Information Systems Security Engineering (ISSE) is the art and science of discovering users’ information protection needs and then designing and making information systems, with economy and elegance, so they can safely resist the forces to which they may be subjected. The ISSE process should be an integral part of systems engineering (SE) and should support certification and accreditation (C&A) processes, such as the DITSCAP and DIACAP.
Discover Information Protection Needs is the first activity of the ISSE process. I-Assure will perform the following tasks:
Develop an understanding of the customer’s mission or business.
Help the customer determine what type of information management is needed to support the mission or business.
Create an information management model based on customer needs.
Document the results as the basis for defining information systems that will satisfy the customer’s needs.
In this activity, I-Assure will consider one or more solution sets that can meet the information protection needs expressed by the customer. With customer involvement, one solution set is chosen and its system context, CONOPS, and requirements are documented. This activity can result in the need to modify existing systems or to develop more than one target system.
In Design System Architecture, I-Assure executes functional decomposition, choosing the types of components that will perform specific system functions. I-Assure will analyze functions by decomposing higher-level functions identified through requirements analysis into lower-level functions. The performance requirements associated with the higher-level functions are allocated to the lower-level functions. The result is a description of the product or item in terms of what it does logically and in terms of the performance required. Our analysis includes candidate system architectures, function and process, interfaces (internal and external), elements (components), information transfers, environments, and users/accesses.
The development of the information protection design is iterative, involving interactions between the SE and ISSE teams and between systems and component engineers within the teams. Decisions leading to the recommended design involve continuous assessments by the I-Assure team to compare the expected risk with the system security requirements.
In Develop Detailed Security Design, I-Assure will ensure compliance with the security architecture, perform trade-off studies, and define system security design elements, including:
Allocating security mechanisms to system security design elements.
Identifying candidate commercial off-the-shelf (COTS)/government off-the-shelf (GOTS) security products.
Identifying custom security products.
Qualifying element and system interfaces (internal and external).
Developing specifications (e.g., Common Criteria protection profiles).
The objective of the Implement System SE activity is to acquire, integrate, configure, test, document, and train. Implement System moves the system from design to operations. This activity concludes with a final system effectiveness assessment in which evidence is presented that the system complies with the requirements and satisfies the mission needs. Issues across all SE primary functions must be considered and any interdependency or trade-off issues resolved.
During Implement Systems Security, I-Assure provides:
Inputs to C&A process activities.
Verification that the system as implemented does protect against the threats identified in the original threat assessment.
Tracking of, or participation in, application of information protection assurance mechanisms related to system implementation and testing practices.
Inputs to and review of evolving system life cycle support plans, operational procedures, and maintenance training materials.
A formal information protection assessment in preparation for the final system effectiveness assessment.
Participation in the multidisciplinary examination of all system issues.
These efforts and the information each produces support the final system effectiveness assessment. Security accreditation approval typically occurs shortly after the conclusion of the final system effectiveness assessment. I-Assure will help configure the components to ensure that the security features are enabled and the security parameters are set to provide the required security services.