Presentation is loading. Please wait.

Presentation is loading. Please wait.

OMG Technical Meeting - March 2013 Presentation to UPDM Group Security View.

Published byLucy Megan French Modified over 7 years ago

Similar presentations

Presentation on theme: "OMG Technical Meeting - March 2013 Presentation to UPDM Group Security View."— Presentation transcript:

1 OMG Technical Meeting - March 2013 Presentation to UPDM Group Security View

2 Agenda Introduction –Presentation Objectives –Background Overview Security View Details Next Steps Q&A 2

3 Presentation Objectives Introduce DRAFT Security View For each sub-view: –Purpose, Description, Concepts –Conceptual Architecture & Deliverables –Sample attribution template Convey essence and flow of security lifecycle; Our road ahead for SecV 3

4 BackgroundDrivers “Security at the front” not as an afterthought Information & IT Security Capability –confidentiality, integrity, availability, non- repudiation, and audit-ability –of defence information and the supporting systems and networks. Pan-enterprise Security

5 BackgroundCollaborators Security is “special” –normally involves Specialists –has unique perspectives IM & IT Security at the forefront Key Collaborators: –IM & IT Security (D IM Secur) –IT Engineering & Integration (DIMEI)

6 BackgroundOutcome Redesign and partitioning of SecV-1 into 1a and 1b No change to existing SecV-2 and 3 Discovery of new business requirements leading to SecV-4, 5, 6 & 7

7 Overview Draft Sub-views SecV-1a: Asset Security Domain & Valuation Rating SecV-1b: Asset-at-Node Security Strength Requirement SecV-2: Data Element Security Matrix SecV-3: Aggregated Information Security Matrix SecV-4: Security Control Specification SecV-5: Security Control Profile SecV-6: Security Control Service Profile SecV-7: Asset-At-Node Threat Mitigation

8 8 Security Methodology (1/1) SecV-1a Asset Security Domain & Valuation Rating SecV-1b Asset-at- Node Security Strength Requiremen t SecV-2 Data Element Security Matrix SecV-3 Aggregated Information Security Matrix Conduct Asset Sensitivity; Assign Security Domain & Valuation Rating Conduct TRA; Assign Security Strength Requirement Assess IERs and SDEs; Assign Security Classification Register Classified Data Element Combinations Asset Classification and Valuations Lists TRA Results and Security Strength Requirements Resource Flow & IER & SDE Assessments Data Element Combinations Risk Register

9 9 Security Methodology (2/2) SecV-4 Security Control Specificatio n SecV-5 Security Control Profile SecV-6 Security Control Service Profile SecV-7 Asset-at- Node Threat Mitigation Define Security Controls (CSEC & DND) Establish Security Control Profile for Asset (FoS) & Asset-at-Node Define Security Services; Establish Security Control Service Profile Establish Security Services to address Asset-at-Node Security Needs Security Control Taxonomy Security Control Profile for Asset & Asset-at-Node Security Service Taxonomy & Service Profiles Asset-at-Node Threat Mitigation Specification

10 10 SecV-1a Purpose SecV-1a : Asset Security Domain and Valuation Rating The Asset (typically a member at some level of abstraction within the Asset FoS – Family of Systems) would undergo an Asset Sensitivity Analysis; the resulting Statement of Sensitivity is described and referenced in SecV-1a. Based on the sensitivity analysis, the Security Officer determines and assigns a Security Domain to the Asset. The DND Security Officer is also able to assign a Valuation Rating (Very Low to Very High) to the Asset.

11 Asset within FoS Structure 11 Asset MaterielSystemPersonnelCash Weapons IT System e.g. SAP Communications SAP Sub-System A/R SAP Sub-System G/L SAP Sub-System Payroll SAP Application Module G/L 01 SAP Application Module G/L 02 SAP Application Module 03

12 Security Classification Taxonomy Security Domain (e.g.) UNCLASSIFIED PROTECTED A PROTECTED B PROTECTED C CONFIDENTIAL SECRET TOP SECRET … Security Caveat (e.g.) CANUK NATO AUSCANNZUKUS CANUS FOUR EYES FIVE EYES …

13 13 SecV-1a Conceptual Model Asset (FoS) Cash Valuation Rating Asset Statement of Sensitivity Real Property Information Equipment Personnel Systems INCLUDES Determines Resource Sub Types Recommends Security Domain Results in ClassifiesValues

14 SecV-1a Attribution Template Example: Data Collection Dialog for Asset Valuation and Security Classification

15 15 SecV-1b Purpose SecV-1b: Asset-At-Node Security Strength Requirement The logical Asset –classified & valued via SecV-1a –“deployed” (assigned) to a Node (OV-2) –Initiates a Threat Risk Assessment (TRA) being –now referred to as Asset-At-Node. SecV-1b enables the capture of relevant information from the TRA, including links to threats, vulnerabilities, impacts, and control objectives. The TRA enables the DND Security Officer to assign a Security Strength Requirement Rating to the Asset at Node.

16 16 SecV-1b Conceptual Model Asset-at-Node Threat Risk Assessment (TRA) Assigned to Operational Node Refer OV-2 Asset Node Recommends Security Control Objectives Security Strength Requirement Matrix Exposure Impact Determines Assignment of Asset to Node Initiates 33444555 33444555 33333444 22222444 11112333 11112233

17 SecV-1b Attribution Template Example: Data Collection Dialog for Asset@Node TRA and Security Strength Requirement

18 SecV-2 Purpose 18 SecV-2 – Data Element Security Matrix The OV-3 and SV-6 sub-views require that the security parameters of each Information Exchange Requirement (IER) and System Data Exchange (SDE) be analyzed and documented. The security classification of an IER or SDE is based on the fact that it contains one or more data elements of that security level. SecV-2 enables the security classification and requirements of the set of data elements that comprise the IER or SDE. Covers both privacy and national security issues.

19 SecV-2 Data Model (DADM) 19

20 SecV-3 Purpose SecV-3 – Aggregated Information Security Matrix Aggregation of Data can result in higher classified Information Registration of Data Element Combinations Potential for security issues is captured “Some analysis required” 20

21 SecV-3 Data Model (DADM) 21

22 22 SecV-4 Purpose SecV-4 Security Control Specification SecV-4 enables definition and maintenance of Security Controls in a taxonomy Security Controls –reusable objects that can be shared –and associated to Assets; Allows Security Control XREF to policies, legislation and regulations, standards, other knowledge artifacts, e.g.: –ITSG 33 Annex 3 (CSEC) –NIST 800-53 Rev 3

23 23 SecV-4 Conceptual Model Security Control Security Control Class XREF links to Knowledge Artifacts in Corporate Memory, Web or elsewhere Security Control Family Organizes Comprises Links INCLUDES: Management Technical Operational For Example: Access Control Awareness and Training Personnel Security For Example: AC 17 – Remote Access

24 SecV-4 Attribution Template Example: Data Collection Dialog for Security Control Specification

25 25 SecV-5 Purpose SecV-5: Security Control Profile SecV-5 enables the association of Security Controls that are applicable to an Asset (FoS). –This is referred to as the Asset Security Control Profile. SecV-5 further allows the Security Officer to create and maintain a similar Profile for the Asset-At-Node; –The Asset-at-Node would automatically inherit (as default) the Asset Security Control Profile as a starting point. –The end result is titled the Asset-At-Node Security Control Profile.

26 26 SecV-5 Conceptual Model Security Control Asset Security Control Profile Asset (FoS) Asset-At-Node Security Control Profile Refers Selects Deployed to Identifies Requires Asset Node

27 SecV-5 Attribution Template Example: Data Collection Dialog for Security Control Profile

28 28 SecV-6 Purpose Sec V-6: Security Control Service Profile SecV-6 does two distinct things: –enables the specification and maintenance of the Security Service –links a subset of Security Services to a Security Control; this is referred to as the Security Control Service Profile. Security Services –reusable security mitigation mechanisms. –can be automated or manual –automated security services can be further defined in terms of its hardware and software components.

29 29 SecV-6 Conceptual Model (1/2) Automated Security Service Software Component Security Service Comprises Non-Automated Security Service Hardware Component Sub-Type

30 SecV-6(1) Attribution Template Example: Data Collection Dialog for Security Service Specification

31 31 SecV-6 Conceptual Model (2/2) Security Service Security Control Service Profile Security Control (SecV-4) Mitigated By Manages

32 SecV-6(2) Attribution Template Example: Data Collection Dialog for Service Control Service Profile

33 33 SecV-7 Purpose SecV-7: Asset-At-Node Threat Mitigation SecV-7 enables creation and maintenance of an Asset-At-Node Threat Mitigation Package: –comprises a subset of Security Services needed by the Security Controls to protect the Asset-at-Node. –Selection is influenced by the Strength Requirement Rating

34 34 SecV-7 Conceptual Model Asset-at-Node Threat Mitigation Package Security Service Selects Requires Security Control Service Profile Refer SecV-5 Asset-At-Node Security Control Profile Security Control Mitigation Security Control Service Refer SecV-6 Influences Comprises Refer SecV-4 Refer SecV-1b Asset Node Asset-At-Node Security Strength Requirement

35 Example: Data Collection Dialog for Threat Mitigation Package SecV-7 Attribution Template

36 Security Control Refer SecV-4 TRA Asset-at-Node Security Control Profile Refer SecV-5 Asset Security Control Service Refer SecV-6 (2) Refer SecV-6 (1) Security Control Service Profile Asset-At-Node Mitigation Lifecycle Deployed to Asset Node Refer SecV-1a Asset Security Control Objectives Refer SecV-1b Asset-At-Node Security Strength Requirement Asset-at-Node Threat Mitigation Pkg Refer SecV-7 Mitigated By Influences Required by has Establishes Determines

37 Road Ahead Theoretical product, at this point Much work remains –ensure responsive to needs –Confirm concepts are valid, not redundant Validation effort initiated Update at next meeting in June. 37

38 Security View Road Map FOCIOC S Preliminary Development Work 2012 Today Presentation of Draft to OMG Testing and validation Finalize Security Views Presentation of Final to OMG Implement SecV in Qualiware ACTIVITY 2013 JONDFMAMJJASONDJFMAMJJASOND 2014 EA 15 Mar Publish SecV in DNDAF

39 Q&A Looking for Feedback and Encouraging Wider Collaboration Contacts: VINCENT.QUESNEL@forces.gc.a EA Programme Support (613) 993-6164 GREG.ERICKSON@forces.gc.ca EA Development (613) 990-8341 39

40 SecV-1a Class Diagram 40

41 SecV-1b Class Diagram 41

42 SecV-2 Class Diagram 42

43 SecV-3 Class Diagram 43

44 SecV-4 Class Diagram 44

45 SecV-5 Class Diagram 45

46 SecV-6 Class Diagram 46

47 SecV-7 Class Diagram 47

Download ppt "OMG Technical Meeting - March 2013 Presentation to UPDM Group Security View."

Similar presentations

Module N° 4 – ICAO SSP framework

Module N° 4 – ICAO SSP framework
Privacy By Design Sample Use Case

Privacy By Design Sample Use Case
Human Views for MODAF Dr Anne Bruseberg Systems Engineering & Assessment Ltd, UK on behalf of the Human Factors Integration Defence Technology Centre.

Human Views for MODAF Dr Anne Bruseberg Systems Engineering & Assessment Ltd, UK on behalf of the Human Factors Integration Defence Technology Centre.
Ninth Lecture Hour 8:30 – 9:20 pm, Thursday, September 13

Ninth Lecture Hour 8:30 – 9:20 pm, Thursday, September 13
<<Date>><<SDLC Phase>>

<<Date>><<SDLC Phase>>
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Summer 200811 IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.

Summer IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.
Security Controls – What Works

Security Controls – What Works
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
MS DB Proposal Scott Canaan B. Thomas Golisano College of Computing & Information Sciences.

MS DB Proposal Scott Canaan B. Thomas Golisano College of Computing & Information Sciences.
EEN [Canada] Forum Shelley Borys Director, Evaluation September 30, 2010 Developing Evaluation Capacity.

EEN [Canada] Forum Shelley Borys Director, Evaluation September 30, 2010 Developing Evaluation Capacity.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.

© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Risk Management.

Risk Management.
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
The Software Product Life Cycle. Views of the Software Product Life Cycle  Management  Software engineering  Engineering design  Architectural design.

The Software Product Life Cycle. Views of the Software Product Life Cycle  Management  Software engineering  Engineering design  Architectural design.
IS&T Project Management: Project Management 101 June, 2006.

IS&T Project Management: Project Management 101 June, 2006.
Enterprise Architecture

Enterprise Architecture
Privacy By Design Sample Use Case Privacy Controls Insurance Application- Vehicle Data.

Privacy By Design Sample Use Case Privacy Controls Insurance Application- Vehicle Data.

Similar presentations

Ads by Google