Definition
Systems security engineering is
“a specialty engineering field strongly related to systems engineering. It applies scientific, engineering, and information assurance principles to deliver trustworthy systems that satisfy stakeholder requirements within their established risk tolerance.”
Overview
Systems security engineering focuses on protecting stakeholder and system assets in order to control asset loss and its consequences. That protection is achieved by carrying out specific activities and tasks within the system life cycle processes, with the objective of eliminating or reducing vulnerabilities and minimizing or constraining the impact when a vulnerability is exploited or triggered. Constraining impact includes continuing to deliver partial or full secure system function at an acceptable level of performance. This approach reduces the susceptibility of systems to simple, complex, and hybrid threats, including physical and cyber attacks, structural failures, natural disasters, and errors of omission and commission. The reduction is accomplished by first understanding stakeholder protection needs and then applying sound security design principles and concepts throughout the system life cycle processes. When these processes are properly carried out, including the identified systems security engineering activities and tasks, they result in systems that are adequately secure relative to the asset-loss consequences and associated risk, based on measurable assurance and trustworthiness in the system's security performance and effectiveness.
To accomplish the security objectives described above, systems security engineering, as a specialty discipline of systems engineering, brings several distinct perspectives and focus areas that set it apart from other engineering disciplines. These include the engineering of security functions; addressing the security aspects of engineering non-security functions; and protecting the intellectual property and other sensitive data, information, technologies, and methods used in the systems engineering effort.
References
- NIST Special Publication 800-160, at B-15.
Source
- "Overview" section: NIST Special Publication 800-160, at 7.