Engineering Principles for Information Technology Security (A Baseline for Achieving Security)

1. Abdillahi Abdirizak Sheikh Adan

To aid in designing a secure information system, NIST compiled a set of engineering principles
for system security. These principles provide a foundation upon which a more consistent and
structured approach to the design, development, and implementation of IT security capabilities
can be constructed.
While the primary focus of these principles is the implementation of technical controls, these
principles highlight the fact that, to be effective, a system security design should also consider
non-technical issues, such as policy, operational procedures, and user education and training.
The principles described here do not apply to all systems at all times. Yet, each principle should
be carefully considered throughout the life-cycle of every system. Moreover, because of the
constantly changing information system security environment, the principles identified are not
considered to be a static, all-inclusive list. Instead, this document is an attempt to present in a
logical fashion fundamental security principles that can be used in today’s operational
environments. As technology improves and security techniques are refined, additions, deletions,
and refinement of these security principles will be required.
Each principle has two components. The first is a table that indicates where the principle should
be applied during the system life-cycle. The second is an explanatory narrative further
amplifying the principle.
The five life-cycle planning phases used are defined in the Generally Accepted Principles and
Practices for Securing Information Technology Systems, SP 800-14:
• Initiation Phase
• Development/Acquisition Phase
• Implementation Phase
• Operation/Maintenance Phase
• Disposal Phase.