SA-08 Security Engineering Principles

Control: The organization designs and implements the information system using security engineering principles.

Supplemental Guidance: NIST Special Publication 800-27 provides guidance on engineering principles for information system security. The application of security engineering principles is primarily targeted at new development information systems or systems undergoing major upgrades and is integrated into the system development life cycle. For legacy information systems, the organization applies security engineering principles to system upgrades and modifications, to the extent feasible, given the current state of the hardware, software, and firmware components within the system.

Control Enhancements: (0) None.

Baseline: LOW Not Selected MOD SA-8 HIGH SA-8

Family: System And Services Acquisition

Class: Management

ISO 17799 mapping: 12.1

COBIT 4.1 mapping: AI2.4

PCI-DSS v2 mapping: 6.3