因为对手不断寻求破坏, cause harm and wreak havoc on complex digital assets, 澳门赌场官方下载必须进行战略规划, 设计和构建安全, 信任的系统. The ever-evolving cyberthreat landscape and the increased ubiquity of systems present significant challenges to engineers responsible for constructing these systems. The modern cyberthreat environment requires a different mindset to establish and maintain resiliency in emerging systems. 如果澳门赌场官方下载想在网络空间生存, they must tailor their approach to focus on the fundamental principles of cybersecurity risk management and the adverse impacts to the enterprise rather than solely emphasizing technology-specific trends and solutions.
克服技术无法克服的缺陷
Many security weaknesses and architectural design flaws are introduced during system engineering efforts. Although a common approach may be to identify these issues during the security testing process, 识别和评估风险, and plan technical security measures or solutions to remediate or mitigate the risk, there are more efficient solutions to address the root cause of these flaws. 在系统工程过程的早期, 在任何技术实现之前, enterprises should conduct a business impact analysis (BIA) as a preventive measure to define the business context, significance and a shared common understanding of the system's purpose and its intended outcomes.
The Role of a Business Impact Analysis During System Security Engineering
太频繁, systems are designed and implemented without a true understanding of the purpose of the system, its relationship to the enterprise and the adverse effects that could be realized through a security incident. 为了解决这个问题, during the initiation phase of a system engineering project, key stakeholders should conduct a BIA to formally define and communicate the mission and business functions and processes that the system-of-interest will be designed to support. Not only should mission and business processes be determined, but they should also be prioritized based on the value those services provide and the impact on both strategic and tactical objectives. There are many benefits of a BIA during a system's initiation phase as shown in 图1.
Figure 1—好处 of a BIA for Systems Engineering
|
启动过程域 |
好处 |
|
资产识别与估值 |
A BIA can help easily map the mission and business processes to the assets that support the delivery of those services. This is specifically useful for complex systems that are managed, maintained and operated by multiple internal and external parties. |
|
授权边界定义 |
The BIA can help define the scope of protection by allowing organizations to uniquely identify the assets that support each mission and business process, determine security responsibilities and ultimately ensure accountability for each component within the authorization boundary. |
|
风险评估 |
为风险评估做准备, enterprises can gain added value by leveraging the BIA to provide the business context behind system engineering initiatives and develop risk response strategies that optimize the success of mission and business processes. |
关键的外卖
人们对建筑精美的房屋的需求日益增长, resilient systems that can withstand the complex attacks that adversaries execute against them. Although there is often a significant focus on the technical aspects of system engineering, emphasizing the business context behind security initiatives may lead to systems with more balanced, 相应的安全级别. 澳门赌场官方下载s must remain vigilant about the scope and drivers behind mission and business processes to determine the consequences of a security incident and maintain traceability of system protection needs. 通过利用BIA, enterprises can better understand the security aspects of the problem and opportunity space, achieve a shared understanding of the mission and business context, 提供更大的, 相称的安全保护.
编者按: For further insights on this topic, read Hunter Sekara’s recent Journal article, “A Strategic Risk-Based Approach to Systems Security Engineering,” ISACA杂志,第2卷,2022.
ISACA杂志 今年满50岁! Celebrate with us—and do not forget you can still receive the print copy by visiting your 偏好中心 选择加入!
