A Study of Design Measure for Minimizing Security Vulnerability in Developing Virtualization Software
Mi Young Park (1), Yang Mi Lim (2)
(1) First Author: Science and Technology Policy Institute, ollive@stepi.re.kr
(2) Corresponding Author: Duksung Women's University, yosimi@duksung.ac.kr

Abstract

As many users share IT resources such as software and hardware in cloud computing, information security has to be solved first. Countermeasures for security vulnerabilities should be considered and built into an automatic diagnosis system before software development begins, which can be done efficiently by simulating a virtual test. This article catalogs the security vulnerabilities encountered in realizing cloud computing virtualization technology according to priority, and proposes a design process model that minimizes these vulnerabilities when building virtualization by practising against them, using prioritized Security Use Cases, before software development.

Keywords: Cloud Computing, Vulnerability, Vulnerability Scoring System

1. Introduction

Cloud computing and virtualization technology offer flexibility, efficiency and cost reduction, since users can draw on computing resources whenever necessary, and many companies are focusing on them. Yet, to realize cloud computing technology, the security problems have to be solved at the same time. Current security problems include malicious code and infringement of service availability, the risk of information disclosure arising from information ownership and administrative segregation, protocol vulnerabilities, zero-day vulnerabilities, and legal and regulatory issues. To solve these problems, the security design process must be modelled within the software development process, and a practice phase must be passed through to minimize security vulnerability when establishing virtualization.
Since software vulnerabilities arise throughout the development phases, starting from the earliest, designing measures that minimize vulnerability at the early phase reduces development and other costs and increases the reliability and security of the software [1]. This study therefore checked and categorized the security vulnerabilities of virtualization in order to develop a template for them prior to software development, prepared security design documents based on the security requirements, and produced a web-based checklist so that virtual practice can take place before the development phase. To compose the template of virtualization vulnerabilities, the study analyzed the types and impacts of virtual machine vulnerabilities, set the priority of the vulnerabilities, and surveyed and organized detailed countermeasures by degree of risk. These vulnerability priority data were designed and composed as the detailed items of the checklist, so that the detailed items and countermeasures can be described and practised virtually.

2. Relevant Research

Cloud computing refers to a mode of providing the user, on demand, with multiple data centers integrated through virtualization technology along with a variety of software, security and computing infrastructure [2]. The matter to be treated most seriously in adopting cloud computing technology is solving software security vulnerabilities. Software security vulnerabilities are security defects arising from the functional specification of the software, its design, errors in the implementation phase, booting, installation, or operational issues [3]. To address these security defects, the Cloud Security Alliance (CSA) defines seven threat factors [4, 5, 6], and Gartner's research proposes security guidelines for cloud computing users [7, 8]. Nevertheless, the annual level of infringement, the diversity of infringements and their total number are gradually increasing [9].
To address this, attempts to design the software development process and to standardize a security practice phase are increasing [10]. Until now, there has been almost no standardized security practice covering overall software development. Kenneth van Wyk and Gary McGraw reported the following practices for reducing security vulnerabilities, although not practices applied across the whole software development phase [11, 12]:

International Journal of Advancements in Computing Technology (IJACT), Volume 5, Number 13, September

Figure 1. Practices for the Reduction of the Security Vulnerabilities in the Software Development Phase

3. Security Vulnerability of Virtual Machine and Importance Analysis

This chapter analyzes the types and impacts of virtual machine security vulnerabilities and investigates their priority by importance. These significances are used to catalog the items of the checklist used in the design process for minimizing virtualization security vulnerabilities, described in Chapter 4, and for the detailed items and countermeasures of the virtual practices. First, for providing the virtualization technology of cloud computing, all security vulnerabilities occurring in three kinds of virtual machine, VMware, Xen and VirtualBox, were classified, and the damage that may result from each was analyzed to measure its degree of risk. The classification of vulnerability types follows the Common Weakness Enumeration (CWE) [13]. Table 1 selects 20 types of security vulnerability occurring in the virtual machines most frequently used by companies and public institutions (VMware, Xen and VirtualBox) and gives the number of vulnerabilities of each type.

Table 1. Analysis on the Types of Virtual Machine Vulnerabilities

No.  Vulnerability Type                            CWE   VMware  Xen  VirtualBox
1    Permissions, Privileges, and Access Control   CWE
     Buffer Errors                                 CWE
     Resource Management Errors                    CWE
     Information Leak / Disclosure                 CWE
     Link Following                                CWE
     Sum Total

Through Table 1, the most frequently occurring security vulnerabilities were selected, and from these the resulting damage could be understood. These damage results were defined as the impact types of the vulnerabilities and are summarized in Table 2.

Table 2. Impact Types by VM Vulnerabilities

No.  Vulnerability impact type based on CVE          VMware  Xen  VirtualBox
1    Provides user account access
     Allows disruption of service
     Allows unauthorized disclosure of information
     Provides administrator access
     Allows disruption of service
     Unknown
     Allows unauthorized modification
     Provides unauthorized access
     Unknown
     Sum Total
Next, for the impacts of the security vulnerabilities in Table 2, a valuation basis was set up to rank the most dangerous items, and their importance and priority were researched and analyzed as shown in Table 3. Generally, when security vulnerabilities are found during the software development process, they are either reported privately to the relevant software vendor or disclosed on the Internet. Moreover, because software vendors disclose information about vulnerabilities themselves and estimate their degree of risk, the reliability of the security advisories written for each product is reduced. This is because the calculation of the risk rating of security vulnerabilities has not been standardized, so a standardization policy is needed first. Therefore, to make the risk rating calculation reliable and to set priorities for the activity of minimizing security vulnerabilities, a standardized risk-degree policy specialized to the virtualization environment was defined, and the open framework CVSS was used to score the measurement standards of the degree of risk. Fig. 2 shows the frequently assessed items and the impact assessment items [14]. In these metric groups, the base metric score is passed on to the temporal metrics and the environmental metrics, where it is adjusted to fit the temporal and environmental conditions. Generally, analysis of security vulnerability postings against the base and temporal metrics is done by security solution and application vendors, who have far more information than general users do; accordingly, the base metric value is assessed first and then passed on to the temporal and environmental metrics.
At this point the environmental metrics are useful for assessing security vulnerabilities in the environment that fits the user, and the preceding assessment score is carried over into that assessment. Table 3 gives the frequency according to the CVSS properties and the relationship between the metric groups according to the properties of the impact types.

Figure 2. Emphasized Subset of Attributes from CVSS

Table 3. Significance and Priority of Valuation Basis

Valuation basis                               Significance weight   Priority
Base metrics (frequency)
  Access Vector                               3.1%                  0.3%
  Access Complexity                           2.6%                  0.3%
  Authentication                              40.5%                 4.6%
Base metrics (impact)
  Confidentiality                             20.8%                 2.4%
  Integrity                                   15.5%                 1.8%
  Availability                                11.5%                 1.3%
Temporal metrics (frequency)
  Utilizability tools & techniques            6.0%                  0.7%
  Remediation level                           %                     10.6%
  Report confidence                           13.5%                 6.5%
Environmental metrics (impact)
  Confidentiality requirement                 64.4%                 31.0%
  Integrity requirement                       7.2%                  2.9%
  Availability requirement                    15.3%                 6.2%
  Collateral damage potential                 25.0%                 10.1%
  Workload scalability and reliability        52.4%                 21.2%

4. Priority-applied Security Design for Minimizing the Vulnerabilities of Virtualization

This chapter describes the security design process, including a checklist of the priority-applied valuation basis, for reducing security vulnerabilities in the software development phase, based on the virtualization security vulnerability priority list. The security design valuation basis differs from a general design valuation basis: general design considers the modules among the features, hours of work, procedures and so on, but not the security factor, so it is not suitable for assessing a security design. Fig. 3 is the model that applies the result of the risk-degree attribution, using the security requirements and the vulnerability list.

Figure 3. The Proposed Design Model That Applies the Priority for Minimizing the Vulnerability of Virtualization

The checklist testing web page for minimizing the security vulnerability of virtualization was built on the security design model of Fig. 3. To design the checklist, the first page was composed for entering information about the project under development and about the user who writes the template. Second, an item was designed for writing the misuse cases relevant to the project. Third, a step was composed for examining the input status of the security use cases derived from the misuse cases. On this page, if many security use cases are entered, their priority input status has to be examined.
The priority input status, as a detailed item, is composed by referring to the categories of the virtual machine security vulnerability type analysis in Table 1, and the priority result of the upper and lower structure was examined by entering the weighting of the security use case for each factor together with the importance and priority assessment factors of the virtual machine vulnerabilities in Table 3. This content is a design section that reflects the security requirements; its detailed scheme is shown in Figure 4. The range in which a point where this vulnerability is detected is tested is determined on the basis of the guideline to solution in the configuration management application system, built on the integrated information-sharing DB.

Figure 4. Steps of Design that reflects security requirements

The result shows the development of the project from the web page, which established the external review and the checklist review in the process of test planning. The developed software tool should then pass through a practice process based on software simulation, which examines the risk factor analysis and, finally, the penetration-state test after the test results have been examined.

5. Result

This study developed a method of deriving security requirements, and a template matching them, so as to prevent and mitigate the vulnerabilities of virtualization at an early phase of software development. The security vulnerability types of virtualization technology were analyzed and the impact types were examined for composing the template. In addition, priorities were set through the importance and risk-degree assessment of the security vulnerabilities for the upper and lower structural design of the template contents, and a software development methodology that minimizes security vulnerabilities while reflecting the security requirements was proposed. Developing a tool kit for minimizing security vulnerabilities can prepare countermeasures for the virtualization vulnerabilities of the cloud environment, and it can simulate many of the security problems of software development, so it is expected to save development cost and shorten the development period.

6. References

[1] Ministry of Information and Communication, Medium- and Long-term Information Protection Roadmap for Safe Implementation of u-Korea, ICTD Report, Korea.
[2] Myong Jun Kim, Korea's Cloud Computing Strategy, IT21 Global Conference.
[3] William A. Arbaugh, William L. Fithen, John McHugh, Windows of Vulnerability: A Case Study Analysis, IEEE Computer, vol. 33.
[4] CSA, Top Threats to Cloud Computing V1.0, Cloud Security Alliance.
[5] Kichul Kim, Ok Heo, Seungjoo Kim, A Security Evaluation Criteria for Korean Cloud Computing Service, Institute of Information Security and Cryptology, vol. 23, no. 2, pp. 1-17.
[6] Sunyoung Shin, Sukhyun Song, A Priority Study for Applying Public Cloud Services in Korea by Mapping the SRM with Overseas Cloud Services in the Public Sector, Internet and Information Security, vol. 3, no. 3, pp. 67-89.
[7] Gartner.
[8] J. Brodkin, Gartner: Seven Cloud Computing Security Risks, Network World.
[9] Larry Bridwell, Computer Virus Prevalence Survey, ICSA Labs.
[10] Honggun Kim, The Software Security Standards for the Secure Realization of IT839 Strategy, Korea Information Security Agency, The 1st Distinguished Information Communication Standardization Paper Collection.
[11] Kenneth R. van Wyk and Gary McGraw, Bridging the Gap between Software Development and Information Security, IEEE Security and Privacy, vol. 03, no. 5, pp. 75-79.
[12] Siv Hilde Houmb, Virginia N. L. Franqueira, Erlend A. Engum, Quantifying Security Risk Level from CVSS Estimates of Frequency and Impact, EEMCS, The Journal of Systems and Software, Elsevier, vol. 83, issue 9.
[13] CWE.
[14] Peter Mell, Karen A. Scarfone, Sasha Romanosky, A Complete Guide to the Common Vulnerability Scoring System, Version 2.0, Forum of Incident Response and Security Teams.
More informationThird Party Security Requirements Policy
Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,
More informationSECURITY CONCERNS AND SOLUTIONS FOR CLOUD COMPUTING
SECURITY CONCERNS AND SOLUTIONS FOR CLOUD COMPUTING 1. K.SURIYA Assistant professor Department of Computer Applications Dhanalakshmi Srinivasan College of Arts and Science for Womren Perambalur Mail: Surik.mca@gmail.com
More informationCyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown
Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available
More informationSENSITIVE DATA SECURITY AND PROTECTION CALIFORNIA STATE UNIVERSITY, LOS ANGELES. Audit Report 11-52 January 3, 2012
SENSITIVE DATA SECURITY AND PROTECTION CALIFORNIA STATE UNIVERSITY, LOS ANGELES Audit Report 11-52 January 3, 2012 Henry Mendoza, Chair Melinda Guzman, Vice Chair Margaret Fortune Steven M. Glazer William
More informationSecurity-as-a-Service (Sec-aaS) Framework. Service Introduction
Security-as-a-Service (Sec-aaS) Framework Service Introduction Need of Information Security Program In current high-tech environment, we are getting more dependent on information systems. This dependency
More informationHow To Manage A Vulnerability Management Program
VULNERABILITY MANAGEMENT A White Paper Presented by: MindPoint Group, LLC 8078 Edinburgh Drive Springfield, VA 22153 (o) 703.636.2033 (f) 866.761.7457 www.mindpointgroup.com blog.mindpointgroup.com SBA
More informationSAFECode Security Development Lifecycle (SDL)
SAFECode Security Development Lifecycle (SDL) Michael Howard Microsoft Matthew Coles EMC 15th Semi-annual Software Assurance Forum, September 12-16, 2011 Agenda Introduction to SAFECode Security Training
More informationWeb Application Security. Sajjad Pourali sajjad@securation.com CERT of Ferdowsi University of Mashhad
Web Application Security Sajjad Pourali sajjad@securation.com CERT of Ferdowsi University of Mashhad Take away Why web application security is very important Understanding web application security How
More informationA Comprehensive Study on Cloud Computing Standardization
A Comprehensive Study on Cloud Computing Standardization Dr. Mukesh Chandra Negi Project Manager, Tech Mahindra Ltd, Noida, India ABSTRACT: Standard is a trust between standardization body, buyers and
More informationPentests more than just using the proper tools
Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Security testing 3. Penetration testing Introduction Evaluation scheme Security Analyses of web applications
More informationRecent Researches in Electrical Engineering
The importance of introducing Information Security Management Systems for Service Providers Anel Tanovic*, Asmir Butkovic **, Fahrudin Orucevic***, Nikos Mastorakis**** * Faculty of Electrical Engineering
More informationExam 1 - CSIS 3755 Information Assurance
Name: Exam 1 - CSIS 3755 Information Assurance True/False Indicate whether the statement is true or false. 1. Antiquated or outdated infrastructure can lead to reliable and trustworthy systems. 2. Information
More informationPentests more than just using the proper tools
Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Penetration testing Introduction Evaluation scheme Security Analyses of web applications Internal Security
More informationResearch Article Decision Making for the Adoption of Cloud Computing for Sensor Data: From the Viewpoint of Industrial Security
International Distributed Sensor Networks Volume 2015, Article ID 581563, 5 pages http://dx.doi.org/10.1155/2015/581563 Research Article Decision Making for the Adoption of Cloud Computing for Sensor Data:
More informationSecurity Issues in Cloud Computing
Security Issues in Cloud Computing Dr. A. Askarunisa Professor and Head Vickram College of Engineering, Madurai, Tamilnadu, India N.Ganesh Sr.Lecturer Vickram College of Engineering, Madurai, Tamilnadu,
More information74. Selecting Web Services with Security Compliances: A Managerial Perspective
74. Selecting Web Services with Security Compliances: A Managerial Perspective Khaled Md Khan Department of Computer Science and Engineering Qatar University k.khan@qu.edu.qa Abstract This paper proposes
More informationExternal Supplier Control Requirements
External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration
More informationAPPLICATION OF MULTI-AGENT SYSTEMS FOR NETWORK AND INFORMATION PROTECTION
18-19 September 2014, BULGARIA 137 Proceedings of the International Conference on Information Technologies (InfoTech-2014) 18-19 September 2014, Bulgaria APPLICATION OF MULTI-AGENT SYSTEMS FOR NETWORK
More informationHow to Secure Your Environment
End Point Security How to Secure Your Environment Learning Objectives Define Endpoint Security Describe most common endpoints of data leakage Identify most common security gaps Preview solutions to bridge
More informationSecurity Threats on National Defense ICT based on IoT
, pp.94-98 http://dx.doi.org/10.14257/astl.205.97.16 Security Threats on National Defense ICT based on IoT Jin-Seok Yang 1, Ho-Jae Lee 1, Min-Woo Park 1 and Jung-ho Eom 2 1 Department of Computer Engineering,
More informationIT audit updates. Current hot topics and key considerations. IT risk assessment leading practices
IT audit updates Current hot topics and key considerations Contents IT risk assessment leading practices IT risks to consider in your audit plan IT SOX considerations and risks COSO 2013 and IT considerations
More informationPROCEDURE FOR SECURITY RISK MANAGEMENT IN PPC S.A. INFORMATION TECHNOLOGY SYSTEMS DA-1
PUBLIC POWER CORPORATION S.A. INFORMATION TECHNOLOGY DIVISION CENTRAL SYSTEMS SUPPORT SECTION IT SYSTEMS SECURITY SUBSECTION PROCEDURE FOR SECURITY RISK MANAGEMENT IN PPC S.A. INFORMATION TECHNOLOGY SYSTEMS
More informationA Study on Analysis and Implementation of a Cloud Computing Framework for Multimedia Convergence Services
A Study on Analysis and Implementation of a Cloud Computing Framework for Multimedia Convergence Services Ronnie D. Caytiles and Byungjoo Park * Department of Multimedia Engineering, Hannam University
More informationMcAfee Vulnerability Manager 7.0.2
McAfee Vulnerability Manager 7.0.2 The McAfee Vulnerability Manager 7.0.2 quarterly release adds features to the product without having to wait for the next major release. This technical note contains
More informationSecurity Model for VM in Cloud
Security Model for VM in Cloud 1 Venkataramana.Kanaparti, 2 Naveen Kumar R, 3 Rajani.S, 4 Padmavathamma M, 5 Anitha.C 1,2,3,5 Research Scholars, 4Research Supervisor 1,2,3,4,5 Dept. of Computer Science,
More informationEffective Software Security Management
Effective Software Security Management choosing the right drivers for applying application security Author: Dharmesh M Mehta dharmeshmm@mastek.com / dharmeshmm@owasp.org Table of Contents Abstract... 1
More informationHIPAA Compliance Evaluation Report
Jun29,2016 HIPAA Compliance Evaluation Report Custom HIPAA Risk Evaluation provided for: OF Date of Report 10/13/2014 Findings Each section of the pie chart represents the HIPAA compliance risk determinations
More informationFedRAMP Standard Contract Language
FedRAMP Standard Contract Language FedRAMP has developed a security contract clause template to assist federal agencies in procuring cloud-based services. This template should be reviewed by a Federal
More informationLibrary Systems Security: On Premises & Off Premises
Library Systems Security: On Premises & Off Premises Guoying (Grace) Liu University of Windsor Leddy Library Huoxin (Michael) Zheng Castlebreck Inc. CLA 2015 Annual Conference, Ottawa, June 5, 2015 Information
More informationExecutive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:
Executive Summary Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Program (ISP) that is approved by the head of the institution. 1 Governance
More informationAN ANALYSIS OF TECHNICAL SECURITY CONTROL REQUIREMENTS FOR DIGITAL I&C SYSTEMS IN NUCLEAR POWER PLANTS
http://dx.doi.org/10.5516/net.04.2012.091 AN ANALYSIS OF TECHNICAL SECURITY CONTROL REQUIREMENTS FOR DIGITAL I&C SYSTEMS IN NUCLEAR POWER PLANTS JAE-GU SONG *, JUNG-WOON LEE, GEE-YONG PARK, KEE-CHOON KWON,
More informationAn Innovative Two Factor Authentication Method: The QRLogin System
An Innovative Two Factor Authentication Method: The QRLogin System Soonduck Yoo*, Seung-jung Shin and Dae-hyun Ryu Dept. of IT, University of Hansei, 604-5 Dangjung-dong Gunpo city, Gyeonggi do, Korea,
More informationAnalyzing the Security Significance of System Requirements
Analyzing the Security Significance of System Requirements Donald G. Firesmith Software Engineering Institute dgf@sei.cmu.edu Abstract Safety and security are highly related concepts [1] [2] [3]. Both
More informationLegislative Language
Legislative Language SEC. 1. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY. (a) IN GENERAL. Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting
More information