SA-08-727 Security Engineering Principles

Security Engineering Principles

Security Engineering Principles
Security Assessment and Authorization
Secure System Services, Acquisition and Development
Programming errors or misconfiguration leads to vulnerabilities that can be exploited.
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
Code updates are reviewed for security gaps/concerns.
No statewide control
Obtain system and services acquisition policy; procedures addressing security engineering principles used in the development and implementation of the information system; NIST Special Publication 800-27; information system design documentation; security requirements and security specifications for the information system; other relevant documents or records and ascertain if : (I)the organization designs and implements the information system using security engineering principles. (ii)the organization considers the security design principles in NIST Special Publication 800-27 in the design, development, and implementation of the information system.