
Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id # 993923182.


2 Security Engineering “Security engineering is a specialized field of engineering that deals with the development of detailed engineering plans and designs for security features, controls and systems.” (Wikipedia) It helps build systems that remain dependable in the face of malice or error.

3 Most organizations tend to neglect the security requirements needed to keep their systems safe. Security requirements are usually considered at the end rather than during the early analysis and design phases.

4 Control Objectives Environmental context of the information system

5 Control Objectives (contd…) Information contained within the system

6 Control Objectives (contd..) Physical assets of the system

7 Information Security Objectives: Security Objectives Assurance Objectives

8 Security Control Objectives Confidentiality Authentication Availability Integrity Non-repudiation

9 Confidentiality Ensures information is not accessible by unauthorized users Protects assets of a computing system For example: Giving out confidential information over the phone to someone who’s not authorized

10 Authentication Ensures that the users are the right people. Information is in the right hands and the assets are being used in an authorized manner. For example: Passwords, digital certificates, smart cards

11 Availability Ensures information is accessible to authorized users and is available when needed. For example: Access to a database as and when required. A denial of service (DoS) is a violation of this objective.

12 Integrity Ensures that data cannot be created, deleted or modified without authorized access to it. For example: A database is not properly shut down before maintenance is performed. An employee intentionally modifies or deletes important data.

13 Non-repudiation It is the proof of the identity of the sender and the recipient. For example: E-commerce uses digital signatures and encryption.

14 Assurance Control Objectives Management functions Involve security policies, the information security plan, risk management and personnel security.

16 Assurance Control Objectives Configuration Management Personnel Management Vulnerability Management Software Development Management Verification Management

17 Requirements Legacy Systems: used by some organizations where nothing else can be implemented. User Documentation: includes detailed system requirements. The engineer is expected to look through the requirements specification in order to derive the system’s security requirements.

18 Security Standards “Prescribed configuration and practices that improve the security of IT systems.” (Wikipedia) Standards are used by both government and user organizations.

19 Security Models

20 The Common Criteria Provides assurance that the specification, implementation and evaluation of a security product are conducted in a standard manner.

21 The Common Criteria (contd..)

22 Functional requirements include: Authentication Resource utilization Privacy Protection of TOE Trusted channels Security Management

23 ISO/IEC 17799 Addresses good security policies Does not provide detailed instructions Gives a high-level overview of the security requirements that serve as a baseline

24 ISO/IEC 17799 (contd..) Personnel Security Compliance Access Control Organizational security infrastructure and policy Physical and environmental security Operations Management etc.

25 The Capability Maturity Model Integrated (CMMI) Includes practices for process improvement Manages development and maintenance of products Helps periodically measure improvement ‘Assessment’ model: determines the level at which the organization currently stands

26 CMMI

27 SSE-CMM The System Security Engineering Capability Maturity Model Describes the essential characteristics of an organization’s security engineering process Covers the entire system life cycle of a product: concept definition, requirements analysis, design, development, integration, installation, maintenance, etc.

28 SSE-CMM (contd..) Organizational engineering activities Interactions within the organization, such as with systems software, hardware, system management, operation and maintenance Interactions with other organizations, such as system management, certification and evaluation of policies

29 Cost-benefit analysis It is important for an organization to balance effective security policies, optimal performance and affordable cost. Which security policies are implemented depends on how often an attack is expected.

30 Cost-benefit analysis (Contd..) It is difficult to analyze whether a certain investment in a security policy would give the expected returns.


32 References
http://en.wikipedia.org/wiki/Security_engineering
http://www.albion.com/security/intro-4.html
http://en.wikipedia.org/wiki/Information_security#Integrity
http://ieeexplore.ieee.org/iel5/4021173/4021174/04021255.pdf?isnumber=4021174&prod=CNF&arnumber=4021255&arSt=482&ared=488&arAuthor=Sung-il+Han%3B+Kab-seung+Kou%3B+Gang-soo+Lee
http://www.mantagroup.com/html/images/wp-0506102.gif
http://ieeexplore.ieee.org/iel5/4301108/4301109/04301148.pdf
http://www.cs.cmu.edu/~shawnb/SAEM-ICSE2002.pdf

33 References (Contd..)
http://en.wikipedia.org/wiki/Information_security
http://en.wikipedia.org/wiki/Legacy_system
http://en.wikipedia.org/wiki/Common_Criteria
http://www.iso15408.net/15408presentation.htm (image: http://www.iso15408.net/pps18.gif)
http://www.opengroup.org/architecture/togaf8-doc/arch/chap27.html
http://www.boldtech.com/images/cmmi.jpg
http://www.sse-cmm.org/model/model.asp

34 Thank You !

