The Phases of Security Engineering

 


Security engineering is an interdisciplinary approach to enable the realization of secured systems. It focuses on security protection requirements: defining customer needs and planning the required functionality early in the systems development lifecycle, documenting requirements, and then proceeding with design, synthesis, and system validation while considering the complete, overall problem (NIST, n.d.). Tobin (2023) states that security engineers are responsible for protecting networks, data, and customer systems from security breaches and cyber-attacks. Most security engineering roles mainly focus on creating and maintaining these systems, analyzing traffic, monitoring networks, and running incident response.

Systems security engineering (SSE) focuses on the cost-benefit tradeoffs of engineering out vulnerabilities and building in long-term, cost-saving security countermeasures (Akhgar & Arabnia, 2013). The DoD Acquisition Management Phases were developed to help protect overall systems security throughout the lifecycle of the system. According to Akhgar & Arabnia (2013), the DoD Acquisition Management Phases are as follows:

Phase 0 – Concept exploration and definition – This phase is the pre-work: create and describe the baseline for the system security design, develop the system security criteria, and conduct vulnerability and security threat studies.

Phase 1 – Demonstration and validation – This phase is where the pre-work is needed; it involves analyzing and validating the pre-established system security baseline. Preliminary performance specifications for the hardware and software are prepared, and threats and vulnerabilities are identified through system design and risk management techniques.

Phase 2 – Engineering and manufacturing development – The overall system security is designed, integrated, and acquired against the specifications created in Phases 0-1.

Phase 3 – Production and development – The implementation phase applies these design specifications via production and deployment planning. 

Phase 4 – Operations and support – Via the program protection process, continual risk management is applied to address the operational and support security concerns.

Systems engineering encompasses a lot of work, from planning and designing to implementing and maintaining. To accomplish all of this work, sometimes with limited personnel and resources, priority must be placed on the tasks that are most crucial to the overall security of an organization. Arguments can be made for which of these phases and roles are the most important in a large enterprise. However, this is a phased framework, and unless each phase is completed, the next one has nothing to build on. This makes the first phase (Phase 0) the most important: without it, the other phases do not exist. Importance must therefore be placed on the creation of the system security baseline. The system security criteria must be developed, and the vulnerability and security threat studies must be conducted, before any of the other security engineering can effectively be applied.


References

Akhgar, B. (2013). 1 System Security Engineering for Information Systems. In H. Arabnia (Ed.), Emerging Trends in ICT Security (Ser. 9780124104877). Elsevier.

Security Engineering - Glossary: CSRC. CSRC Content Editor. (n.d.). Retrieved April 22, 2023, from https://csrc.nist.gov/glossary/term/security_engineering 

Tobin, J. M. (2023, January 17). Day in the life of a security engineer. Explore Cybersecurity Degrees and Careers. Retrieved April 22, 2023, from https://www.cyberdegrees.org/careers/security-engineer/day-in-the-life/#:~:text=Security%20engineers%20play%20a%20vital,traffic%2C%20and%20run%20incident%20response. 

