Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182.

Security Engineering “Security engineering is a specialized field of engineering that deals with the development of detailed engineering plans and designs for security features, controls and systems.” (Wikipedia) Its aim is to build systems that remain dependable in the face of malice, error or mischance.

Most organizations neglect the security requirements needed to keep their systems safe. Security requirements are usually considered at the end of a project rather than during early analysis and design, when they are cheapest to address.

Control Objectives Control objectives are set for three layers: the environmental context of the information system, the information contained within the system, and the physical assets of the system.

Information Security Objectives fall into two groups: security (control) objectives and assurance objectives.

Security Control Objectives Confidentiality Authentication Availability Integrity Non-repudiation

Confidentiality Ensures information is not disclosed to or accessible by unauthorized users, and so protects the assets of a computing system. Example of a breach: giving out confidential information over the phone to someone who is not authorized to receive it.

Authentication Verifies that users (or systems) are who they claim to be, so that information is in the right hands and assets are used only in an authorized manner. Examples of mechanisms: passwords, digital certificates, smart cards.
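The following is an added example, not code from the slides: a challenge-response login of the kind a smart card performs, written in Go with only the standard library. The server type, the user name and the shared secret are constructed for the demonstration. It shows the two details that make such a scheme work: the secret itself never crosses the wire, and a fresh single-use nonce means a captured response cannot be replayed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server holds each user's shared secret (assumed to be provisioned out of
// band, e.g. onto a smart card) and the nonce currently awaiting a response.
type Server struct {
	secrets    map[string][]byte
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{secrets: map[string][]byte{}, challenges: map[string][]byte{}}
}

// Enroll registers a user with a shared secret.
func (s *Server) Enroll(user string, secret []byte) { s.secrets[user] = secret }

// Challenge issues a fresh 16-byte random nonce. The nonce is what makes a
// captured response useless to an eavesdropper later on.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.secrets[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// Respond is the client side: prove possession of the secret without
// sending it, by keying an HMAC with it over the server's nonce.
func Respond(secret, nonce []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(nonce)
	return mac.Sum(nil)
}

// Verify recomputes the expected response, compares in constant time, and
// discards the nonce whether or not the check passed, so it is single use.
func (s *Server) Verify(user string, response []byte) bool {
	nonce, ok := s.challenges[user]
	if !ok {
		return false // no outstanding challenge: nothing to verify against
	}
	delete(s.challenges, user)
	expected := Respond(s.secrets[user], nonce)
	return hmac.Equal(expected, response) // constant-time comparison
}

func main() {
	s := NewServer()
	secret := []byte("constructed smart-card secret") // sample only
	s.Enroll("alice", secret)

	nonce, err := s.Challenge("alice")
	if err != nil {
		panic(err)
	}
	resp := Respond(secret, nonce)
	fmt.Println("nonce:", hex.EncodeToString(nonce))
	fmt.Println("legitimate login:", s.Verify("alice", resp))
	fmt.Println("replayed response:", s.Verify("alice", resp)) // nonce already consumed

	nonce, _ = s.Challenge("alice")
	fmt.Println("wrong secret:", s.Verify("alice", Respond([]byte("guess"), nonce)))
}
```

A production scheme would additionally bind the response to the server's identity and the session (to stop a relay to another server) and rate-limit failed attempts; the example deliberately shows only the core of the exchange.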

Availability Ensures information and services are accessible to authorized users when needed. Example: access to a database as and when required. A denial of service (DoS), which makes the system unavailable, is a failure of this objective and must be prevented or absorbed.

Integrity Ensures that data cannot be created, deleted or modified without authorization. Examples of integrity failures: a database that is not properly shut down before maintenance is performed; an employee who intentionally modifies or deletes important data.

Non-repudiation Provides proof of the origin of a message (and, with signed receipts, of its delivery), so that the sender cannot later deny having sent it and the recipient cannot deny having received it. Example: e-commerce uses digital signatures, usually alongside encryption, for this purpose.
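Added example, not code from the slides: one Go program (standard library only) that exercises three of the objectives above, confidentiality with AES-256-GCM, integrity with HMAC-SHA256, and non-repudiation with an Ed25519 signature. It also shows the caveat the slide glosses over: a shared-key MAC gives integrity but not non-repudiation, because the recipient holds the same key and can mint a valid tag for any message it likes. The key and the "order" message are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Confidentiality: AES-256-GCM. Output layout is nonce || ciphertext || tag.
// GCM is an authenticated mode, so a modified ciphertext fails to open
// instead of decrypting to garbage.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// A nonce must never repeat under one key; a fresh random one per message.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func Decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Integrity: HMAC-SHA256 under a key shared by sender and receiver.
func Tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// CheckTag compares in constant time so the verifier does not leak how many
// leading bytes of a guessed tag were correct.
func CheckTag(key, msg, tag []byte) bool {
	return hmac.Equal(Tag(key, msg), tag)
}

// RecipientCanForge is the non-repudiation gap of a MAC: whoever can verify
// a tag can also create one, so a valid tag proves nothing to a third party
// about which of the two key holders sent the message.
func RecipientCanForge(sharedKey, forgedMsg []byte) bool {
	return CheckTag(sharedKey, forgedMsg, Tag(sharedKey, forgedMsg))
}

// Non-repudiation: Ed25519. Only the private-key holder can sign; verifiers
// hold just the public key, so they cannot forge and the signer cannot later
// deny the signature. A certificate binds the public key to an identity.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

func VerifySig(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	key := make([]byte, 32) // constructed sample key; derive or fetch from a KMS in practice
	rand.Read(key)
	order := []byte("order 42: pay 100 to acct 7") // constructed sample message
	forged := []byte("order 42: pay 1000 to acct 7")

	ct, _ := Encrypt(key, order)
	pt, _ := Decrypt(key, ct)
	fmt.Printf("confidentiality: %q round-trips, %d bytes on the wire\n", pt, len(ct))
	ct[len(ct)-1] ^= 1 // flip one bit of the GCM tag
	_, err := Decrypt(key, ct)
	fmt.Println("tampered ciphertext rejected:", err != nil)

	tag := Tag(key, order)
	fmt.Println("hmac valid:", CheckTag(key, order, tag), "recipient can forge:", RecipientCanForge(key, forged))

	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := Sign(priv, order)
	fmt.Println("signature valid:", VerifySig(pub, order, sig), "on altered order:", VerifySig(pub, forged, sig))
}
```

The split of labour matters in a dispute: the HMAC lets Alice and Bob detect corruption between themselves, but only the signature lets either of them show a third party that the other committed to the order.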

Assurance Control Objectives Management functions: security policies, the information security plan, risk management and personnel security.

Assurance Control Objectives Configuration Management Personnel Management Vulnerability Management Software Development Management Verification Management

Requirements Legacy systems: some organizations depend on them because nothing else can be implemented, so they must be accounted for. User documentation: includes the detailed system requirements. The engineer reviews the requirements specification in order to derive the system's security requirements.

Security Standards “Prescribed configuration and practices that improve the security of IT systems.” (Wikipedia) Standards are used by both government and user organizations.

Security Models

The Common Criteria Provide assurance that the specification, implementation and evaluation of a security product are carried out in a standard, repeatable manner.

The Common Criteria (contd..)

Functional requirements (Common Criteria Part 2) include classes such as: identification and authentication, resource utilisation, privacy, protection of the TOE security functions (TSF), trusted path/channels, and security management.

ISO/IEC Addresses good security policy practice. Does not provide detailed instructions; gives a high-level overview of the security requirements that serves as a baseline.

ISO/IEC (contd..) Control areas include: personnel security, compliance, access control, organizational security infrastructure and policy, physical and environmental security, operations management, etc.

The Capability Maturity Model Integration (CMMI) Includes practices for process improvement; manages the development and maintenance of products; helps measure improvement periodically. It is an assessment model: it determines the maturity level at which the organization currently stands.

CMMI

SSE-CMM The Systems Security Engineering Capability Maturity Model describes the essential characteristics of an organization's security engineering process. It covers the entire system life cycle of a product: concept definition, requirements analysis, design, development, integration, installation, maintenance, etc.

SSE-CMM (contd..) It covers the organization's engineering activities; interactions within the organization, such as with systems, software, hardware, system management, operation and maintenance; and interactions with other organizations, such as system management, certification and evaluation of the policies.

Cost-benefit analysis An organization has to balance effective security policies, acceptable performance and affordable cost. Which controls are implemented depends on how often an attack is expected and how much loss it would cause.

Cost-benefit analysis (contd..) It is difficult to judge whether a given investment in a security policy will give the expected return, because both the likelihood of an attack and the loss it would cause are estimates.
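Added example, not from the slides: the standard quantitative form of the cost-benefit decision above, the annualized loss expectancy (ALE) model, in Go. ALE = SLE x ARO, where SLE is the loss per incident and ARO the expected number of incidents per year (the slide's "how often an attack is expected"). Because the ARO is the shakiest input, the code also computes the breakeven ARO, the attack frequency at which a control just pays for itself, which is a more defensible number to argue about than a point estimate. The two candidate controls and all their figures are constructed for illustration.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Control is a candidate safeguard together with the risk it addresses.
type Control struct {
	Name       string
	SLE        float64 // single loss expectancy: loss per incident, in currency units
	ARO        float64 // annualized rate of occurrence: expected incidents per year, before the control
	Reduction  float64 // fraction of the annual loss the control removes, 0..1
	AnnualCost float64 // acquisition amortized over its life plus yearly operation
}

// ALE is the expected annual loss without the control.
func (c Control) ALE() float64 { return c.SLE * c.ARO }

// NetBenefit is the annual loss avoided minus the control's annual cost;
// the control is worth buying when this is positive.
func (c Control) NetBenefit() float64 { return c.ALE()*c.Reduction - c.AnnualCost }

// Worthwhile is the adoption decision the slide describes.
func (c Control) Worthwhile() bool { return c.NetBenefit() > 0 }

// BreakevenARO is the incident rate at which the control exactly pays for
// itself. When the ARO estimate is uncertain, ask instead whether attacks
// are plausibly at least this frequent.
func (c Control) BreakevenARO() float64 {
	avoidedPerIncident := c.SLE * c.Reduction
	if avoidedPerIncident <= 0 {
		return math.Inf(1) // a control that avoids no loss never pays for itself
	}
	return c.AnnualCost / avoidedPerIncident
}

// Rank orders candidates by net benefit, best first, so a fixed budget goes
// to the controls that buy the most risk reduction.
func Rank(controls []Control) []Control {
	out := append([]Control(nil), controls...)
	sort.Slice(out, func(i, j int) bool { return out[i].NetBenefit() > out[j].NetBenefit() })
	return out
}

func main() {
	// Constructed figures for illustration only.
	candidates := []Control{
		{Name: "offsite backups vs ransomware", SLE: 200000, ARO: 0.5, Reduction: 0.8, AnnualCost: 30000},
		{Name: "DLP appliance vs accidental leak", SLE: 5000, ARO: 2, Reduction: 0.9, AnnualCost: 12000},
	}
	for _, c := range Rank(candidates) {
		fmt.Printf("%-34s ALE %8.0f  net %8.0f  breakeven ARO %.2f/yr  adopt=%v\n",
			c.Name, c.ALE(), c.NetBenefit(), c.BreakevenARO(), c.Worthwhile())
	}
}
```

With these figures the backup control is adopted (it pays for itself once ransomware strikes more than about once every five years) while the DLP appliance is rejected: it would need leaks more than 2.7 times a year to cover its own cost, which is the question to put to the people who estimated the ARO.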


Thank You !