NIST SP 800-160: Systems Security Engineering

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
5 hours 58 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Transcription
00:00
Welcome back to CyberRays. This, of course. I'm your instructor. Brad Roads. Let's talk about NIST Special Pub 801 60 Systems security Engineering.
00:11
Our objectives for this video are pretty straightforward. We're gonna talk about some key processes involving one and keep processes in volume to this documentation from nests on system security. Engineering is so complex they've had to break it into two modules.
00:26
So you've seen this chart before?
00:29
This is from NIST Special Pub 801 60. This is the system security engineering diagram where we show that system security engineering is a specialty engineering shop under systems engineering, and then they also under under system security. Engineering is all the different security specialties you could think of. These is
00:48
the defense in depth there. Like dealing with,
00:50
let's say, networks and data and operating systems and the perimeter. Whatever the case may be, all of these things come up through here. They then the system security engineer, makes them sure they're part of the systems enduring process. In general, this chart is great because it really defines what we do in system security engineering. It talks about
01:10
the application of
01:11
of the engineering and measurement and all of things to orchestrate all the different
01:17
sub disciplines of security engineering that ultimately contributes to the systems engineering That helps us to build these incredibly complex systems we operate today.
01:26
The next key process in volume one probably looks like something you've seen before. Do you remember our discussion about problem space and solution space? I hope you do, because this is what you see here. You see the problem. And the problem is where we define all the things that we need to know about the problem. Is it a
01:46
what's the objectives we need? A requirements. You know what success and what's lack of success. Right?
01:51
Um and then we get to the solution where we determine how we're going to solve that problem. But then we add another important word here in this chart, we talk about trustworthiness, right? Just because you solve a problem
02:04
does not mean
02:06
that the problem was solved in a trustworthy manner. So what do we talk about Previously,
02:10
the evaluation assurance levels right in the common criteria. So that's where these come in, right to help us to establish the level of trustworthiness that we have reached with the system that we have designed.
02:24
Another key process in Volume one
02:29
is the system life cycle. And you see that here. So you see that chart concept development, production, utilization, supporting retirement.
02:37
This chart
02:38
is going to replace the system development life cycle.
02:42
The system development life cycle has been around for a very long time. It hasn't really been modified very much, and it it doesn't necessarily account for everything we do today. But it's gonna be replaced and is in the process of being replaced by the life cycle stages and those were tied directly to the application of the processes theory mint processes
03:00
the organization project enabling processes, tech management and technical processes.
03:06
We've talked about the majority of these processes throughout. So as you're looking at at what you should know in terms of being an ISI and the ESOP content itself, you should probably know a little bit about each of these processes and you find them in volume one off missed 800 special public 801 60
03:24
on
03:24
you got to know this chart. This chart is incredibly important for you. When you're planning for the SF exam
03:34
key processes out of Volume two. There's really only one good chart out of Volume two. I wish there was more, but this is the one I think is the most important. And this is what we talk about. Cyber resiliency. This is why there's a second volume of 801. 60. Um, this is where we talk about that. The levels of risk management, right. This is
03:51
This is where we talk about the goals we have in the objectives we have to potentially survive a significant issue with one of our systems or multiple systems.
03:58
You know, whether it's a natural disaster and external threat and insider threat. Whatever the case may be, volume to address is a great deal of what we need to do first. Cyber resiliency. And remember, we've talked about resiliency before. If a system cannot take a hit, if you will and it falls over on the floor, you might not want to employ that system in your environment.
04:18
And this chart defines
04:19
how we look at a solution ing cyber resiliency.
04:28
All right, what do we covering this lesson? We looked at the key processes from Volume one and highlighted some important areas on, We looked at the single chart. That is probably the most important key process out of Volume two of Nice Special Pub 801 60 System Security Engineering.
04:43
We'll see you next time.
Up Next
Information Systems Security Engineering Professional (ISSEP)

This ISSEP course provides students with the foundational knowledge of the concentration area of the CISSP certification that includes a focus on the processes used to develop secure systems. Students will learn key concepts and skills of the five ISSEP domains.

Instructed By