Introduction to Systems Security Engineering

There are many books, articles and websites on Systems Engineering in general, but relatively few on Systems Security Engineering. In the not so distant past, I spent more than a decade implementing IT security, developing policy and procedure for IT security, and auditing / assessing IT security in the Federal space. As part of that I spent a significant amount of time with FIPS standards and NIST Special Publications. The FIPS standards are more useful in that they define the structure of the solution and the scope of what is compliant / certifiable and what is not, which tends to encourage (but not ensure) interoperability. The NIST Special Publications, on the other hand, are much more educational, instructional and tutorial in nature. A recent example of this is NIST SP 800-160, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems.

Chapter 2 of the document provides a relatively brief overview of what Systems Security Engineering is, and how it aligns with ISO/IEC 15288 (the ISO standard for Systems Engineering processes and life cycles, https://en.wikipedia.org/wiki/ISO/IEC_15288 ). This chapter provides the most useful content of the document at this time.

Chapter 3 goes into detailed life cycle processes for systems security engineering and maps those directly to ISO/IEC 15288, which helps develop an understanding of how Systems Security Engineering integrates with the general Systems Engineering processes. These are not separate or disjointed processes, and the document makes that explicit and clear.

The appendices are simply placeholders in the draft, but show promise. I will be extremely curious to see what goes into them in the release version.

Overall – I think this document (when completed) may integrate and update the better parts of several aging Special Publications.
