SECURE ENGINEERING PRINCIPLES
© Distributed by Resilify.io under a Creative Commons Share Alike License.
Secure Engineering Principles
Version Control
Owner    Version  Edited By  Date        Change History
IS Rep   0.1      Assent     14/07/2016  First Draft
Distribution
Held By  Format              Location  Comments
User     Digital / Physical
Status
X  Status                Approved By  Date
   Working                            DD/MM/YYYY
X  Draft
   Provisional Approval
   Publication
Classification
X  Confidential
   Restricted
   Unclassified
Relevance to Standard
Standard          Clause     Title
[ISO 27001:2013]  [A14.2.1]  [Secure Engineering Principles]
License
Licensed by Assent Risk Management via Resilify.io Under a Creative Commons Share Alike License.
Contents
Secure Engineering Principles ............ 2
Contents ................................. 3
Secure Engineering Principles ............ 4
1.0 Overview ............................. 4
2.0 Policy ............................... 4
2.1 Security Foundation .................. 4
2.2 Risk Based ........................... 4
2.3 Ease of Use .......................... 5
2.4 Increase Resilience .................. 5
2.5 Reduce Vulnerabilities ............... 6
2.6 Design with Network in Mind .......... 6
3.0 Related Policies ..................... 7
4.0 Further reading ...................... 7
Secure Engineering Principles
1.0 Overview
This policy sets out the organization's approach to engineering secure systems.
The following principles are based on SP 800-160 Vol. 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.
These principles are intended to support the secure engineering and development of information systems within the business.
2.0 Policy
2.1 Security Foundation
Establish a policy including security objectives as the foundation of the design.
Treat security as an integral part of the system.
Clearly define the physical and logical boundaries governed by associated security policies.
Ensure developers are competent to develop secure software.
2.2 Risk Based
Reduce risk to an acceptable level.
Identify potential trade-offs between reducing risk, increased costs and decreased operational effectiveness.
Assume that external systems are insecure.
Implement tailored system security measures to meet organisational (ISMS) goals.
Protect information during processing, transit, and storage.
Consider custom products to achieve adequate security.
Protect against all likely types of attack.
2.3 Ease of Use
Where possible, base security on open standards for portability and interoperability.
Use common language in developing security requirements.
Design security to allow for adoption of new technology.
Strive for operational ease of use.
2.4 Increase Resilience
Implement layered security (no single point of vulnerability).
Design and operate an IT system to limit damage and to be resilient in response.
Provide assurance that the system is and continues to be resilient to expected threats.
Limit or contain vulnerabilities.
Isolate public access systems from critical resources.
Use logs and audits to detect unauthorised use and to support incident investigation.
Develop and test business continuity and/or Disaster Recovery procedures.
2.5 Reduce Vulnerabilities
Aim for simplicity.
Minimize the trusted system elements.
Implement least privilege.
Do not implement unnecessary security mechanisms.
Ensure proper security in the shutdown or disposal of a system.
Identify and prevent common errors and vulnerabilities.
2.6 Design with Network in Mind
Implement security through a combination of measures, both physical and logical.
Formulate security measures to address multiple overlapping information domains.
Authenticate users and processes to ensure appropriate access control.
Use unique identities to ensure accountability.
3.0 Related Policies
Password Policy
Access Control Policy
Patching Policy
4.0 Further reading
http://en.wikipedia.org/wiki/Security_engineering#Web_applications
http://msdn.microsoft.com/en-us/library/ff648105.aspx