Homexnetd.com
xnetd.com

3.13 SYSTEM AND COMMUNICATIONS PROTECTION

3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems | NIST 800-171 control 3.13.2 emphasizes building security into systems from the ground up. This helps protect information confidentiality, integrity, and availability by reducing security risks and improving regulatory compliance. Organizations are accountable for implementing these security controls, with system owners responsible and auditors assessing their effectiveness. Implementing secure coding practices, access controls, and data encryption are some examples of this control in action.

3.13 SYSTEM AND COMMUNICATIONS PROTECTION
Back to "3.13 SYSTEM AND COMMUNICATIONS PROTECTION"
3.13 SYSTEM AND COMMUNICATIONS PROTECTION
🖨️

3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems

By wnoble2005@gmail.com (William Noble) 📅 2024-03-03
NIST 800-171 control 3.13.2 emphasizes building security into systems from the ground up. This helps protect information confidentiality, integrity, and availability by reducing security risks and improving regulatory compliance. Organizations are accountable for implementing these security controls, with system owners responsible and auditors assessing their effectiveness. Implementing secure coding practices, access controls, and data encryption are some examples of this control in action.



Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions.[SP 800-160-1] provides guidance on systems security engineering.

Benefits:

Reduced risk of breaches: By prioritizing security from the ground up, organizations can minimize vulnerabilities in systems and software. This proactive approach makes it harder for attackers to gain access to sensitive information.

Improved system resilience: Secure design principles like least privilege and defense in depth create layered protections. This makes it more difficult for attackers to succeed, even if they exploit one weakness.

Enhanced compliance: Implementing control 3.13.2 demonstrates an organization's commitment to information security and helps meet various regulatory requirements.

Accountability:

Senior Management: Sets the tone: Defines the organization's information security posture, allocates resources, and champions security initiatives.


Approves security policies and procedures: Ensures they are aligned with business objectives and regulatory requirements.

Provides oversight: Monitors progress, identifies and addresses security gaps.

IT Security Team: Develops and implements security controls: Selects, configures, and maintains technical safeguards aligned with Control 3.13.2 principles like least privilege and defense in depth. Conducts security assessments: Identifies vulnerabilities, recommends mitigation strategies, and monitors ongoing security posture. Provides security awareness and training: Educates users on secure practices and their role in protecting information.

System Owners: Owns and manages specific systems: Responsible for understanding system security requirements, implementing controls, and reporting security incidents. Ensures system configurations and processes adhere to security policies: Maintains system integrity and minimizes risks. Collaborates with the IT security team: Coordinates security activities and leverages their expertise.

Individual Users: Complies with security policies and procedures: Follows established practices for password management, data handling, and reporting suspicious activity. Reports security incidents: Promptly informs relevant stakeholders of any suspected breaches or vulnerabilities. Participates in security awareness training: Continuously updates their knowledge and understanding of cyber threats and best practices.

Implementation:

Security-focused architecture: Design systems with security in mind, incorporating features like data encryption, access controls, and intrusion detection.

Secure coding practices: Train developers on secure coding techniques to minimize vulnerabilities in software development. Utilize tools like static code analysis and penetration testing to identify and address potential security issues.

Threat modeling: Identify potential threats and attack vectors early in the development process. This allows for implementing appropriate security controls to mitigate risks.

Integration with SDLC (Software Development Life Cycle): Embed security considerations into all phases of the SDLC, from requirements gathering to deployment and maintenance.


Go to docs.google.com

About "3.13.2 Employ architectur...stems" 🡃
Category:Cybersecurity Maturity Model
Family:System and Communications Protection (AC 3.13)
Type:Basic Security Requirements
#CybersecurityMaturityModel #BasicSecurityRequirements
⬅ Back to 3.13 SYSTEM AND COMMUNICATIONS PROTECTION

More on q4q.com

Q4Q Technical Solutions

© q4q.com 1999-2024