Security Methodology
Richard Baskerville
Outline
• Security Method Design Theories
• Security Method Adaptation
Basic Design Theory in Secure Information Systems Methodology
TFO Assumed in Many Security Method Designs
[Diagram: two mappings. Left (T → O): elements T1, T2, T3, T4 ... Tn map directly onto O1, O2, O3 ... Om. Right (T → F → O): elements T1 ... Tn map through an intermediate layer F1, F2, F3 ... Fl onto O1 ... Om.]
Security Design Methods
• CobIT - Governance
• Octave - Risk Learning (TFO)
• Generic - Cost-Benefit (TFO)
• NIST RMF - Risk-Centered Design
• ISO/IEC 27001 - Quality Improvement
• ITIL - Security as a Service
• CRAMM - Integrated Security (TFO)
Design Theories
CobIT Method Component
Design Theory: Governance
[Diagram: CobIT cycle of Plan & Organize, Acquire & Implement, Deliver & Support and Monitor & Evaluate, driven by Business Objectives & IT Governance, applied to IT Resources and Information, with Control Objectives attached to each of the four domains.]
Octave Method Component
Design Theory: Risk Learning (TFO) (From Christopher Alberts, Audrey Dorofee, James Stevens, Carol Woody, Introduction to the OCTAVE® Approach, August 2003, Software Engineering Institute, http://www.cert.org/octave/pubs.html)
[Diagram: Framework Core]
[Diagram: Notional Information and Decision Flows within an Organization]
ISO/IEC 27001
This standard has evolved toward the development of management systems for information security and provides a stronger basis for third-party audit and certification. It offers a managerially-oriented complement to the technologically-oriented ISO 27002.
Design Theory: Cybersecurity Quality Improvement
Structure of the Information Security Management System (ISMS)
• Leadership - top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities.
• Planning - outlines the process to identify, analyze and plan to treat information security risks, and clarifies the objectives of information security.
• Support - adequate, competent resources must be assigned, awareness raised, and documentation prepared and controlled.
• Operation - a bit more detail about assessing and treating information security risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors).
• Performance evaluation - monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system in order to make systematic improvements where appropriate.
• Improvement - address the findings of audits and reviews (e.g. nonconformities and corrective actions) and make continual refinements to the ISMS.