334,655 research outputs found

    An Assurance Framework for Independent Co-assurance of Safety and Security

    Integrated safety and security assurance for complex systems is difficult for many technical and socio-technical reasons such as mismatched processes, inadequate information, differing use of language and philosophies, etc. Many co-assurance techniques rely on disregarding some of these challenges in order to present a unified methodology. Even with this simplification, no methodology has been widely adopted, primarily because this approach is unrealistic when met with the complexity of real-world system development. This paper presents an alternate approach by providing a Safety-Security Assurance Framework (SSAF) based on a core set of assurance principles. This is done so that safety and security can be co-assured independently, as opposed to unified co-assurance, which has been shown to have significant drawbacks. This also allows for separate processes and expertise from practitioners in each domain. With this structure, the focus is shifted from simplified unification to integration through exchanging the correct information at the right time using synchronisation activities.

    The Federal Information Security Management Act of 2002: A Potemkin Village

    Due to the daunting possibilities of cyberwarfare, and the ease with which cyberattacks may be conducted, the United Nations has warned that the next world war could be initiated through worldwide cyberattacks between countries. In response to the growing threat of cyberwarfare and the increasing importance of information security, Congress passed the Federal Information Security Management Act of 2002 (FISMA). FISMA recognizes the importance of information security to the national economic and security interests of the United States. However, this Note argues that FISMA has failed to significantly bolster information security, primarily because FISMA treats information security as a technological problem and not an economic problem. This Note analyzes existing proposals to incentivize heightened software quality assurance, and proposes a new solution designed to strengthen federal information security in light of the failings of FISMA and the trappings of Congress’s 2001 amendment to the Computer Fraud and Abuse Act

    System Security Assurance: A Systematic Literature Review

    System security assurance provides the confidence that security features, practices, procedures, and architecture of software systems mediate and enforce the security policy and are resilient against security failure and attacks. Alongside the significant benefits of security assurance, the evolution of new information and communication technology (ICT) introduces new challenges regarding information protection. Security assurance methods based on the traditional tools, techniques, and procedures may fail to account for new challenges due to poor requirement specifications, static nature, and poor development processes. The Common Criteria (CC), commonly used for the security evaluation and certification process, also come with many limitations and challenges. In this paper, extensive efforts have been made to study the state-of-the-art, limitations and future research directions for security assurance of the ICT and cyber-physical systems (CPS) in a wide range of domains. We conducted a systematic review of requirements, processes, and activities involved in system security assurance including security requirements, security metrics, system and environments and assurance methods. We highlighted the challenges and gaps that have been identified by the existing literature related to system security assurance and corresponding solutions. Finally, we discussed the limitations of the present methods and future research directions.

    Secure Biometric Cryptosystem for Distributed System

    Information (biometric) security is concerned with the assurance of confidentiality, integrity, and availability of information in all forms. Biometric information is very sophisticated in terms of all. In this work we focus on the data pattern along with all security assurance, so that we can improve the matching performance with good security assurance; here one of the most effective algorithms, RSA, is used with biometric (fingerprint) data. Our work includes the determination of appropriate key sizes with security issues and determines the matching performance using MATLAB and JDK1.6. The performance of this system is more than 86.7%, and when this is combined with blind authentication techniques we get all security assurance with a high-performance biometric cryptosystem.

    An approach in defining Information Assurance Patterns based on security ontology and meta-modeling

    We have to realize that information is the most important asset. We are at a stage where information is not only becoming a valuable asset but its volume is also increasing at a rapid rate. Modern enterprises are now working hard to ensure the proper storage, availability and integrity of this information. So we have the information assurance discipline, which focuses on the preservation of information confidentiality, integrity and availability in all of the information's various states. We have the information security patterns. But we have to realize that we have to design Information Assurance patterns, which can be reusable solutions for addressing information assurance in enterprise-level information engineering. In this paper we propose five Information Assurance patterns based on meta-modelling. We then integrate the existing security ontology into the derived Information Assurance patterns. By this we can get the benefits of using patterns and at the same time use the concept of security ontology in our Information Assurance patterns.

    Incorporating Global Information Security and Assurance in I.S. Education

    Over the years, the news media has reported numerous information security incidents. Because of identity theft, terrorism, and other criminal activities, President Obama has made information security a national priority. Not only is information security and assurance an American priority, it is also a global issue. This paper discusses the importance of Global Information Security and Assurance in information systems (IS) education. Current university graduates will become tomorrow’s users and protectors of data and systems. It is important for universities to provide training in security and assurance of information systems. Are students getting adequate education in this area? If not, this leaves them ill-prepared for the needs of the workplace. The security of our information systems needs to be a major concern for educators and corporate leaders. We recommend that instruction in security and assurance be a core component of the curriculum for all IS and business students. The purpose of this special issue is to provide insights, ideas, and practical tips from IS educators and professionals. Along with the academic papers in this issue, a new section was added, advisory from professionals. Just as a university information systems department has an advisory board of professionals, this new section provides an advisory to academics; professionals provide insights into the corporate world and they need

    IASME: Information Security Management Evolution for SMEs

    Most of the research in information risk and risk management has focused on the needs of larger organisations. In the area of standards accreditation, the ISO/IEC 27001 Information Risk Management standard has continued to grow in acceptance and popularity with such organisations, although not to a significant extent with SMEs. An interesting product recently developed for ENISA (European Nations Information Security Association) based on the Carnegie-Mellon maturity model and aimed at SMEs has not so far filled the gap. In this paper, a researcher and two practitioners from the UK discuss an innovative development in the UK for addressing the information assurance needs of smaller organisations. They also share their perceptions about the security of national information infrastructures, and concerns that SMEs do not get the priority that their position in the supply chain would suggest they should have. The authors also explore the development and roll out of IASME (Information Assurance for SMEs), which they have developed in the context of a tight market, where spare cash is in short supply, and many SMEs are still in survival mode. The question for the business is therefore not seen as “can we afford to spend on information security” but “can we afford not to spend…” As well as the effect on being able to do business at all of having an SME's systems compromised, there are also matters of reputation, and the growing threat of fines as a result of not complying with laws and regulations. The paper concludes with achievements of real businesses using the IASME process to cost-effectively achieve information assurance levels appropriate for themselves.

    A Multi-Layer and Multi-Tenant Cloud Assurance Evaluation Methodology

    Data with high security requirements is being processed and stored with increasing frequency in the Cloud. To guarantee that the data is being dealt with in a secure manner, we investigate the applicability of Assurance methodologies. In a typical Cloud environment the setup of multiple layers and different stakeholders determines security properties of individual components that are used to compose Cloud applications. We present a methodology adapted from Common Criteria for aggregating information reflecting the security properties of individual constituent components of Cloud applications. This aggregated information is used to categorise overall application security in terms of Assurance Levels and to provide a continuous assurance level evaluation. It gives the service owner an overview of the security of his service, without requiring detailed manual analyses of log files.