Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182.
-
Upload
beverly-johnson -
Category
Documents
-
view
214 -
download
0
Transcript of Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182.
Security EngineeringAssurance & Control
Objectives
Priyanka VanjaniASU Id # 993923182
Security Engineering “Security engineering is a
specialized field of engineering that deals with the development of detailed engineering plans and designs for security features, controls and systems.” Wikipedia
It helps building systems resistant in the event of a malice or an error.
Most organizations tend to neglect the security requirements needed in order to keep their system safe.
Security requirements are usually considered in the end and not during an early analysis of the design process.
Control Objectives
Environmental context of the information system
Control Objectives (contd…)
Information contained within the system
Control Objectives (contd..)
Physical assets of the system
Information Security Objectives:
Security Objectives
Assurance Objectives
Security Control Objectives
Confidentiality Authentication Availability Integrity Non-repudiation
Confidentiality
Ensures information is not accessible by unauthorized users
Protects assets of a computing system
For example: Giving out confidential information over the phone to someone who’s not authorized
Authentication
Ensures that the users are the right people.
Information is in the right hands and the assets are being used in an authorized manner.
For example: Passwords, digital certificates, smart cards
Availability
Ensures information is accessible to authorized users and is available when needed.
For example: Access to a database as and when required.
DoS: Denial of service should not be there
Integrity
Ensures that the data cannot be created, deleted or modified without authorized access to it.
For example: When a database is not properly shutdown before maintenance is performed.
Employee intentionally modifies or deletes important data.
Non-repudiation
It is the proof of the identity of the sender and the recipient.
For example: Ecommerce uses digital signatures and ecryption.
Assurance Control Objectives
Management functions
Involves security policies, information security plan, risk management and personal security.
gem
Assurance Control Objectives
Configuration Management Personnel Management Vulnerability Management Software Development
Management Verification Management
Requirements
Legacy Systems: used by some organizations where anything else cannot be implemented.
User’s Documentation: includes detailed system requirements. The engineer is supposed to look through the requirements specifications in order to derive any system security requirement.
Security Standards
“Prescribed configuration and practices that improve the security of IT systems.” Wiki
Standards are used by both government and user organizations.
Security Models
The Common Criteria
Provides assurance on specification, implementation and evaluation process of a security product and makes sure it is conducted in a standard manner.
The Common Criteria (contd..)
The Common Criteria (contd..)
Functional requirements include:
Authentication Resource utilization Privacy Protection of TOE Trusted channels Security Management
ISO/IEC 17799
Addresses good security policies Doesn’t provide detailed
instructions Superficial overview of the security
requirements that act as a base
ISO/IEC 17799 (contd..)
Personnel Security Compliance Access Control Organizational security
infrastructure and policy Physical and environmental
security Operations Management etc.
The Capability Maturity Model-Integrated (CMMI)
Include practices for process improvement
Manage development & maintenance of products
Help periodically measure improvement
‘Assessment’ model: determines the level at which the organization currently stands
CMMI
SSE-CMM The System Security Engineering
Capability Maturity Model Describes essential characteristics
of an organization’s security engineering process
Includes entire system life cycle of a product, concept definition, requirement analysis, design, development, integration, installation, maintenance etc.
SSE-CMM (contd..)
Organization engineering activities Interactions within the organization
such as with systems software, hardware, system management, operation as well as maintenance
Interactions with other organizations such as system management, certification, evaluation of the policies
Cost-benefit analysis
It is important for an organization to choose between effective security policies, optimal performance and affordable cost.
Security policies are implemented depending upon how often an attack is expected.
Cost-benefit analysis (Contd..)
It is difficult to analyze whether a certain investment in a security policy would give the expected returns.
References http://en.wikipedia.org/wiki/Security_engineering http://www.albion.com/security/intro-4.html http://en.wikipedia.org/wiki/Information_security#Integrity
http://ieeexplore.ieee.org/iel5/4021173/4021174/04021255.pdf?isnumber=4021174&prod=CNF&arnumber=402
1255&arSt=482&ared=488&arAuthor=Sung-il+Han%3B+Kab-seung+Kou%3B+Gang-soo+Lee
http://www.mantagroup.com/html/images/wp-0506102.gif
http://ieeexplore.ieee.org/iel5/4301108/4301109/04301148.pdf
http://www.cs.cmu.edu/~shawnb/SAEM-ICSE2002.pdf
References (Contd..) http://en.wikipedia.org/wiki/Information_security http://en.wikipedia.org/wiki/Legacy_system http://en.wikipedia.org/wiki/Common_Criteria http://images.google.com/imgres?imgurl=http://www.iso15408.net/pps18.gif&imgrefurl=http://www.iso15408.net/15408presentation.htm&h=405&w=542&sz=26&hl=en&start=11&um=1&tbnid=uhRTB9CFgMm4XM:&tbnh=99&tbnw=132&prev=/images%3Fq%3DThe%2Bcommon%2Bcriteria%26um%3D1%26hl%3Den%26
http://www.opengroup.org/architecture/togaf8-doc/arch/chap27.htmlsa%3DG
http://www.boldtech.com/images/cmmi.jpg http://www.sse-cmm.org/model/model.asp
Thank You !