Security Methodology

Transcription

1 Security Methodology Richard Baskerville Georgia State University 1 Outline PSecurity Method Design Theories PSecurity Method Adaptation 2

2 Basic Design Theory in Secure Information Systems Methodology TFO Assumed in Many Security Method Designs T 1 T 2 T 3 T 4 O 1 O 2 O 3 T n T O m O T 1 T 2 T 3 T 4 F 1 F 2 F 3 O 1 O 2 O 3 T n F l O m T F O 3 Security Design Methods Design Theories P CobIT - Governance POctave - Risk Learning (TFO) P Generic - Cost-Benefit (TFO) P NIST RMF - Risk-Centered Design P ISO/IEC Quality Improvement PITIL - Security as a Service P CRAMM - Integrated Security (TFO) 4

3 CobIT Method Component Design Theory: Governance Business Objectives & IT Governance Control Objectives Monitor & Evaluate Information IT Resources Plan & Organize Control Objectives Control Objectives Deliver & Support Acquire & Implement Control Objectives 5 Octave Method Component Design Theory: Risk Learning (TFO) (From Christopher Alberts, Audrey Dorofee, James Stevens, Carol Woody, Introduction to the OCTAVE Approach, August 2003, Software Engineering Institute, 6

4 Generic Security Design Model Cost-Benefit TFO Identify and evaluate system assets Identify and evaluate threats Identify possible controls Scenarios Checklists or Models Risk analysis Prioritize controls for implementation 7 Implement and maintain controls NIST Risk Management Framework Risk-Centered Security Design TIERED RISK MANAGEMENT APPROACH - From NIST SP Rev 1 8

5 NIST Risk Management Framework NIST SP800-37r1 9 ISO/IEC This standard has evolved toward the development of management systems for information security and provides a stronger basis for third party audit and certification. It offers a managerially-oriented complement to operatd the technologically-oriented ISO

6 Structure of the Information Security Management System (ISMS) ISO P Leadership - top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities. P Planning - outlines the process to identify, analyze and plan to treat information security risks, and clarify the objectives of information security. P Support - adequate, competent resources must be assigned, awareness raised, documentation prepared and controlled. P Operation - a bit more detail about assessing and treating information security risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors). P Performance evaluation - monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system in order to make systematic improvements where appropriate. P Improvement - address the findings of audits and reviews (e.g. nonconformities and corrective actions), make continual refinements to the ISMS From: 11 ITIL (IT Infrastructure Library) Design Theory: Security as a Service P Best practices and guidelines for managing information technology services PIntegrated, process-based approach POriginated as a 1980's UK government drive P Focus on quality, efficient, costeffective delivery of IT services 12

7 Major ITIL Components P Software asset management P Service support P Service delivery P Planning to implement service management P ICT infrastructure management P Application management P Security management P The business perspective 13 ITIL Structure Best Practices 14

8 ITIL Securiity Service Process Framework adapted from Weil, Steven, (2004) "How ITIL Can Improve Information Security" Security Focus ( 15 CRAMM Design Theory: Integrated Security (TFO) CCTA Risk Analysis and Management Method Vulnerabilities Assets Risks Threats Countermeasures Implementation Audit 16

9 CRAMM Asset identification and valuation P Identify and value physical/hardware, software, data & location assets P Value physical asset replacement cost P Value data and software impacts if unavailable, destroyed, disclosed or modified Vulnerabilities Assets Risks Threats Countermeasures Implementation Audit 17 CRAMM Threat and vulnerability assessment P Identify likelihood and calculate underlying or actual risk of deliberate and accidental threats, eg, < Hacking < Viruses < Failures of equipment or software < Wilful damage or terrorism < Errors by people Vulnerabilities Assets Risks Threats Countermeasures Implementation Audit 18

10 CRAMM Countermeasure selection and recommendation P Library of 3000 countermeasures in 70 logical groupings P CRAMM compares risk measures with security level P Automated vulnerabilitycountermeasure matching P Sufficient risks justify particular countermeasures P Includes backtracking, What If?, prioritization, and reporting Assets Vulnerabilities Risks Countermeasures Implementation Audit Threats 19 Security Method Adaptation Simple Action Research Approach 20

11 P Roles < CIO < Security Analyst < Project Manager P Information Structures < Inventories < Analyses < Recommendations P Processes < Linear < Life-cycle < Iterative P Events < Milestones < Triggers P Criteria < Quantitative < Qualitative Types of Method Fragments Examples 21 Adopting/Adapting/Adjusting Methods Adapt Adopt Substitute from a different method Adapt Invent & substitute Adopt 22

12 Security Methodology Richard Baskerville Georgia State University 23 24