What Is Information Systems Security Engineering?
- The art and science of discovering users’ information protection needs.
- Designing systems with economy and elegance, so they safely resist the forces to which they will be subjected.
- Building and testing such systems.
Information Security Systems Engineering Principles
Nothing is more inefficient than solving the wrong problem and building the wrong system. Below are three important principles that will help avoid this inefficiency. These principles are:
- Always keep the problem and solution spaces separate.
- The problem space is defined by the customer’s mission or business needs.
- The systems engineer and information systems security engineer define the solution space, driven by the problem space.
Principle 1: Always keep the problem and the solution spaces separate.
- The problem is what we want the system to do. The solution is how the system will do what we want it to do. When we focus on the solution, it is easy to lose sight of the problem. This can lead to solving the wrong problem and building the wrong system. Nothing is more inefficient than solving the wrong problem and building the wrong system.
Principle 2: The problem space is defined by the customer’s mission or business needs.
- Often customers talk to engineers in terms of technology and their notion of solutions to their problems, rather than in terms of the problem. Systems engineers and information systems security engineers set these notions aside and discover the customer’s underlying problem.
- If the user requirements are not based on the customer’s mission or business needs, the resulting system solution is not likely to respond to those needs. Again, this will lead to building the wrong system, and nothing is more inefficient than solving the wrong problem and building the wrong system.
Principle 3: The systems engineer and information systems security engineer define the solution space, driven by the problem space.
- The systems engineer, not the customer, is the expert on system solutions. If the customer were the design expert, there would be no need to hire the systems engineer. A customer who insists on intervening in the design process may place constraints on the solution and limit the flexibility of the systems engineer in developing a system that supports the mission or business goals and meets the users’ requirements. One of the greatest challenges an organization faces is being objective, and that’s where the ISSE brings the greatest value.
The Information Security Systems Engineering process is comprised of the following activities:
- Discover Information Protection Needs.
- Define System Security Requirements.
- Design System Security Architecture.
- Develop Detailed Security Design.
- Implement System Security
- Assess Information Protection Effectiveness
An Information Systems Security Engineer who follows the steps above will bring about a methodically designed information protection infrastructure that aligns with the customer’s mission, addresses current & future threats, and is scalable to meet future growth.
If you’d like to read more, this framework is thoroughly described in the IATF Chapter 3.
GRAVICOM employs a certified Information Security Systems Engineer (CISSP-ISSEP), who would be happy to consult with you. Our senior engineer is only 1 of 800 CISSP-ISSEPs worldwide, so you know that your organization will be getting expert assistance. Contact us today!