Operations Security - The Preliminary System Concept of Operations
Exam: ISC CISSP - Certified Information Systems Security Professional
Operations Security
The Preliminary System Concept of Operations (CONOPS)
The Preliminary System CONOPS is the first step in compiling the system context and system requirements into an initial document. The purpose of a System CONOPS is to bridge the gap between the user's needs and visions and the developer's technical specifications. The CONOPS is different from the system specification, which is a formal statement of what the system must do and is written for the developers.
According to Fairley and Thayer (1996), a CONOPS is a user-oriented document that describes system characteristics for a proposed system from the users' viewpoint. IEEE Std 1362-1998 (1998) defines the CONOPS as an opportunity to communicate, in written form, the overall quantitative and qualitative system characteristics to the user, buyer, developer, and other organizational elements. It describes the existing system, operational policies, classes of users, interactions among users, and organizational objectives from an integrated systems point of view. The CONOPS should describe, in user's terminology, what the system should do to meet the users' needs for the system.
Kossiakoff and Sweet (2003) define the CONOPS as an extension of the operational requirements that adds constraints and expresses the customer's expectation for the anticipated system development. They identify four components of a CONOPS (p. 147):
- Mission descriptions, with success criteria
- Relationships with other systems or entities
- Information sources and destinations
- Other relationships or constraints
The CONOPS defines the general approach, not a specific implementation, to the desired system. In this way, the CONOPS clarifies the intended goal of the system. CONOPS includes the following provisions and definitions:
- The systems analysis discussion will later cover ways and approaches of describing a user's current situation and operational needs without going deep into technical details.
- To perform all necessary job functions comfortably and with utmost efficiency, the system needs to have an efficient mechanism for documenting characteristics, the user's operational needs, and current status reports. This mechanism should not require any additional knowledge from the user.
- A space where users can state their needs, vision, and expectations for the system is required. These needs should be measured with quantified specifications. For example, if a user is talking about having a 'reliable system', there have to be testable reliability requirements.
An important ingredient of a CONOPS is that it should not reflect design detail. The design of the system starts to occur in Phase 3, designing the System Architecture. Although it is not supposed to happen, in some instances it may not be possible to exclude some system design from the preliminary CONOPS. Thus, the SE and ISSEP should remain flexible in their approach. If necessary, the CONOPS can contain design strategies that are helpful in clarifying operational details of the proposed system.