A Generic Security Template for information system security arguments

A Generic Security Template for information system security arguments: Mapping security arguments within healthcare systems. Ying He, School of Computing Science, University of Glasgow, UK.

Contents
- Background
- Objectives
- Business Model
- Evaluations
- Conclusions

Background
- Healthcare accounts for 42% of the number of reported incidents, the highest share of any sector [1].
- Research communities (e.g. NIST, SANS) stress incident learning within the incident handling lifecycle.
- Incident sharing platforms: the European Network and Information Security Agency (ENISA); the US National Healthcare and Public Health Information Sharing and Analysis Centre (NH-ISAC); the UK government's Cyber Security Information Sharing Partnership.
[1] Internet Security Threat Report: Trends, Symantec Corporation, Volume 19 (2014)

Background (continued): the problem
- Current research is not concerned with providing a mechanism for conveying key incident details effectively.
- Little research on feeding lessons learned back into Information Security Management Systems (ISMS).
- Ineffective communication and redistribution of lessons learned from different incident data sources: technical notes, incident reports, social media (e.g. news articles, weblogs).
- Incoherent security arguments about how the remedial actions taken have satisfied system security requirements.

Objectives
- Propose a method that can present a coherent security argument and effectively communicate security lessons.
- Evaluate its suitability to depict security arguments from different security incident data sources.
- Evaluate its usability to communicate security arguments compared to traditional approaches.
- Assess its acceptance and applicability in communicating and redistributing lessons learned in a healthcare context.

Business Model: Theoretical Basis
- Assurance case: a documented body of evidence that provides a convincing and valid argument that a specified set of critical claims are adequately justified for a given application in a given environment.
- Goal Structuring Notation (GSN): included in ISO 15026 to present assurance cases; widely used in the safety area.
- The Generic Security Template (GST): a documented body of lessons learned, identified from a security incident, that can support the security requirements of the Information Security Management System (ISMS).

Business Model: Example (NHS Surrey IT Asset, 2013)
- The Context, e.g. the healthcare system of NHS Surrey.
- The Strategy, e.g. the IT Asset Disposal Guidance.
- The Security Issue, e.g. the disposal process for redundant equipment did not require the IT team to carry out an assessment of the risks of using a data processor.
- The Violated Security Requirement, e.g. risk management of the disposal process should be conducted.
- The Recommendation, e.g. carry out a risk assessment when using a data processor to dispose of the hard drives.

GST instance for the NHS Surrey case (GSN diagram, flattened)
- Top goal: Healthcare System (HS) is acceptably secure.
  - Context: Healthcare System of NHS Surrey.
  - Context: IT Asset Disposal guidance proposed by the Information Commissioner's Office under the Data Protection Act.
- Strategy: Argument over IT Asset Disposal Guidance.
  - Goal: An asset disposal strategy has been created.
  - Goal: An IT asset disposal company has been selected.
  - Goal: Risk management of the disposal process has been conducted. Lesson learned (Risk Management): carry out a risk assessment when using a data processor to dispose of the hard drives.
  - Goal: The devices containing personal data have been identified. Lesson learned (Personal Data): wipe medical information and confidential sensitive data before recycling.
  - Goal: A contract with the data processor has been drawn up. Lesson learned (Contract): have a written contract with the company processing the IT asset.
  - Goal: The asset disposal process and data processors have been managed. Lesson learned (Disposal Monitoring): monitor the destruction process and maintain audit trails and inventory logs of hard drives destroyed by the company, based on the serial numbers in the destruction certificates for each individual drive.
- Strategy: Argument over all missing security recommendations.
  - Goal (Guideline non-existent): Remedial action has been taken for the disposal process for redundant equipment. Lesson learned (Remedial Action): take remedial action, including developing a new policy framework to address the internal re-use of information and appliances and the disposal process for redundant equipment.

The Generic Security Template (GSN node key)
- C1: ISMS for {System X} (context of G1).
- G1: {System X} is acceptably secure.
- C2: Security Standard for {System X} (context of S1).
- S1: Argument over {Security Standard X}.
- S2: Argument over all missing security recommendations.
- G3 {Index 1.X}: {Security Requirement 1.X} is addressed; instantiated p times (p = number of security requirements at level 1).
- GN {Index N.X}: {Security Requirement N.X} is addressed; instantiated r times (r = number of security requirements at level n).
- LL1: {Security Issue N.X} / {Recommendation N.X}, the lesson learned supporting GN.
- G2 (Standard non-existent): {Missing Recommendation Y} is addressed; instantiated q times (q = number of missing security recommendations).
- LL2: {Missing Security Issue Y} / {Missing Recommendation Y}, the lesson learned supporting G2.
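The template above, as an added example that is not part of the original slides: a small Python model of the GST as a GSN goal tree, instantiated with the NHS Surrey case. The Lesson, Goal and GST classes, the goal indices and the short issue strings are assumptions of the example; it reports the p and q counts, the goals left without a lesson learned, and the recommendations the standard lacks (the S2 branch that must feed back into the ISMS).

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Lesson:
    """LL node: the security issue observed in the incident and its recommendation."""
    issue: str
    recommendation: str

@dataclass
class Goal:
    """G node: a security requirement (S1 branch) or a missing recommendation (S2 branch)."""
    index: str
    claim: str
    in_standard: bool = True          # False => G2-type goal under S2 (standard non-existent)
    lesson: Optional[Lesson] = None   # LL node supporting this goal, if the incident provided one

@dataclass
class GST:
    """Top-level template: C1/G1 system, C2/S1 standard, and the goals under S1 and S2."""
    system: str
    standard: str
    goals: list = field(default_factory=list)

    def counts(self):
        """(p, q): number of requirements under S1 and of missing recommendations under S2."""
        p = sum(g.in_standard for g in self.goals)
        return p, len(self.goals) - p
    def undeveloped(self):
        """Goals with no LL node: the argument stops there without incident evidence."""
        return [g.index for g in self.goals if g.lesson is None]
    def missing_recommendations(self):
        """Recommendations the standard lacks: the lessons that must feed back into the ISMS."""
        return [g.lesson.recommendation for g in self.goals if not g.in_standard and g.lesson]

def nhs_surrey_case() -> GST:
    """Instance constructed from the NHS Surrey slide; indices and issue strings are assumed."""
    return GST(
        system="Healthcare System of NHS Surrey",
        standard="ICO IT Asset Disposal guidance (Data Protection Act)",
        goals=[
            Goal("1.1", "An asset disposal strategy has been created"),
            Goal("1.2", "An IT asset disposal company has been selected"),
            Goal("1.3", "Risk management of the disposal process has been conducted",
                 lesson=Lesson("No risk assessment of the data processor", "Carry out a risk assessment when using a data processor")),
            Goal("1.4", "Devices containing personal data have been identified",
                 lesson=Lesson("Personal data left on drives", "Wipe confidential data before recycling")),
            Goal("1.5", "A contract with the data processor has been drawn up",
                 lesson=Lesson("No written contract", "Have a written contract with the processor")),
            Goal("1.6", "The disposal process and data processors have been managed",
                 lesson=Lesson("Destruction not monitored", "Monitor destruction and keep audit trails")),
            Goal("M.1", "Remedial action taken for redundant equipment", in_standard=False,
                 lesson=Lesson("Guidance silent on redundant equipment", "Develop a new policy framework for re-use and disposal")),
        ])
```

Goals 1.1 and 1.2 come back as undeveloped: the guidance covers them, but the incident supplied no lesson learned, so the argument there rests on the standard alone.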

Evaluations: Suitability
Objective: evaluate the GST's suitability to depict security arguments from different security incident data sources.
Methodology: case studies from the US, China and the UK.
- US security incident reports (6)
- China incident news articles (13)
- UK incident monetary penalty reports (14)
Selected cases:
- Two from the US (VA Data Leakage, 2006/2007)
- One from China (Shenzhen Data Leakage, 2008)
- One from the UK (NHS Surrey IT Asset, 2013)

Evaluations: Suitability Findings
The GST is suitable to depict security arguments from different security incident data sources.

Evaluations: Usability
Objective: evaluate the GST's usability to communicate security arguments from security incidents compared to traditional approaches.
Methodologies:
- Controlled experiment: accuracy, efficiency, task load, ease of use. Participants: 24 students from the University of Glasgow; Group A (Report & GST), Group B (Report only).
- Heuristic evaluation: Cognitive Dimensions; qualitative feedback.

Evaluations: Usability Findings of the Controlled Experiment
- Participants are better able to understand the security arguments with the help of the GST than using the text alone (result statistically significant).
- The time taken to complete the designed task is less using the GST than using the text alone (result NOT statistically significant).
- The mental effort is lower with the help of the GST than using the text alone (result statistically significant).
- Participants find the GST easier to use than the text approach (subjective feedback).

Evaluations: Usability Findings of the Heuristic Evaluation
- Level of abstraction of the GST
- Scalability of the GST

Evaluations: Acceptance
Objective: assess the GST's acceptance in communicating and redistributing lessons learned in a healthcare context.
Industrial case study: internship in a Security Strengthening Program.
Participants: ten healthcare professionals, five security experts.
Interview themes: the security incident handling process; acceptance of the GST.

Evaluations: Acceptance Findings on the Incident Handling Process
- A mature incident handling process: preparation, investigation, mitigation, post-incident learning, an incident response team, severity level definitions.
- Ineffective incident knowledge gathering: low severity, less focus on incident knowledge gathering; high severity, report generated for administrative use only.
- Ineffective dissemination of incident lessons learned: low severity, technical notes documented in pieces; high severity, report difficult to digest.
- Ineffective incident knowledge feedback: low severity, focus on direct causes rather than root causes; high severity, report does not include revisions to security procedures.

Evaluations: Acceptance Findings on GST Acceptance
- Different interpretations of the GST by different user groups.
- Applicable scenarios in the organisation: a tool to convert an incident report into a learning document; a tool for communicating incidents; a tool to feed incident knowledge into security management systems.
- Limitations: lack of a multi-view function; not fully accepted by healthcare professionals.

Evaluations: Applicability
Objective: assess the GST's applicability in communicating and redistributing lessons learned in a healthcare context.
Industrial case study: internship in a Security Strengthening Program.
Participants: three healthcare professionals, two IT security experts, one IT security manager.
Interview theme: feeding back lessons learned from external incidents into the information security management system (ISMS) of the redacted hospital.

Evaluations: Applicability Findings
- Lessons learned fed back to the ISMS: the lessons learned from incidents in other healthcare organisations can be transferred into the redacted hospital; the redacted hospital is more likely to accept lessons from the Shenzhen data leakage incident; the GST helps the hospital assess whether applicable security standards address the concerns raised in previous breaches.
- Customisation requirements: provide software support; enable a multi-view function; add a lessons-learned acceptance identifier.

Contributions
- Identified the current barrier to incident learning: ineffective communication and redistribution of lessons learned.
- Proposed a security argument approach to effectively communicate lessons learned.
- The approach is suitable to present security arguments from incident reports, monetary penalty reports and news articles.
- The approach can improve the communication of lessons learned compared to traditional text-based reports.
- The approach is accepted in a healthcare organisation and can be applied to communicate lessons learned to the security management system of a healthcare organisation.

Limitations and Future Work
- Subjective features (translation from natural language statements into a structured graphical overview): apply knowledge representation; apply intelligent techniques (e.g. natural language processing).
- Scalability (commercial GSN tools, e.g. ASCE, INESS): provide software support.
- Soundness of the security argument (confidence argument): apply formalisms to mechanically check logical soundness.

Publications
[1] Y. He, C.W. Johnson, M. Evangelopoulou and Z.S. Lin. Diagramming approach to structure the security lessons: Evaluation using Cognitive Dimensions. The 7th International Conference on Trust & Trustworthy Computing, 2014, Crete, Greece.
[2] Y. He, C.W. Johnson, Y. Lu and A. Ahmad. Improving the exchange of lessons learned in security incident reports: Case studies in the privacy of electronic patient records. The 8th IFIP WG 11.11 International Conference on Trust Management, 2014, Singapore.
[3] Y. He, C.W. Johnson, Y. Lu and Y. Lin. Improving the Information Security Management: An Industrial Study in the Privacy of Electronic Patient Records. IEEE CBMS 2014, The 27th International Symposium on Computer-Based Medical Systems, 2014, New York, US.
[4] Y. He, C.W. Johnson, K. Renaud, Y. Lu and S. Jebriel. An empirical study on the use of the Generic Security Template for structuring the lessons from information security incidents. The 6th International Conference of Computer Science and Information Technology, 2014, Amman, Jordan.
[5] Y. He and C.W. Johnson. Generic security cases for information system security in healthcare systems. The 7th IET International Conference on System Safety, Incorporating the Cyber Security Conference, 2012, Edinburgh, UK.