CISSP - ISSEP Notes.

The Certified Information Systems Security Professional (CISSP) offers three advanced courses, each focusing on a specialized area of cybersecurity:

• ISSEP — Information Systems Security Engineering ProfessionalSecure systems engineering and integrationSystems engineers, architects, and security integration professionals
• ISSMP — Information Systems Security Management ProfessionalLeadership and management of security programsCISOs, program managers, and senior security officers
• ISSAP — Information Systems Security Architecture ProfessionalDesigning and architecting security solutionsSecurity architects, analysts, and consultants

This articles focuses on ISSEP which integrates security into systems engineering from basic concept through to disposal.

Domains.

1. Systems Security Engineering Foundations
2. Risk Management
3. Security Planning and Design
4. Systems Implementation, Verification and Validation
5. Secure Operations, Change Management, and Disposal

Domain 1: Systems Security Engineering Foundations

Focus:

• Fundamentals of system engineering and the principles.
• Integration of security into each phase of the system life cycle
• Processes such as Software Assurance, Acquisition, talent management, trusted systems and networks.

Key Concepts:

• CIA Triad and Security Attributes (Availability, Integrity, Confidentiality)
• System Life Cycle (SLC) vs Software Development Life Cycle (SDLC)
• Importance of security integration from concept to disposal
• Stakeholder Identification and Engagement
• Includes users, sponsors, maintainers, acquirers, certifiers, accreditors
• Crucial for gathering accurate security requirements and acceptance criteria
• Security policies, models, and baseline architectures
• System constraints: legal, regulatory, technical, and operational
• The scope, Cost and Time Triangle, Supply chain Risk and TSNs.

Important Standards:

• NIST SP 800–160 Vol. 1 & 2
• ISO/IEC 15288 — System Life Cycle Processes
• IEEE 1220
• Trusted Systems and Networks.
• ISO/IEC 21827 (SSE-CMM)
• DoD Instruction 5000.87 (Software Acquisition Pathway)

Domain 2: Risk Management

Focus:

• Enterprise risk management. — The business and the mission.
• Risk context, Analysis and remediation. — Risk appetite and Risk attitude.
• Risk findings and Decisions. — Communicate the results.

Key Concepts:

• Risk = Threat x Vulnerability x Impact
• Risk = Probability of occurence x Consequences.
• Risk categories: mission, business, safety, privacy
• Security Categorization (FIPS 199)
• Risk Management Framework Steps: Categorize → Select → Implement → Assess → Authorize → Monitor
• Trusted Systems and Networks (TSNs) — Specific DoD implementation guidance
• Threat modeling.
• The importance of stakeholder tolerance to risk r
• Plan of Action and Milestones (POA&M):
• Risk register — Document used to track known threats, vulnerabilities and impact.
• Managing residual risk.

Important Standards:

• NIST SP 800–30 — Risk Assessments
• NIST SP 800–37 Rev. 2 — RMF
• NIST SP 800–39 — Risk Management Strategy
• FIPS 199, FIPS 200
• CNSSP-22 — National Security Systems

Domain 3: Security Planning and Design

Focus:

• Translating requirements into secure architecture and design.
• Stakeholders in secure planning and designs.
• System security principles.

Key Concepts:

• Security Requirements Derivation — from mission, laws, regulations, and policies
• Stakeholder Requirements Definition (SRD)
• System Requirements Specification (SRS)
• Architectural patterns: Defense-in-depth, Segmentation, Zero Trust
• Trade-off analysis in architecture: performance vs security vs cost
• Triple Constraint Triangle:
• Cost, Schedule, Scope (Quality is the balancing factor)
• Changes in one affect the others
• Use of architectural frameworks; DoDAF, TOGAF and Zachman
• Design artifacts; Operational View (OV), System View (SV), Technical Standards View (TV)
• Security Functional vs Assurance Requirements

Functional = What the system does

Assurance = Confidence it does it correctly

• Verification and validation of systems.

Security Design Principles

1. Simplest Solution
2. Fail securely
3. Logging to Audit
4. Obscurity is NOT a method.
5. Defense in Depth
6. Least Privilege
7. Resiliency.

Important Standards:

• NIST SP 800–160 Vol. 1 & 2
• ISO/IEC 15408 (Common Criteria)
• DoD STIGs
• CVSS and NVDs
• ISO/IEC 27001/27002

Domain 4: Systems Implementation, Verification and Validation

Focus:

• Verifying that security is correctly implemented and validates that it meets needs.
• Integration to meet requirements.

Key Concepts:

• Verification: Did we build the system right (vs. specs)?
• Validation: Did we build the right system (vs. user needs)?
• Methods; Static/dynamic analysis, Code reviews, Security Test & Evaluation (ST&E) Penetration testing and red teaming
• Test and Evaluation Master Plan (TEMP)
• Defines how security testing is done across development and operations
• Test Plans and Test Cases linked to requirements
• Configuration control and deviation tracking
• Functional Testing vs Security Testing
• Use of TSNs and mission-specific criteria for security acceptability

Important Standards:

• NIST SP 800–53A — Security Assessment.
• ISO/IEC 15288 — System Life Cycle Processes.
• NIST SP 800–115 — Security Testing.
• ISO/IEC 29147 — Vulnerability Disclosure.
• ISO/IEC 15408 (Common Criteria).
• DoD 5000.87 Testing Requirements.

Domain 5: Secure Operations, Change Management, and Disposal

Focus:

• Keeping systems secure after deployment and ensuring secure retirement.

Key Concepts:

• Continuous Monitoring and Security Alerts
• Configuration Management (CM) and Change Control.
• Secure maintenance and Supply chain.
• Patch and Vulnerability Management.
• System Decommissioning; Data Sanitization (media and hardware) and Secure disposal (per NIST SP 800–88)
• Continuity Planning; Continuity of Operations Plan (COOP), Disaster Recovery Plan (DRP), Incident Response and Forensic Readiness
• Authority to Operate (ATO), Interim ATO
• Use of POA&Ms in ongoing authorization

Important Standards:

• NIST SP 800–88 Rev. 1 — Media Sanitization
• NIST SP 800–137 — Continuous Monitoring
• NIST SP 800–34 — Contingency Planning
• NIST SP 800–61 Rev. 2 — Incident Handling
• ITIL — Change/Incident/Problem Management
• DoD 5200.1-R — Information Security Program

ISSE Processes.

These are the different tasks expected from the Information system security engineer when performing the day to day roles.

1. Information Protection Policy

• Develop, review, and maintain organizational policies to safeguard information assets.
• Ensure alignment with applicable standards, regulations, and compliance requirements.

2. Context of Operations

• Understand the operational environment, including system dependencies, threat landscape, and stakeholder requirements.
• Maintain situational awareness of security posture in line with operational needs.

3. System Security Architecture

• Design secure system architectures that integrate security controls at all layers.
• Ensure architectural decisions support confidentiality, integrity, and availability.
• Broken down into Functional decomposition, component element design, security mechanisms, interface allocation, residual risk assessment and risk analysis.

4. Detailed Security Design with Lifecycle Management

• Create detailed technical security designs for systems, applications, and infrastructure.
• Incorporate security throughout the system development lifecycle (SDLC).

5. System Security and Risk Management Framework

• Implement and maintain risk management frameworks (e.g., NIST RMF, ISO 27005).
• Identify, assess, and mitigate risks across system components.

6. Assess Information Protection Effectiveness

• Conduct regular audits, penetration tests, and vulnerability assessments.
• Measure the effectiveness of implemented security controls and recommend improvements.

ISSE Principles

• Separate Problems and solutions spaces to avoid scope creep.
• Problem space is identified by the customer mission and Business needs.
• Solutions space belongs to the system engineers.

System Development Lifecycle

1. Initiation.

2. Development / Acquisition. — Buy or Build decisions.

3. Implementations and Assessments — Deploying / Integrations and Authority to Operate.

4. Operations and Maintenance — Configuration management, Policy and procedures.

5. Disposal — How data is stored, system EOL and Archiving.

References.

1. https://csrc.nist.gov/pubs/sp/800/160/v2/r1/final
2. https://www.iso.org/obp/ui/#iso:std:iso-iec-ieee:15288:ed-2:v1:en
3. https://standards.ieee.org/ieee/1220/3372/
4. https://rt.cto.mil/wp-content/uploads/2019/06/Trusted-Systems-and-Networks-TSN-Analysis.pdf
5. https://www.iso.org/obp/ui/#iso:std:iso-iec:21827:ed-2:v1:en
6. https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/500087p.PDF
7. https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-30r1.pdf
8. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
9. https://www.theknowledgeacademy.com/blog/change-control-vs-configuration-management/
10. https://csrc.nist.gov/glossary/term/poaandm
11. https://en.wikipedia.org/wiki/Evaluation_Assurance_Level
12. https://digital.gov/resources/an-introduction-to-ato
13. https://www.energy.gov/ceser/cybersecurity-capability-maturity-model-c2m2
14. https://rt.cto.mil/wp-content/uploads/2019/06/Trusted-Systems-and-Networks-TSN-Analysis.pdf
15. https://csrc.nist.gov/glossary/term/poaandm
16. https://legal.thomsonreuters.com/en/insights/articles/what-is-a-suspicious-activity-report#:~:text=A%20Suspicious%20Activity%20Report%20(SAR,of%20money%20laundering%20or%20fraud.
17. https://www.fedramp.gov/assets/resources/documents/CSP_POAM_Template_Completion_Guide.pdf
18. https://arxiv.org/html/2405.03513v1