55915X Ch11.qxd 3/22/04 5:52 PM Page 497 Chapter 11 ✦ Systems Security Engineering 497 Mission/Business Function Information Management Functions Mission/ Business Threats Information Threats Information Protection Policy Information Management Policy Figure 11-5: Discover Information Protection Needs activity (from IATF document, Release 3.1, September 2002). The information systems security engineer should use any reliable sources of infor- mation to learn about the customer’s mission and business operations, including areas such as human resources, finance, command and control, engineering, logis- tics, and research and development. This knowledge can be used to generate a con- cept of operations (CONOPS) document or a mission needs statement (MNS). Then, with this information in hand, an information management model (IMM) should be developed that ultimately defines a number of information domains. Information management is defined as: ✦ Creating information ✦ Acquiring information ✦ Processing information ✦ Storing and retrieving information ✦ Transferring information ✦ Deleting information Information domains identify the members of a particular domain; the applicable privileges, roles, rules, and responsibilities of the users in the domain; and a list of the information entities that are under control in the domain. The information man- agement model should take into account: ✦ The information being processed ✦ Processes being used 55915X Ch11.qxd 3/22/04 5:52 PM Page 498 498 Part II ✦ The Information Systems Security Engineering Professional (ISSEP) Concentration ✦ Information generators ✦ Information consumers ✦ User roles ✦ Information management policy requirements ✦ Regulations ✦ Agreements or contracts The principle of least privilege should be used in developing the model by permit- ting users to access only the information required for them to accomplish their assigned tasks. The IMM is illustrated in Figure 11-6. Process InformationUser Fig. a Process A Process B Information Fig. b Users 1 Users 2 Figure 11-6: Graphic of the information management model (from IATF document, Release 3.1, Appendix H, September 2002). A short example of an IMM is given in Table 11-1. Information Management Model Table 11-1 Users Rules Process Information President Read/Write Corporate Finance Policy Treasurer Read/Write Corporate Finance Policy Senior V.P. Read Corporate Finance Policy 55915X Ch11.qxd 3/22/04 5:52 PM Page 499 Chapter 11 ✦ Systems Security Engineering 499 A similar example of the output domains of the IMM is given in Table 11-2. Table 11-2 IMM Information Domain Example Domain Users Rules Process Information Human Resources Director Read/Write Corporate Finance Financial Reports, Salaries Human Resources Benefits Staff Read Corporate Finance Financial Reports, Salaries After the IMM has been developed, the information systems security engineer can use the information in the model to determine the appropriate controls, regula- tions, directives, laws, and policies to use for each of the customer’s domains. For example, the model might indicate that material must be classified at a certain level or that Certification and Accreditation (C&A) are required. Another advantage of identifying the information domains is the ability of the information systems secu- rity engineer to evaluate the types of potential threats to a domain and the impact of a threat realized upon a domain. As part of the Discover Information Protection Needs activity, metrics are assigned to threats, or potentially harmful events (PHE), and to the level of harm to information (HTI) for each domain. The information sys- tem security principles of confidentiality, integrity, and availability (C.I.A.) are applied to estimate the HTI. This process is illustrated in Figure 11-7. RISK Information Threat Likelihood of Harm Potentially Harmful EventsHarm to Information Disclosure Motivation to Attack Adversaries Accidents Nature Non-Malicious Events Modification Service Denial Harm to Assets Harm System System Vulnerabilities Figure 11-7: The PHE and HTI process (from IATF document, Release 3.1, Appendix H, September 2002). 55915X Ch11.qxd 3/22/04 5:52 PM Page 500 500 Part II ✦ The Information Systems Security Engineering Professional (ISSEP) Concentration For example, the metrics could be numbers ranging from 0 to 3 for the PHE and HTI, and they could be displayed as shown in Figure 11-8. PHE HTI Measures None Low Medium High Serious 0 2 3 2 1 3 3 2 Significant 0 1 Mild 0 1 None 0 0 0 0 Figure 11-8: A PHE-HTI combination matrix (from IATF document, Release 3.1, Appendix H, September 2002). In the Discover Information Protection Needs activity of the ISSE process, the infor- mation systems security engineer must document all elements of the activity. These elements include: ✦ Roles ✦ Responsibilities ✦ Threats ✦ Strengths ✦ Security services ✦ Priorities ✦ Design constraints These items form the basis of an Information Protection Policy (IPP), which in turn becomes a component of the customer’s Information Management Policy (IMP), as shown in Figure 11.5. The information systems security engineer must also support the certification and accreditation (C&A) of the system. For example, the security engineer can identify the Designated Approving Authority (DAA) and the Certification Authority (CA). A detailed discussion of C&A is given in Chapter 12. Define System Security Requirements In this ISSE activity, the information systems security engineer identifies one or more solution sets that can satisfy the information protection needs of the IPP. This subprocess is illustrated in Figure 11-9. 55915X Ch11.qxd 3/22/04 5:52 PM Page 501 Chapter 11 ✦ Systems Security Engineering 501 INFORMATION PROTECTION POLICY NEEDS SOLUTION SOLUTION SOLUTION SET SET SET Figure 11-9: Mapping of solution sets to information protection needs. In selecting a solution set, the information systems security engineer must also con- sider the needs of external systems such as Public Key Infrastructure (PKI) or other cryptographic-related systems, as shown in Figure 11-10. NEEDS PKI EXTERNAL SYSTEM SYSTEM INFORMATION PROTECTION POLICY Figure 11-10: Mapping of needs to solution set components. 55915X Ch11.qxd 3/22/04 5:52 PM Page 502 502 Part II ✦ The Information Systems Security Engineering Professional (ISSEP) Concentration A solution set consists of a preliminary security CONOPS, the system context, and the system requirements. In close cooperation with the customer and based on the IPP, the information systems security engineer selects the best solution among the solu- tion sets. The information protection functions and the information management functions are delineated in the preliminary security CONOPS, and the dependencies among the organization’s mission and the services provided by other entities are identified. In developing the system context, the information systems security engi- neer uses systems engineering techniques to identify the boundaries of the system to be protected and allocates security functions to this system as well as to exter- nal systems. The information systems security engineer accomplishes this alloca- tion by analyzing the flow of data among the system to be protected and the external systems and by using the information compiled in the IPP and IMM. The third component of the solution set — the system security requirements — is generated by the information systems security engineer in collaboration with the systems engineers. Requirements should be unambiguous, comprehensive, and concise, and they should be obtained through the process of requirements analysis. The functional requirements and constraints on the design of the information secu- rity components include regulations, the operating environment, targeting internal as well as external threats, and customer needs. At the end of this process, the information systems security engineer reviews the security CONOPS, the security context, and the system security requirements with the customer to ensure that they meet the needs of the customer and are accepted by the customer. As with all activities in the ISSE process, documentation is very important and should be generated in accordance with the C&A requirements. Design System Security Architecture The requirements generated in the Define System Security Requirements activity of the ISSE process are necessarily stated in functional terms, indicating what is needed, but not how to accomplish what is needed. In Design System Security Architecture, the information systems security engineer performs a functional decomposition of the requirements that can be used to select the components required to implement the designated functions. Some aids that are used to implement the functional decompo- sition are timeline analyses, flow block diagrams, and a requirements allocation sheet. The result of the functional decomposition is the functional architecture of the information security systems, shown schematically in Figure 11-11. In the decomposition process, the performance requirements at the higher level are mapped onto the lower level functions to ensure that the resulting system performs as required. Also as part of this activity, the information systems security engineer determines, at a functional level, the security services that should be assigned to the system to be protected as well as to external systems. Such services include encryption, key management, and digital signatures. Because implementations are not specified in this activity, a complete risk analysis is not possible. General risk analysis, however, can be done by estimating the vulnerabilities in the classes of components that are likely to be used. 55915X Ch11.qxd 3/22/04 5:52 PM Page 503 Chapter 11 ✦ Systems Security Engineering 503 SECURITY COMPONENTS INTERNAL SECURITY DESIGN ELEMENTS SECURITY SYSTEM ELEMENTS INFORMATION INTERFACES INFORMATION INFORMATION Figure 11-11: Design system security architecture. As always, documentation in accordance with requirements of the C&A process should be performed. Develop Detailed Security Design The information protection design is achieved through continuous assessments of risks and the comparison of these risks with the information system security requirements by the ISSE personnel. The design activity is iterative, and it involves both the SE and ISSE professionals. The design documentation should meet the requirements of the C&A process. It should be noted that this activity specifies the system and components but does not specify products or vendors. The tasks performed by the information systems security engineer include: ✦ Mapping security mechanisms to system security design elements ✦ Cataloging candidate commercial off-the-shelf (COTS) products ✦ Cataloging candidate government off-the-shelf (GOTS) products ✦ Cataloging custom security products ✦ Qualifying external and internal element and system interfaces ✦ Developing specifications such as Common Criteria protection profiles Some characteristics of this effort are: ✦ The design documents should be under configuration control. ✦ The design must meet the customer’s design constraints. ✦ The components in the design must address both technical and nontechnical information security mechanisms. ✦ The interdependency and interaction among security mechanisms must be included in the risk analysis process. 55915X Ch11.qxd 3/22/04 5:52 PM Page 504 504 Part II ✦ The Information Systems Security Engineering Professional (ISSEP) Concentration ✦ The information systems security engineer must take into account trade-offs that might have to be made among cost, priorities, performance, schedule, and remaining security risks. ✦ The security requirements should map onto the security design. ✦ Any failures to meet the security requirements must be reported to the C&A authorities. ✦ The design should produce a revised security CONOPS. ✦ The design should take into account the effects and costs of long-lead-time items and life cycle support requirements. Implement System Security This activity moves the system from the design phase to the operational phase. The steps in this process are shown in Figure 11-12. DESIGN ACQUIRE CONFIGURE TEST DOCUMENT TRAIN INTEGRATE OPERATIONS Figure 11-12: The path from design to operations in the Implement System Security activity. The Implement System Security activity concludes with a system effectiveness assessment that produces evidence that the system meets the requirements and needs of the mission. Security accreditation usually follows this assessment. The assessment is accomplished through the following actions of the information systems security engineer: ✦ Verifying that the implemented system does address and protect against the threats itemized in the original threat assessment ✦ Providing inputs to the C&A process ✦ Application of information protection assurance mechanisms related to sys- tem implementation and testing ✦ Providing inputs to and reviewing the evolving system life cycle support plans 55915X Ch11.qxd 3/22/04 5:52 PM Page 505 Chapter 11 ✦ Systems Security Engineering 505 ✦ Providing inputs to and reviewing the operational procedures ✦ Providing inputs to and reviewing the maintenance training materials ✦ Taking part in multidisciplinary examinations of all system issues and concerns An important part of the Implement System Security activity is the determination of the specific components of the information system security solution. Some of the factors that have to be considered in selecting the components include: ✦ Availability now and in the future ✦ Cost ✦ Form factor ✦ Reliability ✦ Risk to system caused by substandard performance ✦ Conformance to design specifications ✦ Compatibility with existing components ✦ Meeting or exceeding evaluation criteria (Typical evaluation criteria include the Commercial COMSEC Evaluation Program [CCEP], National Information Assurance Partnership [NIAP], Federal Information Processing Standards [FIPS], NSA criteria, and NIST criteria.) In some cases, components might have to be built and customized to meet the requirements if no suitable components are available for purchase or lease. The information systems security engineer is responsible for configuring the security components to provide the specified security controls and services. Additional tasks related to the Implement System Security activity conducted by the systems and design engineers in cooperation with the information systems security engineer include: ✦ Conducting unit testing of components ✦ Developing test procedures to ensure that the designed system performs as required; these procedures should incorporate: • Test planning, to include facilities, schedule, personnel, tools, and required resources • Integration testing • Functional testing to ensure that systems and subsystems operate properly • Generation of test reports • Tests of all interfaces, as feasible [...]... evaluated to ensure that the system will meet the users’ needs by performing the required functions to the required quality standard in the intended environment The systems engi­ neer examines how well the system meets the needs of the mission The information systems security engineer focuses on the effectiveness of the information protection — whether the system can provide the confidentiality, integrity,... modifications to the SE/ISSE pro­ cess activities Figure 11-13 illustrates the relationship of the SE/ISSE process to the C&A process In summary, the outputs of the SE/ISSE process are the implementation of the sys­ tem and the corresponding system documentation The outputs of the C&A process are Certification documentation, Certification recommendations, and an Accreditation decision Another means of... availability, authentication and nonrepudiation for the information it is processing that is required for mission success ISSE and Its Relationship to C&A Processes The ISSE process provides input to the C&A process in the form of evidence and documentation Thus, the information systems security engineer has to consider the requirements of the DAA The Defense Information Technology Security Certification and Accreditation... completed, the risk assessment results, particularly any mitigation needs and residual risk, will be documented and shared with the customer to obtain their concurrence Implement System Security The risk analysis will be conducted/updated Strategies will be developed for the mitigation of identified risks Identify possible mission impacts and advise the customer and the customer’s Certifiers and Accreditors... security These 33 principles incorporate the concepts developed in the eight principles and 14 practices detailed in SP 800-14 With this foundation, the five system life cycle phases are then defined and each of the 33 EP-ITS principles are 519 520 Part II ✦ The Information Systems Security Engineering Professional (ISSEP) Concentration mapped onto the life cycle phases, as applicable NIST SP 800 -64 details... provides specifications, tasks, and clauses that can be used in an RFP to acquire information security features, procedures, and assurances The ISSEP candidate should also understand the relationship between the SDLC phases and the acquisition process for the corresponding information system This relationship is illustrated in Table 11-8, also taken from NIST SP 800 -64 Table 11-8 Relationship between... Firewalls ✦ Switches and routers ✦ Mobile code ✦ Biometrics ✦ Certificate management Principles of Defense in Depth The strategy of Defense in Depth is aimed at protecting U.S federal and defense information systems and networks from the various types and classes of attacks The technology focus areas of the Defense in Depth strategy are: ✦ Defending the network and infrastructure ✦ Defending the enclave boundary... security Enclaves always assume the highest mission assurance category and security classification of the Automated Information System (AIS) applications or outsourced IT-based pro­ cesses they support, and derive their security needs from those systems They pro­ vide standard IA capabilities such as boundary defense, incident detection and response, and key management, and also deliver common applications... to Implementing the Defense in Depth Strategy From the previous discussion of the Defense in Depth strategy, it is clear that large investments of time and resources are required for an effective strategy implemen­ tation In order to maximize the productivity of the resources available and mini­ mize the various costs associated with the implementation of the Defense in Depth strategy, the following... the customer’s Certifiers and Accreditors 507 508 Part II ✦ The Information Systems Security Engineering Professional (ISSEP) Concentration Summary Showing the Correspondence of the SE and ISSE Activities As discussed in the descriptions of the SE and ISSE processes, there is a one-to-correspondence of activities in the ISSE process to those in the SE process Table 11-4, taken from IATF document, Release . analyzing the flow of data among the system to be protected and the external systems and by using the information compiled in the IPP and IMM. The third component of the solution set — the system. that the system will meet the users’ focuses on the effectiveness of the information protection — whether the system can provide to the required quality standard in the authentication and nonrepudiation. cooperation with the customer and based on the IPP, the information systems security engineer selects the best solution among the solu- tion sets. The information protection functions and the information