Security Methodology - J. Mack Robinson College of Business (slide transcript)
1
Security Methodology
Richard Baskerville
Georgia State University
2
Outline
- Security Method Design Theories
- Security Method Adaptation
3
Basic Design Theory in Secure Information Systems Methodology
TFO Assumed in Many Security Method Designs
[Diagram: a direct mapping T1, T2, T3, T4 ... Tn -> O1, O2, O3 ... Om (labelled "T O"), beside a mapping through an intermediate layer, T1, T2, T3, T4 ... Tn -> F1, F2, F3 ... Fl -> O1, O2, O3 ... Om (labelled "T F O")]
4
Security Design Methods: Design Theories
- CobIT - Governance
- Octave - Risk Learning (TFO)
- Generic - Cost-Benefit (TFO)
- NIST RMF - Risk-Centered Design
- ISO/IEC 27001 - Quality Improvement
- ITIL - Security as a Service
- CRAMM - Integrated Security (TFO)
5
CobIT Method Component
Design Theory: Governance
[Diagram: CobIT cycle of four domains (Plan & Organize, Acquire & Implement, Deliver & Support, Monitor & Evaluate), each with its Control Objectives; other labels: Business Objectives & IT Governance, IT Resources, Information]
6
Octave Method Component
Design Theory: Risk Learning (TFO)
(From Christopher Alberts, Audrey Dorofee, James Stevens, Carol Woody, Introduction to the OCTAVE® Approach, August 2003, Software Engineering Institute, http://www.cert.org/octave/pubs.html)
7
Generic Security Design Model
Cost-Benefit TFO
[Diagram: process flow]
1. Identify and evaluate system assets
2. Identify and evaluate threats
3. Identify possible controls
4. Risk analysis
5. Prioritize controls for implementation
6. Implement and maintain controls
(Annotations on the diagram: Scenarios; Checklists or Models)
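A worked pass through the cost-benefit model on this slide, added here as an example and not part of the original lecture: the assets, threats, controls and figures are constructed, and the annualized-loss-expectancy arithmetic is the common textbook form rather than something the slide specifies.

```python
"""Cost-benefit pass through the generic model: value assets, rate threats, list
candidate controls, run the risk analysis, then prioritize controls by net annual
benefit. Added example; every figure below is constructed, not from the slides."""
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    value: float            # impact value if fully lost (currency units)

@dataclass
class Threat:
    name: str
    asset: str              # asset the threat acts on
    aro: float              # annualized rate of occurrence (events per year)
    exposure: float         # fraction of asset value lost per event (0..1)

@dataclass
class Control:
    name: str
    annual_cost: float
    mitigates: dict = field(default_factory=dict)   # threat -> fraction of its ALE removed

def ale(asset: Asset, threat: Threat) -> float:
    """Annualized loss expectancy = single loss expectancy x annualized rate."""
    return asset.value * threat.exposure * threat.aro

def risk_analysis(assets, threats):
    """Risk analysis step: ALE per threat, given the valued assets."""
    by_name = {a.name: a for a in assets}
    return {t.name: ale(by_name[t.asset], t) for t in threats}

def net_benefit(control, ales):
    """Expected ALE removed by the control minus what it costs to run for a year."""
    removed = sum(ales.get(t, 0.0) * frac for t, frac in control.mitigates.items())
    return removed - control.annual_cost

def prioritize(controls, ales):
    """Prioritize step: rank by net benefit, dropping controls that cost more than they save."""
    ranked = sorted(((net_benefit(c, ales), c.name) for c in controls), reverse=True)
    return [(name, round(nb, 2)) for nb, name in ranked if nb > 0]

ASSETS = [Asset("customer-db", 500_000), Asset("web-frontend", 50_000)]
THREATS = [Threat("sql-injection", "customer-db", aro=0.5, exposure=0.4),
           Threat("defacement", "web-frontend", aro=2.0, exposure=0.1),
           Threat("ransomware", "customer-db", aro=0.2, exposure=1.0)]
CONTROLS = [Control("waf", 30_000, {"sql-injection": 0.8, "defacement": 0.5}),
            Control("offline-backups", 15_000, {"ransomware": 0.9}),
            Control("hardware-security-module", 200_000, {"sql-injection": 0.1})]
```

Calling `prioritize(CONTROLS, risk_analysis(ASSETS, THREATS))` keeps the two controls whose removed loss exceeds their cost and drops the one that does not.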
8
NIST Risk Management Framework
Risk-Centered Security Design
TIERED RISK MANAGEMENT APPROACH - From NIST SP 800-37 Rev 1
9
NIST Risk Management Framework
NIST SP800-37r1
10
ISO/IEC 27001
This standard has evolved toward the development of management systems for information security and provides a stronger basis for third-party audit and certification. It offers a managerially-oriented complement to the technologically-oriented ISO 27002.
11
Structure of the Information Security Management System (ISMS)
ISO 27001
- Leadership - top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities.
- Planning - outlines the process to identify, analyze and plan to treat information security risks, and clarify the objectives of information security.
- Support - adequate, competent resources must be assigned, awareness raised, documentation prepared and controlled.
- Operation - a bit more detail about assessing and treating information security risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors).
- Performance evaluation - monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system in order to make systematic improvements where appropriate.
- Improvement - address the findings of audits and reviews (e.g. nonconformities and corrective actions), make continual refinements to the ISMS.
From: http://www.iso27001security.com/html/27001.html
12
ITIL (IT Infrastructure Library)
Design Theory: Security as a Service
- Best practices and guidelines for managing information technology services
- Integrated, process-based approach
- Originated as a 1980s UK government drive
- Focus on quality, efficient, cost-effective delivery of IT services
13
Major ITIL Components
- Software asset management
- Service support
- Service delivery
- Planning to implement service management
- ICT infrastructure management
- Application management
- Security management
- The business perspective
14
ITIL Structure
“Best Practices”
15
ITIL Security Service Process Framework
Adapted from Weil, Steven (2004), "How ITIL Can Improve Information Security", SecurityFocus (http://www.securityfocus.com/infocus/1815)
16
CRAMM
CCTA Risk Analysis and Management Method
Design Theory: Integrated Security (TFO)
[Diagram: CRAMM process stages - Assets, Threats, Vulnerabilities, Risks, Countermeasures, Implementation, Audit]
17
CRAMM
Asset identification and valuation
- Identify and value physical/hardware, software, data & location assets
- Value physical asset replacement cost
- Value data and software impacts if unavailable, destroyed, disclosed or modified
18
CRAMM
Threat and vulnerability assessment
- Identify likelihood and calculate underlying or actual risk of deliberate and accidental threats, e.g.:
  - Hacking
  - Viruses
  - Failures of equipment or software
  - Wilful damage or terrorism
  - Errors by people
19
CRAMM
Countermeasure selection and recommendation
- Library of 3000 countermeasures in 70 logical groupings
- CRAMM compares risk measures with security level
- Automated vulnerability-countermeasure matching
- Sufficient risks justify particular countermeasures
- Includes backtracking, What If?, prioritization, and reporting
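An added example (not CRAMM's own tables, library or software) of the comparison this slide describes: a risk measure is derived from asset value, threat level and vulnerability level on assumed scales, compared with the security level of each countermeasure in a constructed library, and re-run as a What If? step after a vulnerability is reduced.

```python
"""CRAMM-style risk measure and countermeasure selection. Added example with
assumed scales and a constructed library; not CRAMM's real matrices."""

THREAT = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}  # assumed scale
VULN = {"low": 1, "medium": 2, "high": 3}                                  # assumed scale

def risk_measure(asset_value: int, threat_level: str, vuln_level: str) -> int:
    """Assumed monotone lookup onto a 1..7 risk measure from an asset value (1..10),
    a threat level and a vulnerability level."""
    if not 1 <= asset_value <= 10:
        raise ValueError("asset value must be on the 1..10 scale")
    score = asset_value + 2 * THREAT[threat_level] + 2 * VULN[vuln_level]  # 5..26
    return max(1, min(7, (score - 2) // 3))

# Constructed library: threats each countermeasure counters and the minimum risk
# measure (security level) at which the countermeasure is justified.
LIBRARY = [
    {"name": "offline backups", "counters": {"viruses", "equipment failure"}, "level": 3},
    {"name": "intrusion detection", "counters": {"hacking"}, "level": 5},
    {"name": "data-entry checks", "counters": {"errors by people"}, "level": 2},
    {"name": "armed guards", "counters": {"wilful damage"}, "level": 7},
]

def measures_by_threat(risks):
    """Highest risk measure per threat across all assets it acts on."""
    out = {}
    for _asset, threat, t_level, v_level, value in risks:
        out[threat] = max(out.get(threat, 0), risk_measure(value, t_level, v_level))
    return out

def select_countermeasures(risks):
    """Countermeasure -> risk measure that justified it (measure >= security level)."""
    per_threat = measures_by_threat(risks)
    chosen = {}
    for cm in LIBRARY:
        top = max((per_threat.get(t, 0) for t in cm["counters"]), default=0)
        if top >= cm["level"]:
            chosen[cm["name"]] = top
    return chosen

def what_if(risks, threat, new_vuln_level):
    """What If? step: re-run selection assuming the vulnerability to one threat
    has been reduced, e.g. after a countermeasure is implemented."""
    revised = [(a, t, tl, new_vuln_level if t == threat else vl, v) for a, t, tl, vl, v in risks]
    return select_countermeasures(revised)

RISKS = [  # constructed: (asset, threat, threat level, vulnerability level, asset value)
    ("payroll data", "hacking", "high", "high", 9),
    ("payroll data", "viruses", "medium", "medium", 9),
    ("file server", "equipment failure", "low", "low", 4),
    ("reception PC", "wilful damage", "very low", "medium", 2),
    ("payroll data", "errors by people", "high", "high", 9),
]
```

`select_countermeasures(RISKS)` justifies three of the four library entries; `what_if(RISKS, "hacking", "low")` shows the hacking risk measure falling to the intrusion-detection threshold once that vulnerability is reduced.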
20
Security Method Adaptation
Simple Action Research Approach
21
Types of Method Fragments: Examples
- Roles: CIO, Security Analyst, Project Manager
- Information Structures: Inventories, Analyses, Recommendations
- Processes: Linear, Life-cycle, Iterative
- Events: Milestones, Triggers
- Criteria: Quantitative, Qualitative
22
Adopting/Adapting/Adjusting Methods
[Diagram: a chain of method fragments, each handled in one of four ways (Adopt, Adapt, Substitute from a different method, Invent & substitute); the sequence shown is Adopt, Adapt, Substitute from a different method, Adapt, Invent & substitute, Adopt]
23