Outline - Georgia State University
Security Methodology
Richard Baskerville
Outline
• Security Method Design Theories
• Security Method Adaptation
Basic Design Theory in Secure Information Systems
Methodology
TFO Assumed in Many Security Method Designs
Figure: two diagrams. Left, T → O: the T nodes T1, T2, T3, T4 ... Tn are mapped directly to the O nodes O1, O2, O3 ... Om. Right, T → F → O: the same T nodes T1 ... Tn are mapped to F nodes F1, F2, F3 ... Fl, which in turn map to the O nodes O1 ... Om.
Security Design Methods
• CobIT - Governance
• Octave - Risk Learning (TFO)
• Generic - Cost-Benefit (TFO)
• NIST RMF - Risk-Centered Design
• ISO/IEC 27001 - Quality Improvement
• ITIL - Security as a Service
• CRAMM - Integrated Security (TFO)
Design Theories
CobIT Method Component
Design Theory: Governance
Figure: the CobIT process model. Business Objectives & IT Governance set Control Objectives in each of four domains (Plan & Organize; Acquire & Implement; Deliver & Support; Monitor & Evaluate), which are applied to IT Resources to produce Information.
Octave Method Component
Design Theory: Risk Learning (TFO)
Figure from Christopher Alberts, Audrey Dorofee, James Stevens, Carol Woody, Introduction to the OCTAVE® Approach, August 2003, Software Engineering Institute, http://www.cert.org/octave/pubs.html
Generic Security Design Model
Design Theory: Cost-Benefit (TFO)
1. Identify and evaluate system assets
2. Identify and evaluate threats
3. Identify possible controls
4. Risk analysis
5. Prioritize controls for implementation
6. Implement and maintain controls
Figure annotations on the flow: Scenarios; Checklists or Models
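The six steps of the generic model carried through in code, as an added example in Python (not code from the slides or from any of the named methods). It assumes the usual quantitative cost-benefit model, single loss expectancy (SLE) = asset value × exposure factor and annualized loss expectancy (ALE) = SLE × annualized rate of occurrence (ARO), and a constructed inventory of two assets, three threats and three candidate controls whose figures are illustrative. Step 5 is done greedily on marginal net benefit, so a control that looks worthwhile on its own can be rejected once an overlapping control has already been chosen.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # valuation in currency units (step 1)


@dataclass(frozen=True)
class Threat:
    name: str
    aro: float      # annualized rate of occurrence: expected events per year (step 2)
    exposure: dict  # asset name -> exposure factor, the fraction of value lost per event


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # cost of operating the control per year (step 3)
    aro_factor: dict    # threat name -> multiplier left on that threat's ARO (0.3 = 70% of events prevented)


def single_loss_expectancy(asset, threat):
    """SLE: loss from one occurrence of the threat against this asset."""
    return asset.value * threat.exposure.get(asset.name, 0.0)


def annualized_loss_expectancy(assets, threats, controls=()):
    """Step 4, risk analysis: ALE = sum over (asset, threat) of SLE x residual ARO.
    Every control in place multiplies the ARO of the threats it addresses."""
    total = 0.0
    for threat in threats:
        residual_aro = threat.aro
        for control in controls:
            residual_aro *= control.aro_factor.get(threat.name, 1.0)
        for asset in assets:
            total += single_loss_expectancy(asset, threat) * residual_aro
    return total


def prioritize_controls(assets, threats, candidates):
    """Step 5: greedy cost-benefit selection. Each round adds the control with the
    largest positive marginal net benefit (ALE reduction minus annual cost), recomputed
    against the controls already chosen so two controls covering the same threat are
    not credited twice. Returns the ordered plan and the residual ALE."""
    chosen, remaining, plan = [], list(candidates), []
    current_ale = annualized_loss_expectancy(assets, threats, chosen)
    while remaining:
        best, best_net, best_ale = None, 0.0, current_ale
        for control in remaining:
            ale = annualized_loss_expectancy(assets, threats, chosen + [control])
            net = (current_ale - ale) - control.annual_cost
            if net > best_net:
                best, best_net, best_ale = control, net, ale
        if best is None:
            break  # no remaining control pays for itself
        chosen.append(best)
        remaining.remove(best)
        plan.append({"control": best.name,
                     "ale_reduction": round(current_ale - best_ale, 2),
                     "annual_cost": best.annual_cost,
                     "net_benefit": round(best_net, 2)})
        current_ale = best_ale
    return plan, round(current_ale, 2)


# Constructed inventory (illustrative figures, not from the slides).
ASSETS = [Asset("customer-db", 500_000), Asset("web-server", 50_000)]
THREATS = [
    Threat("ransomware", aro=0.5, exposure={"customer-db": 0.6, "web-server": 0.4}),
    Threat("web-defacement", aro=2.0, exposure={"web-server": 0.1}),
    Threat("disk-failure", aro=0.25, exposure={"customer-db": 0.2}),
]
CONTROLS = [
    Control("offline-backups", annual_cost=20_000, aro_factor={"ransomware": 0.3, "disk-failure": 0.2}),
    Control("edr", annual_cost=40_000, aro_factor={"ransomware": 0.4}),
    Control("waf", annual_cost=30_000, aro_factor={"web-defacement": 0.25}),
]

if __name__ == "__main__":
    print("baseline ALE:", annualized_loss_expectancy(ASSETS, THREATS))
    for control in CONTROLS:  # each control judged on its own
        print(control.name, "alone ->", annualized_loss_expectancy(ASSETS, THREATS, [control]))
    plan, residual = prioritize_controls(ASSETS, THREATS, CONTROLS)
    print("plan:", plan, "residual ALE:", residual)
```

With the constructed figures the baseline ALE is 195,000. Judged alone, offline backups net 112,000 a year and EDR nets 56,000, so a checklist approach would buy both; the greedy step chooses backups first, after which EDR's remaining reduction (28,800) no longer covers its 40,000 cost, and the plan ends with backups only and a residual ALE of 63,000. The WAF never pays for itself against a 10,000 defacement exposure.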
NIST Risk Management Framework
Design Theory: Risk-Centered Security Design
Figure: Tiered Risk Management Approach, from NIST SP 800-37 Rev 1
NIST Risk Management Framework
Design Theory: Risk Centered Cybersecurity
Figure: NIST Framework for Improving Critical Infrastructure Cybersecurity, Framework Core: Notional Information and Decision Flows within an Organization
ISO/IEC 27001
This standard has evolved toward the development of management systems for information security and provides a stronger basis for third-party audit and certification. It offers a managerially-oriented complement to the technologically-oriented ISO/IEC 27002.
Design Theory: Cybersecurity Quality Improvement
Structure of the Information Security Management System (ISMS)
• Leadership - top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities.
• Planning - outlines the process to identify, analyze and plan to treat information security risks, and clarifies the objectives of information security.
• Support - adequate, competent resources must be assigned, awareness raised, documentation prepared and controlled.
• Operation - assessing and treating information security risks, managing changes, and documenting the work (partly so that it can be audited by the certification auditors).
• Performance evaluation - monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system in order to make systematic improvements where appropriate.
• Improvement - address the findings of audits and reviews (e.g. nonconformities and corrective actions), and make continual refinements to the ISMS.
ISO 27001
From: http://www.iso27001security.com/html/27001.html
ITIL (IT Infrastructure Library)
• Best practices and guidelines for managing information technology services
• Integrated, process-based approach
• Originated in a 1980s UK government drive
• Focus on quality, efficient, cost-effective delivery of IT services
Design Theory: Security as a Service
Major ITIL Components
• Software asset management
• Service support
• Service delivery
• Planning to implement service management
• ICT infrastructure management
• Application management
• Security management
• The business perspective
ITIL Structure
Figure: the ITIL "Best Practices" publication structure
ITIL Security Service
Figure: the security management flow between the Customer and the IT Service Org.
Initial Security Effort: Risk Analysis → Security Requirements (Minimum Security Baseline) → Requirements Feasibility Analysis → Negotiate & Define SLA (with the Customer) → SLA → Negotiate & Define OLA (within the IT Service Org.) → OLA → Implement → Monitor → Report → Modify
adapted from Weil, Steven (2004), "How ITIL Can Improve Information Security", SecurityFocus, http://www.securityfocus.com/infocus/1815
CRAMM
Design Theory: Integrated Security (TFO)
CCTA Risk Analysis and Management Method
Figure: the CRAMM cycle: Assets, Threats, Vulnerabilities, Risks, Countermeasures, Implementation, Audit
CRAMM: Asset identification and valuation
• Identify and value physical/hardware, software, data & location assets
• Value physical asset replacement cost
• Value data and software impacts if unavailable, destroyed, disclosed or modified
CRAMM: Threat and vulnerability assessment
• Identify likelihood and calculate underlying or actual risk of deliberate and accidental threats, e.g.,
– Hacking
– Viruses
– Failures of equipment or software
– Wilful damage or terrorism
– Errors by people
CRAMM: Countermeasure selection and recommendation
• Library of 3000 countermeasures in 70 logical groupings
• CRAMM compares each risk measure with the countermeasures' security levels
• Automated vulnerability-countermeasure matching
• Sufficient risks justify particular countermeasures
• Includes backtracking, What If?, prioritization, and reporting
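The three CRAMM stages above (asset valuation, threat and vulnerability assessment, countermeasure matching with backtracking and What If?) as an added example in Python. This is not CRAMM's own code or data: the risk table that combines asset value, threat level and vulnerability into a 1..7 risk measure is an assumed illustrative one, and the four-item risk register and four-entry countermeasure library are constructed. What it shows is the matching rule (a countermeasure is recommended when a risk it addresses reaches its security level), the justification trail behind each recommendation, and how re-scoring after one countermeasure changes what the others are justified by.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskItem:
    """One asset/threat pair with the three inputs to the risk measure."""
    asset: str
    threat: str
    asset_value: int    # 1..10 asset valuation (assumed scale)
    threat_level: int   # 1..5 likelihood of the threat (assumed scale)
    vulnerability: int  # 1..3 extent of the vulnerability to that threat (assumed scale)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    group: str           # logical grouping in the library
    threats: frozenset   # threats the countermeasure addresses
    security_level: int  # 1..7: minimum risk measure that justifies it
    reduces: str         # "threat" or "vulnerability": which input it lowers
    by: int              # how many levels it lowers that input


def risk_measure(item):
    """Assumed risk table (illustrative, not CRAMM's published matrices): band the
    asset value into 1..4, add threat and vulnerability levels, clamp to 1..7."""
    band = (item.asset_value + 2) // 3
    raw = band + item.threat_level + item.vulnerability - 2
    return max(1, min(7, raw))


def match_countermeasures(items, library):
    """Automated matching: a countermeasure is recommended when it addresses the
    pair's threat and the pair's risk measure reaches its security level. The value
    keeps the justifying (asset, threat, risk) triples, i.e. the backtracking trail."""
    recommended = {}
    for item in items:
        risk = risk_measure(item)
        for cm in library:
            if item.threat in cm.threats and risk >= cm.security_level:
                recommended.setdefault(cm.name, []).append((item.asset, item.threat, risk))
    return recommended


def what_if(items, cm):
    """What If?: re-score every pair as though cm were implemented. Levels never
    drop below 1, so a strong countermeasure cannot push a risk off the scale."""
    out = []
    for item in items:
        if item.threat in cm.threats:
            if cm.reduces == "threat":
                item = replace(item, threat_level=max(1, item.threat_level - cm.by))
            else:
                item = replace(item, vulnerability=max(1, item.vulnerability - cm.by))
        out.append(item)
    return out


def prioritize(recommended):
    """Order recommended countermeasures by the highest risk they address, then by
    how many pairs justify them, then by name for a stable report."""
    return sorted(recommended, key=lambda n: (-max(r for _, _, r in recommended[n]),
                                              -len(recommended[n]), n))


# Constructed risk register and library (illustrative, not CRAMM's data).
ITEMS = [
    RiskItem("customer-db", "hacking", asset_value=9, threat_level=4, vulnerability=3),
    RiskItem("customer-db", "equipment-failure", asset_value=9, threat_level=2, vulnerability=2),
    RiskItem("web-server", "hacking", asset_value=4, threat_level=4, vulnerability=2),
    RiskItem("hr-files", "people-error", asset_value=5, threat_level=3, vulnerability=1),
]
LIBRARY = [
    Countermeasure("network-ids", "Network Security", frozenset({"hacking"}), 6, "vulnerability", 1),
    Countermeasure("patch-management", "System Security", frozenset({"hacking"}), 4, "vulnerability", 2),
    Countermeasure("redundant-hardware", "Continuity", frozenset({"equipment-failure"}), 6, "threat", 2),
    Countermeasure("awareness-training", "Personnel", frozenset({"people-error"}), 3, "threat", 1),
]

if __name__ == "__main__":
    now = match_countermeasures(ITEMS, LIBRARY)
    for name in prioritize(now):
        print(name, "justified by", now[name])
    after = match_countermeasures(what_if(ITEMS, LIBRARY[1]), LIBRARY)
    print("after patch-management, network-ids justified by", after.get("network-ids"))
```

On the constructed register the equipment-failure risk scores 5, below the level 6 that redundant hardware requires, so it is not recommended (insufficient risk). Network IDS is justified by both hacking pairs (risks 7 and 6); the What If? run with patch management in place lowers those to 6 and 5, after which only the customer database still justifies the IDS.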
Security Method Adaptation
Simple Action Research Approach
Types of Method Fragments    Examples
Roles                        CIO; Security Analyst; Project Manager
Information Structures       Inventories; Analyses; Recommendations
Processes                    Linear; Life-cycle; Iterative
Events                       Milestones; Triggers
Criteria                     Quantitative; Qualitative
Adopting/Adapting/Adjusting Methods
Figure: for each fragment type (Roles, Info Structures, Processes, Events, Criteria) the method designer either Adopts the fragment as is, Adapts it, Substitutes one from a different method, or Invents & substitutes a new one.