Systems engineering

Systems engineering is a term for the application of engineering concepts to the design of large, complex application systems.

A system may be defined as the combination of elements or parts that work together to produce an output. In other words, systems are used to achieve an objective. In a system, parts or elements are interrelated.

Many organizations publish standards, models, principles, and practices pertaining to systems engineering. One of them is the International Council on Systems Engineering (INCOSE), a not-for-profit membership organization founded to develop and disseminate the interdisciplinary principles and practices that enable the realization of successful systems. The Software Engineering Institute (SEI) at Carnegie Mellon University develops and maintains a Capability Maturity Model (CMM) pertaining to software development process maturity.

According to INCOSE, Systems Engineering is an interdisciplinary approach and means to enable the realization of successful systems. It focuses on defining customer needs and the required functionality early in the development cycle, documenting requirements, then proceeding with design synthesis and system validation while considering the complete problem.

When a system is developed using systems engineering processes, the development activities follow a life cycle model known as the System Development Life Cycle (SDLC). Software development is one activity within system development life cycle models.

A system development life cycle model consists of many processes. It starts from establishing the needs (initiation) and runs to archiving or destruction (disposal).

The National Institute of Standards and Technology (NIST) Special Publication 800-14, titled Generally Accepted Principles and Practices for Securing Information Technology (IT) Systems, defines five phases of the system development life cycle.

The following diagram illustrates the five phases of the System Development Life Cycle as defined in NIST 800-14:

System Development Life Cycle

Initiation phase

The initiation phase establishes the need for the system and creates the associated documentation. A sensitivity assessment must be conducted at this phase; its scope covers the sensitivity of the information to be processed as well as the sensitivity of the system itself. The sensitivity assessment establishes the data protection needs of the developed or acquired system.

Development/acquisition phase

The second phase is the development/acquisition phase. During this phase, a system is designed, purchased, programmed, developed, or otherwise constructed. This phase requires three activities to be performed:

  • Determining security requirements
  • Incorporating security requirements into specifications
  • Obtaining the system and related security activities

Implementation phase

The third phase is the implementation phase. This phase emphasizes the testing and installation of the systems. There are very few primary requirements in this phase pertaining to security:

  • Installing and/or turning-on controls, such that security features are enabled and configured
  • Performing security testing on some particular parts of the system that are developed or acquired
  • Security testing the entire system
  • Obtaining system security accreditation

Operation/maintenance phase

The fourth phase is the operation/maintenance phase. In this phase the system is operational and performs its work, and it may be modified or upgraded based on the requirements.

Some of the important security considerations in this phase are as follows:

  • Security operations
  • Security administration
  • Operational assurance
  • Monitoring
  • Auditing

Disposal phase

The final phase in the system development life cycle is the disposal phase. This phase involves the disposition of information, hardware, and software.

Some of the security considerations in this phase are as follows:

  • Archiving and retrieval
  • Media sanitization