A Holistic Model to Evaluate the Information Security Health State
Prof. Solange Ghernaouti-Hélie; Igli Tashi
Table of Contents
• Risk and Security Management Concepts
• The subject of the evaluation
• Information Security Assurance Structure
• Security Assurance Evaluation Model
• Conclusion
4th ETSI Security Workshop, 13-14 January 2009. Prof. Solange Ghernaouti-Hélie, Igli Tashi
Risk Management
• Structure (ISO 31000):
– identify the risks
– assess the consequences
– assess the likelihood of occurrence
– prioritize the risks to be treated and the reduction actions to be undertaken
• The process has to be in concordance with the strategic and operational objectives
Source: ISO/TC-Std. 31000:2008, Risk Management - Principles and guidelines on implementation (draft), International Organization for Standardization (ISO), Switzerland, 2008
Security Management
• Information Security Management:
– a system which is part of the overall management system
– based on a business risk approach, used to establish, implement, operate, monitor, review, maintain, and improve information security
• Formal management framework:
– where the security controls are implemented and documented
– records are maintained in order to evaluate the security controls and to demonstrate compliance
Source: ISO-Std. ISO/IEC TR 13335-1, Information Technology -Guidelines for the management of IT Security - Concepts and models for IT Security, International Organization for Standardization (ISO), Switzerland, 1996
Risk Management and Security Management
• Risk Management is part of Information Security Management
• RM and ISM respond to the same objective: ASSETS' SAFETY
• Both processes are necessary
Information Security Assurance Structure
• Common Criteria - a structure to evaluate and provide a level of assurance, organized as a nested hierarchy:
– A class → a set of security objectives (a grouping of families that share a common focus)
– A family → one security problem
– A family's components → the selectable requirement sets, each of which solves that security problem
The subject of the evaluation
• Problem: a piecemeal approach (and piecemeal tools) to IS evaluation
– trusting the system as a whole is then not possible
• IS assurance → the concepts of trust and confidence
– that the system meets some specific security requirements
• Evaluation → metrics
– RM metrics → what is done?
– IS metrics → how is it done?
IS assurance modelling concept
Assurance → Argument → Claim → Evidence
(each level is justified by the next: assurance rests on an argument, the argument on claims, and each claim on evidence; a claim without evidence adds no assurance)
IS Assurance Concepts
• TRUST
– sufficient credible evidence leading one to believe that a given system will meet a set of given requirements
• CONFIDENCE
– the mental attitude of trusting in, or relying on, a person or thing; closely related to the concepts of reliance and faith
• IS CONFIDENCE
– confidence that depends on the security-related properties and functionalities, as well as on the operation and administration procedures
• Trust and trustworthiness → components of roots-of-trust
Figure: Requirements and Planning are the INPUTS to the IS Evaluation MODEL, which builds confidence in the IS system in place
Security Assurance Evaluation Model
• A model to assess IS that is:
– less time-consuming and labour-intensive than a full evaluation
– less affected by the complexity of the system
• Evaluation model:
– Dimension → security class
– Focus area → security family
– Specific factor → security component
• Semiformal model
• Nested structure
First Layer of Evaluation
Figure: FIRST LEVEL - the nested structure Dimension > Focus area > Specific factor
Class Example
• Organizational class → Governance family → components to be evaluated:
– IS risk management methodology
– IS strategy
– IS organisational structure
– IS policies
– IS security standards
– IS institutionalized monitoring processes
– Process to ensure continued evaluation and update of security policies, standards, procedures and risks
• Each component is evaluated according to a set of attributes, assuring that a formalized and assured continuous process is performed.
• Class i Structure's Assurance Level - first level of evaluation
Model’s structure
• Semiformal model → natural language, structured by a specific method that imposes a rigorous structure on the process
• 4 principal dimensions:
– The Organizational dimension
– The Operational dimension
– The Human dimension
– The Legal dimension
• Nested structure
Second Layer of Evaluation
Figure: SECOND LEVEL built on the FIRST LEVEL - Dimension > Focus area > Specific factor
Quality attribute of evaluation
• Quality according to ISO 9000:2000: the degree to which a set of inherent characteristics fulfils requirements
• PDCA-like model (the ISO 9001:2000 clause structure) including:
– Management responsibility
– Resource management
– Product realization
– Measurement, analysis and improvement
• IS as a process has:
– inherent characteristics (what it does) AND
– a degree of excellence (how well it does it)
Source: ISO-Std. 9001:2000, Quality Management Systems -Requirements, International Organization for Standardization (ISO), Switzerland, 2000
• Class i Structure's Quality Level - second level of evaluation
Third Layer of Evaluation
Figure: THIRD LEVEL built on the SECOND and FIRST LEVELS - Dimension > Focus area > Specific factor; the Roots-of-Trust feed the process of building confidence
Requirements attribute of the evaluation
• Define security requirements for each dimension (class):
– more than a baseline
– based on the current best practices or standards in the Information Security domain:
• ISO standards
• ISF standards
• CobiT
• ISM3
• CCE-SSM
• etc.
– defined by, or based on, maturity / capability models
• Structure: an example of the HUI class
• Class i Requirements' fulfilment level - third level of evaluation
CONCLUSION
• The subject of evaluation → the Information Security Health State
• Three properties to evaluate:
1. Structure Assurance Level (structure)
2. Quality Assurance Level (process)
3. Security Posture Level (requirements)
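The nested class / family / component structure and the three evaluation levels, worked through as an added Python example. This is my own illustration, not the authors' code or formulas: the 0..1 scoring scale, the aggregation rules (weakest-link minimum for structure assurance, mean for quality, threshold share for security posture, minimum of the three for the health state), the rule that a claim without evidence contributes nothing, and every sample score and evidence label in the Governance example are assumptions.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List


@dataclass
class Component:
    """Specific factor, the model's 'security component' (e.g. 'IS policies')."""
    name: str
    structure: float      # level 1: formalised, documented, institutionalised (0..1, assumed scale)
    quality: float        # level 2: PDCA-style quality of the process (0..1)
    requirements: float   # level 3: fulfilment of the component's requirement set (0..1)
    evidence: List[str] = field(default_factory=list)  # records backing the claim

    def __post_init__(self) -> None:
        for v in (self.structure, self.quality, self.requirements):
            if not 0.0 <= v <= 1.0:
                raise ValueError(f"{self.name}: scores must lie in [0, 1]")


@dataclass
class Family:
    """Focus area, the model's 'security family' (e.g. 'Governance')."""
    name: str
    components: List[Component]


@dataclass
class SecurityClass:
    """Dimension, the model's 'security class' (e.g. 'Organizational')."""
    name: str
    families: List[Family]


def _components(sc: SecurityClass) -> List[Component]:
    return [c for f in sc.families for c in f.components]


def _supported(c: Component) -> Component:
    # Assurance -> Argument -> Claim -> Evidence: a claim with no record behind
    # it contributes nothing, so its three scores are capped at 0 (assumed rule).
    if c.evidence:
        return c
    return replace(c, structure=0.0, quality=0.0, requirements=0.0)


def evaluate_class(sc: SecurityClass, req_threshold: float = 0.8) -> Dict[str, object]:
    """Aggregate one class into the three evaluation levels (rules are assumptions):
    level 1, structure assurance = weakest link, the minimum over components;
    level 2, quality assurance   = mean process quality;
    level 3, security posture    = share of components meeting req_threshold;
    health state                 = the minimum of the three."""
    raw = _components(sc)
    if not raw:
        raise ValueError(f"{sc.name}: nothing to evaluate")
    comps = [_supported(c) for c in raw]
    n = len(comps)
    level1 = min(c.structure for c in comps)
    level2 = sum(c.quality for c in comps) / n
    level3 = sum(1 for c in comps if c.requirements >= req_threshold) / n
    return {
        "class": sc.name,
        "structure_assurance": round(level1, 3),
        "quality_assurance": round(level2, 3),
        "security_posture": round(level3, 3),
        "health_state": round(min(level1, level2, level3), 3),
        "unsupported_claims": [c.name for c in raw if not c.evidence],
    }


def weakest_factors(sc: SecurityClass, n: int = 3) -> List[str]:
    """Components to treat first: lowest minimum across the three levels."""
    comps = sorted(
        (_supported(c) for c in _components(sc)),
        key=lambda c: min(c.structure, c.quality, c.requirements),
    )
    return [c.name for c in comps[:n]]


def with_evidence(sc: SecurityClass, component: str, record: str) -> SecurityClass:
    """Copy of the class in which `component` gains one evidence record."""
    families = []
    for f in sc.families:
        comps = [replace(c, evidence=c.evidence + [record]) if c.name == component else c
                 for c in f.components]
        families.append(Family(f.name, comps))
    return SecurityClass(sc.name, families)


def governance_example() -> SecurityClass:
    """Constructed sample: the deck's Organizational class / Governance family.
    All scores and evidence labels are made up for illustration."""
    governance = Family("Governance", [
        Component("IS risk management methodology", 0.9, 0.8, 0.90, ["risk assessment report 2008-Q4"]),
        Component("IS strategy", 0.8, 0.7, 0.85, ["IS strategy v3, board-approved"]),
        Component("IS organisational structure", 0.7, 0.6, 0.80, ["security org chart"]),
        Component("IS policies", 1.0, 0.9, 0.95, ["policy set, reviewed 2008"]),
        Component("IS security standards", 0.6, 0.5, 0.70, ["baseline hardening standard"]),
        Component("IS institutionalized monitoring processes", 0.9, 0.8, 0.90),  # claimed, no evidence
        Component("Process to ensure continued evaluation and update", 0.5, 0.4, 0.60, ["review minutes"]),
    ])
    return SecurityClass("Organizational", [governance])


if __name__ == "__main__":
    sc = governance_example()
    print(evaluate_class(sc))      # health_state 0.0: one unsupported claim zeroes level 1
    print(weakest_factors(sc))
    fixed = with_evidence(sc, "IS institutionalized monitoring processes", "SIEM weekly review log")
    print(evaluate_class(fixed))   # health_state 0.5, now bounded by the weakest documented factor
```

The point the run makes is the one behind "Assurance → Argument → Claim → Evidence": a monitoring process that is claimed but not evidenced pulls the structure assurance level, and therefore the health state, to zero, and only once a record is attached does the class's health state become a statement about its weakest documented factor.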
INFORMATION SECURITY = A TRUSTED FUNCTION
THANK YOU FOR YOUR ATTENTION !
? QUESTIONS ?
[email protected]@unil.ch