An Holistic model to evaluate the Information Security Health State
Prof. Solange Ghernaouti-Hélie; Igli Tashi
Table of Contents
• Risk and Security Management Concepts
• The subject of the evaluation
• Information Security Assurance Structure
• Security Assurance Evaluation Model
• Conclusion
4th ETSI Security Workshop, 13-14 January 2009, Prof. Solange Ghernaouti-Hélie, Igli Tashi
Risk Management
• Structure (ISO 31000)
– identify
– assess the consequences
– likelihood of the occurrence
– prioritize the risk to be treated and reduction actions to be undertaken
• Process has to be in concordance with strategic and operational objectives
Source: ISO/TC-Std. 31000:2008, Risk Management - Principles and guidelines on implementation (draft), International Organization for Standardization (ISO), Switzerland, 2008
Security Management
• Information Security Management:
– a system which is part of the overall management system
– based on a business risk approach to: establish, implement, operate, monitor, review, maintain, and improve information security
• Formal management framework:
– where the security controls are implemented and documented
– some records are maintained in order to:
• evaluate security controls
• perform compliance
Source: ISO-Std. ISO/IEC TR 13335-1, Information Technology -Guidelines for the management of IT Security - Concepts and models for IT Security, International Organization for Standardization (ISO), Switzerland, 1996
Risk Management and Security Management
Risk Management is part of Information Security Management
RM and ISM respond to the same objective: ASSETS' SAFETY
Both processes are necessary
Information Security Assurance Structure
• Common Criteria - structure to evaluate and provide a level of Assurance
– A functional class → security objectives
– A family → security problem
– A family's components → component that solves a security problem
The subject of the evaluation
• Problem: piecemeal approach (and tools) for IS Evaluation
– Trusting the system is not possible
• IS assurance → concept of trust and confidence
– Meet some specific security requirements
• Evaluation → Metrics
– RM Metrics → what is done?
– IS Metrics → how is it done?
IS assurance modelling concept
Assurance → Argument → Claim → Evidence
IS Assurance Concepts
• TRUST – sufficient credible evidence leading to believe that a given system will meet a set of given requirements
• CONFIDENCE – mental attitude of trusting in OR relying on a person/thing; closely related to the concepts of reliance and faith
• IS CONFIDENCE – confidence that depends on security related properties and functionalities, as well as the operation and administration procedure
• Trust and trustworthy → components of roots-of-trust
• Building confidence into the IS system in place
– Requirements and Planning → INPUTS of the IS Evaluation MODEL
Security Assurance Evaluation Model
• Model to assess IS by:
– Being less time consuming and labour intensive
– Reducing the effects of complexity
• Evaluation Model
– Dimension → security class
– Focus area → security family
– Specific factors → security component
• Semiformal model
• Nested Structure
First Layer of Evaluation (diagram: Dimension → Focus area → Specific factor; FIRST LEVEL)
Class Example
• Organizational class → Governance family → components to be:
– IS risk management methodology
– IS strategy
– IS organisational structure
– IS policies
– IS security standards
– IS institutionalized monitoring processes
– Process to ensure continued evaluation and update of security policies, standards, procedures and risks
• Evaluated according to a set of attributes, assuring that a formalized and assured continuous process is performed.
• Class i Structure's Assurance level - First level of Evaluation
Model's structure
• Semiformal model → a natural language based on a specific method imposing a rigorous structure of the process
• 4 principal dimensions:
– The Organizational dimension
– The Operational dimension
– The Human dimension
– The Legal dimension
• Nested structure
Second Layer of Evaluation (diagram: Dimension → Focus area → Specific factor; FIRST LEVEL, SECOND LEVEL)
Quality attribute of evaluation
• Quality according to ISO 9000:2001 – Degree to which a set of inherent characteristics fulfils requirements
• PDCA like model including:
– Management responsibility
– Resource management
– Product realization
– Measurement, analysis and improvement
• IS → Process: Inherent feature AND Degree of excellence
Source: ISO-Std. 9001:2000, Quality Management Systems -Requirements, International Organization for Standardization (ISO), Switzerland, 2000
Quality attribute of evaluation
Class i Structure's Quality Level - Second level of Evaluation
Third Layer of Evaluation (diagram: Dimension → Focus area → Specific factor; FIRST LEVEL, SECOND LEVEL, THIRD LEVEL; Roots-of-Trust; Building confidence)
Requirements attribute of the evaluation
• To define security requirements for each dimension (class):
– More than a baseline
– Based on the current best practices or standards in the Information Security Domain:
• ISO standards
• ISF standards
• CobiT
• ISM3
• CCE-SSM
• Etc.
– Defined or based on Maturity / Capability Models
• Structure: An example of HUI class
Class i Requirement's fulfilment level - Third level of Evaluation
CONCLUSION
• A subject to evaluation → Information Security Health State
• Three properties to evaluate:
1. Structure Assurance Level (structure)
2. Quality Assurance Level (process)
3. Security Posture Level (requirements)
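As an added illustration of the nested structure (class → family → component) and of the three evaluation levels named in the Class Example, Model's structure and this conclusion, not code from the presentation: a small Python evaluator that keeps the Organizational class's structure, quality and requirement levels separate and rolls each up by weakest link. The 0-3 rating scale and the min aggregation are assumptions; the ratings for the Governance components are constructed.

```python
"""Nested three-level evaluation of the model's class -> family -> component structure.
Added example, not the authors' code. Assumptions not on the slides: each component is
rated 0-3 on each level, and ratings roll up by the weakest link (min), so the three
properties stay separate instead of being collapsed into one score."""
from dataclasses import dataclass

LEVELS = ("structure", "quality", "requirements")  # first, second and third level of evaluation

@dataclass
class Component:        # specific factor, e.g. "IS policies"
    name: str
    ratings: dict       # level name -> 0..3 (constructed scale, assumed)

@dataclass
class Family:           # focus area, e.g. "Governance"
    name: str
    components: list

@dataclass
class SecurityClass:    # dimension, e.g. "Organizational"
    name: str
    families: list

def family_level(family, level):
    """Weakest-link aggregation: the lowest component rating on this level."""
    return min(c.ratings[level] for c in family.components)

def class_health(sec_class):
    """The three properties of a class, kept separate (structure, process, requirements)."""
    return {lvl: min(family_level(f, lvl) for f in sec_class.families) for lvl in LEVELS}

def weakest_component(sec_class, level):
    """Which specific factor drags the class down on a given level."""
    comps = [c for f in sec_class.families for c in f.components]
    return min(comps, key=lambda c: c.ratings[level]).name

# Constructed sample ratings for the Governance family components listed on the slides.
GOVERNANCE = Family("Governance", [
    Component("IS risk management methodology", {"structure": 3, "quality": 2, "requirements": 3}),
    Component("IS strategy", {"structure": 3, "quality": 3, "requirements": 2}),
    Component("IS organisational structure", {"structure": 2, "quality": 3, "requirements": 3}),
    Component("IS policies", {"structure": 3, "quality": 1, "requirements": 3}),
    Component("IS security standards", {"structure": 3, "quality": 3, "requirements": 3}),
    Component("IS institutionalized monitoring processes", {"structure": 3, "quality": 2, "requirements": 1}),
    Component("Continued evaluation and update process", {"structure": 3, "quality": 2, "requirements": 2}),
])
ORGANIZATIONAL = SecurityClass("Organizational", [GOVERNANCE])
```

Calling class_health(ORGANIZATIONAL) reports the class at level 2 for structure but level 1 for quality and requirements, and weakest_component names the factor responsible for each low level.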
INFORMATION SECURITY = A TRUSTED FUNCTION
THANK YOU FOR YOUR ATTENTION !
? QUESTIONS ?