Security/Information Assurance Measurements and Metrics



Similar documents
Maintaining Herd Communication - Standards Used In IT And Cyber Security. Laura Kuiper

How to Use the Federal Risk and Authorization Management Program (FedRAMP) for Cloud Computing

Cloud Computing Governance & Security. Security Risks in the Cloud

Spyware. Michael Glenn Technology Management 2004 Qwest Communications International Inc.

Top Ten Technology Risks Facing Colleges and Universities

How To Protect Your Cloud Computing Resources From Attack

Big Data, Big Risk, Big Rewards. Hussein Syed

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC

The Evolving Threat Landscape: Protecting Your Mobile and Virtual Environment from Emerging Security Threats

Debate Session II No More Mr. Nice Guy! Tightening the screws on Cloud Security. Thursday 27 March :20 10:50 am Iben Rodriguez

DEPARTMENT OF VETERANS AFFAIRS VA DIRECTIVE 6517 CLOUD COMPUTING SERVICES

The Evolving Security Landscape. Andreas M Antonopoulos Senior Vice President & Founding Partner

Privacy for Healthcare Data in the Cloud - Challenges and Best Practices

Cybersecurity Awareness. Part 1

Security Content Automation Protocol for Governance, Risk, Compliance, and Audit

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst

Click to edit Master title style

An Overview of Large US Military Cybersecurity Organizations

MASTER OF SCIENCE IN INFORMATION ASSURANCE PROGRAM DEPARTMENT OF COMPUTER SCIENCE HAMPTON UNIVERSITY

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS

Cloud Computing: Opportunities, Challenges, and Solutions. Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University

Evolving Threats and Attacks: A Cloud Service Provider s viewpoint. John Howie Senior Director Online Services Security and Compliance

Executive Overview...4. Importance to Citizens, Businesses and Government...5. Emergency Management and Preparedness...6

FISMA Implementation Project

IT Audit in the Cloud

Cloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week

Seeing Though the Clouds

Managing Security and Privacy Risk in Healthcare Applications

CSCI 454/554 Computer and Network Security. Instructor: Dr. Kun Sun

State of South Carolina Policy Guidance and Training

Security aspects of e-tailing. Chapter 7

2012 Bit9 Cyber Security Research Report

Essential Characteristics of Cloud Computing: On-Demand Self-Service Rapid Elasticity Location Independence Resource Pooling Measured Service

Cloud Security. Peter Jopling IBM UK Ltd Software Group Hursley Labs. peterjopling IBM Corporation

Best Practices at Research Level

Cloud Security Introduction and Overview

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

Cloud Computing Standards: Overview and ITU-T positioning

Christos Douligeris cdoulig at unipi dot gr. Department of Informatics University of Piraeus

Industrial Control Systems Security Guide

NIST Cyber Security Activities

SECURITY. Risk & Compliance Services

Business Risk Assessment - A Primer

Internal audit of cybersecurity. Presentation to the Atlanta IIA Chapter January 2015

Written Testimony. Mark Kneidinger. Director, Federal Network Resilience. Office of Cybersecurity and Communications

ITL BULLETIN FOR MARCH 2012 GUIDELINES FOR IMPROVING SECURITY AND PRIVACY IN PUBLIC CLOUD COMPUTING

DRUVA SECURITY OVERVIEW ICT AFRICA CAPE TOWN LEE MEPSTED EMEA CHANNEL MANAGER

Checklist to Assess Security in IT Contracts

Human Factors in Information Security

HEALTHCARE SECURITY AND PRIVACY CATALOG OF SERVICES

Enterprise Security Architecture for Cyber Security. M.M.Veeraragaloo 5 th September 2013

Nadya Bartol, CISSP, CGEIT VP, Industry Affairs and Cybersecurity Strategist UTC (Utilities Telecom Council) USA Utilities Telecom Council 1

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

How To Secure A Voice Over Internet Protocol (Voip) From A Cyber Attack

Do You Have The Right Practices In Your Cyber Supply Chain Tool Box? NDIA Systems Engineering Conference October 29, 2014

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

EU Threat Landscape Threat Analysis in Research ENISA Workshop Brussels 24th February 2015

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Altius IT Policy Collection Compliance and Standards Matrix

Cyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services

Roadmaps to Securing Industrial Control Systems

Cyber Security An Exercise in Predicting the Future

Cloud Security and Managing Use Risks

2010 AICPA Top Technology Initiatives. About the Presenter. Agenda. Presenter: Dan Schroeder, CPA/CITP Habif, Arogeti, & Wynne, LLP

Challenges in Industrial IT-Security Dr. Rolf Reinema, Head of Technology Field IT-Security, Siemens AG Siemens AG All rights reserved

Requirements Engineering for SaaS Application Security in Cloud Using SQUARE Methodology

IT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014

Get Confidence in Mission Security with IV&V Information Assurance

Looking at the SANS 20 Critical Security Controls

Building Security In:

Cyber Security Risk Management

A 360 degree approach to security

Emerging SCADA and Security Solutions Presented by; Michael F. Graves, P.E. Chris Murphy, CISSP

Healthcare Data in the Cloud A Gathering Storm of Governance. Erik Pupo Senior Manager, Deloitte

ISACA rudens konference

Security in the Cloud an end to end Problem

Vermont Enterprise Architecture Framework (VEAF) Identity & Access Management (IAM) Abridged Strategy Level 0

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.

Compiled by; Mark E.S. Bernard, ISO Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT

Cyber Security Metrics Dashboards & Analytics

A Systems Engineering Approach to Developing Cyber Security Professionals

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask

BMC s Security Strategy for ITSM in the SaaS Environment

Emerging risks for internet users

Appendix B: Existing Guidance to Support HIE Implementation Opportunities

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

How to ensure control and security when moving to SaaS/cloud applications

Purpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public.

The silver lining: Getting value and mitigating risk in cloud computing

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

Perspectives on Cloud Computing and Standards. Peter Mell, Tim Grance NIST, Information Technology Laboratory

Data Security & PCI Compliance & PCI Compliance Securing Your Contact Center Securing Your Contact Session Name :

Training and Awareness

Security Architecture: From Start to Sustainment. Tim Owen, Chief Engineer SMS DGI Cyber Security Conference June 2013

Italy. EY s Global Information Security Survey 2013

Strategic Plan On-Demand Services April 2, 2015

Information Security and Risk Management

Transcription:

Security/Information Assurance Measurements and Metrics Wai Tsang, Ph.D. TecSec 6 Th Annual International Software Measurement & Analysis Conference Richmond, VA September 13, 2011

Agenda Software estimation and measurement Sizing estimation (SLOC, FP, Feature Point) Cost and schedule estimation Metrics and Measurements Cyber Impact Attacks Security/Privacy Cyber Security/Privacy/Information Assurance Risk management standards Metrics and measurements Information assurance standards Verticals in need of cyber security/privacy 2

Software Estimation (Sizing, Cost and Schedule) and Measurements Phases Concept of Operation Requirement Specification Product Design Specification Detailed Design Specification Software Acceptance 3

Software Sizing Estimation Methodologies Source Lines-Of-Code (SLOC) Function Points (FP) Feature Points 4

Software Sizing Estimators SLOC SLOC factors: Executable Instructions, Data Declarations Analog-based Language dependent Design-oriented Variations a function of languages Convertible to function points SLOC with a Predictive Model (COnstructive COst MOdel or COCOMO) FP Core factors: Inputs, Outputs, Logic Files, Inquiries, Interfaces Specification-based Language independent User-oriented Variations a function of counting conventions Expandable to SLOC 5

Feature Points Derivative of FP for real time system software Core FP factors Add algorithm parameter 6

Cost and Schedule Estimation Methodologies Analogies Subsystem, computer software configuration item (CSCI), computer software component (CSC), computer software unit (CSU) Expert (engineering) opinion Personnel w/ experiential knowledge Parametric models Cost drivers based on statistical formulas, Development and operational environments, SW characteristics Engineering build Effort summation of detailed functional task breakouts (CSC and CSU) Cost performance report analysis Requirements/design, code/unit test, integration/test Cost estimation relationship factors Algebraic relationship 7

Software Metrics and Measurements Metrics Monitor Predict Track Understand Measurements Quantifiable dimension, attribute, software program, product, process 8

Cyber World (1) Cyber space is a de-perimeterized, distributed data environment It is global, densely connected and dynamic Cloud computing As-A-Service (AAS) offerings to reduce TCO Software or SAAS Platform or PAAS Infrastructure or IAAS Service Oriented Architecture (SOA) 9

Cyber World (2) Not friendly: Trojan, worms, viruses, malware, botnets => DDoS, identity theft, phishing/pharming, fraud, Communications Security (COMSEC) => Information Security (INFOSEC) Security, privacy, and information assurance Self protecting data objects User-centric Fine grained access control Arbitrate assets with risks (i.e., threats, exploits, vulnerabilities) Preserve privacy to address liabilities Who is involved? (DHS, DoD, NSA, DoE labs, ENISA, MITRE, Verizon Business,. 10

Web Browser Web browser is a security critical component in the ICT environment. It is the channel for: Information sharing, banking, social networking, shopping, payments, cloud services, critical infrastructure.. Target for cyber attacks [Symantec] Web-based attack increased by 93% from 2009 to 2010 40 million attacks for September 2010 11

Phishing 12

Security/Privacy Requirements Security Confidentiality Integrity Availability Non-repudiation Identity management Authorization, Authentication and Accountability (AAA) Privacy Notice Consent Minimization Control Access Retention Secondary use sharing 13

Security/Privacy Considerations within the Software Development Life Cycle (SDLC) Like project, quality and risk issues, security/privacy related issues can cause the project to fail To ensure success, security/privacy must be the default (built-in not bolted on) and implemented across the entire SDLC Security/privacy must be adaptive and preferably are concurrent with implementation of the formalized programs 14

Risk Management Standards and Guidelines NIST SP 800-3--Risk Management Guide for Information Technology Systems NIST SP 800-37 Rev 1 Guide for Risk Management Framework to Federal Information Systems: A Security Life Cycle approach NIST SP 800-39 DRAFT Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View NIST SP 800-53 Rev 3--Recommended Security Controls for Federal Information Systems and Organizations NIST SP 800-53A Rev 1--Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans NIST SP 800-64--Security Considerations in the System Development Life Cycle NIST SP 800-13--DRAFT Information Security Continuous Monitoring for Federal Information Systems and Organizations ISO ENISA 15

Security/Privacy Metrics and Measurements Measurements are single-point-in-views of specific discrete factor, generated by counting Metrics are derived by comparing to a predetermined baseline two or more measurements taken over time, generated from analysis Security/privacy attributes are not mutually commensurable Security/privacy are often measured in terms of Information Assurance (IA) IA controls: Technical, operational and management 16

Information Assurance (IA) Standards and Guidelines NIST SP 800-55 Rev 1 Guide to Performance Measures for Information Security (SP 800-55 and SP 800-80) ISO/IEC 15408 IT-Security Techniques-Evaluation Criteria for Information Security ISO/IEC 15939 Systems and Software Engineering-Measurement Process ISO/IEC 21827 IT-System Security Engineering-Capability Maturity Model-SSE-CMM ISO/IEC 27001 IT-Security Techniques, Information Security Management Systems-Requirements ISO/IEC 27004 IT-Security Techniques, Information Security Management Systems-Measurements ISA 99.03.01 and 99.03.02 FIPS 140 Evaluation 17

Verticals in Need of Cyber Security/Privacy Financial Mobile payments, web-based transactions PCI-DSS, FFIEC Healthcare Electronic Health Record (EHR), Health Information Exchange (HIE) HIPAA, HITECH Smart Grid Information sharing among domains/stakeholders 18

THANK YOU Wai Tsang, Ph.D. (o) 571-299-4129 (m) 703-303-4376 wtsang@tecsec.com 19

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information