Systems Security Engineering: An Updated Paradigm. INCOSE Enchantment Chapter, November 8, 2006. John W. Wirsbinski.


2 Today's Experiment
The purpose of the model is not to fit the data, but to sharpen the questions.

3 Outline
What is Systems Security Engineering (SSE)
The Dilemma
Relationship with Systems Engineering
Future Planning

4 The Defender's Dilemma…
[Diagram labels: Threats, Resources, Assets, ?, Guns, Guards, Gates & Technologies, Emergent Technologies, Emergent Design Basis Threats Including Technologies]
…a complex, dynamic resource allocation problem

5 What is Security
Security is defined as freedom from danger or risk
  – Focus is on malevolent dangers
  – Benefits for natural and accidental dangers are considered, but are not the primary focus

6 What is SSE
An element of system engineering that applies scientific and engineering principles to identify security vulnerabilities and minimize or contain risks associated with these vulnerabilities. It uses mathematical, physical, and related scientific disciplines, and the principles and methods of engineering design and analysis to specify, predict, and evaluate the vulnerability of the system to security threats. [1]
[1] Handbook for Systems Security Engineering Program Management Requirements, Department of Defense, Editor. 1995, Headquarters Air Force Systems Command, Office of the Chief of Security Police.

7 Systems Security Engineering Management
An element of program management that ensures system security tasks are completed. These tasks include developing security requirements and objectives; planning, organizing, identifying, and controlling the efforts that help achieve maximum security and survivability of the system during its life cycle; and interfacing with other program elements to make sure security functions are effectively integrated into the total system engineering effort. [2]
[2] Handbook for Systems Security Engineering Program Management Requirements, Department of Defense, Editor. 1995, Headquarters Air Force Systems Command, Office of the Chief of Security Police.

8 Purpose of SSE?
Provide systems engineered solution for asset protection investments
Protect Assets
  – Prevent Undesirable Events
  – Prevent Undesirable Consequences
  – Mitigate Undesirable Consequences
  – Disaster Recovery
Facilitate Operations
Meet Regulatory Requirements

9 SSE Applications
Apply SE to Security problem
Apply SE to integrate protection measures into non-security projects

10 SSE Responsibilities
Threat Assessment
Consequence Assessment
Vulnerability Assessment
Systems Analysis and Design
Bridge Between SE and Security Disciplines

11 Threat Assessment
Two Types of Threat Assessment
Threat Characterization
Threat Quantification

12 Two Types of Threat Assessment
Evaluation of a spanning set of threats relevant to an organization or asset
Evaluation of one or more specific threats

13 Threat Characterization
Real Threat
Perceived Threat
Management Threat
  – Acceptable Risk
  – Acceptable cost
  – Acceptable operational impact
  – Examples
      Design Basis Threat
      Postulated Threat

14 Characterization Continued
Capability
  – Skills
  – Equipment
  – Knowledge
  – Organizational skills

15 Characterization Continued
Motivation
  – Desired End State
      Tactically - mission objective
      Strategic - purpose of mission
  – Level of commitment
      Willing to die?
      Willing to kill?
  – World view that supports committing the undesirable event
  – Triggering events

16 Threat Quantification
Likelihood
Frequency

17 Vulnerability Assessment
Characterize system vulnerabilities
  – Components
  – System
  – Skills needed
  – Equipment needed
  – Knowledge needed
Map vulnerabilities to management threat

18 Consequence Assessment
Asset definition
Definition of the undesirable events
Consequence definition
Consequence rating/ranking

19 System Analysis & Design
Traditional Methods:
Blast Effects
Performance Testing
  – Systems
  – Subsystem
  – Component
Red Teams
Balance
Defense in Depth
Fault Trees
New Methods:
Complexity Theory
Agile Security
Network Theory
Risk Management
Soft Systems Methodology

20 The Bridge
[Diagram labels: Enterprise Including Systems Engineering, Security Engineering, SSE]

21 Security Disciplines
PhysSec
COMPUSEC / Information Systems Security
COMSEC
INFOSEC
OPSEC
Prodsec
KeySEC
TSCM
Counter-intelligence
Psyops
Insider Protection
Anti-terrorism
Counter-terrorism
Business Continuity and Disaster Recovery

22 PhysSec
Intrusion Detection
Contraband Detection
AC&D
Access Delay
Access Control
Response
Investigations

23 COMPUSEC / Information Systems Security
Cryptography
Access Control
Application Security
Information Security and Risk Management
Legal, Regulations, Compliance and Investigations
Security Architecture and Design
Telecommunications and Network Security
System Administration
Audit and Monitoring
Data Communications
Malicious Code / Malware

24 Path Forward
The Goal: SSE Working Group
Possible Starting Points
  – MIL-HDBK-1785
  – This Presentation
Next Steps
  – Identify Volunteers
  – January 2007, INCOSE IW
The difference between 'involvement' and 'commitment' is like an eggs-and-ham breakfast: the chicken was 'involved' but the pig was 'committed'.

25 Questions - Discussion