A Comprehensive View Of Information Security
Presentation Transcript

  1. A Comprehensive View Of Information Security • Hasan Sayani, Ph.D. • Jim Chen, Ph.D. • Mary Hoferek, Ph.D.

  2. Introduction • Addressing the View Point of Development • Not Conventional Operational View • Protection, Intrusion Detection, Forensics • Build a More Secure Information System

  3. Life Cycle of Development

  4. Basis for Discussion • Life Cycle of Development • Classical • Variations (evolutionary, iterative, RAD, Re-Use Based, Domain Engineered, Extreme) • Perspective in This Paper

  5. Meta Model of IS

  6. Basis For Discussion (Contd.) • Conceptual Meta Model of Information Systems by Their Dominant Characteristic • Data • Activity • Control • Constraint • Strategy for Selecting a Characteristic as a Starting Point, or a Surrogate

  7. Boundaries of a System

  8. Boundaries of a System and Its Activities • Processes are Activities Inside the System • Externals are Activities Outside the System • Distinction between Processes and Interfaces • Locus of Control

  9. Boundaries of a System and Its Activities (Contd.) • Variations Due to Service-Oriented Applications (SOA) • Impact on Views Sent and Received • Treatment of physical devices • (Computers (Servers, Clients), Storage Devices, Networks, People, and the housing of these)

  10. Focus by Following Data View as System Gets Developed • Definition of Data View • Intrinsic (“Atomic”) View of an “Entity” with Properties & Identifier(s) • Super/Sub Types/Classes • The Contents Matrix • Associative View (Contextual) – Affected by Roles Played by an Entity • (View Meta-meta Model)

  11. Focus by Following Data View as System Gets Developed (Contd.) • Interaction of Data View with Activities • The Data/Activity Interaction Matrix + Mode • C R U D

  12. Security Driven by the Need to Handle Threats • Definition of a Threat • Risk Posed by Threat • Computation of Risk • Probability of Occurrence × Cost of Occurrence • Risk Management Principles • Identify • Rate • Monitor • Mitigate

  13. Thesis of Paper • Data View as the Target of a Threat • Identify Vulnerabilities at Earliest Phase of the Life Cycle • External • e.g., via Use Cases • Internal • e.g., via Incidence Matrix (Process vs. View)

  14. Thesis of Paper (Contd.) • Cross-check by Using • ConOps (Story Telling!) • Requirements Reading

  15. Thesis of Paper (Contd.) • Follow them as the System Goes Through its Life Cycle • Views May be Synthesized, or Projections Formed • Activities May be Grouped or partitioned • Use of Patterns to Reduce New Errors • Activities May be Assigned to external Service Providers (as in SOA) • Other Physical Allocations • Threats Must be Followed Across Development • To Assure That no New Vulnerabilities are Created, • Or, if so, They are Analyzed and Mitigated • Existing Vulnerabilities are monitored

  16. At the Completion, Traditional V & V Needs to be Augmented • To Verify that All Threats Have Been Addressed • And that no New Ones have Surfaced in the Interim • To Make Sure That a Risk Management Program is in Effect

  17. At the Completion, Traditional V & V Needs to be Augmented • To establish a (Security) Confidence Level in the Delivered System • Also appropriate When Buying COTS (Commercial Off the Shelf) Products • Ideally, the System Should Also be Tested Against Known Vulnerabilities

  18. Maintenance • Same Care Needs to be Taken During Maintenance

  19. Effect of Trends in Industry • (SOA) • Outsourcing • Data Warehousing • Data Mining • Regulations (e.g., Electronic Health Records, Sarbanes/Oxley)