Level 2
Description:
Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduces the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions. [SP 800-160-1] provides guidance on systems security engineering.
Priority: High
Domain: SYSTEM AND COMMUNICATIONS PROTECTION (SC)
Category: Security Architecture
Services Associated with AWS:
- AWS Well-Architected Tool, AWS CloudFormation, AWS Identity and Access Management (IAM)
- AWS CodeStar, AWS CodeCommit, AWS CodeBuild, AWS CodeDeploy, AWS CodePipeline
- AWS Systems Manager, AWS CloudFormation, AWS Identity and Access Management (IAM), AWS Shield
Services Associated with Azure:
- Azure Key Vault
- Azure Security Center
- Azure Policy
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Administrative: supporting documentation of threat intelligence feeds to maintain situational awareness
- Administrative: supporting documentation of role-based security training being performed
- Administrative: supporting documentation of professional competence by individual(s) performing security / IT architecture roles
Possible Technology Considerations:
NA
What needs to be answered:
Are the company's information security policies designed to promote information security? Do the policies meet the needs of the company? Are systems security engineering principles applied in the specification, design, development, and implementation of the system? Is the system managed using a system development life-cycle methodology that includes security considerations?
Checks for AWS
- Employment of Architectural Designs for Information Security
Description: This check ensures that architectural designs employed by the organization promote effective information security. This includes principles such as developing layered protections and establishing security policies, architecture, and controls as the foundation for design.
- Software Development Techniques for Security
Description: This check verifies the use of software development techniques that promote effective information security. This includes incorporating security requirements into the system development life cycle and ensuring that developers are trained on how to build secure software.
- Systems Engineering Principles for Security
Description: This check confirms the application of systems engineering principles that promote effective information security. This includes delineating physical and logical security boundaries and performing threat modeling to mitigate risk.
Checks for Azure
- Restrict Public Network Access to CUI Systems
Description: This policy ensures that Azure resources containing CUI are not publicly accessible from the internet. It enforces the principle of establishing security controls to protect sensitive data from unauthorized access.
- Enforce Role-Based Access Control (RBAC) on CUI Resources
Description: This policy mandates the use of Azure RBAC to manage access to CUI resources. It ensures that access rights are granted based on the principle of least privilege and helps prevent unauthorized access to sensitive data.
- Enable Threat Intelligence Integration for CUI Systems
Description: This policy verifies that Azure services used for hosting CUI systems are integrated with threat intelligence feeds. It ensures that the organization maintains situational awareness of potential threats and vulnerabilities.
- Implement Data Encryption for CUI Data at Rest
Description: This policy mandates the use of Azure Storage Service Encryption or Azure Disk Encryption for any storage or disk containing CUI data. It enforces the principle of data protection to safeguard sensitive information.
- Enforce Multi-Factor Authentication (MFA) for CUI Access
Description: This policy ensures that users accessing CUI resources in Azure are required to authenticate using Multi-Factor Authentication. It enhances the security of user accounts and reduces the risk of unauthorized access.
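A custom Azure Policy definition of the kind the "Restrict Public Network Access to CUI Systems" check describes, written here as an added example rather than a policy from this page or one of Microsoft's built-ins. It assumes CUI resources carry a tag named DataClassification with the value CUI (a constructed convention) and covers storage accounts only; the publicNetworkAccess alias is the one Azure exposes for Microsoft.Storage/storageAccounts.

```json
{
  "properties": {
    "displayName": "CUI-tagged storage accounts must disable public network access",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Added example, not a built-in policy. Flags or blocks storage accounts tagged DataClassification=CUI (assumed tag convention) whose publicNetworkAccess is not Disabled.",
    "parameters": {
      "effect": {
        "type": "String",
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "defaultValue": "Audit"
      },
      "cuiTagValue": {
        "type": "String",
        "defaultValue": "CUI"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
          { "field": "tags['DataClassification']", "equals": "[parameters('cuiTagValue')]" },
          { "field": "Microsoft.Storage/storageAccounts/publicNetworkAccess", "notEquals": "Disabled" }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assign it with the Audit effect first to surface existing non-compliant accounts in the compliance view, then switch the assignment to Deny so that new or updated CUI-tagged storage accounts with public network access are rejected at deployment time.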
More Details: Sound architectural design for company systems containing CUI.