UNCLASSIFIED

Security Metrics

Computer System Security & Privacy Advisory Board
June 13-14, 2000

Dr. Stuart Katzke
Chief Scientist, Information Assurance Solutions Group
National Security Agency
(410) 854-7308
swkatzk@missi.ncsc.mil
Security Metrics: Examples

• Measuring the effectiveness of a security program
• Measuring an organization's or individual's ability to do security engineering and security assessment
• Measuring how secure a system/product is
• Measuring how good a security method/approach is
• Measuring risk
Security Metrics

• Ambiguous
• Immature discipline
• Uncertainty
• Lack precision
• Good examples exist
  • FIPS 140
  • TCSEC (Orange Book)
• Sometimes use indirect measurement methods (e.g., process as indicator)
Security Metrics: Model

[Diagram with four components: Object; ? (direct/indirect; assurance/confidence); Security Objectives (SOs); Metrics]
Security Metrics: Model

Object
• product
• system
  • vpn
  • intranet
  • e-business
• security program
• professional competence
  • individual
  • organization

? (direct/indirect)
• testing
  • functional
  • red team/penetration
  • green team
• evaluation
• assessment
  • risk/vulnerability
  • effectiveness
• accreditation
• training/education/competence
• observation of performance (e.g., intrusion detection)

SOs
• requirements
• CC PPs
• specs/stds
• control objectives
• best practice
• baseline
• due diligence
• maturity models
  • SSE-CMM
  • IA-CMM

Metrics
Security Metrics (Who: Object; Description)

• CSSPAB: CS Program; Effectiveness Assessment
• CIO Council: CS Program; Maturity Framework
• Private Sector: Organization; SSE-Capability Maturity Model
• NIAP: Organization; Infosec Assessment-Capability Maturity Model
• NIAP: Individual; Infosec Assessment Methodology (Ability/Capability)
Security Metrics: Activities (cont.) (Who: Object; Description)

• NSA: Individual; Infosec System Security Engineering
• Many Sources: Products; Protection Profiles (Smartcard, Firewalls, VPNs, OS)
• BITS: Products; PP-like functional specification
• CIO Council: Organization; IT Privacy Impact Assessment (Draft: IRS Model)
• DoD: Organization; Infosec Assurance Readiness Metrics (Draft: self assessment/check list)