Security Methodology - J. Mack Robinson College of Business · Security Method Design Theories...


Post on 11-Aug-2020

Page 1: Security Methodology - J. Mack Robinson College of Business · PSecurity Method Design Theories PSecurity Method Adaptation Outline. 3 Basic Design Theory in Secure Information Systems

1

Security Methodology

Richard Baskerville

Georgia State University

2

Outline

• Security Method Design Theories
• Security Method Adaptation

3

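Basic Design Theory in Secure Information Systems Methodology

TFO Assumed in Many Security Method Designs

[Figure: two diagrams. First diagram (T O): labels T1, T2, T3, T4, ... Tn and O1, O2, O3, ... Om. Second diagram (T F O): labels T1, T2, T3, T4, ... Tn; F1, F2, F3, ... Fl; and O1, O2, O3, ... Om.]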

4

Security Design Methods

Design Theories

• CobIT - Governance
• Octave - Risk Learning (TFO)
• Generic - Cost-Benefit (TFO)
• NIST RMF - Risk-Centered Design
• ISO/IEC 27001 - Quality Improvement
• ITIL - Security as a Service
• CRAMM - Integrated Security (TFO)

5

CobIT Method Component

Design Theory: Governance

[Figure: CobIT diagram. Labels: Business Objectives & IT Governance; Information; IT Resources; Plan & Organize; Acquire & Implement; Deliver & Support; Monitor & Evaluate; Control Objectives (shown four times).]

6

Octave Method Component

Design Theory: Risk Learning (TFO)

(From Christopher Alberts, Audrey Dorofee, James Stevens, Carol Woody, Introduction to the OCTAVE® Approach, August 2003, Software Engineering Institute, http://www.cert.org/octave/pubs.html)

7

Generic Security Design Model

Cost-Benefit TFO

Identify and evaluate system assets

Identify and evaluate threats

Identify possible controls

Risk analysis

Prioritize controls for implementation

Implement and maintain controls

Scenarios

Checklists or Models

8

NIST Risk Management Framework

Risk-Centered Security Design

TIERED RISK MANAGEMENT APPROACH - From NIST SP 800-37 Rev 1

9

NIST Risk Management Framework

NIST SP800-37r1

10

ISO/IEC 27001

This standard has evolved toward the development of management systems for information security and provides a stronger basis for third party audit and certification. It offers a managerially-oriented complement to the technologically-oriented ISO 27002.

11

ISO 27001

Structure of the Information Security Management System (ISMS)

• Leadership - top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities.
• Planning - outlines the process to identify, analyze and plan to treat information security risks, and clarify the objectives of information security.
• Support - adequate, competent resources must be assigned, awareness raised, documentation prepared and controlled.
• Operation - a bit more detail about assessing and treating information security risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors).
• Performance evaluation - monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system in order to make systematic improvements where appropriate.
• Improvement - address the findings of audits and reviews (e.g. nonconformities and corrective actions), make continual refinements to the ISMS

From: http://www.iso27001security.com/html/27001.html

12

ITIL (IT Infrastructure Library)

Design Theory: Security as a Service

• Best practices and guidelines for managing information technology services
• Integrated, process-based approach
• Originated as a 1980's UK government drive
• Focus on quality, efficient, cost-effective delivery of IT services

13

Major ITIL Components

• Software asset management
• Service support
• Service delivery
• Planning to implement service management
• ICT infrastructure management
• Application management
• Security management
• The business perspective

14

ITIL Structure

“Best Practices”

15

ITIL Security Service

Process Framework

adapted from Weil, Steven, (2004) "How ITIL Can Improve Information Security" Security Focus (http://www.securityfocus.com/infocus/1815)

16

CRAMM

CCTA Risk Analysis and Management Method

Design Theory: Integrated Security (TFO)

[Figure: CRAMM model diagram. Labels: Assets, Threats, Vulnerabilities, Risks, Countermeasures, Implementation, Audit.]

17

CRAMM

Asset identification and valuation

• Identify and value physical/hardware, software, data & location assets
• Value physical asset replacement cost
• Value data and software impacts if unavailable, destroyed, disclosed or modified

[Figure: CRAMM model diagram. Labels: Assets, Threats, Vulnerabilities, Risks, Countermeasures, Implementation, Audit.]

18

CRAMM

Threat and vulnerability assessment

• Identify likelihood and calculate underlying or actual risk of deliberate and accidental threats, e.g.:
  ◦ Hacking
  ◦ Viruses
  ◦ Failures of equipment or software
  ◦ Wilful damage or terrorism
  ◦ Errors by people

[Figure: CRAMM model diagram. Labels: Assets, Threats, Vulnerabilities, Risks, Countermeasures, Implementation, Audit.]

19

CRAMM

Countermeasure selection and recommendation

• Library of 3000 countermeasures in 70 logical groupings
• CRAMM compares risk measures with security level
• Automated vulnerability-countermeasure matching
• Sufficient risks justify particular countermeasures
• Includes backtracking, What If?, prioritization, and reporting

[Figure: CRAMM model diagram. Labels: Assets, Threats, Vulnerabilities, Risks, Countermeasures, Implementation, Audit.]

20

Security Method Adaptation

Simple Action Research Approach

21

Types of Method Fragments

Examples

• Roles
  ◦ CIO
  ◦ Security Analyst
  ◦ Project Manager
• Information Structures
  ◦ Inventories
  ◦ Analyses
  ◦ Recommendations
• Processes
  ◦ Linear
  ◦ Life-cycle
  ◦ Iterative
• Events
  ◦ Milestones
  ◦ Triggers
• Criteria
  ◦ Quantitative
  ◦ Qualitative

22

Adopting/Adapting/Adjusting Methods

[Figure: diagram of method adoption and adaptation. Labels: Adopt; Adapt; Substitute from a different method; Adapt; Invent & substitute; Adopt.]

23

Security Methodology

Richard Baskerville

Georgia State University
