1 / 12

Approaches to Security Metrics

Approaches to Security Metrics. Summary of Day One Fran Nielsen, NIST/ITL June 14, 2000. What are Security Metrics?. Katzke set the stage ambiguous, immature discipline, have different meanings

hslade
Download Presentation

Approaches to Security Metrics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Approaches to Security Metrics Summary of Day One Fran Nielsen, NIST/ITL June 14, 2000

  2. What are Security Metrics? • Katzke • set the stage • ambiguous, immature discipline, have different meanings • proposed a model showing the relationship of objects, security objectives, and the processes to measure them

  3. IA Readiness Assessment • Bartlett • designing an assessment process and pilot that is consistent, flexible, and relevant • using existence measurement points and integrating/aggregating results • 3 metric categories: people, operations & training, equipment & infrastructure

  4. SSE-CMM PAM WG • Jelen • Profiles, Assurance, and Metrics Committee, ISSEA • Overview of SSE-CMM appraisal as a metric • Two types of metrics • process - evidence of process maturity • security - extent to which security attribute is present

  5. FISCAM • Heim • Overview of FISCAM General Controls • Covers six control areas: • Security Program Planning/Management • Access Control • Application SW Development & Change Control • System Software • Segregation of Duties • Service Continuity

  6. CIO’s IT Security Assessment Framework • Gilligan • high level tool meant to be relevant to management • leverages existing mandates and guidance • can be implemented now • 5 assessment levels: incomplete, complete, implemented, measured, pervasive

  7. Audit-based Approach • Bayuk • application of industry standard control objectives to a locally-defined systems security framework • uses audit steps as a basis for metrics • results in recommended improvements

  8. Quantitative Risk Assessment • Tompkins • risk analysis as a metric for determining security program effectiveness = “close enough” • planning is what’s important, not the plan • understand that it may be cheaper to “clean up” rather than have a strong security program • deal with the future no matter how much we know about the past

  9. Cryptographic Metrics • Smith • Summary and review of metrics for determining cryptographic strength

  10. Concepts/Discussion Points • What are we trying to achieve? Need something simple and effective that “tells the story” • Sometimes we measure what we can measure. • How can we measure something that keeps moving?

  11. Concepts/Discussion Points • Need a new paradigm - not systems and networks; think about enclaves and perimeters • Measurements and metrics are different • Metrics are not statistics - need correlation point to measure effectiveness

  12. Concepts/Discussion Points • Many dimensions of protection underlie the problem of defining/using metrics • Need to differentiate between real new vulnerabilities and examples of vulnerabilities • Can we move from subjective to empirically-based objective measures?

More Related