4.2 - Interpret, describe and explain the security measures that should appear within a Security Case

Question 1

Give an example of a Physical Deterrent control?

Answer 1

Fences and Lighting

Question 2

Give an example of a Physical Preventative control?

Answer 2

Locks, Badge System, Security Guard,Biometric systems

Question 3

Should implementations details be included in a security claim?

Answer 3

No, In general, claims should be straightforward statements that do not consider implementation details. Things like source code and database contents would be too much information for a security case

Question 4

How is a top level-claim supported?

Answer 4

By objective evidence

Question 5

What is an example of a security claim?

Answer 5

System X is acceptably secure

Question 6

What does a security case consider?

Answer 6

A security case considers people and processes as well as technology.

Question 7

How is a security case developed?

Answer 7

A case is developed by showing how the top-level claim is supported by subclaims.

Question 8

What could a absence of buffer overflow vulnerabilities subclaim be supported in a security case?

Answer 8

It could be supported by showing that (1) programmers were trained on how to write code that minimizes the possibility of buffer overflow vulnerabilities; (2) experienced programmers reviewed the code to see if any buffer overflow possibilities existed and found none; (3) a static analysis tool scanned the code and found no problems

Question 9

Why is evidence important in a security case?

Answer 9

Evidence is important as this is how the security case is judged on its soundness of argument.

Question 10

How is a security case judged?

Answer 10

The stakeholders and/or their representatives review the security case and decide whether the security case is credible.

Question 11

When should evidence for a security case be collected?

Answer 11

During the planning/Design Phrase of the Software development life cycle process

Question 12

What does as security case contain?

Answer 12

It consists of a structured collection of security-related claims, arguments, and evidence.

Question 13

What does as security case contain?

Answer 13

It consists of a structured collection of security-related claims, arguments, and evidence.

Question 14

What is included in system testing?

Answer 14

Test plan, descriptors, test selection analysis and test results

Question 15

When should the security case be developed?

Answer 15

Alongside product development

Question 16

What is a security claim in a security case?

Answer 16

A claim embodies what is to be shown; an argument tells why to believe a claim has been met, based upon subclaims and evidence such as results of tests, simulations, analysis, etc

Question 17

What is a strategy in a security case?

Answer 17

the strategy is an additional cue that helps the reader understand the form that an argument is going to take. Instead of being true or false statements, as the claims and subclaims are, the strategy provides information on how to substantiate the stated claim

Question 18

What could an example claim be?

Answer 18

Coding defects

Question 19

Name the three Implementation Strategies issues

Answer 19

Constraints, Dependencies and Cost benefit analysis

Question 20

Which IT security policy is needed for a security case?

Answer 20

ACCEPTABLE USE POLICY
ANTI-VIRUS POLICY
IDENTITY POLICY
PASSWORD POLICY
ENCRYPTION POLICY
REMOTE ACCESS POLICY
VIRTUAL PRIVATE NETWORK (VPN) POLICY
EXTRANET POLICY
DATA PROTECTION/BACKUPS Policy