O-ISM3 Challenge Results Study
Authored by: Vicente Aceituno
Tel: +34 696 470 328
e-mail: [email protected]
Version 1.0: 24th of March 2014
COPYRIGHT NOTICE: This Report is copyrighted by Inovement Europe.
Table of Contents

Introduction (p. 3)
Literature review (p. 4)
    ISO 27000:2009 (p. 4)
    COBIT 5 (p. 4)
    ITIL:2007 (p. 5)
Analysis (p. 5)
    Experiment Design (p. 5)
        Use Case (p. 6)
        Questionnaire (p. 8)
    Methodology (p. 11)
Results (p. 12)
Discussion (p. 19)
    Is there a consensus in information technology standards about the definition of Confidentiality, Integrity and Availability? (p. 19)
    Are Confidentiality, Integrity and Availability sufficient to analyze the security requirements of an information system? (p. 19)
    Are Confidentiality, Integrity and Availability necessary to analyze the security requirements of an information system? (p. 20)
    Is there an alternative to Confidentiality, Integrity and Availability to analyze the security requirements of an information system quantitatively? (p. 20)
Conclusions (p. 20)
    Findings (p. 20)
    Alternative to Confidentiality, Integrity and Availability (p. 20)
    Further Research (p. 21)
    Executive Summary (p. 22)
Works Cited (p. 22)
Annex I Mapping of Information Security Criteria (p. 23)
Annex II O-ISM3 Business and Security Objectives (p. 30)
    Business Objectives (p. 30)
    Security Objectives (p. 31)
Introduction

Information security, also known as cybersecurity, computer security, information assurance or information technology security, is a discipline born with the earliest means of communicating information [1]. Its importance has grown as the worldwide economy and society rely more and more on information technology. Every information system provides a value to an organization. This Study makes the assumption that the analysis of the security of an information system must include both the system and the value it provides. This means that analyzing the security requirements of the same information system at different points in time, or in different organizations, will render different results. Information security professionals in both the public and the private sector face serious challenges in performing effectively for their organizations and clients, among them:

- Complexity and evolution of organizations, information systems and their environment.
- Limited availability of knowledge about the organization, information systems and their environment.
- Complexity can be analyzed at multiple levels of detail, ranging from the physical level all the way up to trust relationships between organizations.
- Resources available for information security are normally limited.
- Often information security professionals have limited influence within the organization to get things done.
- There is a weak link between efforts and results: twice as much work doesn't necessarily result in twice as much security.
- The result of a job well done is a negative: no incidents. This makes it difficult to tell the skilled from the lucky.
Professionals in different organizations have different responsibilities, skills and resources. The expectations the organizations place on them, and their accountability, credibility and influence, also vary greatly. In this context, multiple standards bodies, national and international organizations, and private institutions have worked to advance the practice of information security. Two notable results of their work and collaboration are the flurry of information security standards and of professional certifications on the market today. Information security standards are a key part of the syllabus of professional certifications. Most standards use the concepts of Confidentiality, Integrity and Availability.
This Study has two purposes:

- Present proof of the shortcomings of these three concepts.
- Present an alternative to these three concepts free of those shortcomings.

The research questions that this Study will answer are the following:

1. Is there a consensus in information technology standards about the definition of Confidentiality, Integrity and Availability?
2. Are Confidentiality, Integrity and Availability sufficient [10] to analyze the security requirements of an information system?
3. Are Confidentiality, Integrity and Availability necessary to analyze the security requirements of an information system?
4. Is there an alternative to Confidentiality, Integrity and Availability to analyze the security requirements of an information system quantitatively?
Challenging established knowledge is always risky. Two examples that come to mind are the slow acceptance of Wegener's theory of continental drift [2] and the little impact that Ignaz Semmelweis's early work on hygiene [3] had. This Study falsifies [4] the usefulness of Confidentiality, Integrity and Availability, but we don't expect a quick paradigm shift [5] as a result.
Literature review

The definitions of Confidentiality, Integrity and Availability given by the most important information technology standards follow.
ISO 27000:2009
Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
Integrity: The property of safeguarding the accuracy and completeness of assets.
Availability: The property of being accessible and useable upon demand by an authorized entity.
COBIT 5
Confidentiality: Concerns the protection of sensitive information from unauthorized disclosure.
Integrity: Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
Availability: Relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
ITIL:2007
Confidentiality: A security principle that requires that data should only be accessed by authorized people.
Integrity: A security principle that ensures data and Configuration Items are only modified by authorized personnel and Activities. Integrity considers all possible causes of modification, including software and hardware Failure, environmental Events, and human intervention.
Availability: Ability of a Configuration Item or IT Service to perform its agreed Function when required. Availability is determined by Reliability, Maintainability, Serviceability, Performance, and Security. Availability is usually calculated as a percentage. This calculation is often based on Agreed Service Time and Downtime. It is Best Practice to calculate Availability using measurements of the Business output of the IT Service.
Analysis
Experiment Design
If an information security professional wants to understand the security needs of an organization, he or she needs to communicate with those who have the information: the business managers. The design of the experiment assumes that all the necessary information the business managers have is available to the information security professional too, so that what is tested is the professional's ability to obtain that information. The experiment presents participants with a use case that specifies how an organization relies on an information system to conduct business. The participants have access to the use case and to a questionnaire in which specific portions of the use case are given as answers. The participants have to design the questions that would elicit the answers provided in the questionnaire. For a question to be considered correctly formulated, it must be logically consistent with the answer provided. In order to compare how successfully the information is obtained with and without Confidentiality, Integrity and Availability, participants choose either to use the concepts of Confidentiality, Integrity and Availability in their questions, or none of them. In order to register and identify the participants, they were required to pay a small fee via Paypal. In order to encourage participation, an opportunity to win a prize was offered. The Use Case and Questionnaire follow.
Use Case
Ambiguous SL is a travel agency located in Madrid, Spain. Their business is selling retail travel packages both online and through their offices, which are at street level on a main street. The most important system they own and operate is the Package Sales System, which they use for advertising, sales, and bookings. This system interfaces with the Amadeus GDS system (checking availability and bookings), with VISA (payments), and with an equivalent system of a Moroccan partner (MTravel), as Morocco is a popular destination for Spanish tourists and represents a significant part of the company's business. The owner of Ambiguous SL has put Myrna in charge of IT, among other responsibilities. Myrna has hired you to find out which security measures (controls or processes) would provide the highest return on investment for Ambiguous SL. Myrna will take care of implementation. Your first (and only) task is to make an assessment of Ambiguous SL's security needs. Myrna has named Ignatius as the project manager for the Package Sales System. He is an employee of the company (Confederacy SL) that develops and maintains the Package Sales System for Ambiguous SL. The Package Sales System functionality is as follows (please note this use case is simpler than a real life case):
- Create, Modify and Delete Travel Packages.
- Sell Travel Packages both online and at the office.
- Receive feedback from customers and the public in general.
- Send Travel Package offers to subscribers.
- Manage Claims and Issues.
A high level view of the Package Sales System Database reveals the following data resources:
- Travel Package Archive
- Sales Archive
- Feedback Archive
- Offers Archive
- Claims, Feedback and Incidences Archive
The following list of actions can be performed on each data resource:

- Travel Package Archive: Create, Update, Retire, Publish, Unpublish.
- Sales Archive: Book, Release, Sell, Refund, Update.
- Feedback Archive: Create, Update, Close.
- Offers Archive: Create, Update, Retire, Publish.
- Claims, Feedback and Incidences Archive: Create, Update, Close.
- Sales Statistics Report Archive: Create, Close.
There are certain requirements about who can do what, and where they can do it:

- Only the sales manager can Create, Update and Publish Travel Packages.
- Each salesperson can only view the personal information of his or her own clients.
- Only the sales manager and the person assigned to Feedback and Claims can view the personal information of all clients.
- Only the owner of the company can access the Sales Statistics Report.
- Only the sales manager can create Offers.
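The access rules above form a small least-privilege policy: every rule names who may do what on which data resource, and nothing else is granted. As an added illustration that is not part of the original report, of O-ISM3 or of any Ambiguous SL system, the following Python encodes them as a deny-by-default authorization check. The role names, the `User` and `Record` fields and the `check_access` function are assumptions made for the example; an action the use case does not mention (such as an administrator retiring a package) is denied simply because no rule grants it.

```python
"""Authorization rules of the Ambiguous SL use case as a deny-by-default policy.

Added example for this page; not code from the O-ISM3 Challenge or from the
Package Sales System. Role names, record fields and check_access() are
assumptions chosen for the illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Roles as named (or implied) in the use case.
SALES_MANAGER = "sales_manager"
SALESPERSON = "salesperson"
CLAIMS_HANDLER = "claims_handler"   # "the person assigned to Feedback and Claims"
OWNER = "owner"                     # the owner of the company
ADMINISTRATOR = "administrator"     # Confederacy SL staff; the use case grants them no data rights


@dataclass(frozen=True)
class User:
    user_id: str
    role: str


@dataclass(frozen=True)
class Record:
    resource: str                   # travel_package, client_personal_info, offer, sales_statistics_report
    owner_id: Optional[str] = None  # for client_personal_info: the salesperson who owns the client


def check_access(user: User, action: str, record: Record) -> bool:
    """Return True only when an explicit rule from the use case grants the request."""
    resource = record.resource

    # Only the sales manager can Create, Update and Publish Travel Packages.
    if resource == "travel_package" and action in {"create", "update", "publish"}:
        return user.role == SALES_MANAGER

    # Each salesperson can only view the personal information of his or her own
    # clients; the sales manager and the claims handler can view all of it.
    if resource == "client_personal_info" and action == "view":
        if user.role in {SALES_MANAGER, CLAIMS_HANDLER}:
            return True
        if user.role == SALESPERSON:
            return record.owner_id == user.user_id
        return False

    # Only the owner of the company can access the Sales Statistics Report.
    if resource == "sales_statistics_report":
        return user.role == OWNER

    # Only the sales manager can create Offers.
    if resource == "offer" and action == "create":
        return user.role == SALES_MANAGER

    # Nothing else is granted by the use case, so it is denied (least privilege).
    return False


def decide_batch(requests: List[Tuple[User, str, Record]]) -> List[Tuple[str, bool]]:
    """Evaluate a batch of requests and return (description, allowed) pairs,
    the shape an audit trail of access decisions would take."""
    return [
        (f"{u.role}:{u.user_id} {action} {r.resource}", check_access(u, action, r))
        for u, action, r in requests
    ]


# Constructed sample requests (not from the report).
SAMPLE_REQUESTS = [
    (User("maria", SALES_MANAGER), "publish", Record("travel_package")),
    (User("luis", SALESPERSON), "publish", Record("travel_package")),
    (User("luis", SALESPERSON), "view", Record("client_personal_info", owner_id="luis")),
    (User("luis", SALESPERSON), "view", Record("client_personal_info", owner_id="ana")),
    (User("pep", CLAIMS_HANDLER), "view", Record("client_personal_info", owner_id="ana")),
    (User("root", ADMINISTRATOR), "view", Record("sales_statistics_report")),
    (User("boss", OWNER), "view", Record("sales_statistics_report")),
    (User("luis", SALESPERSON), "create", Record("offer")),
    (User("root", ADMINISTRATOR), "retire", Record("travel_package")),  # granted nowhere
]

if __name__ == "__main__":
    for description, allowed in decide_batch(SAMPLE_REQUESTS):
        print(f"{'ALLOW' if allowed else 'DENY '} {description}")
```

Running the block prints one decision per sample request; the only grants are the sales manager publishing a package, the salesperson viewing his own client, the claims handler viewing any client, and the owner reading the statistics report.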
Certain parts of the Package Sales System are licensed, namely the Operating System, Application Server and Database. As the company and systems are located in Spain, the Package Sales System needs to comply with the Spanish Privacy Law (LOPD). Since the Package Sales System manages VISA payments, it needs to comply with PCI-DSS.

Some of the users of the Package Sales System are employees of Ambiguous SL; some are temps from Adecco. The administrators of the Package Sales System are employees of Confederacy SL. The general public of Spain is a user and can purchase Travel Packages through the application. The application does not serve the public of countries other than Spain. Persons under the age of 18 can ask for feedback and sign up for offers, but they can't purchase Travel Packages.

The system is located in a properly conditioned room inside the office. The system interfaces with the Internet via a high speed fiber optic connection. The system interfaces with the interconnected systems and users via mail, file transfers and a VPN that connects directly with the MTravel network.

The system is expected to work 24x7, but maintenance stoppages of no more than one hour per week outside business hours (which are 9 to 5, Tuesday to Sunday) are acceptable. The longest time that the system can be offline during business hours is 2 hours, because sales can be performed with the TPV (point-of-sale terminal) and handwritten notes can partially replace the use of the system. In case of a major malfunction of the system, it would be acceptable to lose one day of data, since most data could be reconstructed by checking with VISA, Amadeus and MTravel. It is understood that all "live" transactions would be lost in case of an incident.

Data needs to be archived for 5 years in order to meet tax regulations. After ten years data should be deleted permanently, as customer behavior changes over time and the data is no longer useful for Business Intelligence. Sales representatives and customers sometimes make mistakes entering data. This is acceptable as long as no more than one percent of the records contain inaccurate information.
In order to create an account in the Package Sales System, potential clients can log in using Facebook or create an account linked to their email address. They can unlink or delete the account at any time, but that does not delete any data in the database if they have purchased a Travel Package, even if they cancelled the purchase. In order to create an account in the Package Sales System, the Sales Manager sends an email to the Administrator. The email states what functions the user should be able to perform. The general public doesn't need an account to provide feedback or to sign up for the Offers newsletter. Customers who lose their passwords to the Package Sales System can request a new one and a link will be sent to their email address. Users who lose their password to access the Package Sales System need to physically visit the Administrator, who resets the password and gives it to them in a written note.

As some Offers expire at midnight, the Package Sales System should prevent customers from purchasing Travel Packages after they have expired, even by a few seconds.

There is a development environment that Confederacy SL maintains in their own data center, and a pre-production environment at the Ambiguous SL office. The current administrator is subscribed to email lists that notify him of security updates. The Administrator has configured the system using security guidelines found on the Internet for every component. Security patches have not been applied since a patch caused half a day of downtime. The Administrator changes about once every six months. The system has no malware protection.

The domain has been registered with Piensasolutions.es. The digital certificates used by the system are from Thawte. No one has been assigned the responsibility to manage the domain or the certificates. The system logs all the sales activity, but no other activity. There is no Firewall. The internet connectivity provider (Telefonica) provides a service that is supposed to deliver "clean" traffic. No part of the Package Sales System is located in a publicly accessible location. No part of the Package Sales System is accessible via a mobile application, but there are plans to incorporate a solution for this. No part of the Package Sales System is exposed to extreme environmental conditions.
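What makes the availability window, the maintenance allowance, the recovery point, the retention periods, the accuracy threshold and the clock tolerance in this use case analyzable quantitatively is that each one is a number. As an added example that is not part of the report, of O-ISM3 or of the Package Sales System, the following Python expresses them as measurable objectives and evaluates a constructed week of observations against them. The `Observations` fields, the `evaluate` function and the sample values are assumptions; the thresholds themselves are the ones stated in the use case, plus the one-second clock tolerance that appears only in the questionnaire. The sample deliberately misses one objective (clock drift) so that the report shows both outcomes.

```python
"""Quantitative requirements of the Ambiguous SL use case as measurable objectives.

Added example for this page; not code from the report, O-ISM3 or the Package
Sales System. Thresholds come from the use case and questionnaire; the
Observations fields, evaluate() and the sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# "9 to 5 from Tuesday to Sunday" (datetime.weekday(): Monday is 0).
BUSINESS_WEEKDAYS = {1, 2, 3, 4, 5, 6}
BUSINESS_START_HOUR, BUSINESS_END_HOUR = 9, 17


def in_business_hours(t: datetime) -> bool:
    return t.weekday() in BUSINESS_WEEKDAYS and BUSINESS_START_HOUR <= t.hour < BUSINESS_END_HOUR


def split_minutes(start: datetime, end: datetime) -> Tuple[int, int]:
    """Minutes of [start, end) inside and outside business hours, counted minute by minute."""
    business = off_hours = 0
    t = start
    while t < end:
        if in_business_hours(t):
            business += 1
        else:
            off_hours += 1
        t += timedelta(minutes=1)
    return business, off_hours


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime
    planned: bool   # True for maintenance stoppages, False for incidents


@dataclass(frozen=True)
class Observations:
    outages: List[Outage]                  # everything observed in one week
    worst_data_loss_hours: float           # data lost in the worst incident
    youngest_deleted_record_years: float   # age of the youngest record ever deleted
    oldest_stored_record_years: float      # age of the oldest record still stored
    inaccurate_records: int
    total_records: int
    clock_drift_seconds: float             # system time minus real time


def evaluate(obs: Observations) -> Dict[str, bool]:
    """Map each objective of the use case to True (met) or False (missed)."""
    planned_off = planned_in_business = worst_unplanned_business = 0
    for o in obs.outages:
        business, off_hours = split_minutes(o.start, o.end)
        if o.planned:
            planned_off += off_hours
            planned_in_business += business
        else:
            worst_unplanned_business = max(worst_unplanned_business, business)
    return {
        # at most one hour of maintenance per week, none of it in business hours
        "maintenance_1h_per_week_off_hours": planned_off <= 60 and planned_in_business == 0,
        # an outage during business hours may last at most 2 hours
        "outage_max_2h_business_hours": worst_unplanned_business <= 120,
        # at most one day of data lost in a major malfunction
        "rpo_max_1_day": obs.worst_data_loss_hours <= 24,
        # records kept at least 5 years (tax) and deleted after 10 years (BI)
        "retention_min_5_years": obs.youngest_deleted_record_years >= 5,
        "deletion_after_10_years": obs.oldest_stored_record_years <= 10,
        # no more than one percent of records inaccurate
        "error_rate_max_1_percent": obs.inaccurate_records <= 0.01 * obs.total_records,
        # system time within one second of real time (questionnaire)
        "clock_drift_max_1_second": abs(obs.clock_drift_seconds) <= 1.0,
    }


def sample_observations() -> Observations:
    """Constructed week in March 2014 (3 March 2014 is a Monday, not a business day)."""
    return Observations(
        outages=[
            Outage(datetime(2014, 3, 3, 3, 0), datetime(2014, 3, 3, 3, 45), planned=True),
            # incident on Wednesday 16:30-17:30: 30 of its 60 minutes fall in business hours
            Outage(datetime(2014, 3, 5, 16, 30), datetime(2014, 3, 5, 17, 30), planned=False),
        ],
        worst_data_loss_hours=6, youngest_deleted_record_years=5.5, oldest_stored_record_years=9.0,
        inaccurate_records=12, total_records=2000,
        clock_drift_seconds=3.0,   # deliberately outside the one-second tolerance
    )


def bad_maintenance_sample() -> Observations:
    """Constructed counter-example: 30 minutes of maintenance on Tuesday 4 March at 10:00."""
    return Observations(
        outages=[Outage(datetime(2014, 3, 4, 10, 0), datetime(2014, 3, 4, 10, 30), planned=True)],
        worst_data_loss_hours=0, youngest_deleted_record_years=5, oldest_stored_record_years=5,
        inaccurate_records=0, total_records=1, clock_drift_seconds=0,
    )


if __name__ == "__main__":
    for objective, met in evaluate(sample_observations()).items():
        print(f"{'MET   ' if met else 'MISSED'} {objective}")
```

The minute-by-minute split is deliberately simple so that an outage straddling 17:00 is charged only for the part that falls inside business hours, which is what the two-hour limit in the use case is about; in practice the observations would be filled from monitoring and backup records rather than typed in.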
Questionnaire

The spreadsheet had two columns, Question and Answer. The Question column was left blank for the participants to fill in; the Answer column contained the following entries:

- Ambiguous S.L
- Madrid
- Package Sales System
- Clare
- Ignatius
- Create, Modify and Delete Travel Packages. Sell Travel Packages both online and at the office. Receive feedback from customers and the public in general. Send Travel Package offers to subscribers. Manage Claims and Incidences.
- Travel Package Archive; Sales Archive; Feedback Archive; Offers Archive; Claims, Feedback and Incidences Archive
- Travel Package Archive: Create, Update, Retire, Publish, Unpublish. Sales Archive: Book, Release, Sell, Refund, Update. Feedback Archive: Create, Update, Close. Offers Archive: Create, Update, Retire, Publish. Claims, Feedback and Incidences Archive: Create, Update, Close.
- Sales Statistics Report
- Spain
- Operating System, Application Server and Database
- Only the chief of sales can Create, Update and Publish Travel Packages.
- Every salesperson can only view the personal information of their own clients.
- Only the chief of sales and the person assigned to Feedback and Claims can view the personal information of all clients.
- Only the chief of sales can create Offers.
- Yes, we handle credit card transactions.
- Authorized Employees; Authorized Outsourced Employees; Clients over 18 years old; Potential Clients; Specific Groups: (Spain Users) +Location
- Yes, we handle personal information.
- Clients; Potential clients
- Unauthorized Employees; Non Employees; Groups: (Non Spain users, Clients younger than 18 years old)
- User; Client; Potential Client; Administrator
- Spain
- Mail, File Transfers, VPN
- Amadeus GDS, VISA, Mtravel
- The Package Sales System is expected to be online 24x7.
- One hour per week off business hours, which are 9 to 5 from Tuesday to Sunday.
- Two hours during business hours, which are 9 to 5 from Tuesday to Sunday.
- All live transactions can be lost in the event of an interruption of service.
- Data needs to be kept for 5 years minimum, in order to meet tax regulations.
- After 10 years Package Sales System data can be deleted permanently.
- One percent of records with wrong information.
- One day's worth of data can be lost in the event of an incident.
- The public in general doesn't need an account to provide feedback or to sign up for the Offers newsletter. In order to create an account in the Package Sales System, the Sales Manager sends an email to the Administrator.
- If the password to access the Package Sales System is lost, customers can request a new one by getting a link sent to their mail address. If the password to access the Package Sales System is lost, users need to physically visit the Administrator, who resets the password in the system for them and hands it over in a written note.
- In order to get an account in the Package Sales System, the Chief of Sales sends a mail message to the Administrator. The mail states what functions the user should be able to perform.
- As some sales are time-sensitive, the difference between real time and the time of the system should not be greater than one second.
- Manuals from the Internet, no formal process.
- The current administrator is subscribed to mail lists that warn him of security updates. Security patches are not applied since one patch caused a half day downtime.
- The system has no antimalware protection.
- The domain has been registered with Piensasolutions.es.
- The digital certificates used by the system are from Thawte.
- No one has been assigned the responsibility to manage either the domain or the certificates.
- The system logs all the sales activity, but none of the other activity.
- There is no Firewall. The internet connectivity provider (Telefonica) provides a service that is supposed to provide "clean" traffic.
- No part of the Package Sales System is located in a publicly accessible location.
- No part of the Package Sales System is accessible via a mobile application, but there are plans to incorporate a solution for this.
- No part of the Package Sales System sustains extreme environmental conditions.
- The Administrator changes about once every six months.
Methodology
The existence and opening of the Challenge was announced online via Twitter, an email list with more than 1000 members, LinkedIn groups and a press release that was sent to the most important bloggers and media in information security. The relevant rules and development of the Challenge follow:

- Participants signed up between the 28th of February and the 14th of March 2014 (CET time zone).
- Every participant received a copy of a spreadsheet with the Answers and a registration number within 24h of registration.
- In the spreadsheet, the participant had to choose either the CIA Option or the O-ISM3 Option.
- Each participant had to fill in Questions that would give the Answers provided and send the spreadsheet attached to an e-mail to [email protected], with their registration number in the subject of the mail.
- Questions were evaluated. A single ambiguous question, where the answer is not a perfect match, caused the participant to FAIL the challenge (example of FAIL: "What is the Integrity of the Data?" for the answer "Data needs to be kept for 5 years"; example of PASS: "When does the system need to be Available?" for the answer "Between 8 and 5 Monday to Friday").
- Grammatically or logically inconsistent questions, questions not in the English language or longer than 255 characters, or the inclusion of malicious macros would result in a FAIL.
- For the CIA Option, failure to use at least one of Confidentiality, Integrity and Availability (or Confidential, Integer, Available) in any question would result in a FAIL.
- For the O-ISM3 Option, using any of Confidentiality, Integrity or Availability in any question would result in a FAIL.
- All answers had to be sent by midnight on the 16th of March 2014 (CET time zone).
- Those who PASSED were to be announced on the 24th of March.
- The results of the entry evaluations could not be contested.
- The names of the participants would not be published without their permission.
- A 500€ prize and a free seat on an O-ISM3 Course would have been awarded. The winner would be chosen from those who PASSED. (Note: no participants PASSED.)
Results

Out of eight people who registered to participate, two submitted their solutions. Both participants chose not to use Confidentiality, Integrity and Availability in their questions. Participant 007 got 45 out of 49 questions right. One wrong question (marked in green) can be attributed to a poor design of the answer. Incorrect questions are marked in red. His Questionnaire follows:

Q: What is the name of the company?
A: Ambiguous S.L

Q: Where does the company operate from?
A: Madrid

Q: What is the most important system operated by the company?
A: Package Sales System

Q: Who's in charge of IT?
A: Myrna

Q: Who's responsible for this system (Package Sales System)?
A: Ignatius

Q: What are the system's functionalities?
A: Create, Modify and Delete Travel Packages. Sell Travel Packages both online and at the office. Receive feedback from customers and the public in general. Send Travel Package offers to subscribers. Manage Claims and Incidences.

Q: What are the high level data resources used by Package Sales System?
A: Travel Package Archive; Sales Archive; Feedback Archive; Offers Archive; Claims, Feedback and Incidences Archive

Q: What are the actions that can be performed on each data resource?
A: Travel Package Archive: Create, Update, Retire, Publish, Unpublish. Sales Archive: Book, Release, Sell, Refund, Update. Feedback Archive: Create, Update, Close. Offers Archive: Create, Update, Retire, Publish. Claims, Feedback and Incidences Archive: Create, Update, Close.

Q: What kind of information does the application generate?
A: Sales Statistics Report

Q: In which country do you provide your services?
A: Spain

Q: Are there parts of the Package Sales System that are licensed?
A: Operating System, Application Server and Database

Q: Is there a requirement regarding who can do what and where with Travel Packages?
A: Only the chief of sales can Create, Update and Publish Travel Packages.

Q: Is there a requirement regarding who can do what and where with client information?
A: Every salesperson can only view the personal information of their own clients.

Q: Is there a requirement regarding who can do what and where with client information?
A: Only the chief of sales and the person assigned to Feedback and Claims can view the personal information of all clients.

Q: Is there a requirement regarding who can do what and where with offers?
A: Only the chief of sales can create Offers.

Q: Do you handle any payment card information?
A: Yes, we handle credit card transactions.

Q: Who is supposed to access Package Sales System?
A: Authorized Employees; Authorized Outsourced Employees; Clients over 18 years old; Potential Clients; Specific Groups: (Spain Users) +Location

Q: Do you handle any personal information?
A: Yes, we handle personal information.

Q: What are the categories of people for which you are handling personal information?
A: Clients; Potential clients

Q: Who should not have access to Package Sales System?
A: Unauthorized Employees; Non Employees; Groups: (Non Spain users, Clients younger than 18 years old)

Q: What are the different categories of persons accessing your system?
A: User; Client; Potential Client; Administrator

Q: In which country is your system located?
A: Spain

Q: What kind of interface does your system have with other systems or users?
A: Mail, File Transfers, VPN

Q: Is your system connected to other systems outside the company?
A: Amadeus GDS, VISA, Mtravel

Q: When is your PSS supposed to be up and working?
A: The Package Sales System is expected to be online 24x7.

Q: What is the maximum downtime of PSS you are ready to accept for maintenance reasons, and when should it better occur?
A: One hour per week off business hours, which are 9 to 5 from Tuesday to Sunday.

Q: When and how long would a downtime of PSS have an unacceptable impact on your business?
A: Two hours during business hours, which are 9 to 5 from Tuesday to Sunday.

Q: In the event PSS goes down, how much data processed by the system can you afford to lose?
A: All live transactions can be lost in the event of an interruption of service.

Q: Do you need to archive your data for any regulatory reason?
A: Data needs to be kept for 5 years minimum, in order to meet tax regulations.

Q: How long do you need to keep your data for business reasons?
A: After 10 years Package Sales System data can be deleted permanently.

Q: What is your expected level of quality for PSS information?
A: One percent of records with wrong information.

Q: In case of an incident with PSS, how much data, in minutes, hours or days before the incident, can you afford to lose?
A: One day's worth of data can be lost in the event of an incident.

Q: How do you grant access to PSS?
A: The public in general doesn't need an account to provide feedback or to sign up for the Offers newsletter. In order to create an account in the Package Sales System, the Sales Manager sends an email to the Administrator.

Q: How do you manage passwords for PSS users?
A: If the password to access the Package Sales System is lost, customers can request a new one by getting a link sent to their mail address. If the password to access the Package Sales System is lost, users need to physically visit the Administrator, who resets the password in the system for them and hands it over in a written note.

Q: How do you manage access rights for Ambiguous SL's employees?
A: In order to get an account in the Package Sales System, the Chief of Sales sends a mail message to the Administrator. The mail states what functions the user should be able to perform.

Q: Does the accuracy of the PSS clock have importance?
A: As some sales are time-sensitive, the difference between real time and the time of the system should not be greater than one second.

Q: Do you have a process or a standard used to manage the security of your system?
A: Manuals from the Internet, no formal process.

Q: How do you ensure your system has all the necessary software patches applied in order to prevent exploitation of a known vulnerability?
A: The current administrator is subscribed to mail lists that warn him of security updates. Security patches are not applied since one patch caused a half day downtime.

Q: Do you have anti-malware protection on the system?
A: The system has no antimalware protection.

Q: Where did you register your Internet domain name?
A: The domain has been registered with Piensasolutions.es.

Q: Who is your digital certificate provider?
A: The digital certificates used by the system are from Thawte.

Q: Who is responsible for managing the digital certificates and the domain name?
A: No one has been assigned the responsibility to manage either the domain or the certificates.

Q: What are the actions that are logged by the system?
A: The system logs all the sales activity, but none of the other activity.

Q: Do you protect your system from attacks coming through the internet with a firewall or any filtering system?
A: There is no Firewall. The internet connectivity provider (Telefonica) provides a service that is supposed to provide "clean" traffic.

Q: Do you have a part or the entire system located in an area accessible to the public?
A: No part of the Package Sales System is located in a publicly accessible location.

Q: Is PSS accessible through a mobile application?
A: No part of the Package Sales System is accessible via a mobile application, but there are plans to incorporate a solution for this.

Q: Is your system exposed to extreme environmental conditions?
A: No part of the Package Sales System sustains extreme environmental conditions.

Q: How experienced is the administrator of the system?
A: The Administrator changes about once every six months.
Participant 006 got 47 out of 49 questions correctly. Incorrect questions are marked in red. His Questionnaire follows:
Question Answer
What is the name of your company? Ambiguous S.L
Where is your company located? Madrid
What is your most important IT system? Package Sales System
Who is responsible for managing the Package Sales System? Myrna
Who is the vendor's contact person for the Package Sales System? Ignatius
Which functionality does the Package Sales System offer?
Create, Modify and Delete Travel Packages. Sell Travel Packages both online and at the office. Receive feedback from customers and the public in general. Send Travel Package offers to subscribers. Manage Claims and Incidences.
Which data resources does the Package Sales System use?
Travel Package Archive Sales Archive Feedback Archive Offers Archive Claims, Feedback and Incidences Archive
Which action can be performed on each data resource of the Package Sales System?
Travel Package Archive: Create, Update, Retire, Publish, Unpublish. Sales Archive: Book, Release, Sell, Refund, Update. Feedback Archive: Create, Update, Close. Offers Archive: Create, Update, Retire, Publish. Claims, Feedback and Incidences Archive: Create, Update, Close
Which data resource contains the most important data? Sales Statistics Report
In which country is the vendor of the Package Sales System located? Spain
Which parts of the Package Sales System are licensed?
Operating System, Application Server and Database
Who can change data of the Travel Packages?
Only the chief of sales can Create, Update and Publish Travel Packages.
Are principles of information segregation used for the Package Sales System?
Every salesperson can only view the personal information of their own clients.
Is the principle of information segregation effective for every user role and account?
Only the chief of sales and the person assigned to Feedback and Claims can view the personal information of all clients.
Who can add data to the Offers Archive? Only the chief of sales can create Offers
Do you handle credit card transactions within the Package Sales System? Yes, we handle credit card transactions
Who is allowed access to the Package Sales System?
Authorized Employees
Authorized Outsourced Employees
Clients over 18 years old
Potential Clients
Specific Groups: (Spain Users) +Location
Do you handle personal information within the Package Sales System? Yes, we handle personal information
To whom does the personal information belong which is processed by the Package Sales System?
Clients
Potential clients
Who may not access the Package Sales System?
Unauthorized Employees
Non Employees
Groups: Non Spain users, Clients younger than 18 years old
Which roles (types of users) exist within the Package Sales System?
User
Client
Potential Client
Administrator
Where are the users of the Package Sales System physically located? Spain
By what means does the Package Sales System interface with other systems? Mail, File Transfers, VPN
To which other systems does the Package Sales System have interfaces? Amadeus GDS, VISA, Mtravel
During which time should the Package Sales System be online?
The Package Sales System is expected to be online 24x7
During which time may maintenance services be performed on the Package Sales System?
One hour per week off business hours that are 9 to 5 from Tuesday to Sunday
What is the maximum tolerable amount of time the Package Sales System may be offline during business hours?
Two Hours during business hours that are 9 to 5 from Tuesday to Sunday
What data can be lost upon interruption of service?
All live transactions can be lost in the event of an interruption of service
Do you have requirements to archive the system data for a specific period of time?
Data needs to be kept for 5 years minimum, in order to meet tax regulations
After what period of time may the data be disposed of?
After 10 years Package Sales System data can be deleted permanently.
What is the maximum tolerable amount of data in the system that may be wrong?
One percent of records with wrong information
What is the maximum tolerable amount of data that may be lost in the case of an incident?
One day worth of data can be lost in the event of an incident
Can parts of the service be used without an account and how can an account be created?
The public in general does not need an account to provide feedback or to sign up for the Offers newsletter. In order to create an account in the Package Sales System, the Sales Manager sends an email to the Administrator.
What procedures are in place to reset an account password?
If the password to access the Package Sales System is lost, customers can request a new one by getting a link sent to their mail address. If the password to access the Package Sales System is lost, users need to physically visit the Administrator, who resets the password in the system for them and hands it over in a written note.
What procedure needs to be followed to create an account?
In order to get an account in the Package Sales System, the Chief of Sales sends a mail message to the Administrator. The mail states what functions the user should be able to perform.
What is the maximum amount of time the system time may differ from real time?
As some sales are time-sensitive, the difference between real time and time of the systems should not be greater than one second
Is a formal system hardening process followed in the system configuration?
Manuals from Internet, no formal process
Is a patch management process followed for the system?
The current administrator is subscribed to mail lists that warn him of security updates. Security patches are not applied since one patch caused half a day of downtime.
Is an antimalware protection in place for the system?
The system has no antimalware protection.
Where is the system domain registered?
The domain has been registered with Piensasolutions.es.
Are digital certificates used for the system, if yes who issued the certificates?
The digital certificates used by the system are from Thawte
Who is responsible to manage the domain and the associated certificates?
No one has been assigned with the responsibility to manage either the domain or the certificates
Which system activities are logged? The system logs all the sales activity, but not any of the other activity
Are protection measures on network level (e.g. firewall) employed?
There is no Firewall. The internet connectivity provider (Telefonica) provides a service that is supposed to provide "clean" traffic.
Are parts of the system located in a publicly accessible area?
No part of the Package Sales System is located in a publicly accessible location
Is the system accessible via a mobile application?
No part of the Package Sales System is accessible via Mobile application, but there are plans to incorporate a solution for this.
Are parts of the system exposed to extreme environmental conditions?
No part of the Package Sales System sustains extreme environmental conditions.
How often does the system administrator change?
The Administrator changes about once every six months.
Discussion
The small number of participants precludes any statistical analysis of the data.
Is there a consensus in information technology standards about the definition of Confidentiality, Integrity and Availability?
Checking the literature review (page 4), we can confidently answer: No.
Are Confidentiality, Integrity and Availability sufficient to analyze the security requirements of an information system?
As no participant decided to use Confidentiality, Integrity and Availability, the experiment alone leaves the answer inconclusive. On the other hand, it is easy to find a question that cannot be asked using only Confidentiality, Integrity and Availability, for example:
Question Answer
Which system activities are logged? The system logs all the sales activity, but not any of the other activity
The answer for this question is therefore: No.
Are Confidentiality, Integrity and Availability necessary to analyze the security requirements of an information system?
Combining the results from both participants, it is possible to fully analyze the security requirements of the Package Sales System without mentioning Confidentiality, Integrity or Availability. The answer for this question is therefore: No.
Is there an alternative to Confidentiality, Integrity and Availability to analyze the security requirements of an information system quantitatively?
Combining the results from both participants, the security requirements of the Package Sales System are fully analyzed without mentioning Confidentiality, Integrity or Availability, and most of the answers carry units (hours of downtime, days of data loss, years of retention, percentage of erroneous records, seconds of clock drift), which is what makes quantitative management possible. The answer for this question is therefore: Yes.
Conclusions
Findings
Confidentiality, Integrity and Availability are neither sufficient nor necessary to analyze the security requirements of an information system. This Study proves that an alternative is possible.
Alternative to Confidentiality, Integrity and Availability
Following the Scientific Method [6], the need for measurements that are free of variance, repeatable and independent of the observer led to the creation of Operational Definitions [7]. This is the approach taken by the definition of Security Objectives in O-ISM3 [8]. There are two important consequences of the use of operational definitions. One is that operational definitions can be built on top of other operational definitions, so that Threats, Incidents, Vulnerabilities and Weaknesses, among others, can be defined in terms of Security Objectives. The other is that every security requirement has units. The units can belong to different Levels of Measurement [9]; in the Use Case of this Study they are either Nominal or Ratio. Example of Nominal:
Are parts of the system exposed to extreme environmental conditions?
No part of the Package Sales System sustains extreme environmental conditions.
Who may not access the Package Sales System?
Unauthorized Employees
Non Employees
Groups: Non Spain users, Clients younger than 18 years old
Example of Ratio:
Do you have requirements to archive the system data for a specific period of time?
Data needs to be kept for 5 years minimum, in order to meet tax regulations
After what period of time may the data be disposed of?
After 10 years Package Sales System data can be deleted permanently.
The use of units makes it possible to manage security quantitatively. With security requirements that have units, management tasks that are otherwise subjective, difficult or impossible become possible or even easy:
1. Determine success criteria: a security objective is either met or failed. (When a security objective is failed, there has been an Incident.)
2. Assess the value of information security activities: those that contribute to meeting a security objective are valuable.
3. Assess the return on investment of information security activities.
4. Prioritize the use of resources to maximize the value of information security activities.
5. Plan the resources necessary to meet security objectives.
6. Check whether management decisions render the expected results.
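The first item above treats a security objective as something that is either met or failed, and the units are what make that check mechanical. The following is an added example, not code from the O-ISM3 study or from the O-ISM3 standard: it encodes the Ratio and Nominal objectives stated in the Package Sales System questionnaire (two hours of downtime inside the 9 to 5, Tuesday to Sunday business hours; one day of data loss; one percent of erroneous records; one second of clock drift; five years of retention; Spain as the only user location) and evaluates them against measurements, reporting each failed objective as an Incident. The names Objective, Incident, evaluate and business_hours_downtime are assumptions introduced here, and the measured values are constructed for illustration.

```python
"""Operationally defined security objectives for the Package Sales System.

Added example, not code from the O-ISM3 study or standard. The limits come from
the questionnaire in this report; the measured values below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Any, Dict, Iterable, List


class Level(Enum):
    """Level of measurement of an objective."""
    NOMINAL = "nominal"  # categories: met if the observed value is an allowed one
    RATIO = "ratio"      # magnitude with a unit: met if the observed value is within the limit


@dataclass(frozen=True)
class Objective:
    name: str
    level: Level
    unit: str             # empty for nominal objectives
    limit: Any            # allowed set (nominal) or a number (ratio)
    at_most: bool = True  # ratio only: observed <= limit (True) or observed >= limit (False)

    def met(self, observed: Any) -> bool:
        """Success criterion: an objective is either met or failed."""
        if self.level is Level.NOMINAL:
            return observed in self.limit
        return observed <= self.limit if self.at_most else observed >= self.limit


@dataclass(frozen=True)
class Incident:
    """A failed security objective, with the observed value and the limit it breached."""
    objective: str
    observed: Any
    limit: Any
    unit: str


# Objectives as answered in the questionnaire (hypothetical names, limits from the report).
OBJECTIVES: List[Objective] = [
    Objective("Downtime during business hours", Level.RATIO, "hours", 2),
    Objective("Data lost in an incident", Level.RATIO, "days", 1),
    Objective("Erroneous records", Level.RATIO, "percent", 1),
    Objective("Clock drift", Level.RATIO, "seconds", 1),
    Objective("Retention", Level.RATIO, "years", 5, at_most=False),
    Objective("User location", Level.NOMINAL, "", frozenset({"Spain"})),
]

# Business hours from the questionnaire: 9 to 5, Tuesday (weekday 1) to Sunday (weekday 6).
BUSINESS_DAYS = {1, 2, 3, 4, 5, 6}
OPEN_HOUR, CLOSE_HOUR = 9, 17


def business_hours_downtime(start: str, end: str) -> float:
    """Hours of the outage [start, end) (ISO 8601 strings) that fall inside business hours."""
    begin, finish = datetime.fromisoformat(start), datetime.fromisoformat(end)
    total = timedelta()
    day = begin.replace(hour=0, minute=0, second=0, microsecond=0)
    while day < finish:
        if day.weekday() in BUSINESS_DAYS:
            window_open = day.replace(hour=OPEN_HOUR)
            window_close = day.replace(hour=CLOSE_HOUR)
            overlap = min(finish, window_close) - max(begin, window_open)
            if overlap > timedelta():
                total += overlap
        day += timedelta(days=1)
    return total.total_seconds() / 3600


def evaluate(objectives: Iterable[Objective], measurements: Dict[str, Any]) -> List[Incident]:
    """Return one Incident per measured objective that is failed; unmeasured ones are skipped."""
    incidents: List[Incident] = []
    for objective in objectives:
        if objective.name not in measurements:
            continue  # without a measurement the objective can be neither met nor failed
        observed = measurements[objective.name]
        if not objective.met(observed):
            incidents.append(Incident(objective.name, observed, objective.limit, objective.unit))
    return incidents


# Constructed measurements: an outage from Tuesday 15:00 to Wednesday 10:00 is 3 business hours.
SAMPLE_MEASUREMENTS: Dict[str, Any] = {
    "Downtime during business hours": business_hours_downtime("2014-03-25T15:00", "2014-03-26T10:00"),
    "Data lost in an incident": 0.5,
    "Erroneous records": 1.8,
    "Clock drift": 0.2,
    "Retention": 5,
    "User location": "France",
}


def sample_evaluation() -> List[Incident]:
    """Evaluate the Package Sales System objectives against the constructed measurements."""
    return evaluate(OBJECTIVES, SAMPLE_MEASUREMENTS)


if __name__ == "__main__":
    for incident in sample_evaluation():
        print(f"INCIDENT {incident.objective}: observed {incident.observed} {incident.unit}, "
              f"limit {incident.limit} {incident.unit}")
```

The downtime objective shows why the unit and its scope matter: the questionnaire limits downtime during business hours, so an outage that begins on a Monday evening only starts counting at 9:00 on Tuesday, while one that straddles Tuesday afternoon and Wednesday morning accumulates both portions. A nominal objective, such as the allowed user location, is checked by set membership rather than by comparing magnitudes; both kinds reduce to the same met-or-failed decision.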
Further Research
It would be of interest to validate the following research questions:
Can Threat be defined with an operational definition in relation to Security Objectives?
Can Weakness be defined with an operational definition in relation to Security Objectives?
Can Vulnerability be defined with an operational definition in relation to Security Objectives?
Can Security be defined with an operational definition in relation to Security Objectives?
Can Risk be defined with an operational definition in relation to Security Objectives?
This Challenge took the point of view of the information security professional. It would be valuable to replicate this Challenge from the point of view of the final client or user of information security, comparing whether they find it easier to answer questions phrased in terms of Confidentiality, Integrity and Availability or questions of the kind used in this Study.
Executive Summary
The lack of consensus in information technology standards about the definition of Confidentiality, Integrity and Availability leads to high variance in the work of different individuals when carrying out their information security duties. High variance is undesirable in disciplines where results matter (architecture, medicine and aviation, for example), and should be avoided. Confidentiality, Integrity and Availability are neither sufficient nor necessary to analyze the security requirements of an information system. The results of this Study call for the replacement of the current definitions of Confidentiality, Integrity and Availability with an alternative where consensus is wider, variance is smaller, communication with business stakeholders is easier, and quantitative management of information security becomes possible.
Works Cited
1. http://en.wikipedia.org/w/index.php?title=Information_security&oldid=598736584
2. http://en.wikipedia.org/w/index.php?title=Alfred_Wegener&oldid=597391093
3. http://en.wikipedia.org/w/index.php?title=Ignaz_Semmelweis&oldid=596591369
4. http://en.wikipedia.org/w/index.php?title=Karl_Popper&oldid=600025946
5. http://en.wikipedia.org/w/index.php?title=Thomas_Kuhn&oldid=595760171
6. http://en.wikipedia.org/w/index.php?title=Scientific_method&oldid=599211918
7. http://en.wikipedia.org/w/index.php?title=Operational_definition&oldid=597679965
8. Open Information Security Management Maturity Model (O-ISM3)
9. http://en.wikipedia.org/w/index.php?title=Level_of_measurement&oldid=599847388
10. http://en.wikipedia.org/wiki/Necessity_and_sufficiency
Annex I Mapping of Information Security Criteria
Each entry gives an ISM3 Security Objective followed by its closest equivalent in ISO (Integrity, Availability, Confidentiality and the related properties), in the COBIT Information Criteria and in the Parkerian Hexad.

ISM3: Accurate time and date should be reflected in all records
ISO: No equivalent
COBIT: No equivalent
Parkerian Hexad: No equivalent

ISM3: Availability of repositories, services and channels should exceed Customer needs. It can be measured as the period of time when a service, repository, interface or channel must exist, be accessible and usable (perform according to customer needs) upon demand. It is measured as well by the oldest recent messages and information that can be lost because of an interruption of service, channel or interface
ISO: Availability is the property of being accessible and usable upon demand by an authorized entity
COBIT: Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities
Parkerian Hexad: Availability means having timely access to information

ISM3: Completeness: The extent to which a repository is populated (available and consistent) with the information required to meet or exceed customer needs. The lower limit is usually set by business or customer needs, and the upper limit by regulatory needs
ISO: No equivalent
COBIT: Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner
Parkerian Hexad: Utility means usefulness

ISM3: Completeness (same objective as the row above)
ISO: No equivalent
COBIT: Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations
Parkerian Hexad: Utility means usefulness

ISM3: Compliance Needs and Limitations. Examples:
Third party services and repositories need to be appropriately licensed.
Personal information completeness must be proportional to its use.
Personal information must be protected using certain security measures depending on the type of personal information.
The owner of Personal information must agree for it to be collected and has the right to check it, fix it and approve how it will be used or ceded.
Encryption must be used under legal limitations.
Secrets must be kept according to the terms of agreed Non-Disclosure Agreements.
The owner of Personal information will be given notice when his data is being collected, including who is collecting the data.
Personal information must be used for the purpose agreed with the information owner.
Personal information must not be disclosed without the agreement of the information owner.
Personal information owners will have means to make data collectors accountable for their use of his personal information.
Personal information is held for no longer than required.
Tax records must be kept for a minimum number of years.
Repositories with Personal information have to be registered with a Data Protection agency.
ISO: No equivalent
COBIT: Compliance deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, e.g., externally imposed business criteria as well as internal policies
Parkerian Hexad: No equivalent

ISM3: Expired or end of life-cycle repositories should be permanently destroyed. It can be measured as the date the expired or end of life-cycle repositories and records should be permanently and reliably destroyed.
ISO: No equivalent
COBIT: No equivalent
Parkerian Hexad: No equivalent

ISM3: Information systems and repositories should be physically accessible only to authorized users
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
COBIT: Confidentiality concerns the protection of sensitive information from unauthorized disclosure.
Parkerian Hexad: Possession or Control

ISM3: Intellectual property (licensed, copyrighted, patented and trademarks) should be accessible to authorized users only
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
COBIT: Confidentiality concerns the protection of sensitive information from unauthorized disclosure.
Parkerian Hexad: Confidentiality refers to limits on who can get what kind of information. For example, executives are concerned about protecting their enterprise's strategic plans from competitors; individuals are concerned about unauthorized access to their financial records.

ISM3: This is a business objective, not a security objective
ISO: This is not an information security criterion
COBIT: Efficiency concerns the provision of information through the optimal (most productive and economical) use of resources.
Parkerian Hexad: This is not an information security criterion

ISM3: Personal information should be accessible for a valid purpose to authorized users only and is held for no longer than required
ISO: Confidentiality (partial match)
COBIT: Effectiveness (partial match)
Parkerian Hexad: Confidentiality (partial match)

ISM3: Personal information should preserve the anonymity of the information subjects if necessary, for example not linking user accounts or certificates to an identifiable user
ISO: No equivalent
COBIT: No equivalent
Parkerian Hexad: No equivalent

ISM3: Precision, relevance (up-to-date), completeness and consistency of repositories should exceed Customer needs. It can be measured as the maximum rate of erroneous and outdated information in the information available.
ISO: No equivalent
COBIT: Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
Parkerian Hexad: Utility means usefulness

ISM3: Precision, relevance, completeness and consistency (same objective as the row above)
ISO: No equivalent
COBIT: Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations
Parkerian Hexad: Utility means usefulness

ISM3: Reliability and performance of services and channels should exceed Customer needs. It can be measured as the longest time and the number of times in the availability (performance) time a service, repository, interface or channel can be interrupted according to or exceeding customer needs.
ISO: Reliability (partial match)
COBIT: Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities
Parkerian Hexad: Availability means having timely access to information.

ISM3: Reliability and performance (same objective as the row above)
ISO: Reliability: the property of consistent intended behavior and results
COBIT: Reliability relates to the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities
Parkerian Hexad: Availability means having timely access to information

ISM3: Repositories should be accessed by authorized users only
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
COBIT: Confidentiality concerns the protection of sensitive information from unauthorized disclosure
Parkerian Hexad: Confidentiality refers to limits on who can get what kind of information. For example, executives are concerned about protecting their enterprise's strategic plans from competitors; individuals are concerned about unauthorized access to their financial records.

ISM3: Retention period can be measured as the minimum length of time a repository is kept (preserved) according to or exceeding customer and regulatory requirements
ISO: Integrity: the property of safeguarding the accuracy and completeness of assets
COBIT: Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations
Parkerian Hexad: Integrity refers to being correct or consistent with the intended state of information

ISM3: Secrets (personal, industrial, trade) should be accessible to authorized users only
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
COBIT: Confidentiality concerns the protection of sensitive information from unauthorized disclosure
Parkerian Hexad: Confidentiality refers to limits on who can get what kind of information. For example, executives are concerned about protecting their enterprise's strategic plans from competitors; individuals are concerned about unauthorized access to their financial records.

ISM3: Systems should be as free of weaknesses as possible
ISO: Integrity: the property of safeguarding the accuracy and completeness of assets
COBIT: Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations
Parkerian Hexad: Integrity refers to being correct or consistent with the intended state of information.

ISM3: Systems should run trusted services only
ISO: Integrity: the property of safeguarding the accuracy and completeness of assets
COBIT: Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations
Parkerian Hexad: Integrity refers to being correct or consistent with the intended state of information.

ISM3: Systems that need to be visible to untrusted systems should be as little visible as possible. Systems are visible to trusted systems only
ISO: No equivalent
COBIT: No equivalent
Parkerian Hexad: No equivalent

ISM3: The Authentication Process links the use of user accounts with their owner and manages the lifecycle of sessions
ISO: Authenticity: The property that ensures that the identity of a subject or resource is the one claimed. Authenticity applies to entities such as users, processes, systems and information
COBIT: No equivalent
Parkerian Hexad: No equivalent

ISM3: The Authentication Process (same objective as the row above)
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
COBIT: Confidentiality concerns the protection of sensitive information from unauthorized disclosure.
Parkerian Hexad: Confidentiality refers to limits on who can get what kind of information. For example, executives are concerned about protecting their enterprise's strategic plans from competitors; individuals are concerned about unauthorized access to their financial records.

ISM3: The Authorization Process grants the use of services and interfaces and access to repositories to authorized users and denies it to unauthorized users.
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
COBIT: Confidentiality concerns the protection of sensitive information from unauthorized disclosure.
Parkerian Hexad: Confidentiality refers to limits on who can get what kind of information. For example, executives are concerned about protecting their enterprise's strategic plans from competitors; individuals are concerned about unauthorized access to their financial records.

ISM3: The electricity, temperature and humidity where systems operate should exceed the systems' needs
ISO: No equivalent
COBIT: No equivalent
Parkerian Hexad: No equivalent

ISM3: The Signing Process records the will and intent of the owner of the user account or certificate concerning a repository, such as agreeing, witnessing or claiming authorship of repositories and messages like original works, votes, contracts and agreements.
ISO: Accountability: The property that ensures that the actions of an entity may be traced uniquely to the entity
COBIT: Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations
Parkerian Hexad: No equivalent

ISM3: The Signing Process (same objective as the row above). Digital signatures are a special kind of record.
ISO: Non-repudiation: the ability to prove an action or event has taken place, so that this event or action cannot be repudiated later.
COBIT: No equivalent
Parkerian Hexad: Authenticity refers to correct labeling or attribution of information.

ISM3: Third party services and repositories should be appropriately licensed and accessible only to authorized users
ISO: Confidentiality (partial match)
COBIT: Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations
Parkerian Hexad: Possession or Control

ISM3: The Recording Process registers accurately the results of the registration, authentication, authorization, use of systems and signing processes, so these can be investigated and will and intent or responsibilities determined, within the limits set by Anonymity business objectives. The recording process will normally have to meet business objectives for accurate recording, including date and time. Depending on the security objectives of Anonymity, the recording process normally registers:
Interface ID and Location
User account or certificate ID
Signature
Type of Access Attempt (login, logout, change password, change configuration, connect/disconnect systems, repositories I/O interfaces, enabling/disabling admin access or logging, etc.)
Date and Time of Access attempt
Access attempt result
Repository, Interface, Service or Message accessed
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
COBIT: Confidentiality concerns the protection of sensitive information from unauthorized disclosure.
Parkerian Hexad: Confidentiality refers to limits on who can get what kind of information. For example, executives are concerned about protecting their enterprise's strategic plans from competitors; individuals are concerned about unauthorized access to their financial records.

ISM3: The User Registration Process links user accounts and certificates to identifiable users, and manages the lifecycle of user accounts, certificates and access rights. When protecting the anonymity of users is more important than making them accountable, registration must guarantee that user accounts and certificates are not linked to identifiable users.
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
COBIT: Confidentiality concerns the protection of sensitive information from unauthorized disclosure.
Parkerian Hexad: Confidentiality refers to limits on who can get what kind of information. For example, executives are concerned about protecting their enterprise's strategic plans from competitors; individuals are concerned about unauthorized access to their financial records.

ISM3: Use of services and physical and logical access to repositories and systems should be restricted to authorized users
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
COBIT: Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
Parkerian Hexad: Authenticity refers to correct labeling or attribution of information.

ISM3: Users should be accountable for the repositories and messages they create or modify
ISO: Accountability: The property that ensures that the actions of an entity may be traced uniquely to the entity
COBIT: No equivalent
Parkerian Hexad: Authenticity refers to correct labeling or attribution of information

ISM3: Users should be accountable for their acceptance of contracts and agreements
ISO: Accountability: The property that ensures that the actions of an entity may be traced uniquely to the entity
COBIT: No equivalent
Parkerian Hexad: Authenticity refers to correct labeling or attribution of information

ISM3: Users should be accountable for their use of services
ISO: Accountability: The property that ensures that the actions of an entity may be traced uniquely to the entity
COBIT: No equivalent
Parkerian Hexad: Authenticity refers to correct labeling or attribution of information
Annex II O-ISM3 Business and Security Objectives
Business Objectives
Every organization exists for specific purposes that require it to set goals and meet certain obligations. Business objectives, ranging from aspirational goals to regulatory compliance, may originate internally, or be imposed by an external party such as the government. Their achievement depends on many factors, one being information security.
Sample Business Objectives
Paying the payroll on the 1st of every month.
Paying taxes on time.
Invoice all products and services provided.
Deliver the products and services when and where committed by the organization.
Online booking availability.
Online booking reliability.
Online booking volatility.
Tax information retention.
Old customers' information expiry.
Precision of customer addresses.
Third-party services and repositories appropriately licensed.
Personal information collected proportional to its use.
Personal information held for no longer than required.
Tax records kept for a minimum number of years.
Personal information is protected using the mandated security measures.
Owner of personal information agrees for it to be collected, and has the right to check it and fix it and approve how it will be used.
Repositories with personal information registered with the Data Protection agency.
Security Objectives
Priority Security Objectives determine what availability means for the business. Examples are backup and identification of single points of failure. Resources are allocated according to the priority of protected services, interfaces, and channels. In a multi-tiered information system, the priority of user-facing services is propagated to the lower-level services they depend on.
Priority Security Objectives
Availability: The period of time when a service, repository, interface, or channel must exist, be accessible, and usable (perform according to customer needs) upon demand according to or exceeding customer needs.
Reliability: The longest time and number of times in the availability (performance) time a service, repository, interface, or channel can be interrupted according to or exceeding customer needs.
Volatility: The oldest recent messages and information that can be lost because of an interruption of service, channel, or interface according to or exceeding customer needs.
Durability Security Objectives relate to the generic term integrity and include the planned retention and destruction of information in accordance with policy and business objectives. Durability objectives are supported by archiving and secure disposal techniques.
Durability Security Objectives
Retention Period: The minimum length of time a repository is kept (preserved) according to or exceeding customer and regulatory requirements.
Expiry: The date the expired or end-of-lifecycle repositories and records should be permanently and reliably destroyed according to or exceeding customer and regulatory requirements. Those with personal information of customers and employees often require a specific expiry date.
Information Quality Objectives also relate to integrity and include precision (or accuracy), relevance (how up-to-date information is), completeness, and consistency of repositories. Information quality objectives usually rely upon quality control techniques, but may also include access control, accountability, authorization, and audit techniques as well. The information quality of a repository is a measure of its fitness in fulfilling security objectives.
Sample Information Quality Security Objectives
Completeness: The extent to which a repository is populated (available and consistent) with the information required to meet or exceed customer needs. The lower limit is usually set by business or customer needs, and the upper limit by regulatory needs.
Personal information completeness must be proportional to its use.
The owner of personal information must agree for it to be collected and has the right to check it, fix it, and approve how it will be used or ceded.
The owner of personal information will be given notice when personal data is collected, including who is collecting the data.
Personal information must be used for the purpose agreed with the information owner.
Personal information must not be disclosed without the agreement of the information subject.
Personal information owners will have means to make data collectors accountable for their use of personal information.
Access Control Objectives ensure that the business requirements for confidentiality of protected information (e.g., secrets, personal information, licensed, copyrighted, patented, and trademarked information) are clearly understood by the business. Access control requires the identification and management of authorized users, and typically includes enrolment, role management, segregation, accountability, authorization, and logging techniques for its implementation and control.
Access Control Security Objectives
Granting the use of services and interfaces and access to repositories to authorized users.
Denying the use of services and interfaces and access to repositories to unauthorized users.
Express the will and intent of the owner of a user account or certificate about a repository.
Accurate recording of:
Interface ID and location
User account or certificate ID
Signature
Type of access attempt
Date and time of access attempt
Access attempt result
Repository, interface, service, or message accessed
Personal information is accessible to authorized users only and is held for no longer than required.
Secrets are accessible to authorized users only.
Third-party services and repositories are appropriately licensed and accessible only to authorized users.
Information systems are physically accessible only to authorized users.
Repositories are accessed by authorized users only.
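The "accurate recording" items above define what an access log record must carry. The following added example (written for this study, not code from O-ISM3 or the report) audits constructed JSON log lines for those items; the field names are this example's own assumed log format, not a schema from the standard.

```python
import json
from datetime import datetime

# The recording items O-ISM3 lists, keyed by the field names this example assumes.
REQUIRED = {
    "interface_id": "Interface ID and location",
    "interface_location": "Interface ID and location",
    "principal_id": "User account or certificate ID",
    "signature": "Signature",
    "access_type": "Type of access attempt",
    "timestamp": "Date and time of access attempt",
    "result": "Access attempt result",
    "target": "Repository, interface, service, or message accessed",
}

def audit_record(line):
    """Return the recording items one JSON log line fails to provide (empty if complete)."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        rec = None
    if not isinstance(rec, dict):
        return ["record is not a JSON object"]
    gaps = {desc for key, desc in REQUIRED.items() if not rec.get(key)}
    if rec.get("timestamp"):
        try:  # an accurate date and time must at least be a well-formed timestamp
            datetime.fromisoformat(rec["timestamp"])
        except ValueError:
            gaps.add("Date and time of access attempt (unparseable)")
    return sorted(gaps)

def audit_log(lines):
    """Map the index of each deficient record to its gaps; complete records are omitted."""
    return {n: gaps for n, line in enumerate(lines) if (gaps := audit_record(line))}

# Constructed sample records: the first is complete, the second lacks a signature and
# a target, the third lacks the interface location and carries an unusable timestamp.
SAMPLE_LOG = [
    '{"interface_id": "web-01", "interface_location": "dc-madrid", "principal_id": "alice",'
    ' "signature": "sess:4f2a", "access_type": "read", "timestamp": "2014-03-24T10:15:00",'
    ' "result": "granted", "target": "bookings-db"}',
    '{"interface_id": "web-01", "interface_location": "dc-madrid", "principal_id": "bob",'
    ' "access_type": "write", "timestamp": "2014-03-24T10:16:00", "result": "denied"}',
    '{"interface_id": "api-02", "principal_id": "cert:CN=batch", "signature": "sig:9b",'
    ' "access_type": "read", "timestamp": "not a time", "result": "granted", "target": "tax-records"}',
]
```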
Technical Security Objectives cover the underlying architecture of information systems, and are a step remote from direct impact on the business. Technical security objectives typically include operational objectives for the data center’s safety, reliability, power, as well as the IT managed domain, including software patching and upgrading, maintenance processes, and vulnerability management and resilience to compromise and misuse. Technical security objectives usually depend upon data center infrastructure, technologies such as firewalls, anti-virus, intrusion detection and prevention, and processes such as patch management and secure configuration. Failure to meet technical security objectives puts all other (business and security) objectives at risk, but does not necessarily create a business objective failure itself.
Technical Security Objectives
Systems are as free of weaknesses as possible.
Systems that need to be visible to untrusted systems are as little visible as possible.
Systems run trusted services only.
The electricity, temperature, and humidity where systems operate exceed the system needs.