Systems Security Engineering PDF
Systems Security Engineering-Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems May 2016 RON ROSS MICHAEL McEVILLEY JANET CARRIER OREN U.S. Department of Commerce National Institute of Standards and Technology
NIST Special Publication 800-160
Second Public Draft
Systems Security Engineering
Considerations for a Multidisciplinary Approach in the
Engineering of Trustworthy Secure Systems
RON ROSS
MICHAEL McEVILLEY
JANET CARRIER OREN
This publication contains a set of systems
security engineering process extensions for
International Standard ISO/IEC/IEEE 15288:
Systems and software engineering — System
life cycle processes. It provides security-related
implementation guidance for the standard and
should be used in conjunction with and as a
complement to the standard.
RON ROSS
Computer Security Division
National Institute of Standards and Technology
MICHAEL McEVILLEY
The MITRE Corporation
JANET CARRIER OREN
PricewaterhouseCoopers
May 2016
U.S. Department of Commerce
Penny Pritzker, Secretary
National Institute of Standards and Technology
Willie May, Under Secretary of Commerce for Standards and Technology and Director
Special Publication 800-160 Systems Security Engineering
Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
Authority
This publication has been developed by NIST to further its statutory responsibilities under the
Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3541 et seq.,
Public Law (P.L.) 113-283. NIST is responsible for developing information security standards
and guidelines, including minimum requirements for federal information systems, but such
standards and guidelines shall not apply to national security systems without the express approval
of appropriate federal officials exercising policy authority over such systems. This guideline is
consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.
Nothing in this publication should be taken to contradict the standards and guidelines made
mandatory and binding on federal agencies by the Secretary of Commerce under statutory
authority. Nor should these guidelines be interpreted as altering or superseding the existing
authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. This
publication may be used by nongovernmental organizations on a voluntary basis and is not
subject to copyright in the United States. Attribution would, however, be appreciated by NIST.
National Institute of Standards and Technology Special Publication 800-160
Natl. Inst. Stand. Technol. Spec. Publ. 800-160, 307 pages (May 2016)
CODEN: NSPUE2
Public comment period: May 4 through July 1, 2016
All comments are subject to release under the Freedom of Information Act (FOIA).
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930
Electronic Mail: sec-cert@nist.gov
Certain commercial entities, equipment, or materials may be identified in this document in order
to describe an experimental procedure or concept adequately. Such identification is not intended
to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities,
materials, or equipment are necessarily the best available for the purpose.
There may be references in this publication to other publications currently under development by
NIST in accordance with its assigned statutory responsibilities. The information in this publication,
including concepts, practices, and methodologies, may be used by federal agencies even before
the completion of such companion publications. Thus, until each publication is completed, current
requirements, guidelines, and procedures, where they exist, remain operative. For planning and
transition purposes, federal agencies may wish to closely follow the development of these new
publications by NIST.
Organizations are encouraged to review draft publications during the designated public comment
periods and provide feedback to NIST. Many NIST cybersecurity publications, other than the ones
noted above, are available at http://csrc.nist.gov/publications.
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and
Technology (NIST) promotes the U.S. economy and public welfare by providing technical
leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test
methods, reference data, proof of concept implementations, and technical analyses to advance the
development and productive use of information technology (IT). ITL’s responsibilities include
the development of management, administrative, technical, and physical standards and guidelines
for the cost-effective security and privacy of other than national security-related information in
federal information systems. The Special Publication 800-series reports on ITL’s research,
guidelines, and outreach efforts in information systems security and its collaborative activities
with industry, government, and academic organizations.
Abstract
This publication addresses the engineering-driven actions necessary to develop more defensible
and survivable systems—including the components that compose and the services that depend on
those systems. It starts with and builds upon a set of well-established International Standards for
systems and software engineering published by the International Organization for Standardization
(ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and
Electronics Engineers (IEEE) and infuses systems security engineering techniques, methods, and
practices into those systems and software engineering processes. The ultimate objective is to
address security issues from a stakeholder requirements and protection needs perspective and to
use established engineering processes to ensure that such requirements and needs are addressed
with appropriate fidelity and rigor, early and in a sustainable manner throughout the life cycle of
the system.
Keywords
Assurance; developmental engineering; disposal; engineering trades; field engineering;
implementation; information security; information security policy; inspection; integration;
penetration testing; protection needs; requirements analysis; resiliency; review; risk assessment;
risk management; risk treatment; security architecture; security authorization; security design;
security requirements; specifications; stakeholder; system-of-systems; system component; system
element; system life cycle; systems; systems engineering; systems security engineering;
trustworthiness; validation; verification.
Acknowledgements
The authors gratefully acknowledge and appreciate the significant contributions from individuals
and organizations in the public and private sectors, whose thoughtful and constructive comments
improved the overall quality, thoroughness, and usefulness of this publication. In particular, we
wish to thank Beth Abramowitz, Max Allway, Kristen Baldwin, Dawn Beyer, Deb Bodeau, Paul
Clark, Keesha Crosby, Judith Dahmann, Kelley Dempsey, Jennifer Fabius, Daniel Faigin, Jeanne
Firey, Jim Foti, Robin Gandhi, Rich Graubart, Daryl Hild, Peggy Himes, Danny Holtzman,
Cynthia Irvine, Ken Kepchar, Stephen Khou, Thuy Nguyen, Elizabeth Lennon,
Alvi Lim, Logan
Mailloux, Dennis Mangsen, Rosalie McQuaid, Joseph Merkling, John Miller, Lisa Nordman,
Paul Popick, Thom Schoeffling, Matt Scholl, Gary Stoneburner, Glenda Turner, Mark Winstead,
and William Young for their individual contributions to this publication.
We would also like to extend our sincere appreciation to the National Security Agency; Naval
Postgraduate School; Department of Defense Office of Acquisition, Technology, and Logistics;
United States Air Force; Department of Homeland Security Science and Technology Office,
Cyber Security Division; Air Force Institute of Technology; International Council on Systems
Engineering, and The MITRE Corporation, for their ongoing support for the systems security
engineering project.
Finally, the authors also respectfully acknowledge the seminal work in computer security that
dates back to the 1960s. The vision, insights, and dedicated efforts of those early pioneers in
computer security serve as the philosophical and technical foundation for the security principles,
concepts, and practices employed in this publication to address the critically important problem of
engineering trustworthy and secure systems.