Requirements and Design

Define and Tailor the Control Baseline and Security Architecture Design Based Upon a Threat and Risk Assessment

Determine Cyber Readiness Requirements

Designing a system with an appropriate set of controls, providing protection proportional to the value of and risk associated with the system, is a formidable task. However, by integrating security engineering practices into the SDLC, it doesn’t have to be. The key to defining a well-balanced control baseline is to frame a holistic view of the security posture by involving all stakeholders at the beginning of the SDLC.

For example, most would agree a system owner is the appropriate party to define the security requirements for data in a given system. However, SecureForce engineers routinely come across systems whose requirements were defined in a vacuum. These requirements were created without validation or input from subject matter experts: those who fully understand the operating environment and the security architecture that would most effectively mitigate the risks posed to the system. Failure to seek appropriate validation may result in a security implementation that:

  • does not align with the organization’s enterprise architecture standards,
  • does not leverage common controls that are already implemented, and/or
  • is not effective because assumptions were made regarding the availability or robustness of common controls.

Stakeholder involvement is critical to effectively frame the security context of a system—including representation for the design and operations of all components and functions within the system.

Security Requirements Definition

It is commonly understood that security is a balance. To achieve balance an organization must define the boundaries and the protection requirements for the system based upon the data it processes and stores—and the missions it supports. Thoughtful scoping of system boundaries reduces the level of complexity of a given system while focusing control applicability to prevent excessive analysis.

From our numerous client engagements we know that discovering balance inevitably involves trade-offs and a holistic view of the enterprise. For example, multi-faceted system categorization is used to organize the components of the IT inventory into enterprise systems and common control providers, while considering factors such as system ownership, location, function, interconnections, data types, and availability requirements. Once system boundaries have been established and the systems appropriately categorized, the initial control baseline may be defined.

SecureForce works with its clients to analyze system-specific threat and risk assessment results, while considering common control availability and security architecture recommendations, to further refine the control baseline. Upon completion, we deliver a cost-effective security control baseline aligned with a security architecture that incorporates layered security controls—from the system boundaries to component-level configurations.

Threat and Risk Assessment

Performing threat mapping and risk assessment is essential to determining whether the control baseline provides a level of protection appropriate for the risk posed to the system. The data produced by threat mapping and risk assessment establishes the context necessary to design a security architecture that incorporates a control baseline specifically tailored to the needs of the system. For example, specific threats that exploit vulnerabilities in critical systems may identify the need to implement compensating controls to protect and monitor those systems.

When coupled with SecureForce’s security posture assessment capabilities, our experience designing and implementing security architectures and control baselines gives us the unique perspective of both attacker and defender. This perspective enables us to objectively conduct trade-off and security impact analyses and to recommend a tailored security control baseline that effectively balances cost against the necessary level of protection.

Security Architecture Design

We strive as an industry to have a standard security reference architecture that is inherently secure by design. The reality is that an effective security architecture must be organizationally specific and based upon intelligent trade-offs between the level of residual risk and the allowable tolerances defined by the organization. Balancing security requirements against constraints such as cost, size, or performance mandates stakeholder involvement, as the control baseline is inevitably tailored to suit system requirements or organizational risk tolerances. In our experience this is the pivotal point in the process. Without a formal process, the architecture and controls end up inadequate (in some cases overdone) because the appropriate stakeholders were not involved. Consequently, requirements may be “lost in translation” or simply ignored. In essence, the failure to formalize this process is like placing the proverbial cake into the oven without all the right ingredients—and the ability to “bake in” security is lost.

During an assessment, it is common to learn that business decisions were made without a complete understanding of the technical implications or alternatives. As security engineers, we typically find ourselves in the critical role of translator. Business requirements and constraints must be explained to the technical stakeholders and, conversely, the technical constraints, gaps, and alternatives must be explained to the non-technical stakeholders. A deep understanding of the security requirements, business drivers, and the operating environment is necessary to balance the use of common controls, system-specific controls, and compensating controls implemented to counter specific threats or mitigate risks to the system and organization.

Collectively, SecureForce security engineers have extensive technical backgrounds in the design, development, administration, and assessment of systems, networks, databases, and applications. Our ability to thoroughly understand the components within the operating environment, coupled with our extensive experience with industry-standard control frameworks and assessment methodologies, allows us to serve in a trusted advisor capacity. We partner with our clients to design a security architecture in which security controls are balanced to provide affordable protection with an acceptable level of residual risk, while ensuring the system effectively and reliably supports the mission.