SA-08-727 Security Engineering Principles

Security Engineering Principles

Control ID

SA-08-727

Control Name

Security Engineering Principles

Control Category

Security Assessment and Authorization

Functional Areas

Protect

Sub-Areas

Secure System Services, Acquisition and Development

NIST Baseline Level(s)

MOD, HIGH

NIST Priority

State Implementation Required

Agency Last Implemented Date

Risk Statement

Programming errors or misconfiguration leads to vulnerabilities that can be exploited.

Control Description

The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

Control Example

Code updates are reviewed for security gaps/concerns.

State Implementation

No statewide control

Testing Procedures

Obtain system and services acquisition policy; procedures addressing security engineering principles used in the development and implementation of the information system; NIST Special Publication 800-27; information system design documentation; security requirements and security specifications for the information system; other relevant documents or records and ascertain if : (I)the organization designs and implements the information system using security engineering principles. (ii)the organization considers the security design principles in NIST Special Publication 800-27 in the design, development, and implementation of the information system.