Information Assurance Metrics Highlights



Similar documents
OFFICE OF THE SECRETARY OF DEFENSE 1700 DEFENSE PENTAGON WASHINGTON, DC

Computer Security: Principles and Practice

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

DIACAP Presentation. Presented by: Dennis Bailey. Date: July, 2007

DEPARTMENT OF MEDICAL ASSISTANCE SERVICES VULNERABILITY ASSESSMENT AND NETWORK PENETRATION TEST JUNE 2009

Common Criteria Evaluations for the Biometrics Industry

How To Check If A System Is Secure

DEPARTMENT OF MEDICAL ASSISTANCE SERVICES VULNERABILITY ASSESSMENT AND NETWORK PENETRATION TEST FEBRUARY 2007

Big Data, Big Risk, Big Rewards. Hussein Syed

Performing Effective Risk Assessments Dos and Don ts

Security Threat Risk Assessment: the final key piece of the PIA puzzle

Cybersecurity Health Check At A Glance

PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name]

Office of Inspector General

Ohio Supercomputer Center

Security Control Standard

SECURITY. Risk & Compliance Services

i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors

AF Life Cycle Management Center

SECURITY RISK ANALYSIS AND MANAGEMENT

Cyber R &D Research Roundtable

Get Confidence in Mission Security with IV&V Information Assurance

Risk Management Guide for Information Technology Systems. NIST SP Overview

Certification and Accreditation: A Program for Practitioner Education

Basics of Internet Security

Guide to Vulnerability Management for Small Companies

Consultative report. Committee on Payment and Settlement Systems. Board of the International Organization of Securities Commissions

Exam 1 - CSIS 3755 Information Assurance

Looking at the SANS 20 Critical Security Controls

FISMA Implementation Project

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

Compliance Services CONSULTING. Gap Analysis. Internal Audit

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration Procedures associated with Board Policy 5.22

A Program for Education in Certification and Accreditation

Metrics to Assess and Manage Software Application Security Risk. M. Sahinoglu, S. Stockton, S. Morton, P. Vasudev, M. Eryilmaz

Indiana University of Pennsylvania Information Assurance Guidelines. Approved by the Technology Utilities Council 27-SEP-2002

How To Assess A Critical Service Provider

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Detecting SQL Injection Vulnerabilities in Web Services

VULNERABILITY MANAGEMENT AND RESEARCH PENETRATION TESTING OVERVIEW

1. Why is the customer having the penetration test performed against their environment?

UF IT Risk Assessment Standard

Information Security Insights From and For Canadian Small to Medium Sized Enterprises

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

OFFICE OF THE SECRETARY OF DEFENSE 1700 DEFENSE PENTAGON WASHINGTON, DC

Penetration Testing. Presented by

Supporting FISMA and NIST SP with Secure Managed File Transfer

National Information Assurance Certification and Accreditation Process (NIACAP)

Module 1: Overview. Module 2: AlienVault USM Solution Deployment. Module 3: AlienVault USM Basic Configuration

CPSC 467: Cryptography and Computer Security

Information Security for Managers

Bellevue University Cybersecurity Programs & Courses

CYBERSECURITY TESTING & CERTIFICATION SERVICE TERMS

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

Practical Overview on responsibilities of Data Protection Officers. Security measures

USING SECURITY METRICS TO ASSESS RISK MANAGEMENT CAPABILITIES

Network Security Policy: Best Practices White Paper

CSC 474 Information Systems Security

BM482E Introduction to Computer Security

Cyber Security & Data Privacy. January 22, 2014

How Much Do I Need To Do to Comply? Vice president SystemExperts Corporation

Taking Information Security Risk Management Beyond Smoke & Mirrors

Risk Assessment Guide

How To Secure An Extended Enterprise

HIPAA Compliance Evaluation Report

Library Systems Security: On Premises & Off Premises

Through the Security Looking Glass. Presented by Steve Meek, CISSP

Independent Security Operations Oversight and Assessment. Captain Timothy Holland PM NGEN

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

INFORMATION SECURITY STRATEGIC PLAN

Spillemyndigheden s Certification Programme Information Security Management System

HACKERS & ATTACK ANATOMY

Information Technology Security Certification and Accreditation Guidelines

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

white SECURITY TESTING WHITE PAPER

Summary of CIP Version 5 Standards

Penetration Testing - a way for improving our cyber security

Office of Inspector General

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device

What s happening in the area of E-security for the Financial Transactions in China

NovaTech NERC CIP Compliance Document and Product Description Updated June 2015

<Insert Picture Here> How to protect sensitive data, challenges & risks

ISC2 EXAM - ISSEP. Information Systems Security Engineering Professional. Buy Full Product.

WEB APPLICATION SECURITY ASSURANCE STANDARDS. Version 1.6

Electronic Signature Policy

ISMS Implementation Guide

E Governance Security Standards Framework:

UNCLASSIFIED. Trademark Information

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Course Title: Penetration Testing: Network Threat Testing, 1st Edition

Attachment A. Identification of Risks/Cybersecurity Governance

DATABASE SECURITY, INTEGRITY AND RECOVERY

The Protection Mission a constant endeavor

Information System Security

OFFICE OF THE SECRETARY OF DEFENSE 1700 DEFENSE PENTAGON WASHINGTON, DC

Cyber Security Controls Assessment : A Critical Discipline of Systems Engineering

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia

The Information Assurance Process: Charting a Path Towards Compliance

Security Risk Management - Approaches and Methodology

UoB Risk Assessment Methodology

Transcription:

Information Assurance Metrics Highlights Dr. Michael Schildcrout Naval Security Group 1

Outline Metrics Development Process Joint Service Effort DOT&E Sponsorship Risk Levels Remaining Issues 2

Information Assurance Metrics for Operational Test & Evaluation Metrics for IA OT&E must be: Physically observable Measurable Quantitative, when feasible Directly related to overall goal: Protection of Information

4 DITSCAP DoD Information Technology Security Certification and Accreditation Process Developed by the DT Community Four Phases. Each phase contains a stage of vulnerability assessment Phase 1: Definition Phase 2: Verification Phase 3: Validation Phase 4: Post-Accreditation

IA Metric Components Information Assurance Value Confidentiality Prevent Unauth Disclosure (DITSCAP) Integrity Prevent Unauth Change (DITSCAP) Availability Time/Reliable Access to Info (DITSCAP) Accountability (DITSCAP) Data Integrity Timely System/Data Authenticity System Integrity Reliable System/Data Nonrepudiation 5

6 Information Assurance Value Protect Detect React Attacks Fail to Protect Fail to Detect Fail to Recover

Why s to How s Protect Detect React Information Assurance Value How s Why s Confidentiality Integrity Availability Accountability 7

Streamlined Metrics 1. Review / Inspection of Security Policy 2. Effectiveness against Unauthorized Access or Disclosure 3. Effectiveness against Attack on Data 4. Effectiveness against Attack on System 5. Effort to penetrate to a given level of Access (Privileged, Root, etc.) 6. Effectiveness of Authentication 8

9 IA OT&E Test Standards Review / Inspection of Security Policy and Procedures System Scans Penetration Tests Insider Outsider Password Cracking Detection/Recovery Time

Threat-Risk Assessment Matrix (Higher Level = Higher Risk) Threat Likelihood of Threat Penetration Impact Low Medium High Low Level 1 (None) Level 2 (Low) Level 3 (Moderate) Moderate Level 2 (Low) Level 3 (Moderate) Level 4 (High) Severe Level 3 (Moderate) Level 4 (High) Level 4 (High) 10

11 IA OT&E at the Different Risk Levels Level 1 Exempt from further testing Level 2 Paper Assessment based on system documentation. Similar in scope to DITSCAP Phase 1 vulnerability assessment Level 3 System level assessment similar in scope to DITSCAP Phase 2 vulnerability assessment Level 4 Similar in scope to DITSCAP Phase 3 vulnerability assessment (Level 3 plus Red Team penetration tests)

12 IA Process with Risk Levels Step 1: Initial OTA Review Low Risk and Importance? Yes No further IA OT&E No Level 2 Step II: Paper Assessment Low Risk and Importance? Yes Level 3 Step III: Operational Assessment No High/Unknown Residual Risk? Yes No Level 4 Step IV: Red Team Penetration Testing during IOT&E IA IOT&E Complete

Remaining Issues How complete are the metrics? There will always be the need for flexibility How often must IA OT&E be repeated? How can compatibility with DITSCAP be improved? Which organization(s) will maintain the IA database? What will be the format? Others? 13

Back-ups 14

IA OT&E Metrics 1A. Effectiveness of security policy in preventing unauthorized access: all test standards met? 1B. Effectiveness of system's defense in depth: all test standards met? 2A. Effectiveness of system in preventing unauthorized access (Insider and Outsider): acceptable or not acceptable? 2B. Effectiveness of system in preventing unnecessary disclosure of system information: acceptable or not acceptable? 3A. Ability to detect information degradation/corruption/attack: acceptable or not acceptable? 3B. Time (thresholds set by the user) to respond to information degradation/corruption 3C. Time (threshold set by the user) to restore degraded, corrupted information 4A. Ability to detect system degradation/corruption/attack: acceptable or not acceptable? 4B. Time (threshold set by the user) to respond to system degradation/corruption. 4C. Time (threshold set by the user) to restore critical functionality in a degraded, corrupted system 4D. Time (threshold set by the user) to restore full functionality in a degraded, corrupted system 5. Effort (low, medium, high) to penetrate to a given level of access 6. Effectiveness of authentication? 15

Example IA Metric with Test Standards IA OT&E Metric 2A. Effectiveness of system in preventing unauthorized access (from both Insider and Outsider): acceptable or not acceptable? 2B. Effectiveness of system in preventing unnecessary disclosure of information; acceptable or not acceptable? Test Standard System Test - for low risk/low impact systems only Vulnerability Analysis / Penetration Test - all others (as required; degree TBD; Inside and Outside) List severity of Known Vulnerabilities; none, low, medium, or high System Test - for low risk/low impact systems only Vulnerability Analysis / Penetration Test - all others (as required; degree TBD) 16

IA Operational Test Level Process ORD Specific Requirements ORD,STAR, CONOPS Threat/Risk Assessment Matrix (Determines Test Level) Determine Metrics to be Used Reassess as necessary (IA policy/system/threat changes, early test results, etc.) Tailoring, as Appropriate Define Test Strategy Feed Data into Overall IA Database (Location TBD) Test Reports Test Execution 17

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information