Establish and document security engineering guidelines for information system engineering. Design security on each level and analyze new technology for security purposes. Principles should include safe session controls, valid data, and authentication techniques. Analyze each security control, their capabilities, any needed controls required by business processes, places needing security controls, and how to enact them. Consider integrating with security architecture, including technical security. Take into account the organization’s capability to support technology, its costs, the time available, complexity, and existing best practices. Use security-specific reviews of the design, documentation, official recognition of controls, and system hardening. Consider “no trust” guidelines such as never trusting and always verifying access, encrypting requests, using least privilege, and always authenticating and validating. Apply principles to outsourced development and regularly review to combat potential threats and remain applicable to technology advances.