An Holistic model to evaluate the Information Security Health State

Prof. Solange Ghernaouti-Hélie; Igli Tashi

Page 2: An Holistic model to evaluate the Information Security ...

Table of Contents

• Risk and Security Management Concepts
• The subject of the evaluation
• Information Security Assurance Structure
• Security Assurance Evaluation Model
• Conclusion

4th ETSI Security Workshop, 13-14 January 2009. Prof. Solange Ghernaouti-Hélie, Igli Tashi

Page 3: An Holistic model to evaluate the Information Security ...

Risk Management

• Structure (ISO 31000)
  – identify
  – assess the consequences
  – likelihood of the occurrence
  – prioritize the risks to be treated and the reduction actions to be undertaken
• The process has to be in concordance with strategic and operational objectives

Source: ISO/TC-Std. 31000:2008, Risk Management - Principles and guidelines on implementation (draft), International Organization for Standardization (ISO), Switzerland, 2008

Page 4: An Holistic model to evaluate the Information Security ...

Security Management

• Information Security Management:
  – a system which is part of the overall management system
  – based on a business risk approach to:
    • establish, implement, operate, monitor, review, maintain, and improve information security
• Formal management framework:
  – where the security controls are implemented and documented
  – some records are maintained in order to:
    • evaluate security controls
    • perform compliance checks

Source: ISO-Std. ISO/IEC TR 13335-1, Information Technology - Guidelines for the management of IT Security - Concepts and models for IT Security, International Organization for Standardization (ISO), Switzerland, 1996

Page 5: An Holistic model to evaluate the Information Security ...

Risk Management and Security Management


Risk Management is part of Information Security Management

Page 6: An Holistic model to evaluate the Information Security ...

Risk Management and Security Management

RM and ISM respond to the same objective:

ASSETS’ SAFETY


Both processes are necessary

Page 7: An Holistic model to evaluate the Information Security ...

Information Security Assurance Structure

• Common Criteria - a structure to evaluate and provide a level of assurance
  – A functional class → security objectives
  – A family → security problem
  – A family's components → the component that solves a security problem

Page 8: An Holistic model to evaluate the Information Security ...

The subject of the evaluation

• Problem: piecemeal approach (and tools) for IS evaluation
  – Trusting the system is not possible
• IS assurance → concept of trust and confidence
  – Meet some specific security requirements
• Evaluation → Metrics
  – RM Metrics → what is done?
  – IS Metrics → how is it done?

IS assurance modelling concept

Assurance → Argument → Claim → Evidence

Page 9: An Holistic model to evaluate the Information Security ...

IS Assurance Concepts

• TRUST
  – sufficient credible evidence leading one to believe that a given system will meet a set of given requirements
• CONFIDENCE
  – mental attitude of trusting in OR relying on a person/thing; closely related to the concepts of reliance and faith
• IS CONFIDENCE
  – confidence that depends on security related properties and functionalities, as well as the operation and administration procedures
• Trust and trustworthiness → components of roots-of-trust
• Building confidence into the IS system in place
  – Requirements
  – Planning

[Diagram: Requirements and Planning as INPUTS to the IS Evaluation MODEL]

Page 10: An Holistic model to evaluate the Information Security ...

Security Assurance Evaluation Model

• Model to assess IS by:
  – being less time consuming and labour intensive
  – reducing the effects of complexity
• Evaluation Model
  – Dimension → security class
  – Focus area → security family
  – Specific factors → security component
• Semiformal model
• Nested structure

Page 11: An Holistic model to evaluate the Information Security ...

First Layer of Evaluation

[Diagram: nested structure Dimension → Focus area → Specific factor, evaluated at the FIRST LEVEL]

Page 12: An Holistic model to evaluate the Information Security ...

Class Example

• Organizational class → Governance family → components to be:
  – IS risk management methodology
  – IS strategy
  – IS organisational structure
  – IS policies
  – IS security standards
  – IS institutionalized monitoring processes
  – Process to ensure continued evaluation and update of security policies, standards, procedures and risks
• Evaluated according to a set of attributes, assuring that a formalized and assured continuous process is performed.
• Class_i Structure's Assurance Level - First level of Evaluation

Page 13: An Holistic model to evaluate the Information Security ...

Model’s structure

• Semiformal model → a natural language based on a specific method, imposing a rigorous structure on the process
• 4 principal dimensions:
  – The Organizational dimension
  – The Operational dimension
  – The Human dimension
  – The Legal dimension
• Nested structure

Page 14: An Holistic model to evaluate the Information Security ...

Second Layer of Evaluation

[Diagram: nested structure Dimension → Focus area → Specific factor, evaluated at the FIRST LEVEL and the SECOND LEVEL]

Page 15: An Holistic model to evaluate the Information Security ...

Quality attribute of evaluation

• Quality according to ISO 9000:2001
  – Degree to which a set of inherent characteristics fulfils requirements
• PDCA-like model including:
  – Management responsibility
  – Resource management
  – Product realization
  – Measurement, analysis and improvement
• IS → Process
  – Inherent feature AND
  – Degree of excellence

Source: ISO-Std. 9001:2000, Quality Management Systems - Requirements, International Organization for Standardization (ISO), Switzerland, 2000

Page 16: An Holistic model to evaluate the Information Security ...

Quality attribute of evaluation

Class_i Structure's Quality Level - Second level of Evaluation

Page 17: An Holistic model to evaluate the Information Security ...

Third Layer of Evaluation

[Diagram: nested structure Dimension → Focus area → Specific factor, evaluated at the FIRST, SECOND and THIRD LEVEL; Roots-of-Trust feed the third level; Building confidence]

Page 18: An Holistic model to evaluate the Information Security ...

Requirements attribute of the evaluation

• To define security requirements for each dimension (class):
  – More than a baseline
  – Based on the current best practices or standards in the Information Security domain
    • ISO standards
    • ISF standards
    • CobiT
    • ISM3
    • CCE-SSM
    • Etc.
  – Defined or based on Maturity / Capability Models
• Structure: An example of HUI class

Class_i Requirements' fulfilment level - Third level of Evaluation

Page 19: An Holistic model to evaluate the Information Security ...

CONCLUSION

• A subject to evaluate → Information Security Health State
• Three properties to evaluate:
  1. Structure Assurance Level (structure)
  2. Quality Assurance Level (process)
  3. Security Posture Level (requirements)

INFORMATION SECURITY = A TRUSTED FUNCTION
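As an added illustration (not the authors' code), the following Python sketch models the nested class → family → component structure from the "Class Example" and "Model's structure" slides and scores each component on the three evaluation levels named in the conclusion. The attribute names are taken from the deck; the scoring rules (share of satisfied attributes, maturity reached over target, weakest-link roll-up) and all evidence values are assumptions.

```python
"""Nested evaluation model: class -> family -> component, three levels each."""
from dataclasses import dataclass, field

# Attribute names come from the slides; the scoring rules are assumptions.
STRUCTURE = ("formalized", "assured", "continuous")
PDCA = ("management responsibility", "resource management",
        "product realization", "measurement analysis and improvement")

@dataclass
class Component:
    """Specific factor (CC 'component') holding the evidence per level."""
    name: str
    structure: dict  # STRUCTURE attribute -> satisfied?
    quality: dict    # PDCA attribute -> satisfied?
    maturity: int    # maturity level reached
    target: int      # required level (more than a baseline), >= 1

    def levels(self):
        # structure / quality / requirements scores, each in 0.0 .. 1.0
        s = sum(self.structure.get(a, False) for a in STRUCTURE) / len(STRUCTURE)
        q = sum(self.quality.get(a, False) for a in PDCA) / len(PDCA)
        return {"structure": s, "quality": q,
                "requirements": min(self.maturity, self.target) / self.target}

@dataclass
class Node:
    """Dimension (class) or focus area (family); weakest-link roll-up."""
    name: str
    children: list = field(default_factory=list)  # Nodes or Components

    def levels(self):
        scores = [c.levels() for c in self.children]  # needs >= 1 child
        return {k: min(s[k] for s in scores) for k in scores[0]}

def governance_example():
    """Organizational class -> Governance family with constructed, fictional
    evidence rows: (name, STRUCTURE met, PDCA met, maturity reached, target)."""
    rows = [("IS risk management methodology", 3, 4, 3, 3),
            ("IS strategy", 3, 3, 2, 3),
            ("IS organisational structure", 2, 4, 3, 3),
            ("IS policies", 3, 2, 1, 3),
            ("IS security standards", 3, 4, 3, 3),
            ("IS institutionalized monitoring processes", 1, 1, 1, 3),
            ("Continued evaluation and update of policies/risks", 2, 3, 2, 3)]
    family = Node("Governance", [
        Component(n, {a: i < s for i, a in enumerate(STRUCTURE)},
                  {a: i < q for i, a in enumerate(PDCA)}, m, t)
        for n, s, q, m, t in rows])
    return Node("Organizational", [family])
```

With the constructed evidence, the weakest component (institutionalized monitoring) pulls the class down to one third on structure and requirements and one quarter on quality, which is the point of a weakest-link roll-up: one unmanaged component caps the health state of the whole class.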

Page 20: An Holistic model to evaluate the Information Security ...

THANK YOU FOR YOUR ATTENTION!

? QUESTIONS ?

[email protected]@unil.ch