Secure Engineering Principles


SECURE ENGINEERING PRINCIPLES
© Distributed by Resilify.io under a Creative Commons Share Alike License.
Secure Engineering Principles
Version Control

Owner    Version   Edited By   Date         Change History
IS Rep   0.1       Assent      14/07/2016   First Draft

Distribution

Held By   Format               Location   Comments
User      Digital / Physical

Status

      Status                 Approved By   Date
      Working                              DD/MM/YYYY
[X]   Draft
      Provisional Approval
      Publication

Classification

[X]   Confidential
      Restricted
      Unclassified

Relevance to Standard

Standard             Clause     Title
ISO 27001:2013       A.14.2.5   Secure system engineering principles

License

Licensed by Assent Risk Management via Resilify.io Under a Creative Commons Share Alike License.

Contents

Secure Engineering Principles
Contents
Secure Engineering Principles
1.0 Overview
2.0 Policy
2.1 Security Foundation
2.2 Risk Based
2.3 Ease of Use
2.4 Increase Resilience
2.5 Reduce Vulnerabilities
2.6 Design with Network in Mind
3.0 Related Policies
4.0 Further Reading

Secure Engineering Principles

1.0 Overview

This policy sets out the organisation's approach to engineering secure systems.

The following principles are based on NIST SP 800-160 Vol. 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.

These principles are intended to support the secure engineering and development of information systems within the business.

2.0 Policy

2.1 Security Foundation

- Establish a policy, including security objectives, as the foundation of the design.
- Treat security as an integral part of the system.
- Clearly define the physical and logical boundaries governed by the associated security policies.
- Ensure developers are competent to develop secure software.

2.2 Risk Based

- Reduce risk to an acceptable level.
- Identify potential trade-offs between reducing risk, increased cost and decreased operational effectiveness.
- Assume that external systems are insecure.
- Implement tailored system security measures to meet the organisation's information security (ISMS) goals.
- Protect information during processing, in transit and in storage.
- Consider custom products where needed to achieve adequate security.
- Protect against all likely types of attack.

2.3 Ease of Use

- Where possible, base security on open standards for portability and interoperability.
- Use common language in developing security requirements.
- Design security to allow for adoption of new technology.
- Strive for operational ease of use.

2.4 Increase Resilience

- Implement layered security (no single point of vulnerability).
- Design and operate IT systems to limit damage and to be resilient in response.
- Provide assurance that the system is, and continues to be, resilient to expected threats.
- Limit or contain vulnerabilities.
- Isolate public access systems from critical resources.
- Use logging and audit mechanisms to detect unauthorised use and to support incident investigation.
- Develop and test business continuity and/or disaster recovery procedures.

2.5 Reduce Vulnerabilities

- Aim for simplicity.
- Minimise the system elements that must be trusted.
- Implement least privilege.
- Do not implement unnecessary security mechanisms.
- Ensure proper security in the shutdown or disposal of a system.
- Identify and prevent common errors and vulnerabilities.

2.6 Design with Network in Mind

- Implement security through a combination of measures distributed both physically and logically.
- Formulate security measures to address multiple overlapping information domains.
- Authenticate users and processes to ensure appropriate access control decisions.
- Use unique identities to ensure accountability.

3.0 Related Policies

- Password Policy
- Access Control Policy
- Patching Policy

4.0 Further Reading

http://en.wikipedia.org/wiki/Security_engineering#Web_applications
http://msdn.microsoft.com/en-us/library/ff648105.aspx
