Post on 16-Jan-2016
Security Standards and Threat Evaluation
Main Topic of Discussion
– Methodologies
– Standards
– Frameworks
– Measuring threats
  – Threat evaluation
  – Certification and accreditation
IT Governance
A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.
C & A
The certification and accreditation (C&A) process focuses on federal IT systems that process, store, and transmit sensitive information. The associated tasks and subtasks, security controls, and verification techniques and procedures have been broadly defined so as to be universally applicable to all types of IT systems, including national security or intelligence systems, if so directed by appropriate authorities.
Standards in Assessing Risk
– Need a way to measure risk consistently
– Need to cover multiple geographies
– Needs to scale
– Newly forming
– Teaching
Methodologies
A body of practices, procedures and rules used by those who engage in an inquiry
– Can include multiple frameworks
– Overall approach used to measure something
– Repeatable
– Utilizes standards
Standards
– Something that is widely recognized or employed, especially because of its excellence
– An acknowledged measure of comparison for qualitative or quantitative value
– Many different types of standards, even for the same elements needing to be measured
Framework
A set of assumptions, concepts, values and practices that constitutes a way of viewing reality
– Building block for crafting an approach
– Encapsulates elements for performing a task
– Acts as a guide: details can be plugged in for specific tasks
Standards
– COBIT
– ISO 17799
– Common Criteria
– NIST
COBIT
www.isaca.org
Control Objectives for Information and related Technology
Framework, standard or good practice?
Includes:
– Maturity models
– Critical success factors
– Key goal indicators
– Key performance indicators
COBIT
COBIT is structured around four main fields of management, comprising 34 IT-related management processes:
1. Planning and organization
2. Acquisition and implementation
3. Delivery and support
4. Monitoring
ISO 17799
“A detailed security standard” with ten major sections:
– Business continuity planning
– System access control
– System development and maintenance
– Physical and environmental security
– Compliance
– Personnel security
– Security organization
– Computer and network management
– Asset classification
– Security policy
ISO 17799
– Most widely recognized security standard
– Based on BS7799, last published in May 1999
– Comprehensive security control objectives
– UK-based standard
SSE-CMM CIA Triad
Defines the “triad” as the following items:
– Confidentiality
– Integrity
– Availability
– Accountability
– Privacy
– Assurance
Common Criteria
– Developed from the TCSEC standard of the 1980s (Orange Book)
– International standard: ISO took ITSEC (UK), TCSEC and CTCPEC (Canada) and combined them into CC (1996)
– NIAP
  – National Information Assurance Partnership
  – http://niap.nist.gov/
Common Criteria
11 functionality classes:
– Audit
– Cryptographic support
– Communications
– User data protection
– Identification and authentication
– Security management
– Privacy
– TOE security functions
– Resource utilization
– TOE access
– Trusted paths
Threat Approach
Threat Evaluation
Evaluation of the level of threat to an asset. Based on:
– Visibility, inherent weakness, location, personal/business values
Method:
– Determine threats to assets (and their importance)
– Determine cost of countermeasures
– Implement countermeasures to reduce threat
Threats
– Activity that represents possible danger
– Can come in different forms
– Can come from different places
– Can’t protect from all threats
– Protect against the most likely or most worrisome, such as those to:
  – Business mission
  – Data (integrity, confidentiality, availability)
Vulnerability Assessment
Evaluation of weakness in an asset. Based on:
– Known published weakness
– Perceived / studied weakness
– Assessed threats
Method:
– Determine threats relevant to the asset
– Determine vulnerability to those threats
– Determine vulnerability to theoretical threats
– Fortify / accept vulnerabilities
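The threat evaluation and vulnerability assessment methods above, worked through in code as an added example that is not part of the original slides. It assumes a simple expected-loss model (asset value × likelihood × impact) to rank threats by importance, then compares each countermeasure's annual cost with the loss it avoids to reach a "fortify" or "accept" decision; the asset, threats, countermeasures and their numbers are all constructed.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    likelihood: float  # assumed annual probability that the threat is realised
    impact: float      # assumed fraction of the asset's value lost when it is

@dataclass
class Countermeasure:
    name: str
    cost: float             # assumed annual cost of operating the control
    counters: str           # name of the threat it addresses
    residual_factor: float  # multiplier applied to that threat's likelihood

def expected_loss(asset_value, threat):
    return asset_value * threat.likelihood * threat.impact

def rank_threats(asset_value, threats):
    """Step 1: order threats by importance (expected annual loss)."""
    return sorted(threats, key=lambda t: expected_loss(asset_value, t), reverse=True)

def evaluate(asset_value, threats, countermeasures):
    """Steps 2-3: fortify only where the avoided loss exceeds the control's cost,
    otherwise accept the vulnerability; also return the residual exposure."""
    residual = {t.name: t for t in threats}
    decisions = []
    for cm in countermeasures:
        t = residual[cm.counters]
        saving = expected_loss(asset_value, t) * (1 - cm.residual_factor)
        net = saving - cm.cost
        if net > 0:
            decisions.append((cm.name, "fortify", net))
            residual[t.name] = Threat(t.name, t.likelihood * cm.residual_factor, t.impact)
        else:
            decisions.append((cm.name, "accept", net))
    remaining = sum(expected_loss(asset_value, t) for t in residual.values())
    return decisions, remaining

# Constructed sample: a customer database valued at 500,000 (arbitrary units).
ASSET_VALUE = 500_000
THREATS = [
    Threat("insider data theft", likelihood=0.05, impact=0.8),
    Threat("ransomware", likelihood=0.2, impact=0.6),
]
COUNTERMEASURES = [
    Countermeasure("offline, tested backups", cost=15_000, counters="ransomware", residual_factor=0.25),
    Countermeasure("data loss prevention", cost=25_000, counters="insider data theft", residual_factor=0.5),
]
```

Calling `evaluate(ASSET_VALUE, THREATS, COUNTERMEASURES)` fortifies against ransomware (avoided loss 45,000 against a 15,000 cost) but accepts the insider risk (10,000 avoided against a 25,000 cost), leaving a residual exposure of 35,000.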