Monday, August 22, 2005

More on System Security Engineering - AFI 31-207

AFI 31-207, System Security Engineering, was rescinded on 15 July 98. Guidelines for System Security Engineering can be found in Chapter 3 of the AFPAM 63-1701.


I haven't found a lot of information on what System Security Engineers actually do. Sometimes it seems like the field isn't quite nailed down, since we do everything from penetration tests to business plans to acquisition system security.

Here is a formal description from chapter 3 of the AFPAM 63-1701 (1701 is a combination of some of the information previously contained in AFI 31-701, Program Protection Planning, AFI 31-702, System Security Engineering, and AFI 31-703, Product Security):


According to AFPAM 63-1701, the purpose of System Security Engineers (SSE) is to eliminate, reduce, or control, through engineering and design, any characteristics that could result in the deployment of systems with operational security deficiencies.


Here are some of the things I've had to do as a System Security Engineer:

- SYSTEM SECURITY AUTHORIZATION AGREEMENT (SSAA)
- INFORMATION SUPPORT PLAN
- Security documentation for Information System Security Officers
- PROGRAM PROTECTION PLAN
- CONSULT ON SECURITY ISSUES FOR SMC PM’S SYSTEM ENGINEERS
- PROVIDE ON-SITE ISSO TRAINING
- MAINTAIN TCNO DATABASE
- Security Tests and Evaluation (ST&E - write the plan and implement it)
- Certification Test and Evaluation (CT&E)
- Vulnerability Assessments (network etc)
- Physical Security Assessment


What kind of knowledge and skills does an SSE need?

Strong understanding of security, of course. I've noticed that only about 50% of the SSEs have degrees, but ALL have solid experience in the fields of physical security, information security, personnel security, and/or network/computer security. Prior military are often drawn to this field because servicemen are usually groomed for nearly every aspect of security and safety as a basic part of their job.

Strong written and oral skills are needed as much as the understanding of security, as SSEs often make very detailed, documented assessments of multimillion-dollar systems and facilities and do presentations for managers and executives.


What kind of degrees and certifications do SSEs have?

Computer degrees such as BS/IT, BS/EE, Computer Science, and Information System degrees are the norm. But with universities creating all these new Information Assurance/Security degrees, I imagine the bar will be raised in the next 5-6 years. Experience will always outweigh a degree.

Without a degree and/or a lot of experience, an SSE can definitely get by on a Certified Information System Security Professional (CISSP) certification and some experience in a security-related field. The ultimate certification for an SSE is an ISSEP, the Information System Security Engineering Professional certification from ISC2. Although this is one of the most prestigious certifications that an SSE can achieve, there are other technical and security certs and licenses that could help enhance a resume. Security Resource manager training (for example) would be a great bullet to put on a resume, although they do all physical security.

The types of certs, degrees and background you need are really dependent on the type of job you are going for. CISSP is such an all-encompassing security certification (covering everything from circumstantial evidence to SSL) that as an SSE, you cannot go wrong with it.

Other things SSEs do:

As mentioned above, I've been tasked to do an Information Support Plan (ISP), which is like a Business Continuity Plan. This is a management-type document, but since security, risk and vulnerability assessments have such an important role in the ISP, it is natural that an SSE be tasked to do one.

I've also been tasked to do penetration testing, which involves hacking a system to see what kind of security features are effectively implemented on a system.