DEVELOPMENT OF INFORMATION SYSTEM SECURITY REQUIREMENTS FROM A SYSTEMS ENGINEERING PERSPECTIVE

Modern systems, regardless of their design or purpose, rely on a wide variety of mission assets and resources. One of those assets, information (specifically for this paper, data information) may require protection due to its sensitive nature. If security is necessary, then the system developer may need to identify security services (such as confidentiality) and may require protection mechanisms (such as encryption) to be included as part of the overall system design and development. Information System Security (INFOSEC) requirements should be an integral part of the systems engineering process. In the systems engineering process, the initial activity is the identification of requirements. That is also the topic for security requirements, i.e., determining what data needs to be protected. Further development of related topics follows and includes threat assessment, policy and doctrinal (procedural) guidance, and risk analysis. These security‐related concepts contribute to the identification of system security objectives, e.g., the mission data that requires protection in accordance with the postulated threat and applicable policy guidance. Finally, doctrinal and technology concepts are presented such that architectural decisions can be made to implement security mechanisms for the system security requirements.