Introduction
Information security is becoming ever more critical to modern-day organizations, particularly as they grow more reliant on information technology. Organizations, private or public, seek to develop and exploit their information resources in a controlled environment that ensures optimum security. This means that organizations must at all times adopt measures that prevent the unauthorized use, abuse, modification or denial of use of such information. The measures taken must enhance or maintain the confidentiality, integrity, and availability of the information. It is also vital in most cases that the receiver can authenticate the source of the information. Non-repudiation is another aspect of information security that is critical in certain situations, such as financial transactions. To maintain a secure information infrastructure, organizations must apply a number of engineering principles throughout the life cycle of the information system. If properly selected and applied, these principles provide a well-structured and consistent foundation for a secure information system, which is necessary to meet the challenges of present-day and future security threats. NIST Special Publication 800-27 [1] lists some thirty-three engineering principles that can be applied to the system life cycle phases of initiation, development/acquisition, implementation, operation/maintenance and disposal. The various principles are discussed in this paper, with particular regard to the life cycle stage at which each may be best applied. It is noteworthy that the principles encompass both technical and non-technical aspects of security.
What is information security?
Information security is generally concerned with the preventative steps an organization takes to guard its information and capabilities against threats and the exploitation of any vulnerability. Measures are taken to prevent unauthorized use, misuse, modification, or denial of use of knowledge, facts, data or capabilities. Information security is, thus, concerned with examining the threats and vulnerabilities facing an organization and managing them appropriately. In any organization, information security can be viewed as encompassing physical security, communication security, emission security, computer security and network security. Any structured information system must address all the security concerns in the organization's information infrastructure, and must treat information security as a process rather than something limited to certain available product solutions.
Information security assurance
An information security system must provide certain levels of assurance that the designed and implemented system will adequately protect the organization's information resources. This assurance can only be met if a sound systems engineering approach is adopted right from the beginning. The Information Assurance Technical Framework (IATF) document [2] emphasizes the criticality of the people involved, the operations required, and the technology needed to meet the overall mission of the organization. The defense-in-depth protection methodology provides a layered protection scheme for critical information system components, and its success depends heavily on these three entities. The methodology comprises the following major areas:
• Defending the network and infrastructure
• Defending the enclave boundary
• Defending the computing environment
• Supporting infrastructures
Another useful methodology is the Common Criteria (CC), which greatly helps in the development of products or systems that have IT security functions.
Structured approach
The methodologies of IATF and CC mentioned above can be used together with the details in the SP 800-27 document to develop a sound and dependable information security system. The documents are mainly targeted at the US market, but the principles apply to all situations in which IT and information systems are used.
Generally, the Information Systems Security Engineering process is based on carrying out the following activities:
• Discover information protection needs in the organization
• Define system security requirements
• Define system security architecture
• Develop detailed security design
• Implement system security
• Assess information protection effectiveness
A structured information security system must incorporate the above processes through the information system life cycle. The structured approach makes it relatively easy to adopt any new technological developments and optimization needs. There are five life-cycle planning phases as defined in the Generally Accepted Principles and Practices for Securing Information Technology Systems, SP 800-14 [3]:
• Initiation phase
• Development/Acquisition phase
• Implementation phase
• Operation/Maintenance phase
• Disposal phase
Not all the engineering principles are applicable to all the life-cycle phases. The principles that are most critical to each phase are considered below. At no point should the overall goal of attaining information system security be lost sight of. It is also important to bear in mind that building security into an information system has cost implications, so the choice of which principles to apply must be matched to the overall goal and capacity of the organization.
Apply principles to Initiation Phase
The initiation phase is the starting point in the System Development Life Cycle (SDLC). NIST Special Publication SP 800-100 highlights the details of the SDLC and recommends which security components and principles should be applied at each stage [3]. The various phases are illustrated in figure 3 of that document. During the initiation phase the need for the information system is captured. At this stage the type of information to be processed, transmitted, or stored is established, as well as the people who may have access to such information. A system security plan is initiated at this stage, in which the details of the information system security assessment data are analyzed and collated.
The principles to be applied include:
• Establish a sound security policy as the foundation of the design. The policy identifies the security goals and how these goals are used to guide the procedures, standards and controls in the security architecture design.
• Treat security as an integral part of the overall system design and clearly delineate the physical and logical boundaries governed by the associated security policies.
• Assume that external systems are insecure, since they are often not under the control of the organization.
• Reduce risks to an acceptable level and identify the trade-offs between reducing risks and increased costs.
• Use common language in developing security requirements. This provides a common platform for the comparison and evaluation of competing security products.
• Ensure developers are trained in how to develop secure software, before the system development starts.
Apply principles to the Acquisition/Development phase
In this phase of the SDLC the system is designed, purchased, developed or constructed. The major activities include determining security requirements, incorporating security requirements into the specifications, and obtaining the system. The following principles should be applied:
• Treat security as an integral part of overall system design and clearly delineate the logical and physical security boundaries, as governed by the security policies. Implement security through a combination of measures distributed physically and logically.
• Reduce risks to an acceptable level and identify the trade-offs between reducing risks and increased costs.
• Assume that external systems are insecure and implement layered security to ensure there is no single point of vulnerability. Minimize the system elements to be trusted.
• Design and operate system to limit vulnerability and to be resilient in response, while striving for simplicity at all steps. Provide assurance that the system will remain resilient in the face of expected threats.
• Formulate security measures to address multiple overlapping information domains and isolate public access systems from mission critical resources. Boundary mechanisms should be used to separate computing systems and network infrastructure.
• Base security on open standards for portability and interoperability, and use common language in developing security requirements. As far as possible, consider incorporating custom products to achieve adequate security.
• Design and implement audit mechanisms to detect unauthorized use and aid in incident investigations and reporting.
• The system should be designed such that it will support regular adoption of new technology, including a secure and logical technology upgrade process.
• Do not implement unnecessary security mechanisms, but protect against all classes of attacks, common errors and vulnerabilities.
• Protect information while being processed, in transit, and in storage, while striving for operational ease of use.
Apply principles to Implementation Phase
The major activities of this phase include the system configuration and the enabling of system security features. The functionality of these features is also tested; the system is then installed and operated. The critical principles to be applied in this SDLC phase include:
• Treat security as an integral part of the whole system and reduce risk to an acceptable level.
• Treat all external systems as insecure.
• Design and implement audit mechanisms to detect unauthorized use and aid in incident investigations and reporting.
• Do not implement unnecessary security mechanisms, but protect against all classes of attacks, common errors and vulnerabilities.
Apply principles to Operation/Maintenance phase
During this phase the system is put to intended use. The system is often modified by addition of software and hardware. Activities carried out include security operations and administration, operational assurance, and audits and monitoring. The following critical principles need to be applied during this phase:
• Treat security as an integral part of the whole system and reduce risk to an acceptable level.
• Treat all external systems as insecure.
• Identify potential tradeoffs between reducing risk and increased cost and decrease in other aspects of operational effectiveness.
• Implement layered security, as well as tailored security measures to meet organizational security goals, while striving for simplicity of use and operation.
• Design and operate an IT system to limit vulnerability and to be resilient in response. Provide assurance that the system will remain resilient in the face of expected threats, errors and vulnerabilities.
• The system should be designed such that it will support regular adoption of new technology, including a secure and logical technology upgrade process.
• Use unique identities to ensure accountability and authenticate users and processes to ensure appropriate access control decisions both within and across domains. Implement least privilege to limit access.
• Protect information while being processed, in transit and in storage.
• Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability.
Apply principles to the Disposal phase
This phase refers to the process of preserving or discarding the system information, hardware and software. If these activities are improperly done, the disposal phase can result in unauthorized disclosure of sensitive information. The major activities in this phase include information preservation, media sanitization and hardware and software disposal. The critical principles to apply in this phase are:
• Reduce risk to an acceptable level, based on cost-benefit criteria.
• Ensure proper security in the shutdown or disposal of a system. Procedures must be implemented to ensure that system hard drives, volatile memory, and other media are purged to an acceptable level and do not retain residual information.
Conclusions
An organization can only achieve acceptable levels of information system security if security is factored into all the phases of the system life cycle. Applying well-structured and detailed security engineering principles to each phase goes a long way in ensuring an organization will have in place an effective and dependable information security infrastructure. The systems approach ensures an information security system that is both proactive and reactive, and responsive to future and emerging threats and vulnerabilities.
References
[1] http://csrc.nist.gov/publications/nistpubs/800-27/sp800-27.pdf
[2] http://www.iatf.net/framework_docs/version-3.1
[3] http://csrc.nist.gov/publications/nistpubs/800-27/sp800-100.pdf
Dedicated to a very talented technical writer Ms. Vibeke Nielsen.