![Page 1: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/1.jpg)
Instituting Controls in Systems Development
Gurpreet Dhillon
Virginia Commonwealth University
![Page 2: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/2.jpg)
Types of Security Breaches
Unauthorized or Accidental Access
– Create
– Read
– Update
– Delete
– Execute (for Applications)
All security breaches are the result of System Failures
![Page 3: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/3.jpg)
Types of System Failures
Missing Function
– System does not perform a function that it should
Additional Function
– System performs a function that it should not
Incorrect Function
– System performs a function that it should, but using an incorrect process
Brill, Alan E. Building Controls into Structured Systems.
![Page 4: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/4.jpg)
System Failures and Controls
Usually are the result of a design flaw, not a hardware or software malfunction
Controls to manage the occurrence of system failures
– Audit Controls
– Application Controls
– Modeling Controls
– Document Controls
![Page 5: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/5.jpg)
Audit Controls
Audit controls
– Examine
– Verify
– Correct
Provide a structured framework with which to perform the audit function
Record information necessary to perform the audit function
![Page 6: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/6.jpg)
Application Controls
System Requirements
– Accuracy
– Completeness
– Security
Types of application controls
– Input
– Processing
– Output
![Page 7: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/7.jpg)
Model Without Controls
Although security can be assumed, the security control points are not represented within the model
[Diagram labels: User; On-Line Account]
![Page 8: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/8.jpg)
Model with Control Point
The authentication security control point is included; however, no functionality is specified
[Diagram labels: User; User Authentication; On-Line Account]
![Page 9: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/9.jpg)
Model with Full Control Included
The security control point is included, and all functionality of the control point is modeled
[Diagram labels: User; User Authentication; Account Locked?; Passed?; Process Failure; Locked Account Instructions; On-Line Account]
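The fully modelled control point from this slide, written out as an added example (not part of the original presentation): each decision in the model ("Account Locked?", "Passed?") maps to one explicit outcome, and every outcome is recorded for the audit function. The class and outcome names, the lock-check-before-password order, the three-failure threshold and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 3  # assumed lockout threshold; the slide does not give one

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthControlPoint:
    """User Authentication control point with every modelled branch explicit."""

    def __init__(self):
        self.accounts = {}
        self.audit_log = []  # audit control: record what the audit function needs

    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def authenticate(self, user: str, password: str) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            _hash(password, b"\0" * 16)  # same work as a real password check
            outcome = "PROCESS_FAILURE"
        elif acct.locked:  # "Account Locked?" -> yes
            outcome = "LOCKED_ACCOUNT_INSTRUCTIONS"
        elif hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures = 0  # "Passed?" -> yes
            outcome = "ONLINE_ACCOUNT"
        else:  # "Passed?" -> no
            acct.failures += 1
            acct.locked = acct.failures >= MAX_FAILURES
            outcome = "PROCESS_FAILURE"
        self.audit_log.append((user, outcome))
        return outcome

def demo():
    """Constructed sample: three bad passwords lock the account."""
    cp = AuthControlPoint()
    cp.enroll("alice", "correct horse")
    tries = ["x", "y", "z", "correct horse"]
    return [cp.authenticate("alice", p) for p in tries], cp.audit_log
```

In `demo()` the correct password on the fourth attempt is answered with the locked-account branch, which is the behaviour the two earlier models leave unspecified.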
![Page 10: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/10.jpg)
Documentation Controls
Necessary for ALL stages of the development cycle
Answers
– Who, what, when, how, and
– WHY
![Page 11: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/11.jpg)
Process Improvement Software
Automated Learning and Discovery
Program Management Environments
Change Tracking
Requirements Tracking
![Page 12: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/12.jpg)
The Systems Security Engineering Capability Maturity Model
![Page 13: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/13.jpg)
SSE - CMM Background
Early 1980s - Watts Humphrey @ IBM
1993 - National Security Agency (NSA)
1995 - Working Committees
1996 - SSE-CMM v 1.1
1999 - SSE-CMM v 2.0 & ISSEA
2002 - ISO-21827
2003 - SSE-CMM v 3.0
![Page 14: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/14.jpg)
ISSEA Mission Statement
Promote and enhance SSE-CMM
Promote mature security capability to developers, vendors and agencies and ensure integral security in life cycles
Education and networking for community
![Page 15: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/15.jpg)
Constructed to guide process improvement in the practice of security engineering
Objective: created to advance security engineering as a defined, mature, and measurable discipline
![Page 16: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/16.jpg)
A comparison of software & security engineering problems and their solutions…
-schedule overruns
-low quality results
Why assurance is important
What is ‘process assurance’
![Page 17: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/17.jpg)
![Page 18: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/18.jpg)
Level 1: Initial or Informal
No required processes
![Page 19: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/19.jpg)
Level 2: Repeatable or Managed
Assure policy compliance
Manage requirements
Plan and track projects
Measure projects
![Page 20: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/20.jpg)
Level 3: Well Defined
Establish improvement infrastructure
Identify required processes
Identify common processes
Deploy and manage processes
Collect process-level data
Conduct organization-wide training
![Page 21: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/21.jpg)
Level 4: Quantitatively Managed/Controlled
Manage processes quantitatively
Establish capability baselines
![Page 22: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/22.jpg)
Level 5: Optimizing
Develop change infrastructure
Evaluate and deploy improvements
Eliminate causes of defects
![Page 23: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/23.jpg)
SSE-CMM Performance Targets
Source: Gartner Group
![Page 24: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/24.jpg)
How processes play a part…..
process capability: the range of expected results that can be achieved by following a process; a predictor of future project outcomes.
process performance: measure of the actual results achieved by following a process.
process maturity: the extent to which a specific process is explicitly defined, managed, measured, controlled, and effective.
![Page 25: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/25.jpg)
The SSE-CMM defines eleven security-related process areas:
■ PA01 – Administer Security Controls
■ PA02 – Assess Impact
■ PA03 – Assess Security Risk
■ PA04 – Assess Threat
■ PA05 – Assess Vulnerability
■ PA06 – Build Assurance Argument
■ PA07 – Coordinate Security
■ PA08 – Monitor Security Posture
■ PA09 – Provide Security Input
■ PA10 – Specify Security Needs
■ PA11 – Verify and Validate Security
![Page 26: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/26.jpg)
Security Engineering PA Maturity Level Placement

| Maturity Level | Objective of Security Engineering Process Maturity | Security Engineering PAs |
|---|---|---|
| 1 | n/a | None |
| 2 | Plan security aspects of projects | Project planning; project management |
| 3 | Coordinate security aspects with internal project groups (systems engineering, software engineering) and external groups (certification team, accreditation team) | Security coordination; intergroup coordination; external coordination |
| 4 | Establish quality metrics; quantify process management | Quantitative Process Management |
| 5 | Guarantee security aspects of system or product | Defect Prevention |
![Page 27: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/27.jpg)
Using the SSE-CMM
[Diagram labels: SSE-CMM; Source Selection; Security Assessment; SW Vendor; HW Vendor; Services; System Development; Operation and Maintenance]
![Page 28: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/28.jpg)
SSE-CMM Model Architecture
[Diagram, dated 10/24/96. Labels: Domain; Capability; Process Areas (Security Engineering Process Areas, Project, Organization); Base Practices; Generic Practices; Common Features; Capability Levels (Initial, Performed Informally, Planned & Tracked, Well Defined, Quantitatively Controlled, Continuously Improving)]
![Page 29: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/29.jpg)
Some benefits…..
• logical approach which provides a foundation for future changes
• flexible approach which can be molded to fit security needs of any project
• covers the entire life cycle of any project, from initial architecture decisions to monitoring of the O/S
• along with confidence, all aspects of the security spectrum have been met
• this model provides a clear roadmap for generating security requirements
![Page 30: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/30.jpg)
The future of SSE-CMM…..
More plans to implement ideas discussed in SSAM (System Security Appraisal Methodology)
Further developments and release of training packages
Continue to support other activities such as other CMMs, procurement, and life-cycle support
![Page 31: Instituting Controls in Systems Development](https://reader034.vdocuments.net/reader034/viewer/2022051218/5681580c550346895dc57b78/html5/thumbnails/31.jpg)
References
Brill, Alan E. Building Controls into Structured Systems.
Ferraiolo, Karen, Williams, Jeffrey R., Landoll, Douglas J. “A Capability Maturity Model for Security Engineering”
Ferraiolo, Karen “Distinguishing Security Engineering Process Areas by Maturity Levels”
Ferraiolo, Karen, Cheetham, Christina “The Systems Security Engineering Capability Maturity Model” http://www.sse-cmm.org/index.html
Gallagher, Lisa A., Thompson, Victoria “An Update on the Security Engineering Capability Maturity Model Project”
Hefner, Rick “System Security Engineering Capability Maturity Model” (1997 Conference on Software Process Improvement, CoSPI)
Menk, Charles “The SSE-CMM The Past, The Present and the Future”, October 1997 http://www.sse-cmm.org/index.html
Phillips, Mike “Using a Capability Maturity Model to Derive Security Requirements”, March 2003 http://www.sans.org/rr/papers/8/1005.pdf
“A Systems Engineering Capability Maturity Model, Version 1.1”, CMU/SEI-95-003, November 1995
“System Security Engineering – Capability Maturity Model Description Document, Version 2.0”, April 1999
“System Security Engineering – Capability Maturity Model Description Document, Version 3.0”, June 2003
“Describing the Capability Maturity Model”, The Gartner Group, September 2004
http://www.sei.cmu.edu/cmm/
http://www.sse-cmm.org/index.html