Vicente Aceituno Canal
© Inovement 2014
Measuring the Security of Information Systems
1. Vicente Aceituno Canal, © Inovement 2014. Measuring the Security of Information Systems.
2. Questions
   - Is AIC necessary?
   - Is AIC sufficient?
   - Is AIC ambiguous?
   - Is AIC useful?
   - Is AIC reproducible / repeatable / automatable?
   - Is AIC good for measurement, communication, management, risk assessment?
3. Traditional Security Concepts. What are the fundamental concepts of security, for you?
4. Take a minute to write your own definition: Availability, Confidentiality, Integrity.
5. Traditional Security Concepts. Number of concepts?
6. The need for Security Requirements
   - Does the result of this procedure increase or decrease security?
7. The need for Security Requirements
   - Does the result of this procedure increase or decrease security?
   - Answer: It depends on the baseline.
   - If the hard drive contains valid data, it is not secure.
   - If the hard drive contains expired data, it is secure.
8. The need for Security Requirements
   - Does the result of this procedure increase or decrease security?
   - Answer: It depends on the baseline.
   - If the hard drive contains valid data, it is not secure.
   - If the hard drive contains expired data, it is secure.
   - What about a hacker accessing a system?
9. The need for Security Requirements
   - Does the result of this procedure increase or decrease security?
   - Answer: It depends on the baseline.
   - If the hard drive contains valid data, it is not secure.
   - If the hard drive contains expired data, it is secure.
   - What about a hacker accessing a system?
   - Well, if it is HIS system…
10. The need for Security Requirements
   - The current state of security can be measured only by comparing against a baseline for security, so that you can compare what you want with what you get.
   - A baseline for security can be expressed using Security Requirements.
11. Scope: Management of Security
   - Perform an assessment of the value of information security activities. Those that contribute to meeting a security requirement are valuable.
   - Perform an assessment of the return on investment of information security activities.
   - Prioritize the use of resources to maximize the value of information security activities.
   - Plan for the resources necessary to meet security requirements.
   - Check whether past decisions have rendered the expected results.
12. Measurement. Measuring is reducing uncertainty.
13. Measurement. Do or invest in “A”? Do or invest in “B”?
14. Measurement. SR1.
15. Measurement. SR1, SR2.
16. Measurement. SR1, SR2, SR3.
17. Measurement. Security Requirement “A”, Security Requirement “B”. SR1, SR2, SR3.
18. Measurement. Do or invest in “A”? Do or invest in “B”? SR3.
19. Measurement. Needless to say, Requirements need to be mutually exclusive, otherwise they are redundant.
20. Use Case. Ambiguous Ltd is a business that sells retail travel packages. The most important system they own and operate is the Package Sales System, which they use for advertising, sales, and bookings.
   1. A high level view of the Package Sales System Database reveals the following data resources:
      - Travel Package Archive
      - Sales Archive
      - Feedback Archive
      - Offers Archive
      - Claims, Feedback and Incidences Archive
   2. The following list of actions can be performed on each data resource:
      - Travel Package Archive: Create, Update, Retire, Publish, Unpublish.
      - Sales Archive: Book, Release, Sell, Refund, Update.
      - Feedback Archive: Create, Update, Close.
      - Offers Archive: Create, Update, Retire, Publish.
      - Claims, Feedback and Incidences Archive: Create, Update, Close.
      - Sales Statistics Report Archive: Create, Close.
   3. The system logs all the sales activity, but not any other activity.
   4. As some Offers expire at midnight, the Package Sales System should prevent customers from purchasing Travel Packages after they have expired, even by a few seconds.
21. Use Case
   5. There are certain requirements about who can do what, and where they can do it:
      - Only the sales manager can Create, Update and Publish Travel Packages.
      - Each salesperson can only view the personal information of his or her own clients.
      - Only the sales manager and the person assigned to Feedback and Claims can view the personal information of all clients.
      - Only the owner of the company can access the Sales Statistics Report.
      - Only the sales manager can create Offers.
   6. The general public of Spain is a user and they can purchase Travel Packages through the application. Persons under the age of 18 can ask for feedback and sign up for offers, but they can't purchase Travel Packages. The users of the system are authorized employees, authorized outsourced employees, and clients.
   7. The system shouldn’t be used by unauthorized employees, non-employees, users not in Spain, or clients younger than 18 years old.
22. Use Case
   8. In order to create an account in the Package Sales System, potential clients can log in using Facebook or create an account linked to their email address. They can unlink or delete the account at any time, but that does not delete any data in the database if they have purchased a Travel Package, even if they cancelled the purchase. In order to create an account in the Package Sales System, the Sales Manager sends an email to the Administrator. The general public doesn't need an account to provide feedback or sign up for the Offers newsletter.
   9. Customers who lose their passwords to the Package Sales System can request a new one and a link will be sent to their email address. Users who lose their password to access the Package Sales System need to physically visit the Administrator, who resets the password and gives it to them in a written note.
   10. The email the Sales Manager sends the Administrator states what functions the user should be able to perform.
   11. The administrators of the Package Sales System are employees of Confederacy SL.
23. Use Case
   12. The system is expected to work 24x7.
   13. Maintenance stoppages of no more than one hour per week outside business hours (9 to 5, Tuesday to Sunday) are acceptable.
   14. The longest time that the system can be offline during business hours is 2 hours, because sales can be performed with the TPV (point-of-sale terminal) and handwritten notes can partially replace the use of the system.
   15. In case of a major malfunction of the system, it would be acceptable to lose one day of data, since most data could be reconstructed by checking with VISA, Amadeus and Mtravel.
   16. It is understood that all "live" transactions would be lost in case of an incident.
   17. Data needs to be archived for 5 years in order to meet tax regulations.
   18. After ten years data should be deleted permanently, as customer behaviour changes over time and data is no longer useful for Business Intelligence.
   19. Sales representatives and customers sometimes make mistakes entering data. This is acceptable as long as no more than one percent of the records contain inaccurate information.
24. Measurement
   - Measurement is called “Assessment” in consulting lingo.
   - An assessment is performed by asking questions, for example:
   - Who is supposed to access the System? - Authorized Employees, Authorized Outsourced Employees, Clients over 18 years old, Potential Clients, Users in Spain.
   - Who should not have access to the System? - Unauthorized Employees, Non-Employees, Non-Spain users, Clients younger than 18 years old.
25. The O-ISM3 Challenge
   - Crafting the answers with AIC.
   - Crafting the answers with anything but AIC.
   - The Results.
26. Traditional Security Concepts: Availability, Confidentiality, Integrity.
27. Traditional Security Concepts: ISO2700x
   - Availability: The property of being accessible and useable upon demand by an authorized entity.
   - Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
   - Integrity: The property of safeguarding the accuracy and completeness of assets.
28. Traditional Security Concepts: CobIT
   - Availability: Relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
   - Confidentiality: Concerns the protection of sensitive information from unauthorized disclosure.
   - Integrity: Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
29. Traditional Security Concepts: ITIL
   - Availability: Ability of a Configuration Item or IT Service to perform its agreed Function when required. Availability is determined by Reliability, Maintainability, Serviceability, Performance, and Security.
   - Confidentiality: A security principle that requires that data should only be accessed by authorized people.
   - Integrity: A security principle that ensures data and Configuration Items are only modified by authorized personnel and Activities. Integrity considers all possible causes of modification, including software and hardware Failure, environmental Events, and human intervention.
30. Does it match your own definition?
31. Security Concepts: Integrity, Confidentiality, Authentication, Authorization, Audit, Privacy, Utility, Accountability, Availability, Reliability, Possession, Non-Repudiation, Identification.
32. Assessment with Traditional Definitions
   - What are the high level data resources used by the system?
   - What is the expected confidentiality of each data resource?
   - What is the expected integrity (accuracy and completeness) of each data resource?
   - What is the expected availability of each data resource?
   - Here is where you need to explain what you mean. The answer depends on the explanation of each concept.
   - Would you answer the same tomorrow?
   - What if it is someone else who asks?
   - What if it was a machine or a form?
33. Something is very wrong
   - Standards don’t agree on the definition of fundamental concepts. Even ISO standards don’t.
   - Confidentiality, Integrity and Availability are surrounded by a constellation of concepts. Not all professionals agree on what the fundamental concepts are.
   - We could debate:
     - Whether the different definitions are equivalent.
     - Whether the fundamental concepts are incomplete, ambiguous or both.
     - Which are fundamental, and which are not.
   - The mere possibility of debate and disagreement implies that there is a high variance in assessments depending on which professional or company you rely on.
34. The Alternative. Wouldn’t it be better to just skip the debate? Traditional definitions are about the nature of the thing, “What is it”. Useful to tell security from non-security. Operational definitions are about the measurement of the thing, “How do you measure it”. Useful to manage security.
35. The Alternative
   - On October 15, 1970, the West Gate Bridge in Melbourne, Australia collapsed, killing 35 construction workers. The subsequent enquiry found that the failure arose because engineers had specified the supply of a quantity of flat steel plate. The word flat in this context lacked an operational definition, so there was no test for accepting or rejecting a particular shipment or for controlling quality.
36. Operational Definitions
   - Use operational definitions for Security Requirements: concepts are defined through the operations by which we measure them (asking questions).
   - Operationalization is used to specifically refer to the scientific practice of defining concepts through the operations by which we measure them.
37. Operational Definitions
   - Benefits:
     - Independent of the observer.
     - Repeatable.
     - Free of ambiguity and undesirable variance.
     - Depending on the level of measurement (nominal, ordinal, interval, ratio), they can have units, which makes the optimization of resources possible.
   - Sorry, I am not defining security itself operationally today.
38. Operational Questions
   1. What are the high level data resources used by the system?
   2. What are the actions that can be performed on each type of data resource of the system?
   3. What are the actions that are logged by the system?
   4. What is the maximum amount of time by which the system's log time may differ from real time?
   5. What are the requirements regarding who can do what and where with economic or contractual data resources?
   6. Who are the users of the system?
   7. Who should not be able to use the system?
   8. How are user accounts managed?
   9. How are credentials (password, digital certificate, other) managed?
   10. How are access rights managed?
39. Operational Questions
   11. Which roles (types of user accounts) exist within the system?
   12. When is the system supposed to be up and working?
   13. How many interruptions, and how long, are acceptable in the window of availability?
   14. When, and for how long, would a downtime of the system have an unacceptable impact on your business?
   15. In case of an incident with the system, how much data, in minutes, hours or days before the incident, can you afford to lose?
   16. In the event the system goes down, how many live transactions can you afford to lose?
   17. For how long should the data resources be archived?
   18. When do data resources of the system expire and need to be deleted, if at all?
   19. What is the maximum tolerable amount of data resources in the system that may be inaccurate?
40. Operational Definitions
   - Would you answer the same tomorrow?
   - What if it is someone else who asks?
   - What if it was a machine or a form?
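The point of slides 34 to 40 is that an operational requirement is one a machine or a form could check the same way every time. As an added example that is not part of the original deck, the Ambiguous Ltd requirements 5, 13, 14 and 19 (slides 21 and 23) are written below as repeatable checks over observed data; the audit log, outages and records are constructed for illustration, and the role and resource names are my own labels.

```python
from collections import defaultdict
from datetime import datetime

# Requirement 5 (slide 21): the roles allowed to perform each restricted
# action; (resource, action) pairs not listed here are treated as unrestricted.
RESTRICTED = {
    ("travel_package", "create"): {"sales_manager"},
    ("travel_package", "update"): {"sales_manager"},
    ("travel_package", "publish"): {"sales_manager"},
    ("offer", "create"): {"sales_manager"},
    ("sales_statistics_report", "read"): {"owner"},
}

def action_violations(audit_log):
    """Log entries where a role performed a restricted action it may not perform."""
    return [e for e in audit_log
            if e["role"] not in RESTRICTED.get((e["resource"], e["action"]), {e["role"]})]

def in_business_hours(ts):
    """Business hours from slide 23: 9 to 5, Tuesday (weekday 1) to Sunday (6)."""
    return ts.weekday() != 0 and 9 <= ts.hour < 17

def downtime_violations(outages):
    """Requirements 13 and 14: out-of-hours maintenance totals at most 60 min per
    ISO week, and no business-hours outage exceeds 120 min. An outage is classified
    by its start time; outages straddling the boundary are not split here."""
    weekly, bad = defaultdict(int), []
    for start, minutes in outages:
        if in_business_hours(start):
            if minutes > 120:
                bad.append((start, minutes))
        else:
            week = start.isocalendar()[:2]          # (year, week number)
            weekly[week] += minutes
            if weekly[week] > 60:
                bad.append((start, minutes))
    return bad

def accuracy_ok(records):
    """Requirement 19: at most one percent of records may be inaccurate."""
    return sum(1 for r in records if r.get("inaccurate")) <= 0.01 * len(records)

def assess(audit_log, outages, records):
    """The assessment: which requirements does the observed system meet?"""
    return {"req5": not action_violations(audit_log),
            "req13_14": not downtime_violations(outages),
            "req19": accuracy_ok(records)}

# Constructed sample data (not from the deck).
AUDIT_LOG = [
    {"role": "sales_manager", "resource": "travel_package", "action": "publish"},
    {"role": "salesperson", "resource": "travel_package", "action": "update"},
    {"role": "salesperson", "resource": "sales", "action": "book"},
    {"role": "sales_manager", "resource": "sales_statistics_report", "action": "read"},
]
OUTAGES = [(datetime(2014, 3, 4, 22, 0), 45),   # Tue 22:00, 45 min of maintenance
           (datetime(2014, 3, 6, 23, 0), 30),   # Thu 23:00, pushes the week over 60 min
           (datetime(2014, 3, 5, 10, 0), 90)]   # Wed 10:00, 90 min inside business hours
RECORDS = [{"id": i, "inaccurate": i == 7} for i in range(200)]
```

Running `assess(AUDIT_LOG, OUTAGES, RECORDS)` reports requirements 5 and 13/14 as not met and 19 as met, and anyone re-running it on the same data gets the same answer, which is the repeatability the deck asks for.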
41. Conclusions
   - Is AIC necessary?
   - Is AIC sufficient?
   - Is AIC ambiguous?
   - Is AIC useful?
   - Is AIC reproducible / repeatable / automatable?
   - Is AIC good for measurement, communication, management, risk assessment?
42. Learn More
   - Open Information Security Management Maturity Model (O-ISM3): www2.opengroup.org/ogsys/catalog/C102
   - O-ISM3 Resources: www.ism3.com/?q=node/39
   - O-ISM3 Challenge Study: www.slideshare.net/vaceituno/o-ism3-challenge-results-study
43. Vicente Aceituno Canal, vaceituno@inovement.es, ++44 20 8144 8211. © Inovement 2014.