The terrorist events of September 11, 2001, in New York City, Washington, DC, and Pennsylvania, have stimulated a national interest in all types of security among leaders and citizens of the United States of America, as well as among various leaders worldwide. Although the results of this increased awareness of U.S. security laxness may include the diminution of personal privacy, a large majority of Americans favor improving security in all its manifestations. Among the lapses in security precautions that could have contributed to the successful attacks on the World Trade Center and the Pentagon were the ready access the terrorists had to information on the Internet and their use of the Internet for sending and receiving encrypted electronic mail messages.
Given the current status of interest in information system network security, this book is primarily for commercial and government organizations that deal with nonsensitive unclassified information and sensitive but unclassified information (sometimes referred to as SBU information). This is information that is not classified (i.e., it is data that is not Confidential, Secret, Top Secret, nor any of the higher classifications) but is sensitive and needs to be protected from unauthorized observation, destruction, or modification. This is the situation for most commercial organizations as well as most civilian government organizations, or at least most of the information these types of organizations must handle.
Throughout this book the word "organization" will be used to denote a commercial or government operation such as a company, corporation, business, enterprise, organization, agency, or the like. "Owners" of an organization’s information system may be the actual persons who own the system but may also be the leading stakeholders of the organization’s system such as a Chief Executive Officer (CEO), Chief Information Officer (CIO), or other high-level manager or government official.
"According to federal intelligence and national security officials, no generally accepted methodology for strategic analysis of cyber threats to the nation’s infrastructures has been developed. -- The intelligence community officials we met with said that developing such a methodology would require an intense interagency effort and a dedication of significant resources" (GAO 2001). The prescriptive model for performing a comprehensive security analysis that is presented in this book can be used by any government or commercial organization to identify the cost-effective security mechanisms and methods required to offer the protection they need for their specific information system.
When organizations decide that they want a quality security system for protecting their information technology assets (often in response to a striking publicized event), they usually want it quickly. The best way to ensure that cost-effective countermeasures are defined accurately and completely is to first perform a security analysis that includes a formal risk assessment. Charging forward by defining solutions (i.e., security methods or products) for issues that are poorly understood (if at all) and that can be quickly acquired and installed may seem like a good idea at first, but when these methods and products do not work properly and/or are too expensive, owners will be displeased and disappointed. Hopefully, the prescriptive model for performing a comprehensive security analysis provided in this book will be used to avoid making these costly and time-consuming mistakes.
1.1.1 Purpose
A primary objective of this book is to present a formal prescriptive process for performing a security analysis, which, if properly followed, should provide a comprehensive end-to-end method and greatly diminish the possibility of an organization purchasing and/or implementing security mechanisms or methods that are not appropriate for meeting the organization’s security requirements. The focus of this book is on providing directions for performing a formal comprehensive security analysis. Because the definition of what constitutes an acceptable security analysis varies from organization to organization and from week to week within an organization, it is not recommended that a computer program for supporting security analyses be built unless it incorporates the capability to easily modify the embedded comprehensive prescriptive analysis process.
Information system owners (even if the system consists of a single computer) have three options (Bernstein 1996):

1. Do not plug your organizational computer network into a public network (such as the Internet); keep it isolated (often referred to as a "stand-alone" or "private" system);
2. Place security software on each client in your system; and/or
3. Place security subsystems (platform and software) at a network perimeter location (e.g., a firewall).
The guidance offered by this book is for those who select option 2 and/or option 3. Some owners may wish to employ option 1 (stand-alone system), but this will greatly limit the system’s capability to access information and to interface with others, both as a receiver and as a transmitter of information. Even some large organizations will select option 1 for some of their internal subsystems to "ensure" security. As we shall see later, "stand-alone" systems certainly do not ensure system security. Most organizations that have large computer networks will deploy security mechanisms both in their clients and at the perimeter of their information system, especially if they are using a public wide area network for their communications.