Security Standards and Threat Evaluation
Main Topic of Discussion Methodologies Standards Frameworks Measuring threats –Threat evaluation –Certification and accreditation
IT Governance A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.
C & A The certification and accreditation (C&A) process focuses on federal IT systems processing, storing, and transmitting sensitive information, the associated tasks and subtasks, security controls, and verification techniques and procedures, have been broadly defined so as to be universally applicable to all types of IT systems, including national security or intelligence systems, if so directed by appropriate authorities.
Standards in Assessing Risk Need a way to measure risk consistently Need to cover multiple geographies Needs to scale Newly forming Teaching
Methodologies A Body of Practices, procedures and rules used by those who engage in an inquiry Can include multiple frameworks Overall approach used to measure something Repeatable Utilizes standards
Standards Something that is widely recognized or employed, especially because of its excellence An acknowledged measure of comparison for qualitative or quantitative value Many different types of standards- even for the same elements needing to be measured
Framework A set of assumptions, concepts, values and practices that constitutes a way of viewing reality Building block for crafting approach Encapsulates elements for performing a task Acts as a guide- details can be plugged in for specific tasks
Standards CoBit ISO17999 Common Criteria NIST
COBIT Control Objectives for Information and related Technology Framework, Standard or Good practice? Includes: –Maturity models –Critical Success factors –Key Goal Indicators –Key Performance Indicators
COBIT COBIT is structured around four main fields of management implying 34 processes of management associated with information technology: 1.Planning and organization 2.Acquisition and implementation 3.Delivery and Support 4.Monitoring
ISO17999 “A detailed security Standard” Ten major sections: –Business Continuity Planning –System Access Control –System Development and Maintenance –Physical and Environmental Security –Compliance –Personnel Security –Security organization –Computer and Network Management –Asset Classification –Security Policy
ISO17999 Most widely recognized security standard Based on BS7799, last published in May 1999 Comprehensive security control objectives UK based standard
SSECMM CIA Triad Defines the “triad” as the following items: Confidentiality Integrity Availability Accountability Privacy Assurance
Common Criteria Developed from TCSEC standard in 1980’s (Orange book) International Standard ISO took ITSEC (UK) TCSEC and CTCPEC (Canada) and combined them into CC (1996) NIAP –National Information Assurance Partnership –
Common Criteria 11 Functionality Classes: –Audit –Cryptographic Support –Communications –User Data Protection –Identification and Authentication –Security Management –Privacy –TOE Security functions –Resource utilization –TOE Access –Trusted Paths
Threat Approach
Threat Evaluation Evaluation of level of threat to an asset Based on: –Visibility, inherent weakness, location, personal/business values Method: –Determine threats to assets (and their importance) –Determine cost of countermeasures –Implement countermeasures to reduce threat
Threats Activity that represents possible danger Can come in different forms Can come from different places Can’t protect from all threats Protect against most likely or most worrisome such as: –Business mission –Data (integrity, confidentiality, availability)
Vulnerability Assessment Evaluation of weakness in asset Based on: –Known published weakness –Perceived / studied weakness –Assessed threats Method: –Determined threats relevant to asset –Determined vulnerability to those threats –Determine vulnerability to theoretical threats –Fortify / accept vulnerabilities