Finally (IAS101)

The document outlines the concepts of risk management in information assurance and security, emphasizing the importance of managing risk through assessment and treatment techniques such as acceptance, avoidance, mitigation, and transfer. It also discusses trust and assurance in security systems, highlighting the role of trust mechanisms and the trusted computing base. Additionally, it describes the lifecycle management of security systems, detailing stages from evaluation to certification and accreditation.

Uploaded by

teacher27
Copyright: © All Rights Reserved

INFORMATION ASSURANCE AND SECURITY 1
IAS101
Terms: Risk
Viega and McGraw, in Building Secure Software, assert that software and system security is “all about managing risk.”

• Risk is the possibility that a particular threat will adversely impact an information system by exploiting a particular vulnerability. The assessment of risk must take into account the consequences of an exploit.
• Risk management is a process for an organization to identify and address the risks in its environment. There are several risk management frameworks, and each defines a procedure for an organization to follow.
Risk Management Framework:

One particular risk management procedure (from Viega and McGraw) consists of six steps:
• 1 Assess assets
• 2 Assess threats
• 3 Assess vulnerabilities
• 4 Assess risks
• 5 Prioritize countermeasure options
• 6 Make risk management decisions
Risk Treatments
Once the risk has been identified and assessed, managing the risk can be done through one of four techniques:

• Risk acceptance: risks not avoided or transferred are retained by the organization. E.g. sometimes the cost of insurance is greater than the potential loss. Sometimes the loss is improbable, though catastrophic.
• Risk avoidance: not performing an activity that would incur risk. E.g. disallow remote login.
• Risk mitigation: taking actions to reduce the losses due to a risk; many technical countermeasures fall into this category.
• Risk transfer: shift the risk to someone else. E.g. most insurance contracts, home security systems.
Risk Management

The risk treatments (acceptance, avoidance, mitigation, transfer) are with respect to a specific risk for a specific party.
• E.g., buying insurance is risk transfer for you, not
for the insurance company. For the insurance
company, it’s risk acceptance. But they may require
you to take measures to avoid or mitigate their risk.
Mitigation versus Avoidance

There is often confusion about the difference between risk avoidance and risk mitigation.
• Risk avoidance is about preventing the risk from being
actualized. E.g., not parking in a high crime area.
• Risk mitigation is about limiting the damage should the risk
be actualized. E.g., having a LoJack or cheap car stereo.
Note the risk in this case is that your car will be broken into.
Terms: Trust and Assurance
• Trust is a generic term that implies a mechanism in place to provide a
basis for confidence in the reliability/security of the system. Failure of the
mechanism may destroy the basis for trust.
• Trust mechanisms are the security features of a system that provide
enforcement of a security policy.
• The trusted computing base (TCB) is a collection of all the trust
mechanisms of a computer system which collectively enforce the policy.
• Assurance is a measure of confidence that the security features,
practices, procedures, and architecture of a system accurately mediate
and enforce the security policy.
Trust Management
The concept of trust management provides a unified approach to conceptualizing
(parts of) IA. That is, a big part of IA is about controlling interactions among:
• Actions
• Principals
• Policies
• Credentials
Various policy management systems have been built with the goal of formalizing
and describing these relationships: KeyNote (1999) and Extensible Access
Control Markup Language (XACML) (2009). These provide formal mechanisms
for defining policy languages.
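
The interaction of the four elements above, as an added example (not from the original slides, and not KeyNote or XACML syntax): a small Python compliance check in which local policy delegates actions to principals and credentials pass that authority on. The `Assertion` class, the `complies` function, the key names and the sample data are hypothetical, and credential signatures are assumed to have been verified already.

```python
from dataclasses import dataclass

POLICY = "POLICY"  # local root of trust; only local policy may speak as POLICY


@dataclass(frozen=True)
class Assertion:
    authorizer: str      # principal delegating authority
    licensee: str        # principal receiving it
    actions: frozenset   # actions covered by this delegation


def complies(principal, action, policies, credentials):
    """Return True if `action` requested by `principal` is authorized by a
    chain POLICY -> ... -> principal in which every link covers the action."""
    # A credential that claims POLICY as its authorizer is ignored:
    # presenting a credential must never be able to rewrite local policy.
    asserts = [p for p in policies if p.authorizer == POLICY]
    asserts += [c for c in credentials if c.authorizer != POLICY]
    trusted, frontier = {POLICY}, [POLICY]
    while frontier:  # walk the delegation graph; `trusted` also stops cycles
        issuer = frontier.pop()
        for a in asserts:
            if (a.authorizer == issuer and action in a.actions
                    and a.licensee not in trusted):
                trusted.add(a.licensee)
                frontier.append(a.licensee)
    return principal in trusted


# Constructed sample data (assumption, not from the slides).
POLICIES = [Assertion(POLICY, "admin_key", frozenset({"read", "write"}))]
CREDENTIALS = [
    Assertion("admin_key", "alice_key", frozenset({"read"})),      # narrowed delegation
    Assertion("mallory_key", "mallory_key", frozenset({"write"})), # self-issued
    Assertion(POLICY, "mallory_key", frozenset({"write"})),        # forged policy claim
]

if __name__ == "__main__":
    for who, what in [("alice_key", "read"), ("alice_key", "write"),
                      ("mallory_key", "write"), ("admin_key", "write")]:
        print(who, what, complies(who, what, POLICIES, CREDENTIALS))
```
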
Lifecycle

A lifecycle is the process by which an asset is managed from its arrival or creation to its termination or destruction. Software engineering defines several lifecycle models for the development or acquisition of computer software. In a waterfall model, the process is divided into stages performed sequentially:
Requirements → Design → Coding → Testing → Deployment → Production → Decommission
Security Systems Lifecycle Management
Security systems lifecycle management is a process by which the project managers
for a system will ensure that appropriate information assurance safeguards are
incorporated into a system.
The stages leading to acquisition by the government of a secured system might be:
• 1 Evaluation of sensitivity of the application based on risk analysis
• 2 Determination of security specifications
• 3 Design review and perform system tests to ensure safeguards are adequate,
through testing and validation that the product meets specifications
• 4 System certification and accreditation, issuance of a certificate that the system
meets the need and can be procured.
Assurance Requirement
Some indication of various types of lifecycle concerns appears in the Common Criteria
“Assurance Requirements”, including:
Assurance Requirements (2)
END OF OUR FINAL …
NEXT FINAL EXAMINATION ! ! !
