O-ISM3 Challenge Results Study
Transcript

O-ISM3 Challenge Results Study
Authored by: Vicente Aceituno
Tel: +34 696 470 328
e-mail: vaceituno@inovement.es
COPYRIGHT NOTICE: Version 1.0: 24th of March 2014. This Report is copyrighted by Inovement Europe.
Table of Contents
Introduction ..... 3
Literature review ..... 4
  ISO 27000:2009 ..... 4
  COBIT 5 ..... 4
  ITIL:2007 ..... 5
Analysis ..... 5
  Experiment Design ..... 5
    Use Case ..... 6
    Questionnaire ..... 8
  Methodology ..... 11
Results ..... 12
Discussion ..... 19
  Is there a consensus in information technology standards about the definition of Confidentiality, Integrity and Availability? ..... 19
  Are Confidentiality, Integrity and Availability sufficient to analyze the security requirements of an information system? ..... 19
  Are Confidentiality, Integrity and Availability necessary to analyze the security requirements of an information system? ..... 20
  Is there an alternative to Confidentiality, Integrity and Availability to analyze the security requirements of an information system quantitatively? ..... 20
Conclusions ..... 20
  Findings ..... 20
  Alternative to Confidentiality, Integrity and Availability ..... 20
  Further Research ..... 21
  Executive Summary ..... 22
Works Cited ..... 22
Annex I Mapping of Information Security Criteria ..... 23
Annex II O-ISM3 Business and Security Objectives ..... 30
  Business Objectives ..... 30
  Security Objectives ..... 31
Introduction

Information security, also known as cybersecurity, computer security, information assurance or information technology security, is a discipline born with the earliest means of communicating information [1]. The importance of information security has grown as the worldwide economy and society rely more and more on information technology.

Every information system provides a value to an organization. This Study makes the assumption that the analysis of the security of an information system must include both the system and the value it provides. This means that analyzing the security requirements of the same information system at different points in time or in different organizations will render different results.

Information security professionals in both the public and private sector face serious challenges in performing effectively for their organizations and clients. Among those challenges are:
• Complexity and evolution of organizations, information systems and their environment.
• Limited availability of knowledge about the organization, information systems and their environment.
• Complexity can be analyzed at multiple levels of detail, ranging from the physical level all the way up to trust relationships between organizations.
• Resources available for information security are normally limited.
• Often information security professionals have limited influence within the organization to get things done.
• There is a weak link between efforts and results. Twice as much work doesn't necessarily result in twice as much security.
• The result of a job well done is a negative: no incidents. This makes it difficult to tell the skilled from the lucky.

Professionals in different organizations have different responsibilities, skills and resources. The expectations the organizations place on them, and their accountability, credibility and influence, also vary greatly.

In this context, multiple standards bodies, national and international organizations, and private institutions have worked to advance the practice of information security. Two powerful results of their work and collaboration have been the flurry of information security standards, certifications and professional certifications in the market today. Information security standards are a key part of professional certification studies. Most standards use the concepts of Confidentiality, Integrity and Availability.
This Study has two purposes:
• Present proof of the shortcomings of these three concepts.
• Present an alternative to these three concepts free of those shortcomings.

The research questions that this Study will answer are the following:
1. Is there a consensus in information technology standards about the definition of Confidentiality, Integrity and Availability?
2. Are Confidentiality, Integrity and Availability sufficient [10] to analyze the security requirements of an information system?
3. Are Confidentiality, Integrity and Availability necessary to analyze the security requirements of an information system?
4. Is there an alternative to Confidentiality, Integrity and Availability to analyze the security requirements of an information system quantitatively?

Challenging established knowledge is always risky. Two examples that come to mind are the slow acceptance of Wegener's theory of continental drift [2] and the little impact that Ignaz Semmelweis' early work on hygiene [3] had. This Study falsifies [4] the usefulness of Confidentiality, Integrity and Availability, but we don't expect a quick paradigm shift [5] as a result.

Literature review

The definitions of Confidentiality, Integrity and Availability given by the most important information technology standards follow.

ISO 27000:2009
• Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
• Integrity: The property of safeguarding the accuracy and completeness of assets.
• Availability: The property of being accessible and usable upon demand by an authorized entity.

COBIT 5
• Confidentiality: Concerns the protection of sensitive information from unauthorized disclosure.
• Integrity: Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
• Availability: Relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.

ITIL:2007
• Confidentiality: A security principle that requires that data should only be accessed by authorized people.
• Integrity: A security principle that ensures data and Configuration Items are only modified by authorized personnel and Activities. Integrity considers all possible causes of modification, including software and hardware Failure, environmental Events, and human intervention.
• Availability: Ability of a Configuration Item or IT Service to perform its agreed Function when required. Availability is determined by Reliability, Maintainability, Serviceability, Performance, and Security. Availability is usually calculated as a percentage. This calculation is often based on Agreed Service Time and Downtime. It is Best Practice to calculate Availability using measurements of the Business output of the IT Service.

Analysis

Experiment Design

If an information security professional wants to understand the security needs of an organization, he or she needs to communicate with those who have the information: the business managers. The design of the experiment assumes that all the necessary information that business managers have is available to the information security professional too, so that what is tested is the ability of the information security professional to obtain that information.

The experiment presents participants with a use case that specifies how an organization relies on an information system to conduct business. The participants have access to the use case and to a questionnaire in which specific portions of the use case are given as answers. The participants have to design the questions that would elicit the answers provided in the questionnaire. For a question to be considered correctly formulated, it must be logically consistent with the answer provided.

In order to compare the success in obtaining the information with and without Confidentiality, Integrity and Availability, participants could choose either to use only the concepts of Confidentiality, Integrity and Availability in their questions, or none of them. In order to register and identify the participants, they were required to pay a small fee via PayPal. In order to encourage participation, an opportunity to win a prize was offered. The Use Case and Questionnaire follow.
Use Case

Ambiguous SL is a travel agency located in Madrid, Spain. Their business is selling retail travel packages both online and through their offices, which are at street level on a main street. The most important system they own and operate is the Package Sales System, which they use for advertising, sales, and bookings. This system interfaces with the Amadeus GDS system (checking availability and bookings), with VISA (payments), and with an equivalent system of a Moroccan partner (MTravel), as Morocco is a popular destination for Spanish tourists and represents a significant part of the company's business.

The owner of Ambiguous SL has put Myrna in charge of IT, among other responsibilities. Myrna has hired you to find out which security measures (controls or processes) would provide the highest return on investment for Ambiguous SL. Myrna will take care of implementation. Your first (and only) task is to make an assessment of Ambiguous SL's security needs. Myrna has named Ignatius as the project manager for the Package Sales System. He is an employee of the company (Confederacy SL) that develops and maintains the Package Sales System for Ambiguous SL.

The Package Sales System functionality is as follows (please note this use case is simpler than a real life case):
• Create, Modify and Delete Travel Packages.
• Sell Travel Packages both online and at the office.
• Receive feedback from customers and the public in general.
• Send Travel Package offers to subscribers.
• Manage Claims and Issues.

A high level view of the Package Sales System Database reveals the following data resources:
• Travel Package Archive
• Sales Archive
• Feedback Archive
• Offers Archive
• Claims, Feedback and Incidences Archive

The following list of actions can be performed on each data resource:
• Travel Package Archive: Create, Update, Retire, Publish, Unpublish.
• Sales Archive: Book, Release, Sell, Refund, Update.
• Feedback Archive: Create, Update, Close.
• Offers Archive: Create, Update, Retire, Publish.
• Claims, Feedback and Incidences Archive: Create, Update, Close.
• Sales Statistics Report Archive: Create, Close.

There are certain requirements about who can do what, and where they can do it:
• Only the sales manager can Create, Update and Publish Travel Packages.
• Each salesperson can only view the personal information of his or her own clients.
• Only the sales manager and the person assigned to Feedback and Claims can view the personal information of all clients.
• Only the owner of the company can access the Sales Statistics Report.
• Only the sales manager can create Offers.

Certain parts of the Package Sales System are licensed, namely the Operating System, Application Server and Database. As the company and systems are located in Spain, the Package Sales System needs to comply with the Spanish Privacy Law (LOPD). Since the Package Sales System manages VISA payments, it needs to comply with PCI-DSS.

Some of the users of the Package Sales System are employees of Ambiguous SL, some are temps from Adecco. The administrators of the Package Sales System are employees of Confederacy SL. The general public of Spain is a user and they can purchase Travel Packages through the application. The application does not serve the public of countries other than Spain. Persons under the age of 18 can ask for feedback and sign up for offers, but they can't purchase Travel Packages.

The system is located in a properly conditioned room inside the office. The system interfaces with the Internet via a high speed fiber optic connection. The system interfaces with the interconnected systems and users via mail, file transfers and a VPN that connects directly with the MTravel network.

The system is expected to work 24x7, but maintenance stoppages of no more than one hour per week outside business hours (which are 9 to 5, Tuesday to Sunday) are acceptable. The longest time that the system can be offline during business hours is 2 hours, because sales can be performed with the TPV (point-of-sale terminal) and handwritten notes can partially replace the use of the system. In case of a major malfunction of the system, it would be acceptable to lose one day of data, since most data could be reconstructed by checking with VISA, Amadeus and MTravel. It is understood that all "live" transactions would be lost in case of an incident.

Data needs to be archived for 5 years in order to meet tax regulations. After ten years data should be deleted permanently, as customer behavior changes over time and the data is no longer useful for Business Intelligence.

Sales representatives and customers sometimes make mistakes entering data. This is acceptable as long as no more than one percent of the records contain inaccurate information.
In order to create an account in the Package Sales System, potential clients can log in using Facebook or create an account linked to their email address. They can unlink or delete the account at any time, but that does not delete any data in the database if they have purchased a Travel Package, even if they cancelled the purchase. In order to create an account in the Package Sales System, the Sales Manager sends an email to the Administrator. The email states what functions the user should be able to perform. The general public doesn't need an account to provide feedback or sign up for the Offers newsletter.

Customers who lose their passwords to the Package Sales System can request a new one and a link will be sent to their email address. Users who lose their password to access the Package Sales System need to physically visit the Administrator, who resets the password and gives it to them in a written note.

As some Offers expire at midnight, the Package Sales System should prevent customers from purchasing Travel Packages after they have expired, even by a few seconds.

There is a development environment that Confederacy SL maintains in their own data center and a pre-production environment at the Ambiguous SL office. The current administrator is subscribed to email lists that notify him of security updates. The Administrator has configured the system using security guidelines found on the Internet for every component. Security patches have not been applied since a patch caused a half day of downtime. The Administrator changes about once every six months. The system has no malware protection. The domain has been registered with Piensasolutions.es. The digital certificates used by the system are from Thawte. No one has been assigned the responsibility to manage the domain or the certificates. The system logs all the sales activity, but not any other activity. There is no Firewall. The internet connectivity provider (Telefonica) provides a service that is supposed to provide "clean" traffic.

No part of the Package Sales System is located in a publicly accessible location. No part of the Package Sales System is accessible via a Mobile application, but there are plans to incorporate a solution for this. No part of the Package Sales System is exposed to extreme environmental conditions.

Questionnaire

The questionnaire handed to participants had the Question column blank (participants had to supply the questions) and the Answer column filled in as follows:
• Ambiguous S.L
• Madrid
• Package Sales System
• Clare
• Ignatius
• Create, Modify and Delete Travel Packages. Sell Travel Packages both online and at the office. Receive feedback from customers and the public in general. Send Travel Package offers to subscribers. Manage Claims and Incidences.
• Travel Package Archive; Sales Archive; Feedback Archive; Offers Archive; Claims, Feedback and Incidences Archive
• Travel Package Archive: Create, Update, Retire, Publish, Unpublish. Sales Archive: Book, Release, Sell, Refund, Update. Feedback Archive: Create, Update, Close. Offers Archive: Create, Update, Retire, Publish. Claims, Feedback and Incidences Archive: Create, Update, Close.
• Sales Statistics Report
• Spain
• Operating System, Application Server and Database
• Only the chief of sales can Create, Update and Publish Travel Packages.
• Every salesperson can only view the personal information of their own clients.
• Only the chief of sales and the person assigned to Feedback and Claims can view the personal information of all clients.
• Only the chief of sales can create Offers
• Yes, we handle credit card transactions
• Authorized Employees; Authorized Outsourced Employees; Clients over 18 years old; Potential Clients; Specific Groups: (Spain Users) +Location
• Yes, we handle personal information
• Clients; Potential clients
• Unauthorized Employees; Non Employees; Groups: (Non Spain users, Clients younger than 18 years old)
• User; Client; Potential Client; Administrator
• Spain
• Mail, File Transfers, VPN
• Amadeus GDS, VISA, Mtravel
• The Package Sales System is expected to be online 24x7
• One hour per week off business hours that are 9 to 5 from Tuesday to Sunday
• Two Hours during business hours that are 9 to 5 from Tuesday to Sunday
• All live transactions can be lost in the event of an interruption of service
• Data needs to be kept for 5 years minimum, in order to meet tax regulations
• After 10 years Package Sales System data can be deleted permanently.
• One percent of records with wrong information
• One day worth of data can be lost in the event of an incident
• Public in general doesn't need an account to provide feedback or sign up for the Offers newsletter. In order to create an account in the Package Sales System, the Sales Manager sends an email to the Administrator
• If the password to access the Package Sales System is lost, customers can request a new one getting a link sent to their mail address. If the password to access the Package Sales System is lost, users need to visit physically the Administrator, who resets the password in the system for them and hands it in a written note
• In order to get an account in the Package Sales System, the Chief of Sales sends a mail message to the Administrator. The mail states what functions the user should be able to perform.
• As some sales are time-sensitive, the difference between real time and time of the systems should not be greater than one second
• Manuals from Internet, no formal process
• The current administrator is subscribed to mail lists that warn him of security updates. Security patches are not applied since one patch caused a half day downtime
• The system has no antimalware protection
• The domain has been registered with Piensasolutions.es.
• The digital certificates used by the system are from Thawte
• No one has been assigned with the responsibility to manage either the domain or the certificates
• The system logs all the sales activity, but not any of the other activity
• There is no Firewall. The internet connectivity provider (Telefonica) provides a service that is supposed to provide "clean" traffic.
• No part of the Package Sales System is located in a publicly accessible location
• No part of the Package Sales System is accessible via Mobile application, but there are plans to incorporate a solution for this.
• No part of the Package Sales System sustains extreme environmental conditions.
• The Administrator changes about once every six months.
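Most of the requirements in the use case are numbers (a one-hour weekly maintenance window outside business hours, two hours of downtime during business hours, one day of data loss, five- and ten-year retention limits, one percent inaccurate records, one second of clock drift), which is what the study's last research question means by analyzing requirements quantitatively. The Python below is an added example, not part of the study or of O-ISM3: it encodes those numbers as objectives (class and field names are this example's own) and evaluates a constructed week of operational observations against them, reporting each objective that is missed.

```python
"""Added example (not from the study): the measurable requirements of the
Ambiguous SL use case as quantitative objectives, checked against one
constructed week of observations. All names here are this example's own."""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta

# Business hours from the use case: 9 to 5, Tuesday to Sunday (Monday is 0).
BUSINESS_WEEKDAYS = {1, 2, 3, 4, 5, 6}
OPEN, CLOSE = time(9, 0), time(17, 0)


def in_business_hours(t: datetime) -> bool:
    return t.weekday() in BUSINESS_WEEKDAYS and OPEN <= t.time() < CLOSE


def business_minutes(start: datetime, end: datetime) -> int:
    """Count the minutes of [start, end) that fall inside business hours."""
    count, t = 0, start
    while t < end:
        count += int(in_business_hours(t))
        t += timedelta(minutes=1)
    return count


@dataclass
class Outage:
    start: datetime
    end: datetime
    planned: bool  # maintenance stoppage (True) or incident (False)


@dataclass
class Objectives:
    """Thresholds stated in the use case; the field names are hypothetical."""
    weekly_maintenance: timedelta = timedelta(hours=1)   # outside business hours only
    max_business_outage: timedelta = timedelta(hours=2)  # TPV and notes cover the rest
    max_data_loss: timedelta = timedelta(days=1)         # rebuilt from VISA/Amadeus/MTravel
    min_retention: timedelta = timedelta(days=5 * 365)   # tax regulations
    max_retention: timedelta = timedelta(days=10 * 365)  # no longer useful for BI
    max_inaccurate_fraction: float = 0.01
    max_clock_skew: timedelta = timedelta(seconds=1)     # offers expire at midnight


@dataclass
class WeekObservations:
    """What an assessor would collect for one week (constructed, not measured)."""
    outages: list = field(default_factory=list)
    newest_restorable_backup_age: timedelta = timedelta(0)
    retained_record_ages: list = field(default_factory=list)
    deleted_record_ages: list = field(default_factory=list)
    inaccurate_records: int = 0
    total_records: int = 1
    clock_skew: timedelta = timedelta(0)


def evaluate(obj: Objectives, obs: WeekObservations) -> list:
    """Return one message per objective that the week's observations violate."""
    violations = []
    planned_total = timedelta(0)
    for o in obs.outages:
        busy = timedelta(minutes=business_minutes(o.start, o.end))
        if o.planned:
            if busy:  # a zero timedelta is falsy
                violations.append(f"planned stoppage at {o.start:%a %H:%M} inside business hours")
            planned_total += o.end - o.start
        elif busy > obj.max_business_outage:
            violations.append(f"outage at {o.start:%a %H:%M} exceeds {obj.max_business_outage} of business time")
    if planned_total > obj.weekly_maintenance:
        violations.append(f"planned stoppages total {planned_total}, above the weekly hour")
    if obs.newest_restorable_backup_age > obj.max_data_loss:
        violations.append("recoverable data is older than the tolerated one day of loss")
    if any(age > obj.max_retention for age in obs.retained_record_ages):
        violations.append("records retained beyond the ten-year deletion deadline")
    if any(age < obj.min_retention for age in obs.deleted_record_ages):
        violations.append("records deleted before the five-year tax retention period")
    if obs.inaccurate_records / obs.total_records > obj.max_inaccurate_fraction:
        violations.append("more than one percent of records are inaccurate")
    if abs(obs.clock_skew) > obj.max_clock_skew:
        violations.append("system clock differs from real time by more than one second")
    return violations


def sample_week() -> WeekObservations:
    """Constructed observations; 2014-03-10 is a Monday, outside the Tue-Sun week."""
    mon = datetime(2014, 3, 10)
    return WeekObservations(
        outages=[
            # Monday 03:00-03:45 maintenance: off-hours and under one hour, acceptable
            Outage(mon + timedelta(hours=3), mon + timedelta(hours=3, minutes=45), True),
            # Wednesday 10:00-13:00 incident: three business hours, above the two allowed
            Outage(mon + timedelta(days=2, hours=10), mon + timedelta(days=2, hours=13), False),
        ],
        newest_restorable_backup_age=timedelta(hours=20),
        retained_record_ages=[timedelta(days=30), timedelta(days=11 * 365)],
        deleted_record_ages=[timedelta(days=6 * 365)],
        inaccurate_records=7,
        total_records=1000,
        clock_skew=timedelta(seconds=4),
    )


if __name__ == "__main__":
    for v in evaluate(Objectives(), sample_week()):
        print("VIOLATION:", v)
```

Note that none of the checks needs the words Confidentiality, Integrity or Availability: each objective is a threshold on a quantity the business managers in the use case already stated.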
Methodology

The existence and opening of the Challenge was announced online via Twitter, an email list with more than 1000 members, LinkedIn groups and a press release that was sent to the most important bloggers and media in information security. The relevant rules and development of the Challenge follow:
• Participants signed up between the 28th of February and the 14th of March 2014 (CET time zone).
• Every participant received a copy of a spreadsheet with the Answers and a registration number within 24h of registration.
• In the spreadsheet, the participant had to choose either the CIA Option or the O-ISM3 Option.
• Each participant had to fill in Questions that would give the Answers provided and send the spreadsheet attached to an e-mail to learn@inovement.es, with their registration number in the subject of the mail.
• Questions were evaluated. A single ambiguous question, where the answer is not a perfect match, caused the participant to FAIL the challenge (example of FAIL: "What is the Integrity of the Data?" for the answer "Data needs to be kept for 5 years"; example of PASS: "When does the system need to be Available?" for the answer "Between 8 and 5 Monday to Friday").
• Grammatically or logically inconsistent questions, questions not in the English language or longer than 255 characters, or the inclusion of malicious macros would result in a FAIL.
• For the CIA Option, failure to use at least one of Confidentiality, Integrity and Availability (or Confidential, Integer, Available) in any question would result in a FAIL.
• For the O-ISM3 Option, using any of Confidentiality, Integrity or Availability in any question would result in a FAIL.
• All answers had to be sent by midnight on the 16th of March 2014 (CET time zone).
• Those who PASSED were to be announced on the 24th of March.
• The results of the entry evaluations could not be contested.
• The names of the participants would not be published without their permission.
• A 500€ prize and a free seat for an O-ISM3 Course would have been awarded. The winner would be chosen from those who PASSED. (Note: No participants PASSED.)

Results

Out of eight people who registered to participate, two submitted their solutions. Both participants chose not to use Confidentiality, Integrity and Availability in their questions.

Participant 007 got 45 out of 49 questions correct. One wrong question (marked in green) can be attributed to a poor design of the answer. Incorrect questions are marked in red. His Questionnaire follows:

Question: What is the name of the company?
Answer: Ambiguous S.L

Question: Where does the company operate from?
Answer: Madrid

Question: What is the most important system operated by the company?
Answer: Package Sales System

Question: Who's in charge of IT?
Answer: Myrna

Question: Who's responsible for this system (Package Sales System)?
Answer: Ignatius

Question: What are the system's functionalities?
Answer: Create, Modify and Delete Travel Packages. Sell Travel Packages both online and at the office. Receive feedback from customers and the public in general. Send Travel Package offers to subscribers. Manage Claims and Incidences.

Question: What are the high level data resources used by Package Sales System?
Answer: Travel Package Archive; Sales Archive; Feedback Archive; Offers Archive; Claims, Feedback and Incidences Archive

Question: What are the actions that can be performed on each data resource?
Answer: Travel Package Archive: Create, Update, Retire, Publish, Unpublish. Sales Archive: Book, Release, Sell, Refund, Update. Feedback Archive: Create, Update, Close. Offers Archive: Create, Update, Retire, Publish. Claims, Feedback and Incidences Archive: Create, Update, Close.

Question: What kind of information does the application generate?
Answer: Sales Statistics Report

Question: In which country do you provide your services?
Answer: Spain

Question: Are there parts of the Package Sales System that are licensed?
Answer: Operating System, Application Server and Database

Question: Is there a requirement regarding who can do what and where with Travel Packages?
Answer: Only the chief of sales can Create, Update and Publish Travel Packages.

Question: Is there a requirement regarding who can do what and where with client information?
Answer: Every salesperson can only view the personal information of their own clients.

Question: Is there a requirement regarding who can do what and where with client information?
Answer: Only the chief of sales and the person assigned to Feedback and Claims can view the personal information of all clients.

Question: Is there a requirement regarding who can do what and where with offers?
Answer: Only the chief of sales can create Offers

Question: Do you handle any payment card information?
Answer: Yes, we handle credit card transactions

Question: Who is supposed to access Package Sales System?
Answer: Authorized Employees; Authorized Outsourced Employees; Clients over 18 years old; Potential Clients; Specific Groups: (Spain Users) +Location

Question: Do you handle any personal information?
Answer: Yes, we handle personal information

Question: What are the categories of people for which you are handling personal information?
Answer: Clients; Potential clients

Question: Who should not have access to Package Sales System?
Answer: Unauthorized Employees; Non Employees; Groups: (Non Spain users, Clients younger than 18 years old)

Question: What are the different categories of persons accessing your system?
Answer: User; Client; Potential Client; Administrator

Question: In which country is your system located?
Answer: Spain

Question: What kind of interface does your system have with other systems or users?
Answer: Mail, File Transfers, VPN

Question: Is your system connected to other systems outside the company?
Answer: Amadeus GDS, VISA, Mtravel

Question: When is your PSS supposed to be up and working?
Answer: The Package Sales System is expected to be online 24x7

Question: What is the maximum downtime of PSS you are ready to accept for maintenance reasons and when should it better occur?
Answer: One hour per week off business hours that are 9 to 5 from Tuesday to Sunday

Question: When and how long would a downtime of PSS have an unacceptable impact on your business?
Answer: Two Hours during business hours that are 9 to 5 from Tuesday to Sunday

Question: In the event PSS goes down, how much data processed by the system can you afford to lose?
Answer: All live transactions can be lost in the event of an interruption of service

Question: Do you need to archive your data for any regulatory reason?
Answer: Data needs to be kept for 5 years minimum, in order to meet tax regulations

Question: How long do you need to keep your data for business reasons?
Answer: After 10 years Package Sales System data can be deleted permanently.

Question: What is your expected level of quality for PSS information?
Answer: One percent of records with wrong information

Question: In case of incident with PSS, how much data, in minutes, hours or days before the incident, can you afford to lose?
Answer: One day worth of data can be lost in the event of an incident

Question: How do you grant access to PSS?
Answer: Public in general doesn't need an account to provide feedback or sign up for the Offers newsletter. In order to create an account in the Package Sales System, the Sales Manager sends an email to the Administrator

Question: How do you manage passwords for PSS users?
Answer: If the password to access the Package Sales System is lost, customers can request a new one getting a link sent to their mail address. If the password to access the Package Sales System is lost, users need to visit physically the Administrator, who resets the password in the system for them and hands it in a written note

Question: How do you manage access rights for Ambiguous SL's employees?
Answer: In order to get an account in the Package Sales System, the Chief of Sales sends a mail message to the Administrator. The mail states what functions the user should be able to perform.

Question: Does the accuracy of the PSS clock have importance?
Answer: As some sales are time-sensitive, the difference between real time and time of the systems should not be greater than one second

Question: Do you have a process or a standard used to manage the security of your system?
Answer: Manuals from Internet, no formal process

Question: How do you ensure your system has all the necessary software patches applied in order to prevent exploit of a known vulnerability?
Answer: The current administrator is subscribed to mail lists that warn him of security updates. Security patches are not applied since one patch caused a half day downtime

Question: Do you have an anti-malware protection on the system?
Answer: The system has no antimalware protection

Question: Where did you register your Internet domain name?
Answer: The domain has been registered with Piensasolutions.es.

Question: Who is your digital certificate provider?
Answer: The digital certificates used by the system are from Thawte

Question: Who is responsible to manage the digital certificates and the domain name?
Answer: No one has been assigned with the responsibility to manage either the domain or the certificates

Question: What are the actions that are logged by the system?
Answer: The system logs all the sales activity, but not any of the other activity

Question: Do you protect your system from attack coming through the internet with a firewall or any filtering system?
Answer: There is no Firewall. The internet connectivity provider (Telefonica) provides a service that is supposed to provide "clean" traffic.

Question: Do you have a part or the entire system located in an area accessible to the public?
Answer: No part of the Package Sales System is located in a publicly accessible location

Question: Is PSS accessible through a mobile application?
Answer: No part of the Package Sales System is accessible via Mobile application, but there are plans to incorporate a solution for this.

Question: Is your system exposed to extreme environmental conditions?
Answer: No part of the Package Sales System sustains extreme environmental conditions.

Question: How experienced is the administrator of the system?
Answer: The Administrator changes about once every six months.
  • 16. 16 Participant 006 got 47 out of 49 questions correctly. Incorrect questions are marked in red. His Questionnaire follows: Question Answer What is the name of your company? Ambiguous S.L Where is your company located? Madrid What is your most important IT system? Package Sales System Who is responsible for managing the Package Sales System? Myrna Who is the vendor's contact person for the Package Sales System? Ignatius Which functionality does the Package Sales System offer? Create, Modify and Delete Travel Packages. Sell Travel Packages both online and at the office. Receive feedback from customers and the public in general. Send Travel Package offers to subscribers. Manage Claims and Incidences. Which data resources does the Package Sales System use? Travel Package Archive Sales Archive Feedback Archive Offers Archive Claims, Feedback and Incidences Archive Which action can be performed on each data resource of the Package Sales System? Travel Package Archive: Create, Update, Retire, Publish, Unpublish. Sales Archive: Book, Release, Sell, Refund, Update. Feedback Archive: Create, Update, Close. Offers Archive: Create, Update, Retire, Publish. Claims, Feedback and Incidences Archive: Create, Update, Close Which data resource contains the most important data? Sales Statistics Report In which country is the vendor of the Package Sales System located? Spain Which parts of the Package Sales System are licensed? Operating System, Application Server and Database Who can change data of the Travel Packages? Only the chief of sales can Create, Update and Publish Travel Packages. Are principles of information segregation used for the Package Sales System? Every salesperson can only view the personal information of their own clients.
Question: Is the principle of information segregation effective for every user role and account?
Answer: Only the chief of sales and the person assigned to Feedback and Claims can view the personal information of all clients.

Question: Who can add data to the Offers Archive?
Answer: Only the chief of sales can create Offers

Question: Do you handle credit card transactions within the Package Sales System?
Answer: Yes, we handle credit card transactions

Question: Who is allowed access to the Package Sales System?
Answer:
  Authorized Employees
  Authorized Outsourced Employees
  Clients over 18 years old
  Potential Clients
  Specific Groups: (Spain Users) +Location

Question: Do you handle personal information within the Package Sales System?
Answer: Yes, we handle personal information

Question: To whom does the personal information belong which is processed by the Package Sales System?
Answer:
  Clients
  Potential clients

Question: Who may not access the Package Sales System?
Answer:
  Unauthorized Employees
  Non Employees
  Groups: (Non Spain users, Clients younger than 18 old)

Question: Which roles (types of users) exist within the Package Sales System?
Answer:
  User
  Client
  Potential Client
  Administrator

Question: Where are the users of the Package Sales System physically located?
Answer: Spain

Question: By what means does the Package Sales System interface with other systems?
Answer: Mail, File Transfers, VPN

Question: To which other systems does the Package Sales System have interfaces?
Answer: Amadeus GDS, VISA, Mtravel

Question: During which time should the Package Sales System be online?
Answer: The Package Sales System is expected to be online 24x7

Question: During which time may maintenance services be performed on the Package Sales System?
Answer: One hour per week off business hours that are 9 to 5 from Tuesday to Sunday

Question: What is the maximum tolerable amount of time the Package Sales System may be offline during business hours?
Answer: Two Hours during business hours that are 9 to 5 from Tuesday to Sunday

Question: What data can be lost upon interruption of service?
Answer: All live transactions can be lost in the event of an interruption of service
Question: Do you have requirements to archive the system data for a specific period of time?
Answer: Data needs to be kept for 5 years minimum, in order to meet tax regulations

Question: After what period of time may the data be disposed of?
Answer: After 10 years Package Sales System data can be deleted permanently.

Question: What is the maximum tolerable amount of data in the system that may be wrong?
Answer: One percent of records with wrong information

Question: What is the maximum tolerable amount of data that may be lost in the case of an incident?
Answer: One day's worth of data can be lost in the event of an incident

Question: Can parts of the service be used without an account and how can an account be created?
Answer: The public in general doesn't need an account to provide feedback or to sign up for the Offers newsletter. In order to create an account in the Package Sales System, the Sales Manager sends an email to the Administrator

Question: What procedures are in place to reset an account password?
Answer: If the password to access the Package Sales System is lost, customers can request a new one by getting a link sent to their mail address. If the password to access the Package Sales System is lost, users need to physically visit the Administrator, who resets the password in the system for them and hands it over in a written note

Question: What procedure needs to be followed to create an account?
Answer: In order to get an account in the Package Sales System, the Chief of Sales sends a mail message to the Administrator. The mail states what functions the user should be able to perform.

Question: What is the maximum amount of time the system time may differ from real time?
Answer: As some sales are time-sensitive, the difference between real time and the time of the systems should not be greater than one second

Question: Is a formal system hardening process followed in the system configuration?
Answer: Manuals from the Internet, no formal process

Question: Is a patch management process followed for the system?
Answer: The current administrator is subscribed to mail lists that warn him of security updates. Security patches are not applied since one patch caused half a day of downtime

Question: Is antimalware protection in place for the system?
Answer: The system has no antimalware protection

Question: Where is the system domain registered?
Answer: The domain has been registered with Piensasolutions.es.
Question: Are digital certificates used for the system, and if so, who issued the certificates?
Answer: The digital certificates used by the system are from Thawte

Question: Who is responsible for managing the domain and the associated certificates?
Answer: No one has been assigned the responsibility to manage either the domain or the certificates

Question: Which system activities are logged?
Answer: The system logs all the sales activity, but not any of the other activity

Question: Are protection measures on network level (e.g. firewall) employed?
Answer: There is no Firewall. The internet connectivity provider (Telefonica) provides a service that is supposed to provide "clean" traffic.

Question: Are parts of the system located in a publicly accessible area?
Answer: No part of the Package Sales System is located in a publicly accessible location

Question: Is the system accessible via a mobile application?
Answer: No part of the Package Sales System is accessible via Mobile application, but there are plans to incorporate a solution for this.

Question: Are parts of the system exposed to extreme environmental conditions?
Answer: No part of the Package Sales System sustains extreme environmental conditions.

Question: How often does the system administrator change?
Answer: The Administrator changes about once every six months.

Discussion

The small number of participants precludes any statistical analysis of the data.

Is there a consensus in information technology standards about the definition of Confidentiality, Integrity and Availability?

Checking the literature (page 4) we can confidently answer: No.

Are Confidentiality, Integrity and Availability sufficient to analyze the security requirements of an information system?

As no participants decided to use Confidentiality, Integrity and Availability, the answer would be inconclusive.
On the other hand, it is easy to find a question that cannot be asked using only Confidentiality, Integrity and Availability, for example:

Question: Which system activities are logged?
Answer: The system logs all the sales activity, but not any of the other activity

The answer for this question is therefore: No.
Are Confidentiality, Integrity and Availability necessary to analyze the security requirements of an information system?

Combining the results from both participants, it is possible to fully analyze the security requirements of the Package Sales System without mentioning Confidentiality, Integrity or Availability. The answer for this question is therefore: No.

Is there an alternative to Confidentiality, Integrity and Availability to analyze the security requirements of an information system quantitatively?

Combining the results from both participants, it is possible to fully analyze the security requirements of the Package Sales System without mentioning Confidentiality, Integrity or Availability. The answer for this question is therefore: Yes.

Conclusions

Findings

Confidentiality, Integrity and Availability are neither sufficient nor necessary to analyze the security requirements of an information system. This Study proves that an alternative is possible.

Alternative to Confidentiality, Integrity and Availability

Following the Scientific Method [6], the need for measurements free of variance, repeatable and independent of the observer led to the creation of Operational Definitions [7]. This is the approach taken by the definition of Security Objectives in O-ISM3 [8].

There are two important consequences of the use of operational definitions. One is that operational definitions can be built on top of other operational definitions: Threats, Incidents, Vulnerability and Weakness, among others, can be defined in terms of Security Objectives. The other is that every security requirement has units. The units can be at different Levels of Measurement [9]; in the Use Case used in this Study they are either Nominal or Ratio.

Example of Nominal:

Question: Are parts of the system exposed to extreme environmental conditions?
Answer: No part of the Package Sales System sustains extreme environmental conditions.
Question: Who may not access the Package Sales System?
Answer:
  Unauthorized Employees
  Non Employees
  Groups: (Non Spain users, Clients younger than 18 old)

Example of Ratio:

Question: Do you have requirements to archive the system data for a specific period of time?
Answer: Data needs to be kept for 5 years minimum, in order to meet tax regulations

Question: After what period of time may the data be disposed of?
Answer: After 10 years Package Sales System data can be deleted permanently.

The use of units makes it possible to manage security quantitatively. With security requirements that have Units, it becomes possible, or even easy, to perform management that is otherwise subjective, difficult or impossible:

1. Determine success criteria: a security objective can be met or failed. (When a security objective is failed, there has been an Incident.)
2. Perform an assessment of the value of information security activities. Those that contribute to meeting a security objective are valuable.
3. Perform an assessment of the return on investment of information security activities.
4. Prioritize the use of resources to maximize the value of information security activities.
5. Plan for the resources necessary to meet security objectives.
6. Check whether management decisions render the expected results.

Further Research

It would be of interest to validate the following research questions:

• Can Threat be defined with an operational definition, in relation with Security Objectives?
• Can Weakness be defined with an operational definition, in relation with Security Objectives?
• Can Vulnerability be defined with an operational definition, in relation with Security Objectives?
• Can Security be defined with an operational definition, in relation with Security Objectives?
• Can Risk be defined with an operational definition, in relation with Security Objectives?

This Challenge took the point of view of the information security professional.
It would be valuable to replicate this Challenge from the point of view of the final client or user of information security, comparing whether they find it easier to answer questions that use Confidentiality, Integrity and Availability or questions of the same nature as those used in this Study.

Executive Summary

The lack of consensus in information technology standards about the definition of Confidentiality, Integrity and Availability leads to high variance in the work of different individuals when carrying out their information security duties. High variance is undesirable in disciplines where results are important (architecture, medicine, aviation, for example), and should be avoided.

Confidentiality, Integrity and Availability are neither sufficient nor necessary to analyze the security requirements of an information system.

The results of this Study call for the replacement of the current definitions of Confidentiality, Integrity and Availability with an alternative where consensus is wider, variance is smaller, communication with business stakeholders is easier, and quantitative management of information security becomes possible.

Works Cited

1. http://en.wikipedia.org/w/index.php?title=Information_security&oldid=598736584
2. http://en.wikipedia.org/w/index.php?title=Alfred_Wegener&oldid=597391093
3. http://en.wikipedia.org/w/index.php?title=Ignaz_Semmelweis&oldid=596591369
4. http://en.wikipedia.org/w/index.php?title=Karl_Popper&oldid=600025946
5. http://en.wikipedia.org/w/index.php?title=Thomas_Kuhn&oldid=595760171
6. http://en.wikipedia.org/w/index.php?title=Scientific_method&oldid=599211918
7. http://en.wikipedia.org/w/index.php?title=Operational_definition&oldid=597679965
8. Open Information Security Management Maturity Model (O-ISM3)
9. http://en.wikipedia.org/w/index.php?title=Level_of_measurement&oldid=599847388
10. http://en.wikipedia.org/wiki/Necessity_and_sufficiency
Annex I: Mapping of Information Security Criteria

Each entry below maps one ISM3 Security Objective to its closest counterpart in ISO (Integrity, Availability, Confidentiality), in the COBIT Information Criteria, and in the Parkerian Hexad.

ISM3 Security Objective: Accurate time and date should be reflected in all records
ISO: No equivalent
COBIT: No equivalent
Parkerian Hexad: No equivalent

ISM3 Security Objective: Availability of repositories, services and channels should exceed Customer needs. It can be measured as the period of time when a service, repository, interface or channel must exist, be accessible and usable (perform according to customer needs) upon demand. It is measured as well by the oldest recent messages and information that can be lost because of an interruption of service, channel or interface.
ISO: Availability is the property of being accessible and usable upon demand by an authorized entity.
COBIT: Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
Parkerian Hexad: Availability means having timely access to information.

ISM3 Security Objective: Completeness: The extent to which a repository is populated (available and consistent) with the information required to meet or exceed customer needs. The lower limit is usually set by business or customer needs, and the upper limit by regulatory needs.
ISO: No equivalent
COBIT: Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
Parkerian Hexad: Utility means usefulness.

ISM3 Security Objective: Completeness: The extent to which a repository is populated (available and consistent) with the information required to meet or exceed customer needs. The lower limit is usually set by business or customer needs, and the upper limit by regulatory needs.
ISO: No equivalent
COBIT: Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
Parkerian Hexad: Utility means usefulness.

ISM3 Security Objective: Compliance Needs and Limitations. Examples:
  • Third party services and repositories need to be appropriately licensed.
  • Personal information completeness must be proportional to its use.
  • Personal information must be protected using certain security measures depending on the type of personal information.
  • The owner of Personal information must agree for it to be collected and has the right to check it, fix it and approve how it will be used or ceded.
  • Encryption must be used under legal limitations.
  • Secrets must be kept according to the terms of agreed Non-Disclosure Agreements.
  • The owner of Personal information will be given notice when his data is being collected, including who is collecting the data.
  • Personal information must be used for the purpose agreed with the information owner.
  • Personal information must not be disclosed without the agreement of the information owner.
  • Personal information owners will have means to make data collectors accountable for their use of his personal information.
  • Personal information is held for no longer than required.
  • Tax records must be kept for a minimum number of years.
  • Repositories with Personal information have to be registered with a Data Protection agency.
ISO: No equivalent
COBIT: Compliance deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, e.g., externally imposed business criteria as well as internal policies.
Parkerian Hexad: No equivalent

ISM3 Security Objective: Expired or end of life-cycle repositories should be permanently destroyed. It can be measured as the date the expired or end of life-cycle repositories and records should be permanently and reliably destroyed.
ISO: No equivalent
COBIT: No equivalent
Parkerian Hexad: No equivalent

ISM3 Security Objective: Information systems and repositories should be physically accessible only to authorized users.
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
COBIT: Confidentiality concerns the protection of sensitive information from unauthorized disclosure.
Parkerian Hexad: Possession or Control
ISM3 Security Objective: Intellectual property (licensed, copyrighted, patented and trademarks) should be accessible to authorized users only.
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
COBIT: Confidentiality concerns the protection of sensitive information from unauthorized disclosure.
Parkerian Hexad: Confidentiality refers to limits on who can get what kind of information. For example, executives are concerned about protecting their enterprise's strategic plans from competitors; individuals are concerned about unauthorized access to their financial records.

ISM3 Security Objective: This is a business objective, not a security objective.
ISO: This is not an information security criterion.
COBIT: Efficiency concerns the provision of information through the optimal (most productive and economical) use of resources.
Parkerian Hexad: This is not an information security criterion.

ISM3 Security Objective: Personal information should be accessible for a valid purpose to authorized users only and is held for no longer than required.
ISO: Confidentiality (partial match)
COBIT: Effectiveness (partial match)
Parkerian Hexad: Confidentiality (partial match)

ISM3 Security Objective: Personal information should preserve the anonymity of the information subjects if necessary, for example by not linking user accounts or certificates to an identifiable user.
ISO: No equivalent
COBIT: No equivalent
Parkerian Hexad: No equivalent

ISM3 Security Objective: Precision, relevance (up-to-date), completeness and consistency of repositories should exceed Customer needs. It can be measured as the maximum rate of erroneous and outdated information in the information available.
ISO: No equivalent
COBIT: Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
Parkerian Hexad: Utility means usefulness.

ISM3 Security Objective: Precision, relevance (up-to-date), completeness and consistency of repositories should exceed Customer needs. It can be measured as the maximum rate of erroneous and outdated information in the information available.
ISO: No equivalent
COBIT: Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
Parkerian Hexad: Utility means usefulness.
ISM3 Security Objective: Reliability and performance of services and channels should exceed Customer needs. It can be measured as the longest time and the number of times in the availability (performance) time a service, repository, interface or channel can be interrupted according to or exceeding customer needs.
ISO: Reliability (partial match)
COBIT: Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
Parkerian Hexad: Availability means having timely access to information.

ISM3 Security Objective: Reliability and performance of services and channels should exceed Customer needs. It can be measured as the longest time and the number of times in the availability (performance) time a service, repository, interface or channel can be interrupted according to or exceeding customer needs.
ISO: Reliability: the property of consistent intended behavior and results.
COBIT: Reliability relates to the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities.
Parkerian Hexad: Availability means having timely access to information.

ISM3 Security Objective: Repositories should be accessed by authorized users only.
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
COBIT: Confidentiality concerns the protection of sensitive information from unauthorized disclosure.
Parkerian Hexad: Confidentiality refers to limits on who can get what kind of information. For example, executives are concerned about protecting their enterprise's strategic plans from competitors; individuals are concerned about unauthorized access to their financial records.

ISM3 Security Objective: Retention period can be measured as the minimum length of time a repository is kept (preserved) according to or exceeding customer and regulatory requirements.
ISO: Integrity: the property of safeguarding the accuracy and completeness of assets.
COBIT: Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
Parkerian Hexad: Integrity refers to being correct or consistent with the intended state of information.

ISM3 Security Objective: Secrets (personal, industrial, trade) should be accessible to authorized users only.
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
COBIT: Confidentiality concerns the protection of sensitive information from unauthorized disclosure.
Parkerian Hexad: Confidentiality refers to limits on who can get what kind of information. For example, executives are concerned about protecting their enterprise's strategic plans from competitors; individuals are concerned about unauthorized access to their financial records.
ISM3 Security Objective: Systems should be as free of weaknesses as possible.
ISO: Integrity: the property of safeguarding the accuracy and completeness of assets.
COBIT: Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
Parkerian Hexad: Integrity refers to being correct or consistent with the intended state of information.

ISM3 Security Objective: Systems should run trusted services only.
ISO: Integrity: the property of safeguarding the accuracy and completeness of assets.
COBIT: Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
Parkerian Hexad: Integrity refers to being correct or consistent with the intended state of information.

ISM3 Security Objective: Systems that need to be visible to untrusted systems are the least visible possible. Systems are visible to trusted systems only.
ISO: No equivalent
COBIT: No equivalent
Parkerian Hexad: No equivalent

ISM3 Security Objective: The Authentication Process links the use of user accounts with their owner and manages the lifecycle of sessions.
ISO: Authenticity: The property that ensures that the identity of a subject or resource is the one claimed. Authenticity applies to entities such as users, processes, systems and information.
COBIT: No equivalent
Parkerian Hexad: No equivalent

ISM3 Security Objective: The Authentication Process links the use of user accounts with their owner and manages the lifecycle of sessions.
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
COBIT: Confidentiality concerns the protection of sensitive information from unauthorized disclosure.
Parkerian Hexad: Confidentiality refers to limits on who can get what kind of information. For example, executives are concerned about protecting their enterprise's strategic plans from competitors; individuals are concerned about unauthorized access to their financial records.

ISM3 Security Objective: The Authorization Process grants the use of services and interfaces and access to repositories to authorized users and denies it to unauthorized users.
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
COBIT: Confidentiality concerns the protection of sensitive information from unauthorized disclosure.
Parkerian Hexad: Confidentiality refers to limits on who can get what kind of information. For example, executives are concerned about protecting their enterprise's strategic plans from competitors; individuals are concerned about unauthorized access to their financial records.
ISM3 Security Objective: The electricity, temperature and humidity where systems operate should exceed the systems' needs.
ISO: No equivalent
COBIT: No equivalent
Parkerian Hexad: No equivalent

ISM3 Security Objective: The Signing Process records the will and intent of the owner of the user account or certificate concerning a repository, such as agreeing, witnessing or claiming authorship of repositories and messages like original works, votes, contracts and agreements.
ISO: Accountability: The property that ensures that the actions of an entity may be traced uniquely to the entity.
COBIT: Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
Parkerian Hexad: No equivalent

ISM3 Security Objective: The Signing Process records the will and intent of the owner of the user account or certificate concerning a repository, such as agreeing, witnessing or claiming authorship of repositories and messages like original works, votes, contracts and agreements. Digital signatures are a special kind of record.
ISO: Non-repudiation: the ability to prove an action or event has taken place, so that this event or action cannot be repudiated later.
COBIT: No equivalent
Parkerian Hexad: Authenticity refers to correct labeling or attribution of information.

ISM3 Security Objective: Third party services and repositories should be appropriately licensed and accessible only to authorized users.
ISO: Confidentiality (partial match)
COBIT: Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
Parkerian Hexad: Possession or Control

ISM3 Security Objective: The Recording Process registers accurately the results of the registration, authentication, authorization, use of systems and signing processes, so these can be investigated and will and intent or responsibilities determined, within the limits set by Anonymity business objectives. The recording process will normally have to meet business objectives for accurate recording, including date and time. Depending on the security objectives of Anonymity, the recording process normally registers:
  • Interface ID and Location
  • User account or certificate ID
  • Signature
  • Type of Access Attempt (login, logout, change password, change configuration, connect/disconnect systems, repositories I/O interfaces, enabling/disabling admin access or logging, etc.)
  • Date and Time of Access attempt
  • Access attempt result
  • Repository, Interface, Service or Message accessed
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
COBIT: Confidentiality concerns the protection of sensitive information from unauthorized disclosure.
Parkerian Hexad: Confidentiality refers to limits on who can get what kind of information. For example, executives are concerned about protecting their enterprise's strategic plans from competitors; individuals are concerned about unauthorized access to their financial records.
ISM3 Security Objective: The User Registration Process links user accounts and certificates to identifiable users, and manages the lifecycle of user accounts, certificates and access rights. When protecting the anonymity of users is more important than making them accountable, registration must guarantee that user accounts and certificates are not linked to identifiable users.
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
COBIT: Confidentiality concerns the protection of sensitive information from unauthorized disclosure.
Parkerian Hexad: Confidentiality refers to limits on who can get what kind of information. For example, executives are concerned about protecting their enterprise's strategic plans from competitors; individuals are concerned about unauthorized access to their financial records.

ISM3 Security Objective: Use of services and physical and logical access to repositories and systems should be restricted to authorized users.
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
COBIT: Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
Parkerian Hexad: Authenticity refers to correct labeling or attribution of information.

ISM3 Security Objective: Users should be accountable for the repositories and messages they create or modify.
ISO: Accountability: The property that ensures that the actions of an entity may be traced uniquely to the entity.
COBIT: No equivalent
Parkerian Hexad: Authenticity refers to correct labeling or attribution of information.

ISM3 Security Objective: Users should be accountable for their acceptance of contracts and agreements.
ISO: Accountability: The property that ensures that the actions of an entity may be traced uniquely to the entity.
COBIT: No equivalent
Parkerian Hexad: Authenticity refers to correct labeling or attribution of information.

ISM3 Security Objective: Users should be accountable for their use of services.
ISO: Accountability: The property that ensures that the actions of an entity may be traced uniquely to the entity.
COBIT: No equivalent
Parkerian Hexad: Authenticity refers to correct labeling or attribution of information.
Annex II: O-ISM3 Business and Security Objectives

Business Objectives

Every organization exists for specific purposes that require it to set goals and meet certain obligations. Business objectives, ranging from aspirational goals to regulatory compliance, may originate internally, or be imposed by an external party such as the government. Their achievement depends on many factors, one being information security.

Sample Business Objectives
• Paying the payroll on the 1st of every month.
• Paying taxes on time.
• Invoice all products and services provided.
• Deliver the products and services when and where committed by the organization.
• Online booking availability.
• Online booking reliability.
• Online booking volatility.
• Tax information retention.
• Old customers' information expiry.
• Precision of customer addresses.
• Third-party services and repositories appropriately licensed.
• Personal information collected proportional to its use.
• Personal information held for no longer than required.
• Tax records kept for a minimum number of years.
• Personal information is protected using the mandated security measures.
• Owner of personal information agrees for it to be collected, and has the right to check it and fix it and approve how it will be used.
• Repositories with personal information registered with the Data Protection agency.
Security Objectives

Priority Security Objectives determine what availability means for the business. Examples are backup and identification of single points of failure. Resources are allocated according to the priority of protected services, interfaces, and channels. In a multi-tiered information system, the priority of user-facing services is propagated to the lower-level services they depend on.

Priority Security Objectives
• Availability: The period of time when a service, repository, interface, or channel must exist, be accessible, and usable (perform according to customer needs) upon demand according to or exceeding customer needs.
• Reliability: The longest time and number of times in the availability (performance) time a service, repository, interface, or channel can be interrupted according to or exceeding customer needs.
• Volatility: The oldest recent messages and information that can be lost because of an interruption of service, channel, or interface according to or exceeding customer needs.

Durability Security Objectives relate to the generic term integrity and include the planned retention and destruction of information in accordance with policy and business objectives. Durability objectives are supported by archiving and secure disposal techniques.

Durability Security Objectives
• Retention Period: The minimum length of time a repository is kept (preserved) according to or exceeding customer and regulatory requirements.
• Expiry: The date the expired or end of lifecycle repositories and records should be permanently and reliably destroyed according to or exceeding customer and regulatory requirements. Those with personal information of customers and employees often require a specific expiry date.

Information Quality Objectives also relate to integrity and include precision (or accuracy), relevance (how up-to-date information is), completeness, and consistency of repositories.
Information quality objectives usually rely upon quality control techniques, but may also include access control, accountability, authorization, and audit techniques as well. The information quality of a repository is a measure of its fitness in fulfilling security objectives. Sample Information Quality Security Objectives Completeness: The extent to which a repository is populated (available and consistent) with the information required to meet or exceed customer needs. The lower limit is usually set by business or customer needs, and the upper limit by regulatory needs. Personal information completeness must be proportional to its use. The owner of personal information must agree for it to be collected and has the right to check it, fix it, and approve how it will be used or ceded.
  • 32. Sample Information Quality Security Objectives (continued)
- The owner of personal information will be given notice when personal data is collected, including who is collecting the data.
- Personal information must be used for the purpose agreed with the information owner.
- Personal information must not be disclosed without the agreement of the information subject.
- Personal information owners will have means to make data collectors accountable for their use of personal information.

Access Control Objectives ensure that the business requirements for confidentiality of protected information (e.g., secrets, personal information, and licensed, copyrighted, patented, and trademarked information) are clearly understood by the business. Access control requires the identification and management of authorized users, and typically includes enrolment, role management, segregation, accountability, authorization, and logging techniques for its implementation and control.

Access Control Security Objectives
- Granting the use of services and interfaces, and access to repositories, to authorized users.
- Denying the use of services and interfaces, and access to repositories, to unauthorized users.
- Expressing the will and intent of the owner of a user account or certificate regarding a repository.
- Accurate recording of:
  - Interface ID and location
  - User account or certificate ID
  - Signature
  - Type of access attempt
  - Date and time of access attempt
  - Access attempt result
  - Repository, interface, service, or message accessed
- Personal information is accessible to authorized users only and is held for no longer than required.
- Secrets are accessible to authorized users only.
- Third-party services and repositories are appropriately licensed and accessible only to authorized users.
- Information systems are physically accessible only to authorized users.
- Repositories are accessed by authorized users only.
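The "accurate recording of" list above is an accountability objective, and the cheapest way to find out whether it is met is to check the access log itself for records that lack one of the listed fields. The Python below is an added example, not code from the O-ISM3 study or any product: it maps the seven recorded items to JSON field names chosen here for illustration, reports which required fields are absent or empty in each constructed log line, and tallies denied attempts per principal from the records that are complete.

```python
import json
from collections import Counter

# Record fields the annex's "accurate recording of" list asks for.
# Field names are this example's own choice, not a standard schema.
REQUIRED_FIELDS = (
    "interface_id",        # Interface ID
    "interface_location",  # Interface location
    "principal_id",        # User account or certificate ID
    "signature",           # Signature (integrity mark over the record)
    "attempt_type",        # Type of access attempt (read, write, delete, login, ...)
    "timestamp",           # Date and time of the attempt
    "result",              # Access attempt result (granted / denied)
    "target",              # Repository, interface, service or message accessed
)


def missing_fields(line: str) -> list:
    """Return the required fields absent or empty in one JSON log line.
    An unparseable line is reported as missing everything: it accounts for nothing."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return list(REQUIRED_FIELDS)
    if not isinstance(record, dict):
        return list(REQUIRED_FIELDS)
    return [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]


def audit(lines) -> dict:
    """Summarise accountability coverage over a batch of log lines."""
    gaps = {}
    denied = Counter()
    for number, line in enumerate(lines, start=1):
        missing = missing_fields(line)
        if missing:
            gaps[number] = missing
            continue
        record = json.loads(line)
        if record["result"] == "denied":
            denied[record["principal_id"]] += 1
    return {
        "complete": len(lines) - len(gaps),
        "gaps": gaps,
        "denied_by_principal": dict(denied),
    }


# Constructed sample lines (not captured from a real system).
SAMPLE_LINES = [
    '{"interface_id": "web-01", "interface_location": "dmz", "principal_id": "alice", '
    '"signature": "sig-aaaa", "attempt_type": "read", "timestamp": "2014-03-24T09:15:02Z", '
    '"result": "granted", "target": "repo:customers"}',
    '{"interface_id": "web-01", "interface_location": "dmz", "principal_id": "carol", '
    '"signature": "sig-bbbb", "attempt_type": "write", "timestamp": "2014-03-24T09:16:40Z", '
    '"result": "denied", "target": "repo:payroll"}',
    '{"interface_id": "web-01", "principal_id": "bob", "attempt_type": "read", '
    '"timestamp": "2014-03-24T09:17:11Z", "result": "", "target": "repo:customers"}',
    'not json at all',
]


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_LINES), indent=2))
```

The third sample line shows the common failure: the event was logged, but without the interface location, the signature, or the outcome it cannot support an accountability claim. Running such a check continuously is how a logging objective is kept from degrading silently when an application or log pipeline changes.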
  • 33. Technical Security Objectives cover the underlying architecture of information systems and are one step removed from direct impact on the business. Technical security objectives typically include operational objectives for the data center's safety, reliability, and power, as well as for the IT-managed domain, including software patching and upgrading, maintenance processes, vulnerability management, and resilience to compromise and misuse. Technical security objectives usually depend upon data center infrastructure, technologies such as firewalls, anti-virus, and intrusion detection and prevention, and processes such as patch management and secure configuration. Failure to meet technical security objectives puts all other (business and security) objectives at risk, but does not necessarily create a business objective failure itself.

Technical Security Objectives
- Systems are as free of weaknesses as possible.
- Systems that must be visible to untrusted systems are the least visible possible.
- Systems run trusted services only.
- The electrical supply, temperature, and humidity where systems operate exceed the systems' needs.
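Two of the technical objectives, "least visible possible" and "trusted services only", can be checked directly against a host's listening sockets. The Python below is an added example, not part of the O-ISM3 study: it parses a constructed sample laid out like `ss -ltnp` output (not captured from a real host) and flags sockets whose process is not on an assumed allowlist of trusted services, or which are bound on all interfaces on a port that the assumed policy does not allow to be reachable from outside.

```python
import re

# Trusted services and the ports allowed to be reachable from outside
# (assumed sample policy, not from the annex).
TRUSTED_PROCESSES = {"sshd", "nginx", "postgres"}
EXTERNALLY_ALLOWED_PORTS = {22, 443}
ANY_ADDRESS = {"0.0.0.0", "[::]", "*"}

# Constructed sample in the layout of `ss -ltnp` output (not captured from a real host).
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=901,fd=6))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1020,fd=7))
LISTEN 0      128    0.0.0.0:6379        0.0.0.0:*         users:(("redis-server",pid=1101,fd=4))
LISTEN 0      128    [::]:8080           [::]:*            users:(("python3",pid=1200,fd=3))
"""

# Local address, port and the first process name of each LISTEN line.
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(text: str) -> list:
    """Extract (address, port, process) for every listening socket in the text."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2)), m.group(3)))
    return listeners


def audit_listeners(text: str) -> list:
    """Flag sockets that violate either objective; each finding lists its reasons."""
    findings = []
    for address, port, process in parse_listeners(text):
        reasons = []
        if process not in TRUSTED_PROCESSES:
            reasons.append("untrusted service")
        if address in ANY_ADDRESS and port not in EXTERNALLY_ALLOWED_PORTS:
            reasons.append("exposed on all interfaces")
        if reasons:
            findings.append({"process": process, "address": address,
                             "port": port, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE):
        print(finding)
```

On the sample, the loopback-only database passes both checks, while the cache and the ad hoc Python listener are reported for being both unlisted and bound on every interface. Comparing the output of this check with the system's declared service inventory is a simple, repeatable measurement of the "least visible" and "trusted services only" objectives.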