3.13.2 has a weight of -5 points

(System and Communications Protection Family) 2/16

Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

Example of System Security Plan (SSP):

    Effective Information Security in Organizational Systems

    1. Policy Statement: The organization employs architectural designs, software development techniques, and systems engineering principles to promote effective information security within its systems.
    2. Systems Security Engineering: Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, the principles are applied to upgrades and modifications to the extent feasible.
    3. Trustworthy, Secure, and Resilient Systems: Systems security engineering concepts and principles are used to develop systems and components that are trustworthy, secure, and resilient, reducing susceptibility to disruptions, hazards, and threats.
    4. Examples of Concepts and Principles: Examples include implementing layered protections, establishing security policies, architecture, and controls as the foundation for design, incorporating security requirements into the system development life cycle, and delineating physical and logical security boundaries.
    5. Security Training for Developers: Developers are trained on how to build secure software, enhancing the security posture of developed systems.
    6. Threat Modeling: Threat modeling is performed to identify use cases, threat agents, attack vectors, design patterns, and compensating controls to mitigate risk.
    7. Benefits: Applying security engineering concepts and principles facilitates the development of secure systems and components, reduces risk to acceptable levels, and enables informed risk-management decisions.
    8. Guidance: [SP 800-160-1] provides guidance on systems security engineering, aiding organizations in effectively integrating security into their systems development process.

    Example of Plan of Action and Milestones (POA&M):

    Milestone 1: Policy Statement Development

    • Develop a comprehensive policy statement emphasizing the organization’s commitment to effective information security in its systems through architectural designs, software development techniques, and systems engineering principles. Clearly outline the purpose of applying systems security engineering principles to new development systems and upgrades. [Target Date]

    Milestone 2: Systems Security Engineering Training

    • Provide systems security engineering training to developers involved in new system development or major upgrades. Ensure that developers are equipped with the knowledge and skills to build secure software and apply security principles effectively. [Target Date]

    Milestone 3: Legacy Systems Assessment

    • Conduct a comprehensive assessment of legacy systems to determine the feasibility of applying systems security engineering principles to upgrades and modifications. Identify areas where security enhancements can be implemented to improve the security posture of legacy systems. [Target Date]

    Milestone 4: Implementation of Systems Security Engineering Concepts

    • Implement systems security engineering concepts and principles in the development of new systems and the upgrades of legacy systems. This may involve establishing layered protections, incorporating security requirements into the system development life cycle, and delineating physical and logical security boundaries. [Target Date]

    Milestone 5: Threat Modeling Implementation

    • Integrate threat modeling into the system development process to identify use cases, threat agents, attack vectors, design patterns, and compensating controls to mitigate risk effectively. Ensure that threat modeling is performed for all systems to proactively address potential security vulnerabilities. [Target Date]

    Milestone 6: Continuous Monitoring and Review

    • Implement continuous monitoring and review processes to assess the effectiveness of security engineering measures and principles. Regularly review security controls and architecture to identify and address emerging threats and potential vulnerabilities. [Target Date]

    Milestone 7: Alignment with [SP 800-160-1]

    • Align the organization’s systems security engineering practices with the guidance provided in [SP 800-160-1]. Ensure that the organization’s approach to integrating security into systems development follows best practices and industry standards. [Target Date]

    Milestone 8: Compliance and Reporting

    • Ensure compliance with the policy statement and systems security engineering principles. Regularly report on the progress and effectiveness of security engineering measures to appropriate stakeholders and management. [Target Date]

    Milestone 9: Collaboration and Knowledge Sharing

    • Encourage collaboration among different organizational entities, including developers, security personnel, and system owners, to ensure a coordinated approach to systems security engineering. Promote knowledge sharing and lessons learned to enhance the effectiveness of security measures. [Target Date]

    Milestone 10: Continuous Improvement

    • Foster a culture of continuous improvement by incorporating feedback from assessments, security incidents, and emerging threats into the organization’s systems security engineering practices. Regularly review and enhance security measures to adapt to changing security requirements and technologies. [Target Date]

    RELEVANT INFORMATION:

    Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions. [SP 800-160-1] provides guidance on systems security engineering.
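
The threat modeling step named in SSP item 6, Milestone 5, and the discussion above is the one part of 3.13.2 that can be shown as a concrete artifact rather than policy text. The following is an added example, not part of this page or of NIST's guidance: a STRIDE-per-element pass over a small data-flow model that lists every threat category left without a compensating control and puts flows that cross a trust boundary first. The element names, trust zones, control names and the control-to-threat mapping are all constructed for illustration; a real model would cite the organization's own architecture and control catalog.

```python
"""STRIDE-per-element threat enumeration over a constructed data-flow model.

Added example for SP 800-171 3.13.2 (threat modeling). Elements, zones, flows
and the MITIGATES table are assumptions for illustration, not a real system.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import NamedTuple

# STRIDE categories that apply to each element kind (STRIDE-per-element table).
STRIDE_PER_KIND: dict[str, frozenset[str]] = {
    "external":  frozenset("SR"),      # external entity / threat agent
    "process":   frozenset("STRIDE"),
    "datastore": frozenset("TRID"),
    "flow":      frozenset("TID"),     # data flow
}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information disclosure", "D": "Denial of service",
                "E": "Elevation of privilege"}

# Assumed mapping: which categories each named compensating control mitigates.
MITIGATES: dict[str, frozenset[str]] = {
    "tls":             frozenset("TI"),
    "mutual_tls":      frozenset("STI"),
    "rate_limit":      frozenset("D"),
    "audit_log":       frozenset("R"),
    "authz_check":     frozenset("E"),
    "encrypt_at_rest": frozenset("I"),
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                          # key into STRIDE_PER_KIND
    zone: str                          # trust zone: "internet", "dmz", "internal"
    controls: frozenset[str] = frozenset()


@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str                          # what travels on the flow (for the report)
    controls: frozenset[str] = frozenset()

    def crosses_boundary(self) -> bool:
        """A flow between different trust zones crosses a logical security boundary."""
        return self.src.zone != self.dst.zone


class Finding(NamedTuple):
    target: str                        # element name or "src->dst" for a flow
    category: str                      # one STRIDE letter
    crosses_boundary: bool             # True only for boundary-crossing flows


def _uncovered(applicable: frozenset[str], controls: frozenset[str]) -> list[str]:
    """Categories in `applicable` that none of the listed controls mitigates."""
    covered = frozenset().union(*(MITIGATES.get(c, frozenset()) for c in controls))
    return sorted(applicable - covered)


def open_threats(elements: list[Element], flows: list[Flow]) -> list[Finding]:
    """Enumerate STRIDE threats with no compensating control; boundary crossings first."""
    findings: list[Finding] = []
    for e in elements:
        for cat in _uncovered(STRIDE_PER_KIND[e.kind], e.controls):
            findings.append(Finding(e.name, cat, False))
    for f in flows:
        for cat in _uncovered(STRIDE_PER_KIND["flow"], f.controls):
            findings.append(Finding(f"{f.src.name}->{f.dst.name}", cat, f.crosses_boundary()))
    findings.sort(key=lambda x: (not x.crosses_boundary, x.target, x.category))
    return findings


def report(findings: list[Finding]) -> dict[str, list[str]]:
    """Group open threat names by target, in the order open_threats() returns them."""
    out: dict[str, list[str]] = {}
    for f in findings:
        out.setdefault(f.target, []).append(STRIDE_NAMES[f.category])
    return out


# Constructed sample: a browser reaching an order service through a gateway.
BROWSER = Element("browser", "external", "internet")
GATEWAY = Element("api-gateway", "process", "dmz", frozenset({"rate_limit", "audit_log"}))
ORDERS = Element("orders-svc", "process", "internal", frozenset({"authz_check", "audit_log"}))
DB = Element("orders-db", "datastore", "internal", frozenset({"encrypt_at_rest", "audit_log"}))
ELEMENTS = [BROWSER, GATEWAY, ORDERS, DB]
FLOWS = [
    Flow(BROWSER, GATEWAY, "session cookie, order JSON", frozenset({"tls"})),
    Flow(GATEWAY, ORDERS, "order JSON", frozenset({"mutual_tls"})),
    Flow(ORDERS, DB, "SQL", frozenset()),   # plaintext "because it is internal"
]

if __name__ == "__main__":
    for target, threats in report(open_threats(ELEMENTS, FLOWS)).items():
        print(f"{target:26s} {', '.join(threats)}")
```

Run stand-alone, the script lists the two boundary-crossing flows first (each still open to denial of service despite TLS), then the unprotected internal SQL flow and the per-element gaps. Each open row is a candidate for a compensating control or an accepted-risk entry in the POA&M; rows that are closed by adding a control to the model disappear on the next run, which is the feedback loop Milestone 5 asks for.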



    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.