A Comprehensive View Of Information Security
Hasan Sayani, Ph.D.
Jim Chen, Ph.D.
Mary Hoferek, Ph.D.
Introduction
• Addressing the View Point of Development
• Not Conventional Operational View
  • Protection, Intrusion Detection, Forensics
• Build a More Secure Information System
Basis for Discussion
• Life Cycle of Development
  • Classical
  • Variations (evolutionary, iterative, RAD, Re-Use Based, Domain Engineered, Extreme)
• Perspective in This Paper
Basis For Discussion (Contd.)
• Conceptual Meta Model of Information Systems by Their Dominant Characteristic
  • Data
  • Activity
  • Control
  • Constraint
• Strategy for Selecting a Characteristic as a Starting Point, or a Surrogate
Boundaries of a System and Its Activities
• Processes are Activities Inside the System
• Externals are Activities Outside the System
• Distinction between Processes and Interfaces
• Locus of Control
Boundaries of a System and Its Activities (Contd.)
• Variations Due to Service-Oriented Applications (SOA)
• Impact on Views Sent and Received
• Treatment of Physical Devices
  • Computers (Servers, Clients), Storage Devices, Networks, People, and the Housing of These
Focus by Following Data View as System Gets Developed
• Definition of Data View
  • Intrinsic ("Atomic") View of an "Entity" with Properties & Identifier(s)
  • Super/Sub Types/Classes
  • The Contents Matrix
  • Associative View (Contextual) – Affected by Roles Played by an Entity
• (View Meta-meta Model)
Focus by Following Data View as System Gets Developed (Contd.)
• Interaction of Data View with Activities
• The Data/Activity Interaction Matrix + Mode
  • C R U D
Security Driven by the Need to Handle Threats
• Definition of a Threat
• Risk Posed by Threat
• Computation of Risk
  • Probability of Occurrence × Cost of Occurrence
• Risk Management Principles
  • Identify
  • Rate
  • Monitor
  • Mitigate
Thesis of Paper
• Data View as the Target of a Threat
• Identify Vulnerabilities at Earliest Phase of the Life Cycle
  • External
    • e.g., via Use Cases
  • Internal
    • e.g., via Incidence Matrix (Process vs. View)
Thesis of Paper (Contd.)
• Cross-check by Using
  • ConOps (Story Telling!)
  • Requirements Reading
Thesis of Paper (Contd.)
• Follow Them as the System Goes Through its Life Cycle
  • Views May be Synthesized, or Projections Formed
  • Activities May be Grouped or Partitioned
  • Use of Patterns to Reduce New Errors
  • Activities May be Assigned to External Service Providers (as in SOA)
  • Other Physical Allocations
• Threats Must be Followed Across Development
  • To Assure That no New Vulnerabilities are Created,
  • Or, if so, They are Analyzed and Mitigated
  • Existing Vulnerabilities are Monitored
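An added worked example, not taken from the slides or the authors' paper: a data/activity interaction matrix with CRUD modes, threats rated as probability × cost, and a re-check after an activity is assigned to an external service provider. Every activity, view, probability and cost in it is constructed for illustration.

```python
# Added illustration; every activity, view, probability and cost below is constructed.
ACTIVITIES = {  # activity -> side of the system boundary
    "RegisterPatient": "process", "BillingRun": "process",
    "InsurerPortal": "external", "ClinicianClient": "external",
}
# Data/activity interaction matrix at the design phase: (activity, view) -> CRUD modes
DESIGN = {
    ("RegisterPatient", "PatientRecord"): "CU",
    ("BillingRun", "PatientRecord"): "R",
    ("BillingRun", "Invoice"): "CRU",
    ("InsurerPortal", "Invoice"): "R",
    ("ClinicianClient", "PatientRecord"): "RU",
}
# Later phase: BillingRun is assigned to an outside service provider,
# and the allocated service can also delete invoices.
ALLOCATED = {**DESIGN, ("BillingRun", "Invoice"): "CRUD"}
ALLOCATED_ACTIVITIES = {**ACTIVITIES, "BillingRun": "external"}

THREATS = [  # (name, targeted view, CRUD modes that realise it, probability, cost)
    ("record tampering", "PatientRecord", "CUD", 0.05, 200_000),
    ("record disclosure", "PatientRecord", "R", 0.10, 150_000),
    ("invoice disclosure", "Invoice", "R", 0.20, 20_000),
    ("invoice deletion", "Invoice", "D", 0.02, 50_000),
]

def exposures(matrix, activities):
    """Map threat name -> set of (activity, boundary side) that can realise it."""
    found = {}
    for name, view, modes, _prob, _cost in THREATS:
        found[name] = {
            (act, activities[act])
            for (act, v), crud in matrix.items()
            if v == view and set(crud) & set(modes)
        }
    return found

def rate(matrix, activities):
    """Rank reachable threats by risk = probability x cost, highest first."""
    exp = exposures(matrix, activities)
    rows = [(name, prob * cost, sorted(exp[name]))
            for name, _v, _m, prob, cost in THREATS if exp[name]]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def new_exposures(before, after):
    """Exposures present after a life-cycle step that were absent before it."""
    return {name: after[name] - before[name]
            for name in after if after[name] - before[name]}

if __name__ == "__main__":
    for name, risk, paths in rate(DESIGN, ACTIVITIES):
        print(f"{risk:>10.0f}  {name}: {paths}")
    print(new_exposures(exposures(DESIGN, ACTIVITIES),
                        exposures(ALLOCATED, ALLOCATED_ACTIVITIES)))
```

In the constructed data, "invoice deletion" has no exposing activity at design time and appears only after the allocation step, which is the kind of newly created vulnerability the re-check is meant to surface.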
At the Completion, Traditional V & V Needs to be Augmented
• To Verify that All Threats Have Been Addressed
• And that no New Ones Have Surfaced in the Interim
• To Make Sure That a Risk Management Program is in Effect
At the Completion, Traditional V & V Needs to be Augmented
• To Establish a (Security) Confidence Level in the Delivered System
• Also Appropriate When Buying COTS (Commercial Off the Shelf) Products
• Ideally, the System Should Also be Tested Against Known Vulnerabilities
Maintenance
• Same Care Needs to be Taken During Maintenance
Effect of Trends in Industry
• (SOA)
• Outsourcing
• Data Warehousing
• Data Mining
• Regulations (e.g., Electronic Health Records, Sarbanes/Oxley)