O-ISM3 Challenge Results Study

Authored by: Vicente Aceituno
Tel: +34 696 470 328
e-mail: [email protected]

COPYRIGHT NOTICE: Version 1.0, 24th of March 2014. This Report is copyrighted by Inovement Europe.

Table of Contents

Introduction
Literature review
    ISO 27000:2009
    COBIT 5
    ITIL:2007
Analysis
    Experiment Design
        Use Case
        Questionnaire
    Methodology
Results
Discussion
    Is there a consensus in information technology standards about the definition of Confidentiality, Integrity and Availability?
    Are Confidentiality, Integrity and Availability sufficient to analyze the security requirements of an information system?
    Are Confidentiality, Integrity and Availability necessary to analyze the security requirements of an information system?
    Is there an alternative to Confidentiality, Integrity and Availability to analyze the security requirements of an information system quantitatively?
Conclusions
    Findings
    Alternative to Confidentiality, Integrity and Availability
    Further Research
    Executive Summary
Works Cited
Annex I Mapping of Information Security Criteria
Annex II O-ISM3 Business and Security Objectives
    Business Objectives
    Security Objectives


Introduction

Information security, also known as cybersecurity, computer security, information assurance or information technology security, is a discipline born with the earliest means of communication of information [1]. The importance of information security has grown as the worldwide economy and society rely more and more on information technology. Every information system provides a value in an organization. This Study makes the assumption that the analysis of the security of an information system must include both the system and the value it provides. This means that analyzing the security requirements of the same information system at different points in time, or in different organizations, will render different results. Information security professionals both in the public and private sector face serious challenges in order to perform effectively for their organizations and clients; among those challenges are:

- Complexity and evolution of organizations, information systems and their environment.
- Limited availability of knowledge about the organization, information systems and their environment.
- Complexity can be analyzed at multiple levels of detail, ranging from the physical level all the way up to trust relationships between organizations.
- Resources available for information security are normally limited.
- Often information security professionals have limited influence within the organization to get things done.
- There is a weak link between efforts and results. Twice as much work doesn't necessarily result in twice as much security.
- The result of a job well done is a negative: no incidents. This makes it difficult to tell the skilled from the lucky.

Professionals in different organizations have different responsibilities, skills and resources. The expectations that organizations place on them, and their accountability, credibility and influence, vary greatly as well. In this context, multiple standards bodies, national and international organizations, and private institutions have worked to advance the practice of information security. Two powerful results of their work and collaboration have been the flurry of information security standards and of certifications, both of products and of professionals, on the market today. A key part of professional certification studies are information security standards. Most standards use the concepts of Confidentiality, Integrity and Availability.


This Study has two purposes:

- Present proof of the shortcomings of these three concepts.
- Present an alternative to these three concepts free of those shortcomings.

The research questions that this Study will answer are the following:

1. Is there a consensus in information technology standards about the definition of Confidentiality, Integrity and Availability?
2. Are Confidentiality, Integrity and Availability sufficient [10] to analyze the security requirements of an information system?
3. Are Confidentiality, Integrity and Availability necessary to analyze the security requirements of an information system?
4. Is there an alternative to Confidentiality, Integrity and Availability to analyze the security requirements of an information system quantitatively?

Challenging established knowledge is always risky. Two examples that come to mind are the slow acceptance of Wegener's theory of continental drift [2] and the little impact that Ignaz Semmelweis's early work on hygiene [3] had. This Study falsifies [4] the usefulness of Confidentiality, Integrity and Availability, but we don't expect a quick paradigm shift [5] as a result.

Literature review

The definitions of Confidentiality, Integrity and Availability given by the most important information technology standards follow.

ISO 27000:2009

Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Integrity: The property of safeguarding the accuracy and completeness of assets.

Availability: The property of being accessible and useable upon demand by an authorized entity.

COBIT 5

Confidentiality: Concerns the protection of sensitive information from unauthorized disclosure.

Integrity: Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.


Availability: Relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.

ITIL:2007

Confidentiality: A security principle that requires that data should only be accessed by authorized people.

Integrity: A security principle that ensures data and Configuration Items are only modified by authorized personnel and Activities. Integrity considers all possible causes of modification, including software and hardware Failure, environmental Events, and human intervention.

Availability: Ability of a Configuration Item or IT Service to perform its agreed Function when required. Availability is determined by Reliability, Maintainability, Serviceability, Performance, and Security. Availability is usually calculated as a percentage. This calculation is often based on Agreed Service Time and Downtime. It is Best Practice to calculate Availability using measurements of the Business output of the IT Service.

Analysis

Experiment Design

If an information security professional wants to understand the security needs of an organization, he or she needs to communicate with those who have the information: the business managers. The design of the experiment assumes that all the necessary information that business managers have is available to the information security professional too, so that what is tested is the professional's ability to obtain that information. The experiment presents participants with a use case that specifies how an organization relies on an information system to conduct business. The participants have access to the use case and to a questionnaire in which specific portions of the use case are given as answers. The participants have to design the questions that would render the answers provided. For a question to be considered correctly formulated, it must be logically consistent with the answer provided. In order to compare the success in obtaining the information with and without Confidentiality, Integrity and Availability, participants choose either to use only those concepts in their questions, or to use none of them. In order to register and identify the participants, they were required to pay a small fee via PayPal. In order to encourage participation, an opportunity to win a prize was offered. The Use Case and Questionnaire follow.


Use Case

Ambiguous SL is a travel agency located in Madrid, Spain. Their business is selling retail travel packages both online and through their offices, which are at street level on a main street. The most important system they own and operate is the Package Sales System, which they use for advertising, sales, and bookings. This system interfaces with the Amadeus GDS system (checking availability and bookings), with VISA (payments), and with an equivalent system of a Moroccan partner (MTravel), as Morocco is a popular destination for Spanish tourists and represents a significant part of the company's business. The owner of Ambiguous SL has put Myrna in charge of IT, among other responsibilities. Myrna has hired you to find out which security measures (controls or processes) would provide the highest return on investment for Ambiguous SL. Myrna will take care of implementation. Your first (and only) task is to make an assessment of Ambiguous SL's security needs. Myrna has named Ignatius as the project manager for the Package Sales System. He is an employee of the company (Confederacy SL) that develops and maintains the Package Sales System for Ambiguous SL. The Package Sales System functionality is as follows (please note this use case is simpler than a real life case):

- Create, Modify and Delete Travel Packages.
- Sell Travel Packages both online and at the office.
- Receive feedback from customers and the public in general.
- Send Travel Package offers to subscribers.
- Manage Claims and Issues.

A high level view of the Package Sales System Database reveals the following data resources:

- Travel Package Archive
- Sales Archive
- Feedback Archive
- Offers Archive
- Claims, Feedback and Incidences Archive

The following list of actions can be performed on each data resource:

- Travel Package Archive: Create, Update, Retire, Publish, Unpublish.
- Sales Archive: Book, Release, Sell, Refund, Update.
- Feedback Archive: Create, Update, Close.
- Offers Archive: Create, Update, Retire, Publish.
- Claims, Feedback and Incidences Archive: Create, Update, Close.

- Sales Statistics Report Archive: Create, Close.

There are certain requirements about who can do what, and where they can do it:

- Only the sales manager can Create, Update and Publish Travel Packages.
- Each salesperson can only view the personal information of his or her own clients.
- Only the sales manager and the person assigned to Feedback and Claims can view the personal information of all clients.
- Only the owner of the company can access the Sales Statistics Report.
- Only the sales manager can create Offers.
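The "who can do what" rules above are the kind of requirement an assessor has to pin down precisely, because one of them (a salesperson sees only his or her own clients) depends on the record being accessed and not only on the role. As an added example, not part of the study or of O-ISM3, the rules are written below as a deny-by-default policy so that each one can be exercised in a test. The role names, the Principal and Client records, the names of the sample people and the function names are assumptions made for this example.

```python
"""Access rules of the Package Sales System as a deny-by-default policy.

Added example (not from the study or O-ISM3). Roles, record types and names
are assumptions; the rules themselves are the five listed in the use case.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    name: str
    role: str  # assumed roles: owner, sales_manager, salesperson, claims_handler, administrator


@dataclass(frozen=True)
class Client:
    client_id: str
    salesperson: str  # name of the salesperson who owns the client relationship


# Rules that do not depend on the record: (role, resource) -> allowed actions.
# Anything not listed here is denied.
_STATIC_RULES = {
    ("sales_manager", "travel_package"): {"create", "update", "publish"},
    ("sales_manager", "offer"): {"create"},
    ("owner", "sales_statistics_report"): {"access"},
}


def is_allowed(principal: Principal, action: str, resource: str,
               record: Optional[Client] = None) -> bool:
    """True only when a use case rule explicitly grants the action."""
    if resource == "client_personal_info" and action == "view":
        if principal.role in ("sales_manager", "claims_handler"):
            return True  # may view the personal information of all clients
        if principal.role == "salesperson":
            # Row-level rule: a salesperson sees only his or her own clients,
            # so a missing record is a denial, not a pass.
            return record is not None and record.salesperson == principal.name
        return False
    return action in _STATIC_RULES.get((principal.role, resource), set())


def audit(requests):
    """Evaluate (principal, action, resource, record) tuples; returns decisions."""
    return [(p.name, action, resource, is_allowed(p, action, resource, record))
            for p, action, resource, record in requests]


# Constructed people and data for the sample run (assumed, not from the use case).
OWNER = Principal("owner", "owner")
MANAGER = Principal("manager", "sales_manager")
ANA = Principal("ana", "salesperson")
LUIS = Principal("luis", "salesperson")
CLAIMS = Principal("claims", "claims_handler")
ADMIN = Principal("admin", "administrator")   # Confederacy SL staff: no business rule grants them anything
CLIENT_OF_ANA = Client("C-1001", salesperson="ana")

SAMPLE_REQUESTS = [
    (MANAGER, "publish", "travel_package", None),             # allowed
    (ANA, "publish", "travel_package", None),                 # denied: not the sales manager
    (ANA, "view", "client_personal_info", CLIENT_OF_ANA),     # allowed: own client
    (LUIS, "view", "client_personal_info", CLIENT_OF_ANA),    # denied: someone else's client
    (CLAIMS, "view", "client_personal_info", CLIENT_OF_ANA),  # allowed: sees all clients
    (OWNER, "access", "sales_statistics_report", None),       # allowed
    (MANAGER, "access", "sales_statistics_report", None),     # denied: owner only
    (MANAGER, "create", "offer", None),                       # allowed
    (ADMIN, "create", "offer", None),                         # denied by default
]


def run_sample():
    """Decisions for the constructed requests, in order."""
    return audit(SAMPLE_REQUESTS)


if __name__ == "__main__":
    for name, action, resource, ok in run_sample():
        print(f"{name:8} {action:8} {resource:24} {'ALLOW' if ok else 'DENY'}")
```

The point of keeping the record-dependent rule in code rather than in a role table is that the salesperson rule cannot be expressed as a role permission at all: whether "view" is allowed depends on which client row is being read, which is exactly the kind of detail an assessor has to extract from the business.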

Certain parts of the Package Sales System are licensed, namely the Operating System, Application Server and Database. As the company and systems are located in Spain, the Package Sales System needs to comply with the Spanish Privacy Law (LOPD). Since the Package Sales System manages VISA payments, it needs to comply with PCI DSS. Some of the users of the Package Sales System are employees of Ambiguous SL; some are temps from Adecco. The administrators of the Package Sales System are employees of Confederacy SL. The general public of Spain is a user and can purchase Travel Packages through the application. The application does not serve the public of countries other than Spain. Persons under the age of 18 can ask for feedback and sign up for offers, but they can't purchase Travel Packages.

The system is located in a properly conditioned room inside the office. The system interfaces with the Internet via a high speed fiber optic connection. The system interfaces with the interconnected systems and users via mail, file transfers and a VPN that connects directly with the MTravel network. The system is expected to work 24x7, but maintenance stoppages of no more than one hour per week outside business hours (business hours are 9 to 5, Tuesday to Sunday) are acceptable. The longest time that the system can be offline during business hours is 2 hours, because sales can be performed with the card terminal (TPV) and handwritten notes can partially replace the use of the system. In case of a major malfunction of the system, it would be acceptable to lose one day of data, since most data could be reconstructed by checking with VISA, Amadeus and MTravel. It is understood that all "live" transactions would be lost in case of an incident. Data needs to be archived for 5 years in order to meet tax regulations. After ten years data should be deleted permanently, as customer behavior changes over time and the data is no longer useful for Business Intelligence. Sales representatives and customers sometimes make mistakes entering data. This is acceptable as long as no more than one percent of the records contain inaccurate information.


In order to create an account in the Package Sales System, potential clients can log in using Facebook or create an account linked to their email address. They can unlink or delete the account at any time, but that does not delete any data in the database if they have purchased a Travel Package, even if they cancelled the purchase. In order to create an account in the Package Sales System, the Sales Manager sends an email to the Administrator. The email states what functions the user should be able to perform. The general public doesn't need an account to provide feedback or sign up for the Offers newsletter. Customers who lose their passwords to the Package Sales System can request a new one, and a link will be sent to their email address. Users who lose their password to access the Package Sales System need to physically visit the Administrator, who resets the password and gives it to them in a written note. As some Offers expire at midnight, the Package Sales System should prevent customers from purchasing Travel Packages after they have expired, even by a few seconds.

There is a development environment that Confederacy SL maintains in their own data center and a pre-production environment at the Ambiguous SL office. The current administrator is subscribed to email lists that notify him of security updates. The Administrator has configured the system using security guidelines found on the Internet for every component. Security patches have not been applied since a patch caused half a day of downtime. The Administrator changes about once every six months. The system has no malware protection. The domain has been registered with Piensasolutions.es. The digital certificates used by the system are from Thawte. No one has been assigned the responsibility to manage the domain or the certificates. The system logs all the sales activity, but no other activity. There is no Firewall. The internet connectivity provider (Telefonica) provides a service that is supposed to deliver "clean" traffic. No part of the Package Sales System is located in a publicly accessible location. No part of the Package Sales System is accessible via a Mobile application, but there are plans to incorporate a solution for this. No part of the Package Sales System is exposed to extreme environmental conditions.
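Several statements in the use case are already quantitative: one hour of maintenance per week outside business hours, at most two hours offline during business hours, one day of data that may be lost, no more than one percent of inaccurate records, and (from the Offers expiring at midnight) a clock that must be right to the second. The following added example, which is not part of the study and is not O-ISM3 itself, turns those statements into thresholds and evaluates constructed outage and backup records against them. The outage records, the function names and the reading of the two-hour limit as a per-incident limit are assumptions made for this example; the thresholds are the ones stated in the use case.

```python
"""Checking the Ambiguous SL use case requirements quantitatively.

Added example (not from the study or O-ISM3). Thresholds come from the use
case text; records, function names and the per-incident reading of the
two-hour limit are assumptions.
"""
from datetime import datetime, time, timedelta

# Thresholds taken from the use case text.
BUSINESS_DAYS = {1, 2, 3, 4, 5, 6}                  # datetime.weekday(): Tuesday .. Sunday
BUSINESS_OPEN, BUSINESS_CLOSE = time(9), time(17)    # "from 9 to 5"
MAX_BUSINESS_OUTAGE = timedelta(hours=2)             # per incident, inside business hours (assumed per incident)
MAX_WEEKLY_MAINTENANCE = timedelta(hours=1)          # per week, and only outside business hours
MAX_DATA_LOSS = timedelta(days=1)                    # tolerated loss after a major malfunction
MAX_CLOCK_SKEW_S = 1.0                               # offers expire at midnight, to the second
MAX_ERROR_RATE = 0.01                                # at most one percent of inaccurate records


def business_overlap(start: datetime, end: datetime) -> timedelta:
    """How much of [start, end) falls inside business hours.

    Walks the interval day by day, so an outage that crosses midnight or
    spans a closed day (Monday) is measured correctly.
    """
    total = timedelta()
    day = start.date()
    while datetime.combine(day, time.min) < end:
        if day.weekday() in BUSINESS_DAYS:
            lo = max(start, datetime.combine(day, BUSINESS_OPEN))
            hi = min(end, datetime.combine(day, BUSINESS_CLOSE))
            if hi > lo:
                total += hi - lo
        day += timedelta(days=1)
    return total


def overlap_hours(start_iso: str, end_iso: str) -> float:
    """Business-hour overlap in hours for two ISO-8601 timestamps."""
    return business_overlap(datetime.fromisoformat(start_iso),
                            datetime.fromisoformat(end_iso)).total_seconds() / 3600


def check_outages(outages):
    """outages: iterable of (start, end, kind), kind 'incident' or 'maintenance'.

    Returns a list of findings; an empty list means every threshold was met.
    """
    findings = []
    maintenance_per_week = {}
    for start, end, kind in outages:
        in_business = business_overlap(start, end)
        if kind == "maintenance":
            if in_business > timedelta():
                findings.append(f"maintenance {start:%Y-%m-%d %H:%M} overlaps business hours by {in_business}")
            week = tuple(start.isocalendar()[:2])   # (ISO year, ISO week)
            maintenance_per_week[week] = maintenance_per_week.get(week, timedelta()) + (end - start)
        elif in_business > MAX_BUSINESS_OUTAGE:
            findings.append(f"incident {start:%Y-%m-%d %H:%M} was down {in_business} inside business hours, "
                            f"limit {MAX_BUSINESS_OUTAGE}")
    for week, total in sorted(maintenance_per_week.items()):
        if total > MAX_WEEKLY_MAINTENANCE:
            findings.append(f"week {week}: {total} of maintenance exceeds the weekly limit {MAX_WEEKLY_MAINTENANCE}")
    return findings


def check_data_objectives(last_backup: datetime, incident_at: datetime,
                          clock_skew_s: float, bad_records: int, total_records: int):
    """Recovery point, clock accuracy and data-entry quality against the use case."""
    findings = []
    lost = incident_at - last_backup
    if lost > MAX_DATA_LOSS:
        findings.append(f"{lost} of data would be lost, limit {MAX_DATA_LOSS}")
    if abs(clock_skew_s) > MAX_CLOCK_SKEW_S:
        findings.append(f"clock skew {clock_skew_s:.1f}s exceeds {MAX_CLOCK_SKEW_S:.0f}s")
    error_rate = bad_records / total_records if total_records else 0.0
    if error_rate > MAX_ERROR_RATE:
        findings.append(f"{error_rate:.2%} of records are inaccurate, limit {MAX_ERROR_RATE:.0%}")
    return findings


# Constructed sample records (24 March 2014, the report date, was a Monday).
SAMPLE_OUTAGES = [
    (datetime(2014, 3, 16, 16, 30), datetime(2014, 3, 16, 18, 0), "maintenance"),  # Sunday: starts during business hours
    (datetime(2014, 3, 17, 22, 0), datetime(2014, 3, 17, 22, 30), "maintenance"),  # Monday night: shop closed, fine
    (datetime(2014, 3, 18, 10, 0), datetime(2014, 3, 18, 13, 0), "incident"),      # Tuesday: 3 h inside business hours
    (datetime(2014, 3, 19, 16, 0), datetime(2014, 3, 20, 10, 0), "incident"),      # overnight: 1 h Wed + 1 h Thu = 2 h, tolerated
]


def run_sample():
    """Evaluate the constructed records; returns (outage findings, data findings)."""
    outage_findings = check_outages(SAMPLE_OUTAGES)
    data_findings = check_data_objectives(
        last_backup=datetime(2014, 3, 20, 2, 0), incident_at=datetime(2014, 3, 21, 3, 0),  # 25 h since last backup
        clock_skew_s=0.4, bad_records=12, total_records=1000)                               # 1.2 % inaccurate
    return outage_findings, data_findings


if __name__ == "__main__":
    for finding in run_sample()[0] + run_sample()[1]:
        print("FINDING:", finding)
```

Run as-is, the sample produces three availability findings (the Sunday maintenance that ran into business hours, the week in which total maintenance reached an hour and a half, and the Tuesday incident) and two data findings (25 hours since the last backup, 1.2 % inaccurate records); the overnight outage counts only the two business hours it overlapped and so passes. None of these checks needed the words Confidentiality, Integrity or Availability, which is the contrast the Challenge below sets up.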

Questionnaire

The questionnaire handed to participants had two columns, Question and Answer. The Question column was empty; the Answer column contained the entries below, and participants had to supply the question that each answer responds to.

- Ambiguous S.L
- Madrid
- Package Sales System
- Clare
- Ignatius
- Create, Modify and Delete Travel Packages. Sell Travel Packages both online and at the office. Receive feedback from customers and the public in general. Send Travel Package offers to subscribers. Manage Claims and Incidences.
- Travel Package Archive; Sales Archive; Feedback Archive; Offers Archive; Claims, Feedback and Incidences Archive
- Travel Package Archive: Create, Update, Retire, Publish, Unpublish. Sales Archive: Book, Release, Sell, Refund, Update. Feedback Archive: Create, Update, Close. Offers Archive: Create, Update, Retire, Publish. Claims, Feedback and Incidences Archive: Create, Update, Close
- Sales Statistics Report
- Spain
- Operating System, Application Server and Database
- Only the chief of sales can Create, Update and Publish Travel Packages.
- Every salesperson can only view the personal information of their own clients.
- Only the chief of sales and the person assigned to Feedback and Claims can view the personal information of all clients.
- Only the chief of sales can create Offers
- Yes, we handle credit card transactions
- Authorized Employees; Authorized Outsourced Employees; Clients over 18 years old; Potential Clients; Specific Groups: (Spain Users) +Location
- Yes, we handle personal information
- Clients; Potential clients
- Unauthorized Employees; Non Employees; Groups: (Non Spain users, Clients younger than 18 old)
- User; Client; Potential Client; Administrator
- Spain
- Mail, File Transfers, VPN
- Amadeus GDS, VISA, Mtravel
- The Package Sales System is expected to be online 24x7
- One hour per week off business hours that are 9 to 5 from Tuesday to Sunday
- Two Hours during business hours that are 9 to 5 from Tuesday to Sunday
- All live transactions can be lost in the event of an interruption of service
- Data needs to be kept for 5 years minimum, in order to meet tax regulations
- After 10 years Package Sales System data can be deleted permanently.
- One percent of records with wrong information
- One day worth of data can be lost in the event of an incident
- Public in general doesn't need an account to provide feedback or signing up for the Offers newsletter. In order to create an account in the Package Sales System, the Sales Manager sends an email to the Administrator
- If the password to access the Package Sales System is lost, customers can request a new one getting a link sent to their mail address. If the password to access the Package Sales System is lost, users need to visit physically the Administrator, who resets the password in the system for them and hands it in a written note
- In order to get an account in the Package Sales System, the Chief of Sales sends a mail message to the Administrator. The mail states what functions the user should be able to perform.
- As some sales are time-sensitive, the difference between real time and time of the systems should not be greater than one second
- Manuals from Internet, no formal process
- The current administrator is subscribed to mail lists that warn him of security updates. Security patches are not applied since one patch caused a half day downtime
- The system has no antimalware protection
- The domain has been registered with Piensasolutions.es.
- The digital certificates used by the system are from Thawte
- No one has been assigned with the responsibility to manage either the domain or the certificates
- The system logs all the sales activity, but not any of the other activity
- There is no Firewall. The internet connectivity provider (Telefonica) provides a service that is supposed to provide "clean" traffic.
- No part of the Package Sales System is located in a publicly accessible location
- No part of the Package Sales System is accessible via Mobile application, but there are plans to incorporate a solution for this.
- No part of the Package Sales System sustains extreme environmental conditions.
- The Administrator changes about once every six months.


Methodology

The existence and opening of the Challenge was announced online via Twitter, an email list with more than 1000 members, LinkedIn groups and a press release that was sent to the most important bloggers and media in information security. The relevant rules and development of the Challenge follow:

- Participants signed up between the 28th of February and the 14th of March (CET time zone) 2014.
- Every participant received a copy of a spreadsheet with the Answers and a registration number within 24h of registration.
- In the spreadsheet, the participant had to choose either the CIA Option or the O-ISM3 Option.
- Each participant had to fill in Questions that would give the Answers provided and send the spreadsheet attached in an e-mail to [email protected], with their registration number in the subject of the mail.
- Questions were evaluated. A single ambiguous question, where the answer is not a perfect match, caused the participant to FAIL the challenge (example of FAIL: "What is the Integrity of the Data?" for the answer "Data needs to be kept for 5 years"; example of PASS: "When does the system need to be Available?" for the answer "Between 8 and 5 Monday to Friday").
- Grammatically or logically inconsistent questions, questions not in the English language or longer than 255 characters, or the inclusion of malicious macros would result in a FAIL.
- For the CIA Option, failure to use at least one of Confidentiality, Integrity and Availability (or Confidential, Integer, Available) in any question would result in a FAIL.
- For the O-ISM3 Option, using any of Confidentiality, Integrity or Availability in any question would result in a FAIL.
- All answers had to be sent by midnight on the 16th of March (CET time zone) 2014.
- Those who had PASSED were to be announced on the 24th of March.
- The results of the entry evaluations could not be contested.
- The names of the participants would not be published without their permission.
- A 500€ prize and a free seat in an O-ISM3 Course would have been awarded. The winner would be chosen from those who PASSED. (Note: no participants PASSED.)

Results

Out of eight people who registered to participate, two submitted their solutions. Both participants chose the O-ISM3 Option, that is, not to use Confidentiality, Integrity and Availability in their questions. Participant 007 got 45 out of 49 questions right. One wrong question (marked in green in the original report) can be attributed to a poor design of the answer; the other incorrect questions were marked in red. That colour marking is not preserved in this text version. His Questionnaire follows:

Q: What is the name of the company?
A: Ambiguous S.L

Q: Where does the company operate from?
A: Madrid

Q: What is the most important system operated by the company?
A: Package Sales System

Q: Who's in charge of IT?
A: Myrna

Q: Who's responsible for this system (Package Sales System)?
A: Ignatius

Q: What are the system's functionalities?
A: Create, Modify and Delete Travel Packages. Sell Travel Packages both online and at the office. Receive feedback from customers and the public in general. Send Travel Package offers to subscribers. Manage Claims and Incidences.

Q: What are the high level data resources used by Package Sales System?
A: Travel Package Archive; Sales Archive; Feedback Archive; Offers Archive; Claims, Feedback and Incidences Archive

Q: What are the actions that can be performed on each data resource?
A: Travel Package Archive: Create, Update, Retire, Publish, Unpublish. Sales Archive: Book, Release, Sell, Refund, Update. Feedback Archive: Create, Update, Close. Offers Archive: Create, Update, Retire, Publish. Claims, Feedback and Incidences Archive: Create, Update, Close

Q: What kind of information does the application generate?
A: Sales Statistics Report

Q: In which country do you provide your services?
A: Spain

Q: Are there parts of the Package Sales System that are licensed?
A: Operating System, Application Server and Database

Q: Is there a requirement regarding who can do what and where with Travel Packages?
A: Only the chief of sales can Create, Update and Publish Travel Packages.

Q: Is there a requirement regarding who can do what and where with client information?
A: Every salesperson can only view the personal information of their own clients.

Q: Is there a requirement regarding who can do what and where with client information?
A: Only the chief of sales and the person assigned to Feedback and Claims can view the personal information of all clients.

Q: Is there a requirement regarding who can do what and where with offers?
A: Only the chief of sales can create Offers

Q: Do you handle any payment card information?
A: Yes, we handle credit card transactions

Q: Who is supposed to access Package Sales System?
A: Authorized Employees; Authorized Outsourced Employees; Clients over 18 years old; Potential Clients; Specific Groups: (Spain Users) +Location

Q: Do you handle any personal information?
A: Yes, we handle personal information

Q: What are the categories of people for which you are handling personal information?
A: Clients; Potential clients

Q: Who should not have access to Package Sales System?
A: Unauthorized Employees; Non Employees; Groups: (Non Spain users, Clients younger than 18 old)

Q: What are the different categories of persons accessing your system?
A: User; Client; Potential Client; Administrator

Q: In which country is your system located?
A: Spain

Q: What kind of interface does your system have with other systems or users?
A: Mail, File Transfers, VPN

Q: Is your system connected to other systems outside the company?
A: Amadeus GDS, VISA, Mtravel

Q: When is your PSS supposed to be up and working?
A: The Package Sales System is expected to be online 24x7

Q: What is the maximum downtime of PSS you are ready to accept for maintenance reasons and when should it better occur?
A: One hour per week off business hours that are 9 to 5 from Tuesday to Sunday

Q: When and how long would a downtime of PSS have an unacceptable impact on your business?
A: Two Hours during business hours that are 9 to 5 from Tuesday to Sunday

Q: In the event PSS goes down, how much data processed by the system can you afford to lose?
A: All live transactions can be lost in the event of an interruption of service

Q: Do you need to archive your data for any regulatory reason?
A: Data needs to be kept for 5 years minimum, in order to meet tax regulations

Q: How long do you need to keep your data for business reasons?
A: After 10 years Package Sales System data can be deleted permanently.

Q: What is your expected level of quality for PSS information?
A: One percent of records with wrong information

Q: In case of an incident with PSS, how much data, in minutes, hours or days before the incident, can you afford to lose?
A: One day worth of data can be lost in the event of an incident

Q: How do you grant access to PSS?
A: Public in general doesn't need an account to provide feedback or signing up for the Offers newsletter. In order to create an account in the Package Sales System, the Sales Manager sends an email to the Administrator

Q: How do you manage passwords for PSS users?
A: If the password to access the Package Sales System is lost, customers can request a new one getting a link sent to their mail address. If the password to access the Package Sales System is lost, users need to visit physically the Administrator, who resets the password in the system for them and hands it in a written note

Q: How do you manage access rights for Ambiguous SL's employees?
A: In order to get an account in the Package Sales System, the Chief of Sales sends a mail message to the Administrator. The mail states what functions the user should be able to perform.

Q: Does the accuracy of the PSS clock have importance?
A: As some sales are time-sensitive, the difference between real time and time of the systems should not be greater than one second

Q: Do you have a process or a standard used to manage the security of your system?
A: Manuals from Internet, no formal process

Q: How do you ensure your system has all the necessary software patches applied in order to prevent exploitation of a known vulnerability?
A: The current administrator is subscribed to mail lists that warn him of security updates. Security patches are not applied since one patch caused a half day downtime

Q: Do you have anti-malware protection on the system?
A: The system has no antimalware protection

Q: Where did you register your Internet domain name?
A: The domain has been registered with Piensasolutions.es.

Q: Who is your digital certificate provider?
A: The digital certificates used by the system are from Thawte

Q: Who is responsible for managing the digital certificates and the domain name?
A: No one has been assigned with the responsibility to manage either the domain or the certificates

Q: What are the actions that are logged by the system?
A: The system logs all the sales activity, but not any of the other activity

Q: Do you protect your system from attacks coming through the internet with a firewall or any filtering system?
A: There is no Firewall. The internet connectivity provider (Telefonica) provides a service that is supposed to provide "clean" traffic.

Q: Do you have a part or the entire system located in an area accessible to the public?
A: No part of the Package Sales System is located in a publicly accessible location

Q: Is PSS accessible through a mobile application?
A: No part of the Package Sales System is accessible via Mobile application, but there are plans to incorporate a solution for this.

Q: Is your system exposed to extreme environmental conditions?
A: No part of the Package Sales System sustains extreme environmental conditions.

Q: How experienced is the administrator of the system?
A: The Administrator changes about once every six months.


Participant 006 got 47 out of 49 questions right. Incorrect questions were marked in red in the original report. His Questionnaire follows:

Question Answer

What is the name of your company? Ambiguous S.L

Where is your company located? Madrid

What is your most important IT system? Package Sales System

Who is responsible for managing the Package Sales System? Myrna

Who is the vendor's contact person for the Package Sales System? Ignatius

Which functionality does the Package Sales System offer?

Create, Modify and Delete Travel Packages. Sell Travel Packages both online and at the office. Receive feedback from customers and the public in general. Send Travel Package offers to subscribers. Manage Claims and Incidences.

Which data resources does the Package Sales System use?

Travel Package Archive
Sales Archive
Feedback Archive
Offers Archive
Claims, Feedback and Incidences Archive

Which action can be performed on each data resource of the Package Sales System?

Travel Package Archive: Create, Update, Retire, Publish, Unpublish. Sales Archive: Book, Release, Sell, Refund, Update. Feedback Archive: Create, Update, Close. Offers Archive: Create, Update, Retire, Publish. Claims, Feedback and Incidences Archive: Create, Update, Close

Which data resource contains the most important data? Sales Statistics Report

In which country is the vendor of the Package Sales System located? Spain

Which parts of the Package Sales System are licensed?

Operating System, Application Server and Database

Who can change data of the Travel Packages?

Only the chief of sales can Create, Update and Publish Travel Packages.

Are principles of information segregation used for the Package Sales System?

Every salesperson can only view the personal information of their own clients.


Is the principle of information segregation effective for every user role and account?

Only the chief of sales and the person assigned to Feedback and Claims can view the personal information of all clients.

Who can add data to the Offers Archive? Only the chief of sales can create Offers

Do you handle credit card transactions within the Package Sales System? Yes, we handle credit card transactions

Who is allowed access to the Package Sales System?

Authorized Employees
Authorized Outsourced Employees
Clients over 18 years old
Potential Clients
Specific Groups: (Spain Users) +Location

Do you handle personal information within the Package Sales System? Yes, we handle personal information

To whom does the personal information belong which is processed by the Package Sales System?

Clients
Potential clients

Who may not access the Package Sales System?

Unauthorized Employees
Non Employees
Groups: (Non Spain users, Clients younger than 18 years old)

Which roles (types of users) exist within the Package Sales System?

User
Client
Potential Client
Administrator

Where are the users of the Package Sales System physically located? Spain

By what means does the Package Sales System interface with other systems? Mail, File Transfers, VPN

To which other systems does the Package Sales System have interfaces? Amadeus GDS, VISA, Mtravel

During which time should the Package Sales System be online?

The Package Sales System is expected to be online 24x7

During which time may maintenance services be performed on the Package Sales System?

One hour per week off business hours that are 9 to 5 from Tuesday to Sunday

What is the maximum tolerable amount of time the Package Sales System may be offline during business hours?

Two Hours during business hours that are 9 to 5 from Tuesday to Sunday

What data can be lost upon interruption of service?

All live transactions can be lost in the event of an interruption of service


Do you have requirements to archive the system data for a specific period of time?

Data needs to be kept for 5 years minimum, in order to meet tax regulations

After what period of time may the data be disposed of?

After 10 years Package Sales System data can be deleted permanently.

What is the maximum tolerable amount of data in the system that may be wrong?

One percent of records with wrong information

What is the maximum tolerable amount of data that may be lost in the case of an incident?

One day worth of data can be lost in the event of an incident

Can parts of the service be used without an account and how can an account be created?

The public in general doesn't need an account to provide feedback or to sign up for the Offers newsletter. In order to create an account in the Package Sales System, the Sales Manager sends an email to the Administrator.

What procedures are in place to reset an account password?

If the password to access the Package Sales System is lost, customers can request a new one by getting a link sent to their mail address. If the password to access the Package Sales System is lost, users need to visit the Administrator in person, who resets the password in the system for them and hands it over in a written note.

What procedure needs to be followed to create an account?

In order to get an account in the Package Sales System, the Chief of Sales sends a mail message to the Administrator. The mail states what functions the user should be able to perform.

What is the maximum amount of time the system time may differ from real time?

As some sales are time-sensitive, the difference between real time and time of the systems should not be greater than one second

Is a formal system hardening process followed in the system configuration?

Manuals from Internet, no formal process

Is a patch management process followed for the system?

The current administrator is subscribed to mail lists that warn him of security updates. Security patches are not applied since one patch caused a half day of downtime.

Is an antimalware protection in place for the system?

The system has no antimalware protection.

Where is the system domain registered?

The domain has been registered with Piensasolutions.es.


Are digital certificates used for the system, if yes who issued the certificates?

The digital certificates used by the system are from Thawte

Who is responsible for managing the domain and the associated certificates?

No one has been assigned with the responsibility to manage either the domain or the certificates

Which system activities are logged? The system logs all the sales activity, but none of the other activity.

Are protection measures on network level (e.g. firewall) employed?

There is no Firewall. The internet connectivity provider (Telefonica) provides a service that is supposed to provide "clean" traffic.

Are parts of the system located in a publicly accessible area?

No part of the Package Sales System is located in a publicly accessible location

Is the system accessible via a mobile application?

No part of the Package Sales System is accessible via Mobile application, but there are plans to incorporate a solution for this.

Are parts of the system exposed to extreme environmental conditions?

No part of the Package Sales System sustains extreme environmental conditions.

How often does the system administrator change?

The Administrator changes about once every six months.

Discussion

The small number of participants precludes any statistical analysis of the data.

Is there a consensus in information technology standards about the definition of Confidentiality, Integrity and Availability?

Checking the literature (page 4) we can confidently answer: No.

Are Confidentiality, Integrity and Availability sufficient to analyze the security requirements of an information system?

As no participant decided to use Confidentiality, Integrity and Availability, the answer would be inconclusive. On the other hand, it is easy to find a question that can’t be asked using only Confidentiality, Integrity and Availability, for example:

Question: Which system activities are logged?

Answer: The system logs all the sales activity, but none of the other activity.

The answer for this question is therefore: No.


Are Confidentiality, Integrity and Availability necessary to analyze the security requirements of an information system?

Combining the results from both participants, it is possible to fully analyze the security requirements of the Package Sales System without mentioning Confidentiality, Integrity or Availability. The answer for this question is therefore: No.

Is there an alternative to Confidentiality, Integrity and Availability to analyze the security requirements of an information system quantitatively?

Combining the results from both participants, it is possible to fully analyze the security requirements of the Package Sales System without mentioning Confidentiality, Integrity or Availability. The answer for this question is therefore: Yes.

Conclusions

Findings

Confidentiality, Integrity and Availability are neither sufficient nor necessary to analyze the security requirements of an information system. This Study proves that an alternative is possible.

Alternative to Confidentiality, Integrity and Availability

Following the Scientific Method [6], the need for measurements free of variance, repeatable and independent of the observer led to the creation of Operational Definitions [7]. This is the approach taken by the definition of Security Objectives in O-ISM3 [8]. There are two important consequences of the use of operational definitions. One is that operational definitions can be built on top of other operational definitions: it is possible to define Threat, Incident, Vulnerability and Weakness, among others, in terms of Security Objectives. The other consequence is that every security requirement has units. The units can belong to different Levels of Measurement [9]; in the Use Case used in this Study they are either Nominal or Ratio. Example of Nominal:

Are parts of the system exposed to extreme environmental conditions?

No part of the Package Sales System sustains extreme environmental conditions.


Who may not access the Package Sales System?

Unauthorized Employees
Non Employees
Groups: (Non Spain users, Clients younger than 18 years old)

Example of Ratio:

Do you have requirements to archive the system data for a specific period of time?

Data needs to be kept for 5 years minimum, in order to meet tax regulations

After what period of time may the data be disposed of?

After 10 years Package Sales System data can be deleted permanently.

The use of units makes it possible to manage security quantitatively. With security requirements that have units, it becomes possible, or even easy, to perform management that is otherwise subjective, difficult or impossible:

1. Determine success criteria: A security objective can be met or failed. (When a security objective is failed, there has been an Incident).

2. Perform an assessment of the value of information security activities. Those that contribute to meet a security objective are valuable.

3. Perform an assessment of the return of investment of information security activities.

4. Prioritize the use of resources to maximize the value of information security activities.

5. Plan for the resources necessary to meet security objectives.

6. Check whether management decisions render the expected results.
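The success criterion in step 1 only works because each objective has a level of measurement and, for Ratio objectives, a unit and a limit. The following added example (written for this page, not code from the Study or from O-ISM3) models that idea: the objectives are constructed from Participant 006's Use Case answers, the observations are invented sample data, and a failed objective is reported as an Incident.

```python
"""Operationally defined security objectives evaluated as met / failed.

Added example, not part of the O-ISM3 study or standard. Each objective
carries a level of measurement (Nominal or Ratio); Ratio objectives also
carry a unit and a limit, so an observation can be judged without opinion.
Objective values are constructed from Participant 006's questionnaire;
observations are constructed sample data for one reporting period.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Union

Value = Union[float, str]


@dataclass(frozen=True)
class RatioObjective:
    """Objective with a unit; "max" limits are upper bounds, "min" lower bounds."""
    name: str
    unit: str
    limit: float
    bound: str  # "max" or "min"

    def is_met(self, observed: float) -> bool:
        if self.bound == "max":
            return observed <= self.limit
        if self.bound == "min":
            return observed >= self.limit
        raise ValueError(f"unknown bound {self.bound!r}")


@dataclass(frozen=True)
class NominalObjective:
    """Objective without a unit; met when the observed category is allowed."""
    name: str
    allowed: FrozenSet[str]

    def is_met(self, observed: str) -> bool:
        return observed in self.allowed


Objective = Union[RatioObjective, NominalObjective]


@dataclass(frozen=True)
class Result:
    name: str
    status: str  # "met", "failed" (an Incident) or "unmeasured"
    detail: str


# Constructed from the Package Sales System answers (Participant 006).
OBJECTIVES: List[Objective] = [
    RatioObjective("Offline time during business hours", "hours", 2, "max"),
    RatioObjective("Data lost in an incident (volatility)", "days", 1, "max"),
    RatioObjective("Records with wrong information", "percent", 1, "max"),
    RatioObjective("System clock difference from real time", "seconds", 1, "max"),
    RatioObjective("Data retention for tax regulations", "years", 5, "min"),
    NominalObjective("Environmental conditions", frozenset({"normal"})),
    NominalObjective("Physical location", frozenset({"not publicly accessible"})),
]


def evaluate(objectives: List[Objective], observations: Dict[str, Value]) -> List[Result]:
    """Judge every objective against its observation; a missing observation is
    reported as unmeasured rather than silently counted as met."""
    results: List[Result] = []
    for obj in objectives:
        observed = observations.get(obj.name)
        if observed is None:
            results.append(Result(obj.name, "unmeasured", "no observation recorded"))
            continue
        if isinstance(obj, RatioObjective):
            detail = f"observed {observed} {obj.unit}, limit {obj.bound} {obj.limit} {obj.unit}"
        else:
            detail = f"observed {observed!r}, allowed {sorted(obj.allowed)}"
        status = "met" if obj.is_met(observed) else "failed"
        results.append(Result(obj.name, status, detail))
    return results


def incidents(results: List[Result]) -> List[str]:
    """A failed security objective is, by the Study's definition, an Incident."""
    return [r.name for r in results if r.status == "failed"]


# Constructed sample observations for one reporting period.
SAMPLE_OBSERVATIONS: Dict[str, Value] = {
    "Offline time during business hours": 3.5,      # exceeds the 2 hour limit
    "Data lost in an incident (volatility)": 0.5,
    "Records with wrong information": 0.4,
    "System clock difference from real time": 2.3,  # exceeds the 1 second limit
    "Data retention for tax regulations": 6,
    "Environmental conditions": "normal",
    # "Physical location" is deliberately left without an observation
}


if __name__ == "__main__":
    report = evaluate(OBJECTIVES, SAMPLE_OBSERVATIONS)
    for r in report:
        print(f"{r.status:10} {r.name}: {r.detail}")
    print("Incidents:", incidents(report))
```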

Further Research

It would be of interest to validate the following research questions:

Can Threat be defined with an operational definition, in relation with Security Objectives?

Can Weakness be defined with an operational definition, in relation with Security Objectives?

Can Vulnerability be defined with an operational definition, in relation with Security Objectives?

Can Security be defined with an operational definition, in relation with Security Objectives?

Can Risk be defined with an operational definition, in relation with Security Objectives?

This Challenge took the point of view of the information security professional. It would be valuable to replicate this Challenge from the point of view of the final client or user of information security, comparing whether they find it easier to answer questions that use Confidentiality, Integrity and Availability or questions of the same nature as those used in this Study.

Executive Summary

The lack of consensus in information technology standards about the definition of Confidentiality, Integrity and Availability leads to high variance in the work of different individuals when carrying out their information security duties. High variance is undesirable in disciplines where results are important (architecture, medicine, aviation, for example), and should be avoided. Confidentiality, Integrity and Availability are neither sufficient nor necessary to analyze the security requirements of an information system. The results of this Study call for the replacement of the current definitions of Confidentiality, Integrity and Availability with an alternative where consensus is wider, variance is smaller, communication with business stakeholders is easier, and quantitative management of information security becomes possible.

Works Cited

1. http://en.wikipedia.org/w/index.php?title=Information_security&oldid=598736584

2. http://en.wikipedia.org/w/index.php?title=Alfred_Wegener&oldid=597391093

3. http://en.wikipedia.org/w/index.php?title=Ignaz_Semmelweis&oldid=596591369

4. http://en.wikipedia.org/w/index.php?title=Karl_Popper&oldid=600025946

5. http://en.wikipedia.org/w/index.php?title=Thomas_Kuhn&oldid=595760171

6. http://en.wikipedia.org/w/index.php?title=Scientific_method&oldid=599211918

7. http://en.wikipedia.org/w/index.php?title=Operational_definition&oldid=597679965

8. Open Information Security Management Maturity Model (O-ISM3)

9. http://en.wikipedia.org/w/index.php?title=Level_of_measurement&oldid=599847388

10. http://en.wikipedia.org/wiki/Necessity_and_sufficiency

Annex I Mapping of Information Security Criteria

The mapping table has four columns: ISM3 Security Objectives, ISO (Integrity, Availability, Confidentiality), COBIT Information Criteria and Parkerian Hexad. Each row is listed below with the column name before each cell.

ISM3 Security Objective: Accurate time and date should be reflected in all records
ISO: No equivalent
COBIT: No equivalent
Parkerian Hexad: No equivalent

ISM3 Security Objective: Availability of repositories, services and channels should exceed Customer needs. It can be measured as the period of time when a service, repository, interface or channel must exist, be accessible and usable (perform according to customer needs) upon demand. It is measured as well by the oldest recent messages and information that can be lost because of an interruption of service, channel or interface
ISO: Availability is the property of being accessible and usable upon demand by an authorized entity
COBIT: Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities
Parkerian Hexad: Availability means having timely access to information

ISM3 Security Objective: Completeness: The extent to which a repository is populated (available and consistent) with the information required to meet or exceed customer needs. The lower limit is usually set by business or customer needs, and the upper limit by regulatory needs
ISO: No equivalent
COBIT: Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner
Parkerian Hexad: Utility means usefulness

ISM3 Security Objective: Completeness: The extent to which a repository is populated (available and consistent) with the information required to meet or exceed customer needs. The lower limit is usually set by business or customer needs, and the upper limit by regulatory needs
ISO: No equivalent
COBIT: Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations
Parkerian Hexad: Utility means usefulness

ISM3 Security Objective: Compliance Needs and Limitations. Examples:
- Third party services and repositories need to be appropriately licensed.
- Personal information completeness must be proportional to its use.
- Personal information must be protected using certain security measures depending on the type of personal information.
- The owner of Personal information must agree for it to be collected and he has the right to check it, fix it and approve how it will be used or ceded.
- Encryption must be used under legal limitations.
- Secrets must be kept according to the terms of agreed Non-Disclosure Agreements.
- The owner of Personal information will be given notice when his data is being collected, including who is collecting the data.
- Personal information must be used for the purpose agreed with the information owner.
- Personal information must not be disclosed without the agreement of the information owner.
- Personal information owners will have means to make data collectors accountable for their use of his personal information.
- Personal information is held for no longer than required.
- Tax records must be kept for a minimum number of years.
- Repositories with Personal information have to be registered with a Data Protection agency.
ISO: No equivalent
COBIT: Compliance deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, e.g., externally imposed business criteria as well as internal policies
Parkerian Hexad: No equivalent

ISM3 Security Objective: Expired or end of life-cycle repositories should be permanently destroyed. It can be measured as the date the expired or end of life-cycle repositories and records should be permanently and reliably destroyed.
ISO: No equivalent
COBIT: No equivalent
Parkerian Hexad: No equivalent

ISM3 Security Objective: Information systems and repositories should be physically accessible only to authorized users
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
COBIT: Confidentiality concerns the protection of sensitive information from unauthorized disclosure.
Parkerian Hexad: Possession or Control

ISM3 Security Objective: Intellectual property (licensed, copyrighted, patented and trademarks) should be accessible to authorized users only
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
COBIT: Confidentiality concerns the protection of sensitive information from unauthorized disclosure.
Parkerian Hexad: Confidentiality refers to limits on who can get what kind of information. For example, executives are concerned about protecting their enterprise’s strategic plans from competitors; individuals are concerned about unauthorized access to their financial records.

ISM3 Security Objective: This is a business objective, not a security objective
ISO: This is not an information security criterion
COBIT: Efficiency concerns the provision of information through the optimal (most productive and economical) use of resources.
Parkerian Hexad: This is not an information security criterion

ISM3 Security Objective: Personal information should be accessible for a valid purpose to authorized users only and is held for no longer than required
ISO: Confidentiality (partial match)
COBIT: Effectiveness (partial match)
Parkerian Hexad: Confidentiality (partial match)

ISM3 Security Objective: Personal information should preserve the anonymity of the information subjects if necessary, for example not linking user accounts or certificates to an identifiable user
ISO: No equivalent
COBIT: No equivalent
Parkerian Hexad: No equivalent

ISM3 Security Objective: Precision, relevance (up-to-date), completeness and consistency of repositories should exceed Customer needs. It can be measured as the maximum rate of erroneous and outdated information in the information available.
ISO: No equivalent
COBIT: Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
Parkerian Hexad: Utility means usefulness

ISM3 Security Objective: Precision, relevance (up-to-date), completeness and consistency of repositories should exceed Customer needs. It can be measured as the maximum rate of erroneous and outdated information in the information available.
ISO: No equivalent
COBIT: Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations
Parkerian Hexad: Utility means usefulness

ISM3 Security Objective: Reliability and performance of services and channels should exceed Customer needs. It can be measured as the longest time and the number of times in the availability (performance) time a service, repository, interface or channel can be interrupted according to or exceeding customer needs.
ISO: Reliability (partial match)
COBIT: Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities
Parkerian Hexad: Availability means having timely access to information.

ISM3 Security Objective: Reliability and performance of services and channels should exceed Customer needs. It can be measured as the longest time and the number of times in the availability (performance) time a service, repository, interface or channel can be interrupted according to or exceeding customer needs
ISO: Reliability: the property of consistent intended behavior and results
COBIT: Reliability relates to the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities
Parkerian Hexad: Availability means having timely access to information

ISM3 Security Objective: Repositories should be accessed by authorized users only
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
COBIT: Confidentiality concerns the protection of sensitive information from unauthorized disclosure
Parkerian Hexad: Confidentiality refers to limits on who can get what kind of information. For example, executives are concerned about protecting their enterprise’s strategic plans from competitors; individuals are concerned about unauthorized access to their financial records.

ISM3 Security Objective: Retention period can be measured as the minimum length of time a repository is kept (preserved) according to or exceeding customer and regulatory requirements
ISO: Integrity: the property of safeguarding the accuracy and completeness of assets
COBIT: Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations
Parkerian Hexad: Integrity refers to being correct or consistent with the intended state of information

ISM3 Security Objective: Secrets (personal, industrial, trade) should be accessible to authorized users only
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
COBIT: Confidentiality concerns the protection of sensitive information from unauthorized disclosure
Parkerian Hexad: Confidentiality refers to limits on who can get what kind of information. For example, executives are concerned about protecting their enterprise’s strategic plans from competitors; individuals are concerned about unauthorized access to their financial records.

ISM3 Security Objective: Systems should be as free of weaknesses as possible
ISO: Integrity: the property of safeguarding the accuracy and completeness of assets
COBIT: Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations
Parkerian Hexad: Integrity refers to being correct or consistent with the intended state of information.

ISM3 Security Objective: Systems should run trusted services only
ISO: Integrity: the property of safeguarding the accuracy and completeness of assets
COBIT: Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations
Parkerian Hexad: Integrity refers to being correct or consistent with the intended state of information.

ISM3 Security Objective: Systems that need to be visible to not trusted systems are the least visible possible. Systems are visible to trusted systems only
ISO: No equivalent
COBIT: No equivalent
Parkerian Hexad: No equivalent

ISM3 Security Objective: The Authentication Process links the use of user accounts with their owner and manages the lifecycle of sessions
ISO: Authenticity: The property that ensures that the identity of a subject or resource is the one claimed. Authenticity applies to entities such as users, processes, systems and information
COBIT: No equivalent
Parkerian Hexad: No equivalent

ISM3 Security Objective: The Authentication Process links the use of user accounts with their owner and manages the lifecycle of sessions
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
COBIT: Confidentiality concerns the protection of sensitive information from unauthorized disclosure.
Parkerian Hexad: Confidentiality refers to limits on who can get what kind of information. For example, executives are concerned about protecting their enterprise’s strategic plans from competitors; individuals are concerned about unauthorized access to their financial records.

ISM3 Security Objective: The Authorization Process grants the use of services and interfaces and access to repositories to authorized users and denies it to unauthorized users.
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
COBIT: Confidentiality concerns the protection of sensitive information from unauthorized disclosure.
Parkerian Hexad: Confidentiality refers to limits on who can get what kind of information. For example, executives are concerned about protecting their enterprise’s strategic plans from competitors; individuals are concerned about unauthorized access to their financial records.

ISM3 Security Objective: The electricity, temperature and humidity where systems operate should exceed the systems needs
ISO: No equivalent
COBIT: No equivalent
Parkerian Hexad: No equivalent

ISM3 Security Objective: The Signing Process records the will and intent of the owner of the user account or certificate concerning a repository, such as agreeing, witnessing or claiming authorship of repositories and messages like original works, votes, contracts and agreements.
ISO: Accountability: The property that ensures that the actions of an entity may be traced uniquely to the entity
COBIT: Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations
Parkerian Hexad: No equivalent

ISM3 Security Objective: The Signing Process records the will and intent of the owner of the user account or certificate concerning a repository, such as agreeing, witnessing or claiming authorship of repositories and messages like original works, votes, contracts and agreements. Digital signatures are a special kind of record.
ISO: Non-repudiation: the ability to prove an action or event has taken place, so that this event or action cannot be repudiated later.
COBIT: No equivalent
Parkerian Hexad: Authenticity refers to correct labeling or attribution of information.

ISM3 Security Objective: Third party services and repositories should be appropriately licensed and accessible only to authorized users
ISO: Confidentiality (partial match)
COBIT: Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations
Parkerian Hexad: Possession or Control

ISM3 Security Objective: The Recording Process registers accurately the results of the registration, authentication, authorization, use of systems and signing processes, so these can be investigated and will and intent or responsibilities determined, within the limits set by Anonymity business objectives. The recording process will normally have to meet business objectives for accurate recording, including date and time. Depending on the security objectives of Anonymity, the recording process normally registers:
- Interface ID and Location
- User account or certificate ID
- Signature
- Type of Access Attempt (login, logout, change password, change configuration, connect/disconnect systems, repositories I/O interfaces, enabling/disabling admin access or logging, etc)
- Date and Time of Access attempt
- Access attempt result
- Repository, Interface, Service or Message accessed.
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
COBIT: Confidentiality concerns the protection of sensitive information from unauthorized disclosure.
Parkerian Hexad: Confidentiality refers to limits on who can get what kind of information. For example, executives are concerned about protecting their enterprise’s strategic plans from competitors; individuals are concerned about unauthorized access to their financial records.

ISM3 Security Objective: The User Registration Process links user accounts and certificates to identifiable users, and manages the lifecycle of user accounts, certificates and access rights. When protecting the anonymity of users is more important than making them accountable, registration must guarantee that user accounts and certificates are not linked to identifiable users.
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
COBIT: Confidentiality concerns the protection of sensitive information from unauthorized disclosure.
Parkerian Hexad: Confidentiality refers to limits on who can get what kind of information. For example, executives are concerned about protecting their enterprise’s strategic plans from competitors; individuals are concerned about unauthorized access to their financial records.

ISM3 Security Objective: Use of services and physical and logical access to repositories and systems should be restricted to authorized users
ISO: Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
COBIT: Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
Parkerian Hexad: Authenticity refers to correct labeling or attribution of information.

ISM3 Security Objective: Users should be accountable for the repositories and messages they create or modify
ISO: Accountability: The property that ensures that the actions of an entity may be traced uniquely to the entity
COBIT: No equivalent
Parkerian Hexad: Authenticity refers to correct labeling or attribution of information

ISM3 Security Objective: Users should be accountable for their acceptance of contracts and agreements
ISO: Accountability: The property that ensures that the actions of an entity may be traced uniquely to the entity
COBIT: No equivalent
Parkerian Hexad: Authenticity refers to correct labeling or attribution of information

ISM3 Security Objective: Users should be accountable for their use of services
ISO: Accountability: The property that ensures that the actions of an entity may be traced uniquely to the entity
COBIT: No equivalent
Parkerian Hexad: Authenticity refers to correct labeling or attribution of information


Annex II O-ISM3 Business and Security Objectives

Business Objectives

Every organization exists for specific purposes that require it to set goals and meet certain obligations. Business objectives, ranging from aspirational goals to regulatory compliance, may originate internally, or be imposed by an external party such as the government. Their achievement depends on many factors, one being information security.

Sample Business Objectives

Paying the payroll on the 1st of every month.

Paying taxes on time.

Invoice all products and services provided.

Deliver the products and services when and where committed by the organization.

Online booking availability.

Online booking reliability.

Online booking volatility.

Tax information retention.

Old customer’s information expiry.

Precision of customer addresses.

Third-party services and repositories appropriately licensed.

Personal information collected proportional to its use.

Personal information held for no longer than required.

Tax records kept for a minimum number of years.

Personal information is protected using the mandated security measures.

Owner of personal information agrees for it to be collected, and has the right to check it and fix it and approve how it will be used.

Repositories with personal information registered with the Data Protection agency.

Security Objectives

Priority Security Objectives determine what availability means for the business. Examples are backup and identification of single points of failure. Resources are allocated according to the priority of protected services, interfaces, and channels. In a multi-tiered information system, the priority of user-facing services is propagated to the lower-level services they depend on.

Priority Security Objectives

Availability: The period of time when a service, repository, interface, or channel must exist, be accessible, and usable (perform according to customer needs) upon demand, according to or exceeding customer needs.

Reliability: The longest single interruption, and the number of interruptions, of a service, repository, interface, or channel that can be tolerated within its availability (performance) time, according to or exceeding customer needs.

Volatility: The oldest recent messages and information that can be lost because of an interruption of a service, channel, or interface, according to or exceeding customer needs.
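The three Priority objectives above are measurable, so they can be checked against an outage record. The following script is an added illustration, not code from the O-ISM3 study: it models an availability window, a reliability limit (longest interruption and number of interruptions inside that window) and a volatility limit (oldest recent data that may be lost), then evaluates a constructed month of interruptions for an "online booking" service. The thresholds, the window and the interruption records are all constructed; the choice to count data loss from every interruption, but interruption time only inside the availability window, is this example's reading of the definitions.

```python
"""Evaluate O-ISM3 Priority Security Objectives against an outage record.

Added illustration, not code from the O-ISM3 study.  The objective thresholds,
the availability window and the interruption records are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PriorityObjectives:
    # Availability: daily window (24h clock) in which the service must be usable.
    window_start_hour: int
    window_end_hour: int
    # Reliability: longest single interruption and number of interruptions
    # tolerated inside the availability window over the evaluation period.
    max_interruption_minutes: float
    max_interruptions: int
    # Volatility: oldest recent data that may be lost when an interruption occurs.
    max_data_loss_minutes: float


@dataclass(frozen=True)
class Interruption:
    start: datetime
    end: datetime
    # Age of the newest data that survived the interruption (time since the last
    # replicated write), i.e. how much recent information was lost.
    data_loss_minutes: float


def minutes(td: timedelta) -> float:
    return td.total_seconds() / 60


def window_overlap_minutes(obj: PriorityObjectives, i: Interruption) -> float:
    """Minutes of the interruption that fall inside the availability window.

    Assumes start and end lie on the same calendar day; an interruption that
    happens entirely outside the window does not count against reliability.
    """
    day = i.start.replace(hour=0, minute=0, second=0, microsecond=0)
    w_start = day + timedelta(hours=obj.window_start_hour)
    w_end = day + timedelta(hours=obj.window_end_hour)
    overlap = min(i.end, w_end) - max(i.start, w_start)
    return max(minutes(overlap), 0.0)


def evaluate(obj: PriorityObjectives, interruptions) -> dict:
    """Map each objective to (met, observed value in minutes or count)."""
    in_window = [m for m in (window_overlap_minutes(obj, i) for i in interruptions) if m > 0]
    longest = max(in_window, default=0.0)
    # Data lost is lost whether or not the outage hit the window, so volatility
    # is judged over every interruption.
    worst_loss = max((i.data_loss_minutes for i in interruptions), default=0.0)
    return {
        "reliability_duration": (longest <= obj.max_interruption_minutes, longest),
        "reliability_count": (len(in_window) <= obj.max_interruptions, len(in_window)),
        "volatility": (worst_loss <= obj.max_data_loss_minutes, worst_loss),
    }


# Constructed objectives for an "online booking" service: usable 08:00-20:00,
# no single outage over 15 minutes, at most two outages a month, at most five
# minutes of bookings lost per outage.
BOOKING_OBJECTIVES = PriorityObjectives(8, 20, 15.0, 2, 5.0)

# Constructed outage log for one month.
MARCH_INTERRUPTIONS = [
    Interruption(datetime(2024, 3, 3, 7, 50), datetime(2024, 3, 3, 8, 10), 2.0),
    Interruption(datetime(2024, 3, 10, 22, 0), datetime(2024, 3, 10, 23, 30), 30.0),
    Interruption(datetime(2024, 3, 17, 12, 0), datetime(2024, 3, 17, 12, 25), 3.0),
]


if __name__ == "__main__":
    for name, (met, observed) in evaluate(BOOKING_OBJECTIVES, MARCH_INTERRUPTIONS).items():
        print(f"{name:22} {'met' if met else 'MISSED':7} observed={observed}")
```

With the constructed data the count objective is met (two in-window interruptions), but the 25-minute midday outage breaks the duration limit and the night outage, although it does not count against reliability, loses 30 minutes of bookings and so breaks the volatility objective.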

Durability Security Objectives relate to the generic term integrity and include the planned retention and destruction of information in accordance with policy and business objectives. Durability objectives are supported by archiving and secure disposal techniques.

Durability Security Objectives

Retention Period: The minimum length of time a repository is kept (preserved) according to or exceeding customer and regulatory requirements.

Expiry: The date the expired or end-of-lifecycle repositories and records should be permanently and reliably destroyed according to or exceeding customer and regulatory requirements. Those with personal information of customers and employees often require a specific expiry date.
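Retention Period and Expiry pull in opposite directions (keep for at least N years, destroy after M years), so a disposal routine has to apply both and refuse a policy where M is shorter than N. The script below is an added illustration, not code from the O-ISM3 study: it encodes a policy as a minimum retention and an optional expiry, adds a legal-hold flag that suspends destruction, and classifies each repository as retain, hold, eligible or destroy on a given date. The policies, repositories and evaluation date are constructed.

```python
"""Apply O-ISM3 Durability objectives (Retention Period and Expiry) to repositories.

Added illustration, not code from the O-ISM3 study.  Policies, repositories
and the evaluation date are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class DurabilityPolicy:
    name: str
    retention_years: int          # minimum preservation time (may be regulatory)
    expiry_years: Optional[int]   # when destruction becomes mandatory; None = never

    def __post_init__(self):
        # A policy that demands destruction before the minimum retention has
        # elapsed cannot be satisfied; refuse it rather than pick a side.
        if self.expiry_years is not None and self.expiry_years < self.retention_years:
            raise ValueError(
                f"{self.name}: expiry ({self.expiry_years}y) precedes "
                f"retention ({self.retention_years}y)")


@dataclass(frozen=True)
class Repository:
    name: str
    created: date
    policy: DurabilityPolicy
    legal_hold: bool = False      # e.g. pending litigation suspends destruction


def years_after(d: date, years: int) -> date:
    """d plus a number of years, clamping 29 February to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def decide(repo: Repository, today: date) -> str:
    """Return one of: retain, hold, eligible, destroy."""
    if today < years_after(repo.created, repo.policy.retention_years):
        return "retain"                # minimum retention not yet reached
    if repo.legal_hold:
        return "hold"                  # retention met but destruction suspended
    if repo.policy.expiry_years is None:
        return "retain"                # no expiry defined: keep indefinitely
    if today >= years_after(repo.created, repo.policy.expiry_years):
        return "destroy"               # past expiry: must be reliably destroyed
    return "eligible"                  # may be destroyed, not yet required


# Constructed policies
TAX_RECORDS = DurabilityPolicy("tax records", retention_years=7, expiry_years=None)
FORMER_CUSTOMER = DurabilityPolicy("former customer data", retention_years=1, expiry_years=3)

# Constructed repositories
SAMPLE_REPOSITORIES = [
    Repository("tax_2015", date(2015, 1, 31), TAX_RECORDS),
    Repository("customer_2019", date(2019, 6, 1), FORMER_CUSTOMER),
    Repository("customer_2019_hold", date(2019, 6, 1), FORMER_CUSTOMER, legal_hold=True),
    Repository("customer_2022", date(2022, 9, 15), FORMER_CUSTOMER),
    Repository("customer_2023", date(2023, 11, 1), FORMER_CUSTOMER),
]

SAMPLE_TODAY = date(2024, 3, 24)


def run_sample(today: date = SAMPLE_TODAY) -> dict:
    """Decision for every constructed repository on the given date."""
    return {r.name: decide(r, today) for r in SAMPLE_REPOSITORIES}


if __name__ == "__main__":
    for name, action in run_sample().items():
        print(f"{name:20} {action}")
```

The order of the checks matters: minimum retention is tested first so that a legal hold or an expiry date can never cause destruction of a record the regulator still requires.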

Information Quality Objectives also relate to integrity and include precision (or accuracy), relevance (how up-to-date information is), completeness, and consistency of repositories. Information quality objectives usually rely upon quality control techniques, but may also include access control, accountability, authorization, and audit techniques as well. The information quality of a repository is a measure of its fitness in fulfilling security objectives.

Sample Information Quality Security Objectives

Completeness: The extent to which a repository is populated (available and consistent) with the information required to meet or exceed customer needs. The lower limit is usually set by business or customer needs, and the upper limit by regulatory needs.

Personal information completeness must be proportional to its use.

The owner of personal information must agree for it to be collected and has the right to check it, fix it, and approve how it will be used or ceded.

The owner of personal information will be given notice when personal data is collected, including who is collecting the data.

Personal information must be used for the purpose agreed with the information owner.

Personal information must not be disclosed without the agreement of the information subject.

Personal information owners will have means to make data collectors accountable for their use of personal information.

Access Control Objectives ensure that the business requirements for confidentiality of protected information (e.g., secrets, personal information, licensed, copyrighted, patented, and trademarked information) are clearly understood by the business. Access control requires the identification and management of authorized users, and typically includes enrolment, role management, segregation, accountability, authorization, and logging techniques for its implementation and control.

Access Control Security Objectives

Granting the use of services and interfaces and access to repositories to authorized users.

Denying the use of services and interfaces and access to repositories to unauthorized users.

The owner of a user account or certificate can express their will and intent regarding a repository.

Accurate recording of:

Interface ID and location

User account or certificate ID

Signature

Type of access attempt

Date and time of access attempt

Access attempt result

Repository, interface, service, or message accessed

Personal information is accessible to authorized users only and is held for no longer than required.

Secrets are accessible to authorized users only.

Third-party services and repositories are appropriately licensed and accessible only to authorized users.

Information systems are physically accessible only to authorized users.

Repositories are accessed by authorized users only.
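The "Accurate recording of" list above names the fields an access record must carry for accountability; a record missing any of them, or whose signature no longer matches its content, cannot trace an action uniquely to an entity. The script below is an added illustration, not code from the O-ISM3 study: it audits JSON access-attempt records for those fields and verifies each record's signature. O-ISM3 names the fields but prescribes no record format or signature scheme, so the field names, the HMAC-SHA256 signature over the canonical record, the shared key and the log lines are all constructed assumptions.

```python
"""Audit access-attempt records for the fields the O-ISM3 Access Control
objectives require, and verify each record's signature.

Added illustration, not code from the O-ISM3 study.  The log lines, the field
names and the HMAC key are constructed; O-ISM3 names the fields but does not
prescribe a record format or signature scheme.
"""
import hashlib
import hmac
import json

# One field per item of the "Accurate recording of" list.
REQUIRED_FIELDS = (
    "interface_id", "interface_location",   # Interface ID and location
    "account_id",                           # User account or certificate ID
    "signature",                            # Signature
    "access_type",                          # Type of access attempt
    "timestamp",                            # Date and time of access attempt
    "result",                               # Access attempt result
    "target",                               # Repository, interface, service or message accessed
)

# Assumption: the logger and the auditor share a key (constructed value).
LOG_KEY = b"constructed-demo-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Stable serialisation of every field except the signature itself."""
    body = {k: v for k, v in record.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(record: dict, key: bytes = LOG_KEY) -> str:
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def problems(record: dict, key: bytes = LOG_KEY) -> list:
    """Return the deficiencies of one parsed record (empty list = acceptable)."""
    found = [f"missing:{f}" for f in REQUIRED_FIELDS if record.get(f) in (None, "")]
    if "missing:signature" not in found and not hmac.compare_digest(
            sign(record, key), str(record["signature"])):
        found.append("bad_signature")
    return found


def audit(lines, key: bytes = LOG_KEY) -> list:
    """Return (line_number, problems) for each record that is not acceptable."""
    report = []
    for n, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            report.append((n, ["unparseable"]))
            continue
        found = problems(record, key)
        if found:
            report.append((n, found))
    return report


def _constructed_log() -> list:
    """Three constructed records: one good, one tampered after signing, one incomplete."""
    good = {"interface_id": "web-01", "interface_location": "dc-madrid", "account_id": "jdoe",
            "access_type": "read", "timestamp": "2024-03-24T10:15:00Z", "result": "granted",
            "target": "payroll-db"}
    good["signature"] = sign(good)

    tampered = dict(good, account_id="asmith", result="denied")
    tampered["signature"] = sign(tampered)
    tampered["result"] = "granted"          # altered after signing: signature no longer matches

    incomplete = {"interface_id": "vpn-02", "account_id": "cert:4711", "access_type": "write",
                  "timestamp": "2024-03-24T10:16:30Z", "result": "granted", "target": "hr-share"}
    return [json.dumps(r) for r in (good, tampered, incomplete)]


SAMPLE_LOG = _constructed_log()


if __name__ == "__main__":
    for n, found in audit(SAMPLE_LOG):
        print(f"line {n}: {', '.join(found)}")
```

The signature is computed over a canonical form (sorted keys, no whitespace) so that reordering or reformatting a record does not invalidate it, and `hmac.compare_digest` is used for the comparison so that the check itself does not leak timing information about the stored value.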

Technical Security Objectives cover the underlying architecture of information systems, and are a step remote from direct impact on the business. Technical security objectives typically include operational objectives for the data center’s safety, reliability, power, as well as the IT managed domain, including software patching and upgrading, maintenance processes, and vulnerability management and resilience to compromise and misuse. Technical security objectives usually depend upon data center infrastructure, technologies such as firewalls, anti-virus, intrusion detection and prevention, and processes such as patch management and secure configuration. Failure to meet technical security objectives puts all other (business and security) objectives at risk, but does not necessarily create a business objective failure itself.

Technical Security Objectives

Systems are as free of weaknesses as possible.

Systems that must be visible to untrusted systems expose as little as possible.

Systems run trusted services only.

The electricity, temperature, and humidity where systems operate exceed the system needs.