
Information Assurance (IA) Design Framework

Information Assurance (IA) Design Framework. Jim Ross, CISSP (Boeing) Chair, Information Assurance Working Group January 22, 2007. Approved for Public Release Jan 07-107. IA Issues with Typical Design Process. Most System and Software Engineers are not Security Engineers


Presentation Transcript


  1. Information Assurance (IA) Design Framework. Jim Ross, CISSP (Boeing), Chair, Information Assurance Working Group. January 22, 2007. Approved for Public Release Jan 07-107

  2. IA Issues with Typical Design Process
     • Most System and Software Engineers are not Security Engineers
         • Often not aware of the security consequences of their designs
     • No standard methodology for incorporating security into designs
     • No standard language to convey security design requirements to systems or software engineers
     • Typical Security Design Process consists of:
         • Rigorous software development process (e.g. Software Assurance)
         • Oriented towards software maintainability and quality (not security design)
         • Makes secure code but no help in designing secure architectures
         • IA is added after the system functionality is established
         • IA is not integral to the initial system design
         • “Penetrate and Patch”
         • As vulnerabilities are discovered they are fixed after the system design is completed

  3. IA Design Methodology for NCO
     • Must support Spiral/Evolutionary Development cycles
         • Early functionality and prototypes required
         • Incremental IA capabilities to keep pace with functional growth
     • Must support a Systems of Systems design approach
         • Facilitates spiral development
         • Uses modeling methods to develop and validate designs early
         • Support SoS interoperability not just system integration (no more “stovepipes”)
     • Must integrate IA early in the design cycle
         • The longer IA is put off the more program risk is assumed
     • Must provide design for IA Certification & Accreditation (C&A)
         • IA must be designed-in (and not patched-in) to meet C&A requirements
         • Early insight into the IA design to address issues (reduce C&A risks)
         • Clearly communicate IA design to customer and C&A Authorities

  4. Models, Architectures and Implementations: A Model Driven Architecture (MDA) Approach to IA Design
     [Diagram. Labels: Reference Model; Reference Architecture; Architecture; Implementation; Extended McCumber Model (shown on next page); IA Design Framework; Abstract; Implementation Specific; Concrete]

  5. Extended McCumber IA Model IA Design Framework

  6. Development Process
     [Diagram: IA Design Framework Development Process, marked "START HERE". Numbered stages: (1) IA Decomposition; (2) Component Modeling; (3) Model Verification & Validation; (4) Pattern Development/Discovery; (5) Common Component Library]

  7. IA Decomposition

  8. Sample Section of the IA Decomposition Document

  9. Sample Section of the IA Decomposition Document

  10. Sample Section of the IA Decomposition Document

  11. SysML with IA Extensions Proposed to Meet Design Needs
     • Support Spiral/Evolutionary Development cycles
         • SysML allows a top down approach adding more detail and functionality as the system design matures
         • Early spirals might not have the complete IA system but the framework will exist and can mature with each spiral.
     • Support a Systems of Systems design approach
         • SysML is designed for systems modeling and is being extended for modeling of Systems of Systems

  12. SysML with IA Extensions Proposed to Meet Design Needs
     • Integrate IA early in the design cycle
         • IA framework supports spiral development, and can be incorporated very early in the system design even if the IA design is not complete
         • The design can be shared with other system architects in a common Model “language”
     • Provide design for IA Certification & Accreditation (C&A)
         • IA requirements should be modeled prior to implementation and reviewed for correctness
         • Changes to the IA requirements could then be applied to the model showing functionality and cost impacts
         • Better understanding of the security design by all parties reduces program risk and cost
