A model of certifier and accreditor risk calculation for multi-level systems
| Field | Value |
|---|---|
| Author | Joe Loughry |
| Year of publication | 2013 |
| Subject | Certified Information Security Manager, Computer science, Risk management framework, Certified Information Systems Security Professional, Certification, Computer security, Security testing, Software security assurance, Risk management, Certification and Accreditation |
| Source | 2013 IEEE International Conference on Technologies for Homeland Security (HST) |
| DOI | 10.1109/ths.2013.6699004 |
| Description | From direct observation of the certification (post-software-development) and accreditation (pre-installation) testing of cross domain systems used for the interconnection of classified security domains in U.S. and U.K. defence and intelligence community systems, certain characteristic behavioural patterns have been noted. The savvy developer can use these to exert a measure of control over the duration and cost of certification testing and to predict the likely direction and magnitude of the residual risk calculation performed by security accreditors in multi-lateral, multi-level, collateral, and compartmented site accreditations. DCID 6/3, Common Criteria, DIACAP, and ICD 503 testing efforts across the evolution of a long-lived cross domain software development programme were examined using grounded theory methodology. Whilst discovered through investigation of classified cross domain system testing inefficiencies, it is believed that the principles are applicable more widely to privacy-sensitive areas such as electronic health care, financial, and law enforcement record keeping systems. The first thing found was a syndrome of pathological regressive interactions amongst software developers, managers, independent verification and validation contractors, penetration testers, and certification authorities that resulted in schedule slippage during the certification testing phase and, in the accreditation phase, ineffective duplication of testing with no corresponding improvement in residual risk. To understand why these problems occurred, an abstract model of how security accreditors agree upon the true level of residual risk in multi-level cross domain system installations was developed. The model is powerful enough to handle collateral, SCI, and international cross domain systems with any number of endpoints. It works by establishing the visibility of threats, vulnerabilities, and mitigations from each data owner's perspective according to the associated accreditor's clearance over the space of all possible multilevel configurations, then identifying the smallest set of covert-channel-like information flows necessary to reach a concord about residual risk without violating the global security policy. Conventional wisdom holds that security rules should be strictly enforced, but it is shown that under present regulations, some desirable information flows are inhibited and other undesirable information flows are forced. Paradoxically, it is sometimes the case that relaxing the rules actually improves security. |
| Database | OpenAIRE |
| External link | |