you should know in terms of being an ISI and the ESOP content itself, you should probably know a little bit about each of these processes and you find them in volume one off missed 800 special public 801 60 on you got to know this chart. This chart is incredibly important for you. When you're planning for the SF exam key processes out of Volume two. There's really only one good chart out of Volume two. I wish there was more, but this is the one I think is the most important. And this is what we talk about. Cyber resiliency. This is why there's a second volume of 801. 60. Um, this is where we talk about that. The levels of risk management, right. This is This is where we talk about the goals we have in the objectives we have to potentially survive a significant issue with one of our systems or multiple systems.

‍

You know, whether it's a natural disaster and external threat and insider threat. Whatever the case may be, volume to address is a great deal of what we need to do first. Cyber resiliency. And remember, we've talked about resiliency before. If a system cannot take a hit, if you will and it falls over on the floor, you might not want to employ that system in your environment. And this chart defines how we look at a solution ing cyber resiliency. All right, what do we covering this lesson? We looked at the key processes from Volume one and highlighted some important areas on, We looked at the single chart. That is probably the most important key process out of Volume two of Nice Special Pub 801 60 System Security Engineering. We'll see you next time.