SYSTEMS SECURITY ENGINEERING


Mission Statement
Integrating Security into Every Solution We Deliver
Reducing Risk and Providing Fully Reliable and Trusted Solutions, Utilizing Best Practices and Rigorous Processes
LM Employs a System Security Engineering Process that encompasses Cyber Security/IA, Anti-Tamper and Secure Supply Chain
Integrated. Proactive. Resilient.
2014 Lockheed Martin Corporation

Why SSE?
Our customers demand secure solutions.
Our main areas of focus are in defense, space, intelligence, homeland security, and information technology, including cyber security.
Business areas: Aeronautics; Information Systems & Global Solutions; Missiles & Fire Control; Mission Systems & Training; Space Systems
We Never Forget Who We Are Working For, And Neither Do Our Adversaries

Security is an Enterprise-Wide Concern
Lockheed Martin System Security Engineering focus areas: Anti-Tamper (Hardware Security); Cyber Security/Information Assurance; Secure Supply Chain; Secure Processing; Privacy; Advanced Research
Systems security engineering is comprised of the following sub-disciplines (ISO/IEC 21827): Operations Security, Information Security, Network Security, Physical Security, Personnel Security, Administrative Security, Communications Security, Emanation Security, Computer Security
LM has developed a strong, multi-disciplinary approach.

Lockheed Martin Strategy
System Security Engineering focus areas: Anti-Tamper (Hardware Security); Information Assurance / Cyber Security; Secure Supply Chain; Secure Processing; Privacy; Advanced Research
LM Strategy: Next Gen Product Base, supported by DoD Funding (CRAD / Program) and LM Investment (IRAD / Other Funding)

LM SSE Timeline
2010: Reduce stove-pipe approach to solving System Security
2011: Establish SSE IPT for collaboration
2012: Create Process that can be used across the corporation
2013: Identify technology that needs to be developed
2013: Implement SSE process across programs & captures
2014: Invest in developing the key technology and leverage into DoD Lab CRAD wins
2014+: Leverage CRAD wins into LM's Product Base Enterprise-Wide

Security Development Challenges
- Understaffed
- Unclear whose job security is
- Lack of domain expertise
- Lack of training & outdated training
- Heavyweight development approaches
- Buried in regulations & process compliance
- Outdated security practices
- Complexity of large system designs
- Lack of information sharing
- No situational awareness
- Lack of internal & external collaboration
- No lessons learned
- Challenge keeping up with new & changing technology
- Stove-piped solutions
- Time to market

Security Engineering Procedure
- LM has implemented a Security Engineering Procedure for use across all lines of business
- Identifies the security engineering activities, milestones, and work products performed and created throughout the engineering lifecycle, from concept to retirement
- Illustrates how security engineering work products integrate into systems engineering deliverables throughout the engineering lifecycle

Security Engineering Activities & Products throughout the Life Cycle
Proposal: Security Needs Assessment; Security Cost Estimates; Security RFI; Security Technical Solution; Security & Privacy Risk Analysis
Planning: Security Operational Concept; Security Plan; Secure Coding Standards; Threat & Vulnerability Analysis; C&A Planning; POA&M; Contingency and DR Planning
Requirements: Security & Privacy Requirements; System Security Policy; Security Test Cases; Security RTVM
Design: Secure Component Design; Secure System Design; Attack Surface Analysis/Reduction
Development: Secure Builds & Configuration; Static Analysis; Security Test Planning
Test: Functional System Security Testing; Dynamic Analysis; Specialty Security Testing; Attack Surface Review; Security Test Results & Discrepancy Mitigation; SRA Report; C&A Package
Deployment: Incident Response Plan
O&M: Control Monitoring; Secure Upgrades; Security Metrics & Reporting; Security Reviews, Testing & Scans; Contingency & DR; Incident Response; Security Policy & Plan; C&A; SATE
Sustainment: Approved Security Baseline
Retirement: Security Retirement and Transition Plan; Safeguard of System Data

Integration of the SSE process into other domains' processes for success
- Business Development / Capture Process (RS-BDEV-0009)
- Program Management Process (PM-001-1)
- SSE Process (S-ENGP-0668)
- Proposal/Program Review Process (PPRP) representatives
- Risk Review Board

SEAM
A model created to SEAM together people, process and tools across a system life cycle/organization to reduce cyber security risk to the system/program
- Security Engineering best practices, processes, standards, and checklists/tools
- Integrates security throughout a system's life cycle
- Develops a culture of security responsibility within all program and engineering disciplines
- Rooted in community- and corporate-recognized standards and industry best practices
- Agile and constantly evolving process to respond to the dynamic cyber-threat environment
- Constant feedback loop where operations provides information back into development as new threats are identified
Hierarchy of artifacts:
- Policy: RS-ENGP-0044, System Security
- Procedure: S-ENGP-0668, Security Engineering (SAT for PPRs & Tech Reviews)
- Standards: Secure Application Development; Security Risk Assessment; Threat Modeling; Security Testing
- Checklists
SEAM breaks down the Security Engineering policy & procedure into standards and checklists applicable to all program staff (e.g. business development, program managers, capture managers, software developers, system engineers).

Security Engineering Domain Advocates
Security Engineering IPT business areas: CIS; SPACE; AERO; ATL; MST; IS&GS; MFC
- Security Engineering IPT in place to foster communication & collaboration across all business areas' security-focused SMEs
- IPT used to develop, review and communicate system security engineering efforts (e.g. security procedure, standards, SEAM tools)
- Various eforums, portals and groups for outreach: LM Security Engineering Community of Practice; Info-Assurance eforum; Cyber Fellows Action Team (FACT) eforum; AT COE; Secure SW Engineering eforum; Info System Security WG

What Can NDIA Do?
- Help develop risk-based candidate measures:
  - Include leading indicators to help proactive insight
  - Can be tailored for each program (case-by-case)
  - Focus on specific program vulnerabilities
  - Span the types of issues
  - Build on previous measurement efforts (NIST, PSM, INCOSE, NDIA)
- Work with other industry associations (e.g., INCOSE) to integrate SSE into SE guidance and standards
- Work with SERC and others on research and pilots, providing industry insight and experience
- Work with DoD to help with intelligence awareness of emerging threats
- Continue to reduce compartmentalization across activities, when appropriate

Describe what you think SSE needs to be in 5 years
- It needs to be a more proactive organization with more agility
- Recognized as a rigorous scientific discipline and supported as such
- Standard set of base requirements, with advanced features implemented/tailorable on a program-by-program basis
- Security measurement framework developed to inform security engineering and risk management processes
- Actionable threat model for risk management & security engineering
- Must be able to communicate, translate and integrate security engineering to the non-technical workforce as well as program managers, business development, etc.
- Foster a security mindset across all disciplines

Lockheed Martin is Proactive and Mission-Focused with Security Engineering
LOCKHEED MARTIN and the STAR DESIGN are either registered marks in the U.S. Patent and Trademark Office and/or other countries throughout the world, or are trademarks and service marks of Lockheed Martin Corporation in the U.S. and/or other countries. All rights reserved. VF01493_05-07-2014

Definitions
Systems Security Engineering: A specialty engineering field strongly related to systems engineering. It applies scientific, engineering, and cybersecurity/information assurance principles to deliver trustworthy security solutions that satisfy stakeholder requirements.
Anti-Tamper: Systems engineering activity intended to impede countermeasure development, unintended technology transfer, or alteration of a system.
Information Assurance / Cyber Security: The measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
Supply Chain Risk Management: The implementation of strategies to manage both everyday and exceptional risks along the supply chain, based on continuous risk assessment, with the objective of reducing vulnerability and ensuring continuity.
Secure Processing: Design of components that provide a secure environment for processing of information.
Privacy: Appropriate management (data protection) and use of personal information under the circumstances.
Advanced Research: Development of next generation solutions.

Security Engineering CoP Portal