Assumptions of Secure Operation University of Sunderland CSEM02 Harry R. Erwin, PhD.


Definition

When you do a security analysis, you identify ‘security objectives’—what the target of evaluation (TOE—i.e., the ‘system’) should do. For example, the recommendations of a risk analysis are security objectives. Some of these objectives do not require specific security mechanisms because the system operates securely for other reasons. Those other reasons are the ‘assumptions of secure operation’. We will examine typical ones from US Department of Defense sources.

Assumption Categories (from CCTool)

- Administrators—what can we assume about the administrators?
- Users—what can we assume about the users?
- Assumed Protection—what can we assume about the protection of security data?
- Procedural Security—what can we assume about administrative procedures?
- Communications Security—what can we assume about the security of data in transit?
- Physical Security—what can we assume about the physical security of the system and facility?

Administrator Assumptions

- Are the administrator staff authenticated and held responsible for their actions? (good idea)
- Is remote security administration supported? (bad idea)
- Are administrators trusted, hostile, or negligent? (trusted is preferred)
- Are administrators competent, improperly trained, or error-prone? (competent is preferred)
- Can administrators be trusted to be well-behaved and to act constructively? (Answer ‘yes’.)

User Assumptions

- Are users cooperative? (hard to say)
- Do they have access to security data?
- Can they access the system remotely?
- Are they competent, hostile, or error-prone?
- Can they bypass security?
- How competent are the hackers?
- Are viruses a concern?

Assumed Protection

- How secure are the password files? Can they be accessed outside of their use in identification and authentication?
- Do system administrators have the ability to corrupt data transiting to/from the system? (unlikely)
- Are programs, log files, and system data protected from corruption by users?

Procedural Security

- Do security administrators follow documented policies and procedures?
- Do security administrators review audit trails and security logs on a regular basis?
- Do security administrators remove user data properly from the system when user access is removed? (Discuss…)
- Do security administrators follow procedures to enforce proper user management of passwords?
- Do security administrators follow procedures to prevent the spread of computer viruses?

Communications Security

- Are communications media physically protected? (unlikely)
- Can outsiders read communications traffic?
- Are the systems interfacing to the TOE under the same management control, and do they follow the same security policies? (Trust, again!)

Physical Security

- Can hackers gain physical access to the system?
- Are TOE security functions physically protected?
- Is the system protected against natural disaster?
- Is the system protected against sudden loss of power?
- Are system communications protected from sudden loss of service?

Conclusions

- Clearly, it is easier to secure a system that operates in a benign or safe environment.
- Deploying a system in an unprotected environment makes security much more difficult, but may be required. (E.g., FAA radars and communications antennae are not physically protected.)
- Consider the operational environment in assessing costs and benefits.
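
The Definition and Conclusions slides together imply a traceability check: each objective either rests on assumptions that hold in the deployment environment or needs a mechanism in their place. The sketch below is an added example, not part of the lecture; the objective, assumption and mechanism names are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass, field

# The six assumption categories named on the slides.
CATEGORIES = ("administrators", "users", "assumed_protection",
              "procedural", "communications", "physical")

@dataclass
class Assumption:
    name: str
    category: str   # one of CATEGORIES
    holds: bool     # true in this deployment environment?

@dataclass
class Objective:
    name: str
    relies_on: list                                  # names of assumptions it leans on
    mechanisms: dict = field(default_factory=dict)   # assumption name -> compensating mechanism

def gaps(objectives, assumptions):
    """List (objective, assumption, category) where an assumption fails uncompensated."""
    by_name = {a.name: a for a in assumptions}
    found = []
    for obj in objectives:
        for name in obj.relies_on:
            if name not in by_name:
                raise KeyError(f"{obj.name} relies on undeclared assumption {name!r}")
            a = by_name[name]
            if a.category not in CATEGORIES:
                raise ValueError(f"unknown category {a.category!r}")
            if not a.holds and name not in obj.mechanisms:
                found.append((obj.name, name, a.category))
    return sorted(found)

# Constructed sample data (hypothetical names, not from the lecture).
OBJECTIVES = [
    Objective("audit_trail_trustworthy", ["admins_review_logs", "logs_safe_from_users"]),
    Objective("traffic_confidential", ["media_physically_protected"],
              {"media_physically_protected": "link encryption"}),
    Objective("equipment_untampered", ["no_physical_access"]),
]

def environment(site_protected):
    """Assumption values for a protected machine room or an exposed field site."""
    return [
        Assumption("admins_review_logs", "procedural", True),
        Assumption("logs_safe_from_users", "assumed_protection", True),
        Assumption("media_physically_protected", "communications", False),
        Assumption("no_physical_access", "physical", site_protected),
    ]

if __name__ == "__main__":
    for label, ok in (("machine room", True), ("field site", False)):
        print(label, gaps(OBJECTIVES, environment(ok)))
```

In the constructed data the communications assumption fails in both environments but is compensated by a mechanism, so only the exposed site reports a gap.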