4.2 - Interpret, describe and explain the security measures that should appear within a Security Case Flashcards
Give an example of a physical deterrent control.
Fences and Lighting
Give an example of a physical preventative control.
Locks, badge systems, security guards, biometric systems
Should implementation details be included in a security claim?
No. In general, claims should be straightforward statements that do not consider implementation details; things like source code and database contents would be too much information for a security case.
How is a top-level claim supported?
By objective evidence
What is an example of a security claim?
System X is acceptably secure
What does a security case consider?
A security case considers people and processes as well as technology.
How is a security case developed?
A case is developed by showing how the top-level claim is supported by subclaims.
How could an "absence of buffer overflow vulnerabilities" subclaim be supported in a security case?
It could be supported by showing that (1) programmers were trained on how to write code that minimizes the possibility of buffer overflow vulnerabilities; (2) experienced programmers reviewed the code to see if any buffer overflow possibilities existed and found none; and (3) a static analysis tool scanned the code and found no problems.
Why is evidence important in a security case?
Evidence is important because it is the basis on which the soundness of the security case's argument is judged.
How is a security case judged?
The stakeholders and/or their representatives review the security case and decide whether the security case is credible.
When should evidence for a security case be collected?
During the planning/design phase of the software development life cycle process
What does a security case contain?
It consists of a structured collection of security-related claims, arguments, and evidence.
What is included in system testing?
Test plan, test descriptors, test selection analysis, and test results
When should the security case be developed?
Alongside product development
What is a security claim in a security case?
A claim embodies what is to be shown; an argument tells why to believe a claim has been met, based upon subclaims and evidence such as results of tests, simulations, analysis, etc.
What is a strategy in a security case?
The strategy is an additional cue that helps the reader understand the form that an argument is going to take. Instead of being a true or false statement, as the claims and subclaims are, the strategy provides information on how to substantiate the stated claim.
What could an example claim be?
Coding defects
Name the three implementation strategy issues.
Constraints, dependencies, and cost-benefit analysis
Which IT security policies are needed for a security case?
Acceptable Use Policy, Anti-Virus Policy, Identity Policy, Password Policy, Encryption Policy, Remote Access Policy, Virtual Private Network (VPN) Policy, Extranet Policy, Data Protection/Backups Policy