Security Standards and Threat Evaluation
Main Topic of Discussion
– Methodologies
– Standards
– Frameworks
– Measuring threats
  – Threat evaluation
  – Certification and accreditation
IT Governance
A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes.
C&A (Certification and Accreditation)
While the certification and accreditation (C&A) process focuses on federal IT systems that process, store and transmit sensitive information, the associated tasks and subtasks, security controls, and verification techniques and procedures have been defined broadly enough to apply to all types of IT systems, including national security or intelligence systems, if so directed by the appropriate authorities.
Standards in Assessing Risk
– Need a way to measure risk consistently
– Need to cover multiple geographies
– Needs to scale
– Newly forming
– Teaching
Methodologies
A body of practices, procedures and rules used by those who engage in an inquiry
– Can include multiple frameworks
– Overall approach used to measure something
– Repeatable
– Utilizes standards
Standards
– Something that is widely recognized or employed, especially because of its excellence
– An acknowledged measure of comparison for qualitative or quantitative value
– Many different types of standards exist, even for the same elements that need to be measured
Framework
A set of assumptions, concepts, values and practices that constitutes a way of viewing reality
– Building block for crafting an approach
– Encapsulates elements for performing a task
– Acts as a guide: details can be plugged in for specific tasks
Standards
– COBIT
– ISO/IEC 17799
– Common Criteria
– NIST
COBIT
Control Objectives for Information and related Technology (www.isaca.org)
Framework, standard or good practice? Includes:
– Maturity models
– Critical success factors
– Key goal indicators
– Key performance indicators
COBIT
COBIT is structured around four domains of IT management, which together contain 34 IT processes:
1. Planning and organization
2. Acquisition and implementation
3. Delivery and support
4. Monitoring
ISO/IEC 17799
"A detailed security standard" with ten major sections:
– Security policy
– Security organization
– Asset classification
– Personnel security
– Physical and environmental security
– Computer and network management
– System access control
– System development and maintenance
– Business continuity planning
– Compliance
ISO/IEC 17799
– Most widely recognized security standard
– Based on BS 7799 (Part 1), last published in May 1999, and adopted internationally as ISO/IEC 17799 in 2000
– Comprehensive security control objectives
– UK-based standard (originally from the British Standards Institution)
SSE-CMM (Systems Security Engineering Capability Maturity Model) and the CIA Triad
Defines the "triad" as six items, the classic CIA triad plus three more:
– Confidentiality
– Integrity
– Availability
– Accountability
– Privacy
– Assurance
Common Criteria
– Grew out of the 1980s TCSEC standard (the Orange Book)
– International standard: ITSEC (Europe, including the UK), TCSEC (US) and CTCPEC (Canada) were combined into the Common Criteria (version 1.0, 1996), later published as ISO/IEC 15408
– NIAP: National Information Assurance Partnership, http://niap.nist.gov/
Common Criteria
11 functional classes (CC Part 2; TOE = target of evaluation):
– Security audit (FAU)
– Cryptographic support (FCS)
– Communication (FCO)
– User data protection (FDP)
– Identification and authentication (FIA)
– Security management (FMT)
– Privacy (FPR)
– Protection of the TOE security functions (FPT)
– Resource utilisation (FRU)
– TOE access (FTA)
– Trusted path/channels (FTP)
Threat Approach
Threat Evaluation
Evaluation of the level of threat to an asset. Based on:
– Visibility, inherent weakness, location, personal/business value
Method:
– Determine the threats to assets (and the assets' importance)
– Determine the cost of countermeasures
– Implement countermeasures to reduce the threat
Threats
– Activity that represents possible danger
– Can come in different forms
– Can come from different places
– Can't protect against all threats
– Protect against the most likely or most worrisome, i.e. threats to:
  – Business mission
  – Data (integrity, confidentiality, availability)
Vulnerability Assessment
Evaluation of weakness in an asset. Based on:
– Known published weaknesses
– Perceived / studied weaknesses
– Assessed threats
Method:
– Determine the threats relevant to the asset
– Determine vulnerability to those threats
– Determine vulnerability to theoretical threats
– Fortify against, or accept, the vulnerabilities
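The two methods above, threat evaluation (threats and their importance, cost of countermeasures, reduce the threat) and vulnerability assessment (threats relevant to an asset, then fortify or accept), can be run as one small quantitative model. The Python below is an added example written for this page; it is not part of the original slides nor of any of the standards named here. The assets, threats, countermeasures and every number attached to them are constructed for illustration, and so are the modelling choices: averaging visibility, inherent weakness and location into one exposure factor, compounding independent controls multiplicatively, and choosing countermeasures greedily by risk reduction per unit of cost until the budget runs out. Whatever expected loss remains after the budget is spent is the risk the organisation is accepting.

```python
"""Threat evaluation and countermeasure selection (illustrative, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float          # business value, in money units
    visibility: float     # 0..1: how widely known / reachable the asset is
    weakness: float       # 0..1: inherent weakness of the asset
    location: float       # 0..1: exposure of where it sits (1.0 = internet-facing)
    threats: frozenset    # names of the threats judged relevant to this asset


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float     # 0..1: chance of an attempt per year
    impact: float         # 0..1: fraction of asset value lost if it succeeds


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float
    covers: frozenset     # threat names this control mitigates
    effectiveness: float  # 0..1: fraction of otherwise-successful attacks it stops


def exposure(asset: Asset) -> float:
    """Fold the slide's factors (visibility, weakness, location) into one 0..1 multiplier (assumed model)."""
    return (asset.visibility + asset.weakness + asset.location) / 3.0


def combined_effectiveness(threat_name: str, chosen: list) -> float:
    """Independent controls compound: what gets through is the product of what each lets through."""
    passthrough = 1.0
    for cm in chosen:
        if threat_name in cm.covers:
            passthrough *= 1.0 - cm.effectiveness
    return 1.0 - passthrough


def expected_loss(asset: Asset, threat: Threat, chosen=()) -> float:
    """Annualised expected loss for one (asset, threat) pair given the chosen controls."""
    eff = combined_effectiveness(threat.name, list(chosen))
    return asset.value * threat.impact * threat.likelihood * exposure(asset) * (1.0 - eff)


def risk_table(assets, threats, chosen=()):
    """(asset, threat, expected loss) for every relevant pair, highest loss first."""
    by_name = {t.name: t for t in threats}
    rows = [(a.name, tn, expected_loss(a, by_name[tn], chosen))
            for a in assets for tn in sorted(a.threats)]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def total_risk(assets, threats, chosen=()) -> float:
    return sum(r[2] for r in risk_table(assets, threats, chosen))


def select_countermeasures(assets, threats, candidates, budget):
    """Greedy: keep buying the affordable control with the best risk reduction per unit cost."""
    chosen, remaining, pool = [], budget, list(candidates)
    while True:
        current = total_risk(assets, threats, chosen)
        best, best_ratio = None, 0.0
        for cm in pool:
            if cm.cost > remaining:
                continue
            reduction = current - total_risk(assets, threats, chosen + [cm])
            if reduction / cm.cost > best_ratio:
                best, best_ratio = cm, reduction / cm.cost
        if best is None:            # nothing affordable still reduces risk: stop and accept the rest
            return chosen, remaining
        chosen.append(best)
        pool.remove(best)
        remaining -= best.cost


# Constructed sample inventory (not real figures).
ASSETS = [
    Asset("customer portal", 1_000_000, 0.9, 0.6, 0.9, frozenset({"SQL injection", "ransomware"})),
    Asset("HR file share", 200_000, 0.2, 0.5, 0.2, frozenset({"ransomware", "insider misuse"})),
]
THREATS = [
    Threat("SQL injection", likelihood=0.5, impact=0.4),
    Threat("ransomware", likelihood=0.2, impact=0.8),
    Threat("insider misuse", likelihood=0.1, impact=0.5),
]
CANDIDATES = [
    Countermeasure("web application firewall", 20_000, frozenset({"SQL injection"}), 0.7),
    Countermeasure("parameterised queries", 50_000, frozenset({"SQL injection"}), 0.9),
    Countermeasure("offline backups", 30_000, frozenset({"ransomware"}), 0.6),
    Countermeasure("DLP monitoring", 40_000, frozenset({"insider misuse"}), 0.5),
]


def evaluate(budget=60_000):
    """Run threat evaluation, pick controls within budget, report the accepted residual risk."""
    before = total_risk(ASSETS, THREATS)
    chosen, unspent = select_countermeasures(ASSETS, THREATS, CANDIDATES, budget)
    after = total_risk(ASSETS, THREATS, chosen)
    return {"before": before, "after": after, "chosen": [c.name for c in chosen], "unspent": unspent}


if __name__ == "__main__":
    for asset, threat, loss in risk_table(ASSETS, THREATS):
        print(f"{asset:18} {threat:16} {loss:>12,.0f}")
    print(evaluate())
```

With the constructed numbers the greedy pass buys the web application firewall first (the best reduction per unit cost), then the offline backups, and stops with 10,000 unspent because no remaining control fits; expected loss drops from 300,600 to 106,040 and that residual is what is being accepted. The compounding rule in `combined_effectiveness` is why stacking the firewall with parameterised queries (0.97 combined) would beat either alone if the budget allowed both, and it is also the place to be honest about controls that are not independent.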