ISA 562 Internet Security Theory & Practice

Slides:



Advertisements
Similar presentations
TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.
Advertisements

Chapter 10 Accounting Information Systems and Internal Controls
IT Security Evaluation By Sandeep Joshi
TI BISNIS ITG using COBIT &
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
OS Fall ’ 02 Introduction Operating Systems Fall 2002.
CS 300 – Lecture 22 Intro to Computer Architecture / Assembly Language Virtual Memory.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Stephen S. Yau CSE , Fall Evaluating Systems for Functionality and Assurance.
OS Spring’03 Introduction Operating Systems Spring 2003.
Modified from Silberschatz, Galvin and Gagne Lecture 15 Chapter 8: Main Memory.
Chapter 2: Impact of Machine Architectures What is the Relationship Between Programs, Programming Languages, and Computers.
Information Systems Security Security Architecture Domain #5.
Information Security Governance and Risk Chapter 2 Part 1 Pages 21 to 69.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.
Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3.
The Origin of the VM/370 Time-sharing system Presented by Niranjan Soundararajan.
Fraud Prevention and Risk Management
Chapter 2 Operating System Overview Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
SEC835 Database and Web application security Information Security Architecture.
Operating System A program that controls the execution of application programs An interface between applications and hardware 1.
Computer Science and Engineering Computer System Security CSE 5339/7339 Session 20 October 28, 2004.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 2: System Structures.
Systems Security & Audit Operating Systems security.
Trusted System? What are the characteristics of a trusted system?
 What is OS? What is OS?  What OS does? What OS does?  Structure of Operating System: Structure of Operating System:  Evolution of OS Evolution of.
Operating Systems.
G53SEC 1 Reference Monitors Enforcement of Access Control.
Chapter Three IT Risks and Controls.
Operating System Support for Virtual Machines Samuel T. King, George W. Dunlap,Peter M.Chen Presented By, Rajesh 1 References [1] Virtual Machines: Supporting.
1 Chapter Three IT Risks and Controls. 2 The Risk Management Process Identify IT Risks Assess IT Risks Identify IT Controls Document IT Controls Monitor.
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
Fall 2000M.B. Ibáñez Lecture 01 Introduction What is an Operating System? The Evolution of Operating Systems Course Outline.
CSI - Introduction General Understanding. What is ITSM and what is its Value? ITSM is a set of specialized organizational capabilities for providing value.
An Integrated Control Framework & Control Objectives for Information Technology – An IT Governance Framework COSO and COBIT 4.0.
Committee of Sponsoring Organizations of The Treadway Commission Formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting “Internal.
Security Architecture and Design Chapter 4 Part 3 Pages 357 to 377.
Security Standards and Threat Evaluation. Main Topic of Discussion  Methodologies  Standards  Frameworks  Measuring threats –Threat evaluation –Certification.
INVITATION TO COMPUTER SCIENCE, JAVA VERSION, THIRD EDITION Chapter 6: An Introduction to System Software and Virtual Machines.
The Structure of Processes (Chap 6 in the book “The Design of the UNIX Operating System”)
Computers Operating System Essentials. Operating Systems PROGRAM HARDWARE OPERATING SYSTEM.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3.
1 Chapter Nine Conducting the IT Audit Lecture Outline Audit Standards IT Audit Life Cycle Four Main Types of IT Audits Using COBIT to Perform an Audit.
G53SEC 1 Reference Monitors Enforcement of Access Control.
OSes: 3. OS Structs 1 Operating Systems v Objectives –summarise OSes from several perspectives Certificate Program in Software Development CSE-TC and CSIM,
Silberschatz, Galvin and Gagne  Operating System Concepts Operating Systems 1. Overview 2. Process Management 3. Storage Management 4. I/O Systems.
Domain 6 Security Architecture and Models Domain Objective The objective of this domain is to understand: security models in terms of confidentiality,
COBIT®. COBIT® - Control Objectives for Information and related Technology. C OBI T was initially created by the Information Systems Audit & Control Foundation.
SAM-101 Standards and Evaluation. SAM-102 On security evaluations Users of secure systems need assurance that products they use are secure Users can:
Chapter 2 Operating System Overview Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
C OBI T and slides © 2007 IT Governance Institute. Used with permission. An Overview of C OBI T ®
Chapter 19: Building Systems with Assurance Dr. Wayne Summers Department of Computer Science Columbus State University
Operating Systems.
Chapter 21: Evaluating Systems Dr. Wayne Summers Department of Computer Science Columbus State University
The NIST Special Publications for Security Management By: Waylon Coulter.
Information Security Office: Function, Alignment in the Organization, Goals, and Objectives Presentation to Sacramento PMO March 2011 Kevin Dickey.
Information Security Principles and Practices by Mark Merkow and Jim Breithaupt Chapter 5: Security Architecture and Models.
1 Security Architecture and Designs  Security Architecture Description and benefits  Definition of Trusted Computing Base (TCB)  System level and Enterprise.
CSCI/CMPE 4334 Operating Systems Review: Exam 1 1.
COBIT. The Control Objectives for Information and related Technology (COBIT) A set of best practices (framework) for information technology (IT) management.
Security Architecture and Design. 2 Domain Objectives Benefits of a Security Architecture System Level Security Architecture vs. Enterprise Security Architecture.
Introduction to Operating Systems Concepts
BIL 424 NETWORK ARCHITECTURE AND SERVICE PROVIDING.
Chapter 19: Building Systems with Assurance
Chapter 15, Exploring the Digital Domain
THE ORANGE BOOK Ravi Sandhu
Operating Systems: A Modern Perspective, Chapter 3
Outline Operating System Organization Operating System Examples
Chapter 2 Operating System Overview
Presentation transcript:

ISA 562 Internet Security Theory & Practice 11. Security Architecture & Evaluation Domain 5

Objectives Security Architecture Description and benefits Definition of Trusted Computing Base (TCB) System level and Enterprise Security Architectures Trusted Systems 2 2

Introduction Security architecture describes how system security is integrated to satisfy security requirements. Balance requirements  capability, flexibility, , security, performance… Security architecture is one aspect of system architecture Security requirements are not just added steps to the development process but they are specifications or guidelines influencing the life cycle 3 3

Major Concepts Security related terminology ISMS ( Information Security Management System) ISA ( Information Security Architecture) Trusted Computing Base (TCB) Security model Enterprise Security Architecture Objectives in any enterprise security architecture Guidance Aligning business and security objectives Using security best practices 4 4

Major Concepts Benefits Components Perspectives Manage IT risk at a reduced cost Interoperability, integration, and ease-of-access. Components Architecture model Language to be used Use of some architectural framework Perspectives People, process, and Technology 5 5

Process framework for a Security Architecture 6 6

Good and bad architectures Good security architecture Strategic, holistic, allows multiple implementations. Manages the process of setting the architecture, Implementation, Compliance, and Monitoring Bad architectural planning can result in No support for new business services Security breaches and vulnerabilities Poor understanding by usersof security goals and objectives 7 7

A High-Level Design 8 8

Enterprise Architecture Frameworks PDCA Approach ( ISO 17799 or ISO 27001 ) TQM and ISO 9001:2000 Total Quality Management 9 9

Enterprise Architecture Frameworks What is an ISMS? ISMS = Information Security Management System. What is for? Incorporate process into a business which Influences the quality of the system Increases product and service quality Aligns process with business objectives Implementing an ISMS Define the IS policy Define the Scope of ISMS coverage Go through a security Risk assessment Identify risks and manage them Select security controls Prepare a statement of applicability 10 10

Enterprise Architecture Frameworks - 1 Zachman Framework Aligns business and IT objectives ITIL (Information technology infrastructure Library) Published in the UK: British Standard 15000 IT Services delivery COBIT (Control Objectives for information Technology) Emphasizes regularity compliance Basel II (Financial Risk Management Framework) Establishes basic requirements for risk management Guarantees financial stability standards 11 11

Enterprise Architecture Frameworks - 2 Six Sigma (process variance control framework) Data driven and measurement based DMAIC DMADV COSO (Committee of Sponsoring Organizations) The importance of Identifying and managing risk CMMI (Capability Maturity Model Integration) Based on TQM Improving process Different Maturity levels 12 12

System Level Architectural Concepts Components which provide basic security services Integrity of computing processes Controlled access to system resources Predictable computing services Two components: Hardware Software Computer layers include End user Application, which sits on top of Utilities, that sit on top of Operating systems, which sit on top of 13 13

System Level Architecture Concepts Some of the operating system services are Process execution Input and output processing Error detection and handling Communication Security kernel provides critical security services CPU - two different privilege states Supervisor state where system programs execute Application state where application programs and non-privileged programs execute Process states Stopped, running, waiting, etc 14 14

System Level Architecture Concepts Applications Current applications are portable and execute in a multi-threaded OS. System approaches Open or Closed systems Single level or multi-level systems System architectures Centralized vs. Distributed 15 15

System Level Architecture Concepts Memory management requirements Protection: users cannot generate address, users can share access, etc Relocation and Sharing Logical and Physical organization Memory Addressing Logical: requires translation to a physical address Relative: location relative to known point ( ex: array) Physical: absolute address or actual location 16 16

System Level Architecture Concepts Virtual memory A process uses more memory than what is available in the physical memory Limited by swap space on disk Uses the concept of pages and segments I/O Inter-process communication which involves locating and relocation data and instructions between a number of storage facilities ( I/O controller, managing memory, etc) 17 17

Basic System Security Concepts Trusted Computing base (TCB) Includes all the components and their operating processes and procedures that ensure the security policy of the organization is enforced It should also be simple and testable Enforces security policy Monitors Process activation Execution Domain Switching Memory protection Input/output Operations 18 18

Basic System Security Concepts Objects that require protection Anything on the system such as: Memory, Operating system tables, Directory files, Data structures, etc Reference Monitor Concept Abstract machine Tamperproof Verifiable Always invoked (cannot bypass) Includes Subjects and objects What is a Security Kernel? Hardware, firmware, and software elements of a trusted computing base that implements the reference monitor 19 19

Establishing Confidence in Trusted Systems Evaluation criteria are standardized methods for establishing confidence that products satisfy the functional and assurance requirements of the organization Trusted Computer System Evaluation Criteria (TCSEC) – The Orange book (1983-1999) Information Technology Security Evaluation Criteria (ITSEC) (1991-2001) Federal criteria 1992 FIPS 140-1 of 1994 and FIPS-2 of 2001 Common Criteria (ISO 15408) (1998-present) 20 20

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.