Security Standards and Threat Evaluation

Upload: annis-parks

Post on 16-Jan-2016


TRANSCRIPT

Page 1: Security Standards and Threat Evaluation. Main topics of discussion: Methodologies; Standards; Frameworks; Measuring threats (Threat evaluation, Certification)

Security Standards and Threat Evaluation

Page 2: Main Topic of Discussion

Methodologies
Standards
Frameworks
Measuring threats
– Threat evaluation
– Certification and accreditation

Page 3: IT Governance

A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes.

Page 4: C & A

The certification and accreditation (C&A) process focuses on federal IT systems that process, store and transmit sensitive information. Its associated tasks and subtasks, security controls, and verification techniques and procedures have been defined broadly enough to be applicable to all types of IT systems, including national security or intelligence systems, if so directed by the appropriate authorities.

Page 5: Standards in Assessing Risk

Need a way to measure risk consistently
Need to cover multiple geographies
Needs to scale
Newly forming
Teaching

Page 6: Methodologies

A body of practices, procedures and rules used by those who engage in an inquiry
Can include multiple frameworks
Overall approach used to measure something
Repeatable
Utilizes standards

Page 7: Standards

Something that is widely recognized or employed, especially because of its excellence
An acknowledged measure of comparison for qualitative or quantitative value
Many different types of standards exist, even for the same elements that need to be measured

Page 8: Framework

A set of assumptions, concepts, values and practices that constitutes a way of viewing reality
Building block for crafting an approach
Encapsulates elements for performing a task
Acts as a guide: details can be plugged in for specific tasks

Page 9: Standards

COBIT
ISO/IEC 17799
Common Criteria
NIST

Page 10: COBIT

Control Objectives for Information and related Technology (www.isaca.org)
Framework, standard or good practice?
Includes:
– Maturity models
– Critical success factors
– Key goal indicators
– Key performance indicators

Page 11: COBIT

COBIT is structured around four domains of IT management, which together comprise 34 IT processes:

1. Planning and Organization
2. Acquisition and Implementation
3. Delivery and Support
4. Monitoring

Page 12: ISO/IEC 17799

"A detailed security standard" with ten major sections:

– Business Continuity Planning
– System Access Control
– System Development and Maintenance
– Physical and Environmental Security
– Compliance
– Personnel Security
– Security Organization
– Computer and Network Management
– Asset Classification
– Security Policy

Page 13: ISO/IEC 17799

Most widely recognized security standard
Based on BS 7799, whose revised Part 1 was published in May 1999
Comprehensive security control objectives
UK-based standard

Page 14: SSE-CMM and the CIA Triad

The classic triad is Confidentiality, Integrity and Availability. The SSE-CMM view defines the "triad" more broadly, as the following items:

– Confidentiality
– Integrity
– Availability
– Accountability
– Privacy
– Assurance

Page 15: Common Criteria

Developed from the TCSEC standard of the 1980s (the Orange Book)
International standard: the sponsoring nations combined ITSEC (Europe, including the UK), TCSEC (US) and CTCPEC (Canada) into the Common Criteria (version 1.0, 1996), later adopted by ISO as ISO/IEC 15408
NIAP
– National Information Assurance Partnership
– http://niap.nist.gov/

Page 16: Common Criteria

11 security functional requirement classes:
– Security Audit
– Cryptographic Support
– Communication
– User Data Protection
– Identification and Authentication
– Security Management
– Privacy
– Protection of the TOE Security Functions (TSF)
– Resource Utilisation
– TOE Access
– Trusted Path/Channels

Page 17:

Page 18: Threat Approach

Page 19: Threat Evaluation

Evaluation of the level of threat to an asset, based on:
– Visibility, inherent weakness, location, personal/business values

Method:
– Determine the threats to each asset (and the importance of the asset)
– Determine the cost of countermeasures
– Implement countermeasures to reduce the threat

Page 20: Threats

An activity that represents a possible danger
Can come in different forms
Can come from different places
You cannot protect against all threats, so protect against the most likely or most worrisome, such as those to:
– The business mission
– Data (integrity, confidentiality, availability)

Page 21: Vulnerability Assessment

Evaluation of weakness in an asset, based on:

– Known published weaknesses

– Perceived / studied weaknesses

– Assessed threats

Method:
– Determine the threats relevant to the asset

– Determine the asset's vulnerability to those threats

– Determine its vulnerability to theoretical threats

– Fortify against, or accept, the vulnerabilities
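As an added worked example, not part of the original slides, the threat-evaluation method on Page 19 (threats to an asset weighted by visibility, inherent weakness, location and business value, then countermeasure cost) and the vulnerability-assessment method on Page 21 (separate known published weaknesses from theoretical threats, then fortify or accept) are implemented together as a small Python model. The slides name the factors but give no formula, so the scoring is an assumption: exposure is the mean of the three non-value factors on a 1..3 scale, expected loss is value × impact × annual likelihood × exposure, theoretical threats are discounted by 0.25, and a countermeasure is bought only if the loss it removes exceeds its annual cost. The asset, threat, weakness and countermeasure data are constructed for illustration.

```python
"""Threat evaluation and vulnerability assessment for one asset.

Added worked example. The scoring model is an assumption made for
illustration (the slides name the factors but give no formula):
  exposure      = mean of visibility, inherent weakness, location (each 1..3)
  expected loss = asset value * threat impact * annual likelihood * exposure
  fortify       = buy the countermeasure with the best net saving, but only
                  if the loss it removes exceeds its annual cost;
                  otherwise accept the residual loss.
Standard library only; all sample data below is constructed.
"""
from dataclasses import dataclass

LOW, MEDIUM, HIGH = 1, 2, 3   # ordinal scale for the exposure factors (assumption)


@dataclass(frozen=True)
class Asset:
    name: str
    visibility: int          # how easily an attacker finds/targets it (1..3)
    inherent_weakness: int   # weakness of the technology itself (1..3)
    location: int            # exposure of where it sits, e.g. internet-facing (1..3)
    value: float             # business value, currency units


@dataclass(frozen=True)
class Threat:
    name: str
    annual_likelihood: float   # estimated probability of occurrence per year
    impact: float              # fraction of asset value lost per occurrence (0..1)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    reduction: float           # fraction of the mitigated loss it removes (0..1)
    mitigates: frozenset       # names of the threats it addresses


def exposure(asset: Asset) -> float:
    """Exposure multiplier in 1/3..1 from the slide's three non-value factors."""
    return (asset.visibility + asset.inherent_weakness + asset.location) / 9.0


def expected_loss(asset: Asset, threat: Threat) -> float:
    """Annualised expected loss: the 'level of threat to an asset'."""
    return asset.value * threat.impact * threat.annual_likelihood * exposure(asset)


def relevant_threats(asset: Asset, threats, known_weaknesses) -> dict:
    """Vulnerability assessment step: split threats into those backed by a
    known published weakness of this asset and those still theoretical.
    known_weaknesses maps asset name -> set of threat names it is open to."""
    known = known_weaknesses.get(asset.name, set())
    return {"known": [t for t in threats if t.name in known],
            "theoretical": [t for t in threats if t.name not in known]}


def evaluate(asset, threats, known_weaknesses, countermeasures, theoretical_weight=0.25):
    """Per threat: ('fortify', countermeasure, residual loss) or ('accept', None, loss).
    Theoretical threats are discounted by theoretical_weight (assumption)."""
    split = relevant_threats(asset, threats, known_weaknesses)
    decisions = {}
    for kind, weight in (("known", 1.0), ("theoretical", theoretical_weight)):
        for t in split[kind]:
            loss = expected_loss(asset, t) * weight
            # Only countermeasures that address this threat AND pay for themselves.
            worthwhile = [c for c in countermeasures
                          if t.name in c.mitigates and loss * c.reduction > c.annual_cost]
            if worthwhile:
                best = max(worthwhile, key=lambda c: loss * c.reduction - c.annual_cost)
                decisions[t.name] = ("fortify", best.name, round(loss * (1 - best.reduction), 2))
            else:
                decisions[t.name] = ("accept", None, round(loss, 2))
    return decisions


# Constructed sample inventory (hypothetical names and figures).
WEB_PORTAL = Asset("customer-portal", visibility=HIGH, inherent_weakness=MEDIUM,
                   location=HIGH, value=200_000.0)
THREATS = [
    Threat("sql-injection", annual_likelihood=0.5, impact=0.6),
    Threat("ddos", annual_likelihood=0.8, impact=0.1),
    Threat("insider-data-theft", annual_likelihood=0.05, impact=0.9),
]
KNOWN_WEAKNESSES = {"customer-portal": {"sql-injection", "ddos"}}   # e.g. from a scanner report
COUNTERMEASURES = [
    Countermeasure("waf", 8_000.0, 0.7, frozenset({"sql-injection", "ddos"})),
    Countermeasure("parameterised-queries", 15_000.0, 0.95, frozenset({"sql-injection"})),
    Countermeasure("dlp", 30_000.0, 0.5, frozenset({"insider-data-theft"})),
]


def run_example() -> dict:
    return evaluate(WEB_PORTAL, THREATS, KNOWN_WEAKNESSES, COUNTERMEASURES)


if __name__ == "__main__":
    for threat, (action, cm, residual) in run_example().items():
        print(f"{threat:20} {action:8} {cm or '-':22} residual loss/yr {residual:>10.2f}")
```

On the constructed data the model fortifies SQL injection with parameterised queries (larger net saving than the WAF despite the higher cost), fortifies DDoS with the WAF, and accepts insider data theft because DLP costs more than the discounted theoretical loss it would remove. Changing the weights, the 1..3 scale or the 0.25 discount changes the decisions, which is the point of the slides' "standards in assessing risk": the model must be agreed and repeatable before its outputs can be compared.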