Integrating information security engineering with system engineering with system engineering tools

Abstract

Users of automated information systems (AISs) are becoming increasingly aware of the inherent risks associated with placing sensitive information on a system. Users are beginning to demand an assessment of the quality of security services offered because they need to make informed decisions on accepting certain levels of risk associated with protecting information they place on a system. By integrating an information system security engineering (ISSE) process into system development or system enhancement activities, system developers can satisfy user concerns. An ISSE process will identify the quality of security services needed by users; help identify security mechanisms to satisfy user needs; lead to an effective security design; identify the quality of security services offered by the actual system; and develop the documentation necessary to effectively market the security services offered by a system. An effective and cost efficient method for managing and providing discipline for the ISSE process is for system developers to use an automated system engineering tool. Such a tool significantly enhances the system security engineering team's ability to satisfy user security needs throughout the system design process.