Full Program »
Towards the Application of Security Controls in a Systems Engineering Environment
Friday, 13 December 2013
08:30 - 10:00
Orleans A
Instructor: Michael McEvilley, MITRE Corporation
The use of security controls to express protection capability as part of organizational security risk management is becoming more widely adopted. The application of security controls typically follows the guidance outlined in SP800-53 and SP800-37. In parallel, there are increasing efforts to integrate systems security engineering into Systems Engineering (SE), to include the development of SP800-160 Systems Security Engineering (SSE). The integration of SSE into SE is based on SE processes defined in IEEE Std 15288. A recurring issue raised in the development of SP800-160 is the relationship between security controls and security requirements - Are they the same? Are they different, Can they be used interchangeably? - and neither the NIST Special Publications nor IEEE Std 15288 speaks to this issue.
This presentation will offer an approach for the application of security controls specifically in a systems engineering environment. The presentation will describe the separate activities to develop security control sets and to develop engineering requirements, and will discuss the interactions and traceability opportunities between engineering requirements and security controls that offer cost-savings in verification, validation, and in the assessment of security controls.