
Bridging the Policy Gap in Trust Evidence


Presentation Transcript


  1. Bridging the Policy Gap in Trust Evidence Project Overview Hanover, NH March 31, 2011

  2. Table of Contents
     • Project Overview
       • Context
       • Goal
       • Scope
       • Expected Results
     • Project Plan
       • Work Packages
       • Time Frame
     • Engagement with Business Communities
       • Approach
       • Interview Guide
       • Benefits for Participants
     • Acknowledgement
     • Contact Information

  3. Project Overview: Context
     • 60 percent of all companies perceive an increased risk level due to new developments such as social networking, cloud computing, and personal devices in the enterprise.1
     • Enterprises must prove trust to regulators, external business partners, and themselves.
     • Trust in data, networks, and clients is to a large extent an organizational and behavioral concept, not so much a technical one.
     1) Ernst & Young: Borderless security. Ernst & Young's 2010 Global Information Security Survey. EYGM Limited, 2010.

  4. Project Overview: Goal
     • Understand the security and trust properties companies want to have in their systems.
     • Understand how companies communicate these properties to the systems (if possible at all) and how companies then verify that the systems have the properties.

  5. Project Overview: Scope
     [Diagram "Project Scope": a human produces a policy that the system enforces; the system produces an attestation from which the human draws conclusions. Policy and attestation together form the trust evidence. The central question is whether the human's mental model of the system's trust-relevant behavior is equivalent to the system's actual trust-relevant behavior. The project's scope today is the human side: policy and the conclusions drawn from attestation.]
     • Don't think of what is easy for the machine to do. Instead, let policy engineering be driven by what business users require and perceive.

  6. Project Overview: Expected Results
     • Analysis of requirements and constraints of business communities for policy engineering and trust evidence
     • Assessment of current practice (e.g. SELinux) and experimental approaches (e.g. Trust Distribution Diagrams) against the requirements
     • Example user studies

  7. Project Plan: Work Packages
     1 Business & Organizational Needs (focus of this presentation)
       • Identify communities of real-world stakeholders:
         • Chief information security officers
         • Business analysts
         • Business process experts
         • Information security architects
       • Identify use cases
       • Conduct expert interviews, gather data
       • Prepare mini case studies
     2 Trust Evidence Languages
       • Identify sample languages for trust evidence
       • Current practice:
         • SELinux hooks
         • TCG attestation
       • Experimental approaches:
         • Property-based attestation and semantic remote attestation
         • DTrace-based characterizations of run-time behavior
         • Trust distribution diagram (TDD)
     3 Assessment of Effectiveness
       • Study effectiveness of these languages for these communities to talk about these trust properties
       • Identify future directions of research
     Legend: Focus of this presentation.

  8. Project Plan: Time Frame (Q1/2011 to Q4/2011)
     • WP 1: Business and Organizational Needs
       • Design interview guide
       • Prepare interviews
       • Conduct interviews
       • Document results
     • WP 2: Trust Evidence Languages
     • WP 3: Assessment of Effectiveness

  9. Engagement with Business Communities: Approach
     Overall Methodology
       • Qualitative research
       • Mini-case studies based on expert interviews (telephone)
       • Interview guideline (10 pages) as a baseline
       • No publication of any information without prior approval
     Target Group
       • 8 to 10 multinational enterprises from different industries
       • 2 to 3 roles per company:
         • Chief Information Security Officer (CISO)
         • Information Security Architect/Responsible
         • Information Security Technology Expert
     Engagement Process
       • Step 1 (Interviews):
         • 1 interview (approx. 1 to 2 hours) with CISO
         • 1 to 2 interviews (approx. 1 to 2 hours) with further roles
       • Step 2 (Protocols):
         • Transcription of interview recordings
         • Creation of protocols and submission for approval to interviewees
       • Step 3 (Final documentation):
         • Creation and submission for approval to CISO
     Effort of Participation
       • 4 to 12 hours (depending on number of interviewees)

  10. Engagement with Business Communities: Interview Structure
     • Trust Evidence Scenarios
     • Strategic and Environmental Context
     • Organizing Information Security Management
     • Information Systems Perspective
     • Information Technology and Sources of Trust Evidence

  11. Engagement with Business Communities: Benefits for Participants
     • Reflection of own approach within the peer group
     • Reflection of own approach against an external perspective
     • Access to leading-edge research knowledge
     • Results will be made available to all participants in Q3/2011

  12. Acknowledgement
     • This project is supported by a research grant from Intel Corporation.

  13. Contacts
