SAM-10 1
Standards and Evaluation
On security evaluations
• Users of secure systems need assurance that the products they use are secure
• Users can:
– Trust the manufacturer (not always a good idea)
– Test the system themselves (the expertise may not be available, and testing is costly)
– Rely on an impartial third-party assessment (an evaluation)
Introduction
• The Trusted Computer System Evaluation Criteria (TCSEC, known as the "Orange Book" after the colour of its cover) were the first generally accepted criteria for evaluating secure products
• They provide a method to rate products on a simple linear scale (D, C1, C2, B1, B2, B3, A1)
• Other criteria have been developed since, but they still relate their schemes back to the Orange Book
Target of an evaluation
• Evaluation criteria apply to products (e.g. an operating system) and to systems (a collection of products assembled for a specific use)
• Product evaluation needs a set of generic security requirements – provided by the classes of TCSEC and the predefined functionality classes of ITSEC
• System evaluation needs requirements capture to be part of the evaluation – covered by ITSEC
Purpose of an evaluation
• The Orange Book distinguishes between:
– Evaluation: assessing whether a product has the security properties it claims
– Certification: establishing the extent to which a particular design and implementation meets a set of specified security requirements
– Accreditation: a formal declaration by a Designated Approving Authority (DAA) that an information system is approved to operate in a particular security mode, using a prescribed set of safeguards, at an acceptable level of risk
Method of an evaluation
• The credibility of an evaluation depends on the evaluation method
• The method needs to prevent situations where
– an evaluated product is later found to contain a serious flaw
– different evaluations of the same product disagree in their assessment (hence the requirement for repeatability and reproducibility of the method)
Product-oriented versus process-oriented evaluation
• Evaluation methods can be product-oriented or process-oriented
• Product-oriented evaluations test the product itself
• Process-oriented evaluations look at the process by which the product was developed
Structure of the evaluation criteria
• A product is evaluated on three aspects:
– Functionality: the security features of the product, e.g. MAC, DAC, authentication, auditing
– Effectiveness: the appropriateness of that functionality for the security requirements
– Assurance: the degree of certainty in the correctness of the implementation of the functionality
• The Orange Book assesses all aspects at the same time: a single class (e.g. B1) fixes both the required functionality and the required assurance
• ITSEC is more flexible: functionality (F classes) and assurance (levels E0 to E6) are rated separately
Organizational framework
• An evaluation should give an independent verdict on a product
• The independent evaluation facility can be a government agency or a licensed (commercial) agency
• In both cases a government agency backs the evaluation process and issues the certificate
Government versus commercial
• If evaluations are done by a government agency, the results should be consistent, but an evaluation may take a long time
• If evaluations are done by private facilities, checks are needed to ensure consistency between facilities, so a precise formulation of the criteria becomes very important; there is also the danger that commercial pressure influences the end result
Contracts and procedures
• A contractual relationship is needed between the sponsor of the evaluation, the product manufacturer, and the evaluation facility
• Procedures are needed for starting an evaluation, for issuing evaluation certificates, and for re-evaluating modifications of evaluated products
Costs and benefits
• The cost includes both the evaluation fee and indirect costs (time to gather and produce evidence, and to liaise with the evaluation team)
• For off-the-shelf software, the cost can be spread over many customers
• For customised systems, the sponsor has to bear all the costs
Information Security Management System (ISMS)
• Provides a systematic approach to managing sensitive information in order to protect it
• Encompasses employees, processes, and information systems
• Should include an evaluation method, safeguards, and a documentation and revision process
Getting certified
• Compliance: a self-assessment to check whether the implemented system complies with a standard
• Certification (registration): conferred by an accredited certification body when an organisation successfully completes an independent audit
• Accreditation: an authorised body (the accreditation body) officially recognises the authority of a certification body to evaluate, certify and register organisations against published standards (note that this is a different use of the word from the accreditation of a system by a DAA)
ISO/IEC 17799 and BS 7799
• The main reference for an information security management system (ISO/IEC 17799 has since been renumbered ISO/IEC 27002, and BS 7799 Part 2 became ISO/IEC 27001)
• A structured and internationally recognised guide with recommendations devoted to information security
• Not a product-oriented or technological standard: it describes management controls, not a particular technology
Contents
• Published in two parts:
– ISO/IEC 17799 (Part 1): Code of Practice for Information Security Management
– BS 7799 Part 2: Information Security Management Systems – Specification with guidance for use
The 10 domains of ISO/IEC 17799 (Part 1)
• Security policy
• Organisational security
• Asset classification and control
• Personnel security
• Physical and environmental security
• Communications and operations management
• Access control
• Systems development and maintenance
• Business continuity management
• Compliance
Steps in implementing an ISMS
• Project initiation
• Definition of the ISMS (scope and policy)
• Risk assessment
• Risk treatment
• Training and awareness
• Audit preparation
• Audit
• Control and continual improvement
Documentation required
• Security manual: policy, scope, risk assessment, statement of applicability
• Procedures: who does what, when and where
• Working instructions, checklists, forms etc.: describe how tasks and specific activities are carried out
• Records: provide objective evidence of compliance with the ISMS requirements