
Outline - Georgia State University

Security Methodology

Richard Baskerville

Outline

• Security Method Design Theories

• Security Method Adaptation

Basic Design Theory in Secure Information Systems

Methodology

TFO Assumed in Many Security Method Designs

[Diagram: a set T1, T2, T3, T4 ... Tn mapped directly onto a set O1, O2, O3 ... Om (the T-O form), beside the same T-set mapped onto O1 ... Om through an intermediate set F1, F2, F3 ... Fl (the T-F-O form).]

Security Design Methods

• CobIT - Governance

• Octave - Risk Learning (TFO)

• Generic - Cost-Benefit (TFO)

• NIST RMF - Risk-Centered Design

• ISO/IEC 27001 - Quality Improvement

• ITIL - Security as a Service

• CRAMM - Integrated Security (TFO)

Design Theories


CobIT Method Component

Design Theory: Governance

[Diagram: Business Objectives & IT Governance drive a cycle of four domains, Plan & Organize, Acquire & Implement, Deliver & Support, and Monitor & Evaluate, each carrying its own Control Objectives; the domains act on IT Resources to produce Information.]

Octave Method Component

Design Theory: Risk Learning (TFO)

(Figure from Christopher Alberts, Audrey Dorofee, James Stevens, Carol Woody, Introduction to the OCTAVE® Approach, August 2003, Software Engineering Institute, http://www.cert.org/octave/pubs.html)

Generic Security Design Model

Design Theory: Cost-Benefit (TFO)

• Identify and evaluate system assets

• Identify and evaluate threats

• Identify possible controls

• Risk analysis

• Prioritize controls for implementation

• Implement and maintain controls

Also labelled on the diagram: Scenarios; Checklists or Models
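The six steps above form one procedure, and the cost-benefit design theory only becomes concrete once assets, threats and controls are given numbers. The following is an added worked example, not code from the lecture or from any of the methods it surveys: it carries the procedure through with the classic annualised loss expectancy model (ALE = asset value x exposure factor x annual rate of occurrence), which is an assumption the slides leave open. The assets, threats, controls and every figure are constructed sample data.

```python
"""Cost-benefit prioritisation of security controls.

Added worked example for the generic security design model (identify
assets, identify threats, identify controls, risk analysis, prioritise,
implement). Not code from the lecture. All inventory data below is
constructed, and the ALE model is an assumption.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    name: str
    value: float          # value at risk, in currency units


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str            # name of the Asset this threat acts on
    aro: float            # annualised rate of occurrence (events per year)
    exposure: float       # fraction of the asset value lost per event, 0..1


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # threat name -> fraction by which this control cuts that threat's ARO
    aro_reduction: dict = field(default_factory=dict)


def ale(threat, assets):
    """Annualised loss expectancy of one threat before any control."""
    return assets[threat.asset].value * threat.exposure * threat.aro


def total_ale(threats, assets, controls=()):
    """Sum of ALE over all threats once the given controls are in place.
    Several controls on one threat compound multiplicatively (assumption:
    their effects are independent)."""
    total = 0.0
    for t in threats:
        remaining = 1.0
        for c in controls:
            remaining *= 1.0 - c.aro_reduction.get(t.name, 0.0)
        total += ale(t, assets) * remaining
    return total


def prioritise(assets, threats, candidates):
    """Greedy cost-benefit selection: add the control with the largest
    marginal net benefit (ALE removed minus annual cost), recompute the
    residual risk, and stop when no remaining control pays for itself.
    Returns the implementation plan as (control name, net annual benefit)."""
    chosen, plan, remaining = [], [], list(candidates)
    while remaining:
        base = total_ale(threats, assets, chosen)
        best, best_net = None, 0.0
        for c in remaining:
            net = base - total_ale(threats, assets, chosen + [c]) - c.annual_cost
            if net > best_net:
                best, best_net = c, net
        if best is None:          # nothing left with a positive net benefit
            break
        chosen.append(best)
        remaining.remove(best)
        plan.append((best.name, round(best_net, 2)))
    return plan


# Constructed sample inventory (not real figures).
ASSETS = {a.name: a for a in [Asset("customer database", 1_000_000),
                              Asset("public web server", 200_000)]}
THREATS = [
    Threat("sql injection", "customer database", aro=0.5, exposure=0.4),        # ALE 200,000
    Threat("ransomware", "customer database", aro=0.2, exposure=0.8),           # ALE 160,000
    Threat("denial of service", "public web server", aro=2.0, exposure=0.05),   # ALE 20,000
]
CANDIDATES = [
    Control("web application firewall", 30_000, {"sql injection": 0.7, "denial of service": 0.5}),
    Control("offline backups", 20_000, {"ransomware": 0.9}),
    Control("secure code review", 90_000, {"sql injection": 0.6}),
    Control("ddos scrubbing service", 50_000, {"denial of service": 0.95}),
]


def example_plan():
    """Run the model on the sample data."""
    return prioritise(ASSETS, THREATS, CANDIDATES)


if __name__ == "__main__":
    print("total ALE with no controls:", total_ale(THREATS, ASSETS))
    for name, net in example_plan():
        print(f"implement {name}: net annual benefit {net:,.0f}")
```

The greedy loop matters: once the firewall has removed most of the SQL injection exposure, secure code review no longer covers its own cost, so a plan built from first-round benefits alone would over-spend. The same recomputation is what a "what if" question in a risk tool does when a control is assumed in place.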

NIST Risk Management Framework

Design Theory: Risk-Centered Security Design

Tiered Risk Management Approach (figure from NIST SP 800-37 Rev 1: Tier 1 organization, Tier 2 mission/business processes, Tier 3 information systems)


NIST Risk Management Framework

Design Theory: Risk Centered Cybersecurity

NIST Framework for Improving Critical Infrastructure Cybersecurity

[Figure: Framework Core; Notional Information and Decision Flows within an Organization]

ISO/IEC 27001

This standard has evolved toward the development of management systems for information security and provides a stronger basis for third-party audit and certification. It offers a managerially oriented complement to the technologically oriented ISO/IEC 27002.

Design Theory: Cybersecurity Quality Improvement

Structure of the Information Security Management System (ISMS)

• Leadership - top management must demonstrate leadership and

commitment to the ISMS, mandate policy, and assign information security

roles, responsibilities and authorities.

• Planning - outlines the process to identify, analyze and plan to treat information security risks, and clarify the objectives of information security.

• Support - adequate, competent resources must be assigned, awareness raised, documentation prepared and controlled.

• Operation - a bit more detail about assessing and treating information security risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors).

• Performance evaluation - monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system in order to make systematic improvements where appropriate.

• Improvement - address the findings of audits and reviews (e.g. nonconformities and corrective actions), make continual refinements to the ISMS.

ISO 27001

From: http://www.iso27001security.com/html/27001.html


ITIL (IT Infrastructure Library)

• Best practices and guidelines for managing information technology services

• Integrated, process-based approach

• Originated as a 1980s UK government drive

• Focus on quality, efficient, cost-effective delivery of IT services

Design Theory: Security as a Service

Major ITIL Components

• Software asset management

• Service support

• Service delivery

• Planning to implement service management

• ICT infrastructure management

• Application management

• Security management

• The business perspective

ITIL Structure

“Best Practices”

ITIL Security Service

[Diagram: Initial Security Effort (Risk Analysis) -> Security Requirements / Minimum Security Baseline -> Requirements Feasibility Analysis -> Negotiate & Define SLA (with the Customer) -> Negotiate & Define OLA (with the IT Service Org.) -> Implement -> Monitor -> Report -> Modify]

adapted from Weil, Steven (2004) "How ITIL Can Improve Information Security", Security Focus (http://www.securityfocus.com/infocus/1815)


CRAMM

Design Theory: Integrated Security (TFO)

CCTA Risk Analysis and Management Method

[Diagram: Assets and Threats -> Vulnerabilities -> Risks -> Countermeasures -> Implementation -> Audit]

CRAMM: Asset identification and valuation

• Identify and value physical/hardware, software, data and location assets

• Value physical assets at replacement cost

• Value data and software by the impact if unavailable, destroyed, disclosed or modified

CRAMM: Threat and vulnerability assessment

• Identify the likelihood of deliberate and accidental threats and calculate the underlying (or actual) risk, e.g.,

– Hacking

– Viruses

– Failures of equipment or software

– Wilful damage or terrorism

– Errors by people

CRAMM: Countermeasure selection and recommendation

• Library of 3000 countermeasures in 70 logical groupings

• CRAMM compares risk measures with the security level of each countermeasure

• Automated vulnerability-countermeasure matching

• Sufficient risk justifies particular countermeasures

• Includes backtracking, What If? analysis, prioritization, and reporting
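The three CRAMM stages (asset valuation, threat and vulnerability assessment, countermeasure selection with backtracking and What If?) are easier to see as one pipeline than as separate slides. The following is an added example, not CRAMM's code and not its published tables: the asset bands, the risk matrix, the 1..7 risk measure, the countermeasure library and the findings are all constructed assumptions that only mimic the shape of the method, namely ordinal inputs combined into a risk measure, and a countermeasure justified when that measure reaches the countermeasure's security level.

```python
"""CRAMM-style risk measures and countermeasure matching.

Added example for the CRAMM stages; not CRAMM's own code or tables.
Scales, matrix, library and findings below are constructed assumptions.
"""
THREAT_LEVEL = {"very low": 0, "low": 1, "medium": 2, "high": 3, "very high": 4}
VULN_LEVEL = {"low": 0, "medium": 1, "high": 2}


def risk_measure(asset_value, threat, vulnerability):
    """Combine an asset value (1..10) with ordinal threat and vulnerability
    levels into a risk measure on a 1..7 scale. The banding and clamp are
    an assumed matrix, not CRAMM's published one."""
    if not 1 <= asset_value <= 10:
        raise ValueError("asset value must be on the 1..10 scale")
    band = 1 if asset_value <= 3 else 2 if asset_value <= 7 else 3
    raw = band + THREAT_LEVEL[threat] + VULN_LEVEL[vulnerability]   # 1..9
    return max(1, min(7, raw - 2))


# Constructed stand-in for the countermeasure library: each entry names the
# vulnerabilities it addresses and the security level (risk measure) at
# which it becomes justified.
LIBRARY = [
    {"name": "patch management", "group": "software integrity", "level": 2,
     "addresses": {"unpatched software"}},
    {"name": "application allow-listing", "group": "software integrity", "level": 5,
     "addresses": {"unpatched software"}},
    {"name": "multi-factor authentication", "group": "access control", "level": 3,
     "addresses": {"weak authentication"}},
    {"name": "off-site backups", "group": "continuity", "level": 2,
     "addresses": {"no tested backup"}},
    {"name": "hot standby site", "group": "continuity", "level": 6,
     "addresses": {"no tested backup"}},
]


def assess(assets, findings):
    """Threat and vulnerability assessment: one risk record per finding.
    A finding is (asset, threat, threat level, vulnerability, vuln level)."""
    return [{"asset": a, "threat": t, "vulnerability": v,
             "risk": risk_measure(assets[a], tl, vl)}
            for a, t, tl, v, vl in findings]


def recommend(risks, library=LIBRARY):
    """Vulnerability-countermeasure matching: a countermeasure is recommended
    when some risk record on a vulnerability it addresses reaches its level.
    The justifying records are kept so a recommendation can be backtracked
    to the asset and threat that caused it."""
    recs = {}
    for cm in library:
        justified = [(r["asset"], r["threat"], r["risk"]) for r in risks
                     if r["vulnerability"] in cm["addresses"] and r["risk"] >= cm["level"]]
        if justified:
            recs[cm["name"]] = {"group": cm["group"], "level": cm["level"],
                                "justified_by": justified}
    return recs


def prioritise(recs):
    """Order recommendations by the highest risk measure that justified them."""
    return sorted(recs, key=lambda n: max(r for _, _, r in recs[n]["justified_by"]),
                  reverse=True)


def what_if(assets, findings, **new_threat_levels):
    """What If? analysis: rerun the assessment with some threat levels changed
    (keyword is the threat name, value the new level) and rematch."""
    changed = [(a, t, new_threat_levels.get(t, tl), v, vl) for a, t, tl, v, vl in findings]
    return recommend(assess(assets, changed))


# Constructed sample findings.
ASSETS = {"customer database": 9, "marketing website": 3}
FINDINGS = [
    ("customer database", "hacking", "high", "weak authentication", "high"),
    ("customer database", "ransomware", "medium", "no tested backup", "medium"),
    ("marketing website", "hacking", "medium", "unpatched software", "medium"),
    ("customer database", "virus", "low", "unpatched software", "low"),
]


def example_recommendations():
    return recommend(assess(ASSETS, FINDINGS))


if __name__ == "__main__":
    recs = example_recommendations()
    for name in prioritise(recs):
        print(name, recs[name])
    print("if ransomware becomes very high:",
          sorted(what_if(ASSETS, FINDINGS, ransomware="very high")))
```

Keeping the justifying (asset, threat, risk) triples on each recommendation is what makes backtracking possible: an auditor can ask why a hot standby site appears in the plan and get the specific finding that pushed the risk measure past its level. The What If? path shows the other direction, the plan changing when a threat level is revised.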


Security Method Adaptation

Simple Action Research Approach

Types of Method Fragments and Examples

Roles: CIO, Security Analyst, Project Manager

Information Structures: Inventories, Analyses, Recommendations

Processes: Linear, Life-cycle, Iterative

Events: Milestones, Triggers

Criteria: Quantitative, Qualitative

Adopting/Adapting/Adjusting Methods

[Diagram: for each fragment type (Roles, Info Structures, Processes, Events, Criteria) the options are Adopt, Adapt, Substitute from a different method, or Invent & substitute.]
