(Need 250 word response with one cited reference)
Class,
Good afternoon and welcome to week 2! I hope you all had a great weekend. For this week we were asked to review the elements of systems engineering and then select the one that is most often overlooked in our mind.
In our textbook we explored three separate concepts that are used in systems engineering. To start with, all systems engineering consists of a “methodological approach to specification, design, creation, and operation of a function” (Jacobs, 2015, pp. 31). In layman’s terms, when engineering an information system there are overriding elements that need to be included whichever methodology you choose to use. Keeping this in mind, the most in-depth approach that was explored in our textbook was the SIMILAR approach.
SIMILAR stands for:
Each of the processes was explored in detail, but the overall impression was that no one step was more important than the previous. Each feeds into one another to help support the overall system, similar to how security management models feed into each other from last week.
After laying the land for how engineering systems are built (and the process for building them), we looked at how to manage the process of building these systems. This is an important distinction, because without understanding how to manage the system engineering process the overall goal can be lost. It helps keep the process running, so to speak. Two different process management methods were identified: ISO 9000 series and the CMM model. The ISO 9000 series is a “family of standards maintained by ISO, for quality management systems” (Jacobs, 2015, pp 41). It essentially lays out the standards for maintaining quality throughout the systems engineering process. The CMM model is based off of psychology to help the system have conscious competence. CMM helps to identify “clusters of related activities when performed collectively, achieve a set of goals considered important” (Jacobs, 2015, 44). If continuous competence can be achieved during the systems engineering process then every step of the process can be trusted. This is not to say that there shouldn’t be re-evaluation, but it helps improve and focus the overall process of engineering a system.
The final section of our book helps to define the organization environment in which system engineering takes place. The organization environment establishes the various external pressures that can shape how the information engineering system is formed. For example, an organization might find it easier to have less protection surrounding PHI, but the external pressure of HIPAA changes this thought process when engineering the system. Without taking into consideration outside pressures, an information system is likely to fall apart, because the easiest path is often non-compliant with outside pressures (Jacobs, 2015, 46-59).
After reflecting on the various aspects of systems engineering (especially SIMILAR), I think that the most critical element of the process is assessing the performance of the system. This is because it asks the question of whether this system accomplishes what it needs to accomplish, basically the underlying question of the process. If the answer to this question is no, then it is an indicator that the engineer should go back and re-evaluate where in the system it went wrong. Unfortunately, in my experience, this step in SIMILAR is also the one most commonly overlooked. Granted, I only have my own experiences to draw from, but there isn’t nearly enough evaluation of how systems perform with one another, especially when it is done in non-optimal situations. For example, I was responsible for an imagery suite (hardware/software) that hardly ever worked the way it was designed to. In my opinion this was because widespread testing of this suite didn’t take into account when there are multiple failures, or what the effect of consistent movement or shut down tear downs would have on the system. Many of these systems were designed not to be moved, but were still issued to units operating in a tactical environment. If there had been a proper assessment of how these systems would be used on the ground, then I feel like the current issue would easily have been found out.
I suppose this is a classic complaint of many enlisted personnel. There is a disconnect between conditions on the ground vs the overall purpose of orders as they are given. Speaking from a military perspective, this is where jr leaders need to come into play to help support and guide orders as they are given. Bringing it back to system engineering, jr leaders can be thought of as the process management models that help to guide and mold how the system is engineered. Anyway, sorry I got a little off topic at the end. I just see many parallels between how engineering systems are built and how the military operates. I hope everyone has a great week! As always, if you need anything feel free to reach out.
Rob
References
Jacobs, S. (2015). Chapter 2: Systems Engineering. In Engineering information security: The application of systems engineering concepts to achieve information assurance (Second ed., pp. 31-59). Hoboken, NJ: John Wiley & Sons.
(Need 250 word response with one cited reference)
Dr. McCracken and Classmates,
In our second forum we are asked to review the elements of systems engineering discussed in Chapter 2 of Stuart Jacobs’ book, Engineering Information Security, The Application of Systems Engineering Concepts to Achieve Information Assurance, and discuss the most critical element that is most commonly overlooked. Jacobs outlines a systems engineering approach that he calls SIMILAR. It consists of 7 steps: “1) Stating the problem, 2) Investigating alternatives, 3) Modeling the system, 4) Integrating/developing the system, 5) Launching the system, 6) Assessing the performance of the system, and 7) Re-evaluating the system” (Jacobs, 2016). In A Systems Engineering Approach to Information Assurance Operations, authors Curts and Campbell note that “past experience has shown that formal systems engineering methodologies have not always been successfully applied to large and complex information systems” (Curts & Campbell, 2002). The information assurance lifecycle described by Curts and Campbell is a framework of 5 basic operational phases that protect valuable information assets. Their 5 phases of the IA lifecycle are slightly different from the typical systems engineering lifecycle phases but incorporate the same functions and activities; the 5 phases are: “1) assess, 2) protect, 3) validate, 4) train, and 5) monitor/manage” (Curts & Campbell, 2002).
I believe that the most critical component of a systems engineering solution to IA is the post-deployment assessment (monitor/manage) element. Too many times organizations expend a lot of resources to develop and implement an IA strategy only to “set it and forget it”. Developing a comprehensive information security risk management (ISRM) program is not a once and done activity. There is one universal truth and that is change. Change can create both technological and non-technological issues. Information security risks are inevitable. While metrics can be used to assess performance, needs change as new technology, regulation and threats evolve. Partner systems may create 3rd party risks. The organization’s risk appetite may change. I would favor a more proactive risk management approach to information assurance. Re-evaluation is a basic engineering tool and should be a continual lifecycle process that involves reassessing the information security landscape, not just the currently implemented solution. It is vital that organizations periodically reassess risks and reconsider the appropriateness and effectiveness of the policies and controls they have selected as part of their information security risk management (ISRM) program. Periodic risk assessment is not as easy as it sounds. Even as far back as 1999, the GAO notes that “reliably assessing information security risks can be more difficult than assessing other types of risks, because the data on the likelihood and costs associated with information security risk factors are often more limited and because risk factors are constantly changing” (GAO, 1999). It’s not possible to eliminate all risks, but organizations need to identify and achieve an acceptable level of information security risk that aligns with the organization’s overall risk tolerance. This means that the actions taken to remediate, mitigate, avoid, accept, transfer or otherwise manage risks (risk treatment) will require revision.
I get a great deal of push back from senior management on budget for periodic risk reassessment, but when a breach occurs they are the first to complain, never mind that they are trying to operate with outdated policies and procedures.
Regards, SueT
References
Curts, R.J. & Campbell, D.E. (2002). A Systems Engineering Approach to Information Assurance Operations. DOD Command and Control and Cyber Research Portal, International C2 Institute. Retrieved from http://www.dodccrp.org/events/2002_CCRTS/Tracks/pdf/002.PDF
GAO. (1999, November). Information Security Risk Assessment, Practices of Leading Organizations (GAO/AIMD-00-33). United States General Accounting Office, Accounting and Information Management Division. Retrieved from https://www.gao.gov/special.pubs/ai00033.pdf
Jacobs, S. (2016). Engineering Information Security, The Application of Systems Engineering Concepts to Achieve Information Assurance (2nd edition). IEEE Press, Institute of Electrical and Electronics Engineers, Inc. Hoboken, NJ: Wiley.