Published by Jared Park. Modified over 9 years ago.
1
Security Objectives
University of Sunderland
CSEM02
Harry R. Erwin, PhD
2
What are Security Objectives?
Security objectives are the things you do to:
– Enforce security policies
– Mitigate risks
Security objectives may be met by:
– Things the system does to protect itself, and
– Things you can assume the environment does for the system.
3
CCTool
An expert system to aid in security analysis.
No longer supported by NIAP/NIST/NSA.
Still available from the module website.
Discusses security objectives and requirements.
Available at Sunderland as the UoSTool.
4
The Security Mapping Process
CCTool Manual
5
Security Analysis Relationships
CCTool Manual
6
Security Objectives Result in Security Requirements
CCTool Manual
7
Security Objectives
“The results of the analysis of the security environment can then be used to state the security objectives that counter the identified threats and address identified organizational security policies and assumptions. The security objectives should be consistent with the stated operational aim or product purpose of the system, and any knowledge about its physical environment.”
CCTool Manual
8
Intent of the Objectives
“The intent of determining security objectives is to address all of the security concerns and to declare which security aspects are either addressed directly by the system or by its environment. This categorization is based on a process incorporating engineering judgment, security policy, economic factors and risk acceptance decisions.”
CCTool Manual
9
Example Objectives
– O.AC_Label_Export: Object security attributes and exportation
– O.Access_History: Access history for user session
– O.Admin_Code_Val: Administrative validation of executables
– O.Admin_Guidance: Administrator guidance documentation
10
To Explore This Further
Run CCTool (available on the terraces)