Engineering Principles for Information Technology Security

To understand the whole note, there is a prerequisite: we recommend first going through the Foundation for Information Technology Security. We referred to the NIST SP 800-27 document to compose this note; for any clarification, kindly refer to the linked document.

Security should be embedded into the solution as early as possible, rather than bolted on after the design or implementation phase, or added as overlay solutions to protect the system from cyberattacks. NIST has proposed guidelines, or principles, that should be followed during the general software or system development life cycle, and explains which principles apply in which phases. In simple words, it is a mapping of security principles onto the different phases of the system development life cycle.

The IT security principles apply to the design, development, and implementation of IT systems. These principles are generic and can be customized for specific kinds of IT systems, such as operating system design, data encryptors, etc.

Engineering Principles for Information Technology Security has a total of 33 principles grouped into 6 top-level categories:

  1. Security Foundation
  2. Risk-Based
  3. Ease of Use
  4. Increase Resilience
  5. Reduce Vulnerabilities
  6. Design with Network in mind

We will take the most common and simplified system development life cycle, consisting of 5 phases:

  1. Initiation
  2. Development
  3. Implementation
  4. Operational/Maintenance
  5. Disposal

Security Foundation

Principle 1: Establish a sound security policy as the “foundation” for design.

Principle 2: Treat security as an integral part of the overall system design.

Principle 3: Clearly delineate the physical and logical security boundaries governed by associated security policies.

Principle 4: Ensure that developers are trained in how to develop secure software.

Risk-Based

Principle 5: Reduce risk to an acceptable level.

Principle 6: Assume that external systems are insecure.

Principle 7: Identify potential trade-offs between reducing risk and increased costs.

Principle 8: Implement tailored system security measures to meet organizational security goals.

Principle 9: Protect information while being processed, in transit, and in storage.

Principle 10: Consider custom products to achieve adequate security.

Principle 11: Protect against all likely classes of “attacks.”

Ease of Use

Principle 12: Where possible, base security on open standards for portability and interoperability.

Principle 13: Use common language in developing security requirements.

Principle 14: Design security to allow for regular adoption of new technology including a secure and logical technology upgrade process.

Principle 15: Strive for operational ease of use.

Increase Resilience

Principle 16: Implement layered security (Ensure no single point of vulnerability).

Principle 17: Design and operate an IT system to limit damage and to be resilient.

Principle 18: Provide assurance that the system is, and continues to be, resilient in the face of expected threats.

Principle 19: Limit or contain vulnerabilities.

Principle 20: Isolate public access systems from mission-critical resources (e.g., data, processes, etc.).

Principle 21: Use boundary mechanisms to separate computing systems and network infrastructures.

Principle 22: Design and implement audit mechanisms to detect unauthorized use and to support incident investigations.

Principle 23: Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability.

Reduce Vulnerabilities

Principle 24: Strive for simplicity.

Principle 25: Minimize the system elements to be trusted.

Principle 26: Implement least privilege.

Principle 27: Do not implement unnecessary security mechanisms.

Principle 28: Ensure proper security in the shutdown or disposal of a system.

Principle 29: Identify and prevent common errors and vulnerabilities.

Design with Network in Mind

Principle 30: Implement security through a combination of measures distributed physically and logically.

Principle 31: Formulate security measures to address multiple overlapping information domains.

Principle 32: Authenticate users and processes to ensure appropriate access control decisions both within and across domains.

Principle 33: Use unique identities to ensure accountability.
