security engineering assurance & control objectives priyanka vanjani asu id # 993923182
TRANSCRIPT
![Page 1: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/1.jpg)
Security EngineeringAssurance & Control
Objectives
Priyanka VanjaniASU Id # 993923182
![Page 2: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/2.jpg)
Security Engineering “Security engineering is a
specialized field of engineering that deals with the development of detailed engineering plans and designs for security features, controls and systems.” Wikipedia
It helps building systems resistant in the event of a malice or an error.
![Page 3: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/3.jpg)
Most organizations tend to neglect the security requirements needed in order to keep their system safe.
Security requirements are usually considered in the end and not during an early analysis of the design process.
![Page 4: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/4.jpg)
Control Objectives
Environmental context of the information system
![Page 5: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/5.jpg)
Control Objectives (contd…)
Information contained within the system
![Page 6: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/6.jpg)
Control Objectives (contd..)
Physical assets of the system
![Page 7: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/7.jpg)
Information Security Objectives:
Security Objectives
Assurance Objectives
![Page 8: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/8.jpg)
Security Control Objectives
Confidentiality Authentication Availability Integrity Non-repudiation
![Page 9: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/9.jpg)
Confidentiality
Ensures information is not accessible by unauthorized users
Protects assets of a computing system
For example: Giving out confidential information over the phone to someone who’s not authorized
![Page 10: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/10.jpg)
Authentication
Ensures that the users are the right people.
Information is in the right hands and the assets are being used in an authorized manner.
For example: Passwords, digital certificates, smart cards
![Page 11: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/11.jpg)
Availability
Ensures information is accessible to authorized users and is available when needed.
For example: Access to a database as and when required.
DoS: Denial of service should not be there
![Page 12: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/12.jpg)
Integrity
Ensures that the data cannot be created, deleted or modified without authorized access to it.
For example: When a database is not properly shutdown before maintenance is performed.
Employee intentionally modifies or deletes important data.
![Page 13: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/13.jpg)
Non-repudiation
It is the proof of the identity of the sender and the recipient.
For example: Ecommerce uses digital signatures and ecryption.
![Page 14: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/14.jpg)
Assurance Control Objectives
Management functions
Involves security policies, information security plan, risk management and personal security.
![Page 15: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/15.jpg)
gem
![Page 16: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/16.jpg)
Assurance Control Objectives
Configuration Management Personnel Management Vulnerability Management Software Development
Management Verification Management
![Page 17: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/17.jpg)
Requirements
Legacy Systems: used by some organizations where anything else cannot be implemented.
User’s Documentation: includes detailed system requirements. The engineer is supposed to look through the requirements specifications in order to derive any system security requirement.
![Page 18: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/18.jpg)
Security Standards
“Prescribed configuration and practices that improve the security of IT systems.” Wiki
Standards are used by both government and user organizations.
![Page 19: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/19.jpg)
Security Models
![Page 20: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/20.jpg)
The Common Criteria
Provides assurance on specification, implementation and evaluation process of a security product and makes sure it is conducted in a standard manner.
![Page 21: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/21.jpg)
The Common Criteria (contd..)
![Page 22: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/22.jpg)
The Common Criteria (contd..)
Functional requirements include:
Authentication Resource utilization Privacy Protection of TOE Trusted channels Security Management
![Page 23: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/23.jpg)
ISO/IEC 17799
Addresses good security policies Doesn’t provide detailed
instructions Superficial overview of the security
requirements that act as a base
![Page 24: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/24.jpg)
ISO/IEC 17799 (contd..)
Personnel Security Compliance Access Control Organizational security
infrastructure and policy Physical and environmental
security Operations Management etc.
![Page 25: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/25.jpg)
The Capability Maturity Model-Integrated (CMMI)
Include practices for process improvement
Manage development & maintenance of products
Help periodically measure improvement
‘Assessment’ model: determines the level at which the organization currently stands
![Page 26: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/26.jpg)
CMMI
![Page 27: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/27.jpg)
SSE-CMM The System Security Engineering
Capability Maturity Model Describes essential characteristics
of an organization’s security engineering process
Includes entire system life cycle of a product, concept definition, requirement analysis, design, development, integration, installation, maintenance etc.
![Page 28: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/28.jpg)
SSE-CMM (contd..)
Organization engineering activities Interactions within the organization
such as with systems software, hardware, system management, operation as well as maintenance
Interactions with other organizations such as system management, certification, evaluation of the policies
![Page 29: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/29.jpg)
Cost-benefit analysis
It is important for an organization to choose between effective security policies, optimal performance and affordable cost.
Security policies are implemented depending upon how often an attack is expected.
![Page 30: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/30.jpg)
Cost-benefit analysis (Contd..)
It is difficult to analyze whether a certain investment in a security policy would give the expected returns.
![Page 31: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/31.jpg)
![Page 32: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/32.jpg)
References http://en.wikipedia.org/wiki/Security_engineering http://www.albion.com/security/intro-4.html http://en.wikipedia.org/wiki/Information_security#Integrity
http://ieeexplore.ieee.org/iel5/4021173/4021174/04021255.pdf?isnumber=4021174&prod=CNF&arnumber=402
1255&arSt=482&ared=488&arAuthor=Sung-il+Han%3B+Kab-seung+Kou%3B+Gang-soo+Lee
http://www.mantagroup.com/html/images/wp-0506102.gif
http://ieeexplore.ieee.org/iel5/4301108/4301109/04301148.pdf
http://www.cs.cmu.edu/~shawnb/SAEM-ICSE2002.pdf
![Page 33: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/33.jpg)
References (Contd..) http://en.wikipedia.org/wiki/Information_security http://en.wikipedia.org/wiki/Legacy_system http://en.wikipedia.org/wiki/Common_Criteria http://images.google.com/imgres?imgurl=http://www.iso15408.net/pps18.gif&imgrefurl=http://www.iso15408.net/15408presentation.htm&h=405&w=542&sz=26&hl=en&start=11&um=1&tbnid=uhRTB9CFgMm4XM:&tbnh=99&tbnw=132&prev=/images%3Fq%3DThe%2Bcommon%2Bcriteria%26um%3D1%26hl%3Den%26
http://www.opengroup.org/architecture/togaf8-doc/arch/chap27.htmlsa%3DG
http://www.boldtech.com/images/cmmi.jpg http://www.sse-cmm.org/model/model.asp
![Page 34: Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182](https://reader036.vdocuments.net/reader036/viewer/2022062517/56649f155503460f94c2a6ac/html5/thumbnails/34.jpg)
Thank You !