SECURITY ASSESSMENT

System Security Policy

Security Certification

Threat Identification

Threat Analysis

Vulnerability Identification and Assessment

Security Requirements Specification

Security Monitoring and Auditing

Why is it important?

  • Firewall installations
  • User discipline

To be successful

  • Have the backing of the organization's top management
  • Involve everyone in the organization
  • Precisely describe a clear vision of a secure environment
  • Set priorities and costs of what needs to be protected.
  • Be a good teaching tool for everyone in the organization about security and what needs to be protected, why, and how it is to be protected.
  • Set boundaries on what constitutes behavior as far as security and privacy
  • Create a security clearing house and authority.
  • Be flexible enough to adapt to new changes.
  • Be consistently implemented throughout the organization.

The 5 steps to achieve its goals

  • Determine the resources that must be protected and draw a profile of its characteristics.
  • For each identifiable resource determine the type of threat and the likelihood of such a threat.
  • For each identifiable resource determine what measures will protect it the best and from whom.
  • Develop a policy team consisting of at least one member from senior administration, legal staff, employees, member of IT department, and an editor or writer to help with drafting the policy.
  • Determine what needs to be audited.
  • Define the acceptable use of system resources such as Email, News, Web
  • Consider how to deal with each of the following: Encryption, Password, Key creation and distributions, Wireless devices that connect on the organization's network
  • Provide for remote access
  • Schedule a time to review these structures regularly

For the user:
user name, location, and phone number of the responsible system owner, and data/application owner. The range of security clearance levels, the set of formal access approvals, and the need-to-know of users of the system.

For the resources:
resource type, document any special physical protection, brief description of a secure operating system.
if the resource is data then also do the following:

  • classification level: top secret, secret, confidential; and categories of data: restricted, formally restricted
  • any special access programs for the data
  • any special formal access approval necessary for access to the data
  • any special handling instructions
  • any need-to-know restrictions on users
  • any sensitive classification or lack of.

sources

Natural Disasters

Human factor

Infrastructure Failures

  • Communication
  • Human-machine interface
  • Data design, analysis and interpretation
  • New tools and technologies
  • Workload and user capacity
  • Work environment
  • Training
  • Performance
  • ways to plan for the natural disaster
    • up-to-date backups stored at different locations
    • Contingency plans

SW

HW

humanware

  • approaches to overcome hardware threats
    • Redundancy
    • Monitoring system
    • self-healing hardware
  • The human component in a computer system is so unpredictable and so unreliable
  • failure causes
    • human error
    • nature of software
    • the environment in which software is produced and used

Approaches

  • Threat Analysis by Annualized Loss Expectations
  • Schneier's Attack Tree Method

SW

humanware

HW

system security policies and procedures.

the 4 reasons

  • vulnerabilities areas
    • system software [most serious]
    • application software (3 reasons) [largest number of vulnerabilities]
    • control software (2 reasons)
  • policies are the building blocks of an organization's security
  • When compared to a similar industry, weaknesses should be noted in quality, conformity, and comprehensiveness.

Attempts to achieve

  • Employs a set of structured verification techniques and verification procedures
  • Demonstrates that the security controls of the system are implemented correctly
  • Identifies risks to confidentiality, integrity, and availability of information and resources
  • monitoring tools categories
    • System Performance
    • Network Security
    • Network Performance and Diagnosis
    • Networking links
    • Dynamic IP and DNS event logger
    • Remote Control and File Sharing applications event logger
    • File Transfer Tools
  • report formats
    • Alert
    • Chart
    • Log
    • Report
  • Audit steps
    • Review all aspects of the system's stated criteria.
    • Review all threats identified.
    • Choose a frequency of audits, whether daily, weekly, or monthly.
    • Review practices to ensure compliance to written guidelines.