Security Standards and Threat Evaluation

Explore methodologies, standards, and frameworks for measuring and evaluating threats. Learn about certification and accreditation processes for IT systems.

Presentation Transcript


  1. Security Standards and Threat Evaluation

  2. Main Topics of Discussion
     • Methodologies
     • Standards
     • Frameworks
     • Measuring threats
     • Threat evaluation
     • Certification and accreditation

  3. IT Governance
     A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.

  4. C & A
     The certification and accreditation (C&A) process focuses on federal IT systems processing, storing, and transmitting sensitive information. The associated tasks and subtasks, security controls, and verification techniques and procedures have been broadly defined so as to be universally applicable to all types of IT systems, including national security or intelligence systems, if so directed by appropriate authorities.

  5. Standards in Assessing Risk
     • Need a way to measure risk consistently
     • Need to cover multiple geographies
     • Need to scale
     • Newly forming
     • Teaching

  6. Methodologies
     • A body of practices, procedures and rules used by those who engage in an inquiry
     • Can include multiple frameworks
     • The overall approach used to measure something
     • Repeatable
     • Utilizes standards

  7. Standards
     • Something that is widely recognized or employed, especially because of its excellence
     • An acknowledged measure of comparison for qualitative or quantitative value
     • Many different types of standards exist, even for the same elements needing to be measured

  8. Framework
     • A set of assumptions, concepts, values and practices that constitutes a way of viewing reality
     • Building block for crafting an approach
     • Encapsulates elements for performing a task
     • Acts as a guide; details can be plugged in for specific tasks

  9. Standards
     • COBIT
     • ISO 17799
     • Common Criteria
     • NIST

  10. COBIT
     • Control Objectives for Information and related Technology (www.isaca.org)
     • Framework, standard or good practice?
     • Includes:
       • Maturity models
       • Critical success factors
       • Key goal indicators
       • Key performance indicators

  11. COBIT
     COBIT is structured around four main management domains comprising 34 IT processes:
     • Planning and Organization
     • Acquisition and Implementation
     • Delivery and Support
     • Monitoring

  12. ISO 17799
     • “A detailed security standard”
     • Ten major sections:
       • Business Continuity Planning
       • System Access Control
       • System Development and Maintenance
       • Physical and Environmental Security
       • Compliance
       • Personnel Security
       • Security Organization
       • Computer and Network Management
       • Asset Classification
       • Security Policy

  13. ISO 17799
     • Most widely recognized security standard
     • Based on BS7799, last published in May 1999
     • Comprehensive security control objectives
     • UK-based standard

  14. SSE-CMM CIA Triad
     • Defines the “triad” as the following items:
       • Confidentiality
       • Integrity
       • Availability
       • Accountability
       • Privacy
       • Assurance

  15. Common Criteria
     • Developed from the TCSEC standard of the 1980s (Orange Book)
     • International standard
     • ISO took ITSEC (UK), TCSEC and CTCPEC (Canada) and combined them into the CC (1996)
     • NIAP: National Information Assurance Partnership, http://niap.nist.gov/

  16. Common Criteria
     • 11 functionality classes:
       • Audit
       • Cryptographic Support
       • Communications
       • User Data Protection
       • Identification and Authentication
       • Security Management
       • Privacy
       • TOE Security Functions
       • Resource Utilization
       • TOE Access
       • Trusted Paths

  17. Threat Approach

  18. Threat Evaluation
     • Evaluation of the level of threat to an asset
     • Based on: visibility, inherent weakness, location, personal/business values
     • Method:
       • Determine threats to assets (and their importance)
       • Determine the cost of countermeasures
       • Implement countermeasures to reduce the threat

  19. Threats
     • Activity that represents possible danger
     • Can come in different forms
     • Can come from different places
     • Can’t protect from all threats
     • Protect against the most likely or most worrisome, such as threats to:
       • Business mission
       • Data (integrity, confidentiality, availability)

  20. Vulnerability Assessment
     • Evaluation of weakness in an asset
     • Based on:
       • Known published weaknesses
       • Perceived / studied weaknesses
       • Assessed threats
     • Method:
       • Determine threats relevant to the asset
       • Determine vulnerability to those threats
       • Determine vulnerability to theoretical threats
       • Fortify / accept vulnerabilities
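The threat evaluation method (slide 18) and the fortify/accept decision of the vulnerability assessment (slide 20) carried through in code, as an added example that is not part of the presentation. The scoring formula (likelihood times the mean of the slide's four factors times asset value), the 0..1 factor scales and every asset, threat and cost figure are constructed assumptions, not numbers the slides give.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value: float       # personal/business value at stake (money)
    visibility: float  # how visible the asset is to an adversary, 0..1
    weakness: float    # inherent weakness, 0..1
    location: float    # exposure due to where the asset sits, 0..1

@dataclass
class Threat:
    name: str
    likelihood: float   # chance the threat acts in the period, 0..1
    targets: frozenset  # names of the assets this threat is relevant to

@dataclass
class Countermeasure:
    name: str
    threat: str       # threat it reduces
    cost: float
    reduction: float  # fraction of the threat level it removes, 0..1

def threat_level(asset, threat):
    """Assumed scoring: expected loss = likelihood x mean of the slide's factors x value."""
    factors = (asset.visibility + asset.weakness + asset.location) / 3
    return threat.likelihood * factors * asset.value

def plan(assets, threats, measures):
    """Per asset: find relevant threats, price countermeasures, fortify if worth it, else accept."""
    decisions = {}
    for asset in assets:
        for threat in threats:
            if asset.name not in threat.targets:
                continue
            level = threat_level(asset, threat)
            best, best_net = None, 0.0
            for m in (m for m in measures if m.threat == threat.name):
                net = level * m.reduction - m.cost  # loss avoided minus cost
                if net > best_net:  # fortify only if the measure pays for itself
                    best, best_net = m, net
            decisions[(asset.name, threat.name)] = (level, f"fortify:{best.name}" if best else "accept")
    return decisions

# Constructed sample inventory; every score and amount is illustrative.
ASSETS = [Asset("customer-db", 100_000, 0.8, 0.6, 0.7), Asset("lobby-kiosk", 5_000, 0.9, 0.5, 0.4)]
THREATS = [Threat("sql-injection", 0.3, frozenset({"customer-db"})), Threat("theft", 0.2, frozenset({"lobby-kiosk"}))]
MEASURES = [Countermeasure("waf", "sql-injection", 15_000, 0.6),
            Countermeasure("code-review", "sql-injection", 8_000, 0.5),
            Countermeasure("cable-lock", "theft", 900, 0.8)]
```

With this inventory the database threat is fortified with the cheaper review option because the pricier one costs more than the loss it avoids, while the kiosk theft risk is accepted because no countermeasure pays for itself.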
