Assumptions of Secure Operation University of Sunderland CIT304 Harry R. Erwin, PhD.

Definition

When you do a security analysis, you identify security objectives—what you think the target of evaluation (TOE—i.e., the ‘system’) should do. Some of these objectives do not require specific security mechanisms because the system operates securely for other reasons. Those other reasons are the ‘assumptions of secure operation’. We will examine typical ones from US Department of Defense sources. If you don’t think about these assumptions, you won’t be aware that you’re making them.

Assumption Categories

- Administrators—what can we assume about the administrators?
- Users—what can we assume about the users?
- Assumed Protection—what can we assume about the protection of security data?
- Procedural Security—what can we assume about administrative procedures?
- Communications Security—what can we assume about the security of data in transit?
- Physical Security—what can we assume about the physical security of the system and facility?

Administrator Assumptions

- Are the administrator staff authenticated and held responsible for their actions? (good idea)
- Is remote security administration supported? (bad idea)
- Are administrators trusted, hostile, or negligent? (trusted is preferred)
- Are administrators competent, improperly trained, or error-prone? (competent is preferred)
- Can administrators be trusted to be well-behaved and to act constructively? (Answer ‘yes’.)

User Assumptions

- Are users cooperative? (hard to say)
- Do they have access to security data?
- Can they access the system remotely?
- Are they competent, hostile, or error-prone?
- Can they bypass security?
- How competent are the hackers?
- Are viruses a concern?

Assumed Protection

- How secure are the password files? Can they be accessed outside of their use in identification and authentication?
- Do system administrators have the ability to corrupt data transiting to/from the system? (unlikely)
- Are programs, log files, and system data protected from corruption by users?
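The Assumed Protection questions can be turned into a repeatable check instead of being left as unstated assumptions. The following is an added example, not part of the original slides: the file kinds, the forbidden permission bits and the function names are assumptions chosen for illustration, and the file tree is constructed in a temporary directory rather than read from a real system.

```python
import os
import stat
import tempfile

# Mode bits that must be clear for each assumption to hold (this example's policy).
FORBIDDEN = {
    "password_file": stat.S_IROTH | stat.S_IWGRP | stat.S_IWOTH,
    "log_file": stat.S_IWGRP | stat.S_IWOTH,
    "program": stat.S_IWGRP | stat.S_IWOTH,
}

def check_assumed_protection(inventory):
    """Return (path, kind, reason) for every entry that breaks an assumption."""
    findings = []
    for path, kind in inventory:
        # lstat: judge the entry itself, never the target of a planted symlink
        st = os.lstat(path) if os.path.lexists(path) else None
        if st is None or not stat.S_ISREG(st.st_mode):
            findings.append((path, kind, "missing or not a regular file"))
            continue
        bad = stat.S_IMODE(st.st_mode) & FORBIDDEN[kind]
        if bad:
            findings.append((path, kind, f"excess mode bits {bad:03o}"))
        # A world-writable directory without the sticky bit lets any user replace the file.
        parent = os.stat(os.path.dirname(path)).st_mode
        if parent & stat.S_IWOTH and not parent & stat.S_ISVTX:
            findings.append((path, kind, "parent directory world-writable"))
    return findings

def build_sample(root):
    """Create a constructed file tree (not real system files) and return its inventory."""
    spec = [  # (relative path, kind, file mode, directory mode)
        ("etc/shadow", "password_file", 0o640, 0o755),
        ("etc/shadow.bak", "password_file", 0o644, 0o755),
        ("log/auth.log", "log_file", 0o666, 0o755),
        ("drop/tool", "program", 0o755, 0o777),
    ]
    inventory = []
    for rel, kind, fmode, dmode in spec:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, fmode)
        os.chmod(os.path.dirname(path), dmode)
        inventory.append((path, kind))
    return inventory

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for finding in check_assumed_protection(build_sample(root)):
            print(finding)
```

Each finding marks a place where the protection is only assumed, so it either needs a mechanism or has to be recorded as an explicit assumption of secure operation.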

Procedural Security

- Do security administrators follow documented policies and procedures?
- Do security administrators review audit trails and security logs on a regular basis?
- Do security administrators remove user data properly from the system when user access is removed? (Discuss…)
- Do security administrators follow procedures to enforce proper user management of passwords?
- Do security administrators follow procedures to prevent the spread of computer viruses?

Communications Security

- Are communications media physically protected? (unlikely)
- Can outsiders read communications traffic?
- Are the systems interfacing to the TOE under the same management control, and do they follow the same security policies? (Trust, again!)

Physical Security

- Can hackers gain physical access to the system?
- Are TOE security functions physically protected?
- Is the system protected against natural disaster?
- Is the system protected against sudden loss of power?
- Are system communications protected from sudden loss of service?

Conclusions

- Clearly, it is easier to secure a system that operates in a benign or safe environment.
- Deploying a system in an unprotected environment makes security much more difficult, but may be required. (E.g., FAA radars and communications antennae are not physically protected.)
- Consider the operational environment in assessing costs and benefits.

Worked Example

Consider my neuroscience wiki—let’s do a security analysis for it…

- Threats
- Policies
- Trust relationships
- Resulting objectives
- Assumptions of secure operation

Discussion