268,602 research outputs found

    An Assurance Framework for Independent Co-assurance of Safety and Security

    Integrated safety and security assurance for complex systems is difficult for many technical and socio-technical reasons such as mismatched processes, inadequate information, differing use of language and philosophies, etc. Many co-assurance techniques rely on disregarding some of these challenges in order to present a unified methodology. Even with this simplification, no methodology has been widely adopted primarily because this approach is unrealistic when met with the complexity of real-world system development. This paper presents an alternate approach by providing a Safety-Security Assurance Framework (SSAF) based on a core set of assurance principles. This is done so that safety and security can be co-assured independently, as opposed to unified co-assurance which has been shown to have significant drawbacks. This also allows for separate processes and expertise from practitioners in each domain. With this structure, the focus is shifted from simplified unification to integration through exchanging the correct information at the right time using synchronisation activities.

    Incorporating Global Information Security and Assurance in I.S. Education

    Over the years, the news media has reported numerous information security incidents. Because of identity theft, terrorism, and other criminal activities, President Obama has made information security a national priority. Not only is information security and assurance an American priority, it is also a global issue. This paper discusses the importance of Global Information Security and Assurance in information systems (IS) education. Current university graduates will become tomorrow’s users and protectors of data and systems. It is important for universities to provide training in security and assurance of information systems. Are students getting adequate education in this area? If not, this leaves them ill-prepared for the needs of the workplace. The security of our information systems needs to be a major concern for educators and corporate leaders. We recommend that instruction in security and assurance be a core component of the curriculum for all IS and business students. The purpose of this special issue is to provide insights, ideas, and practical tips from IS educators and professionals. Along with the academic papers in this issue, a new section was added, advisory from professionals. Just as a university information systems department has an advisory board of professionals, this new section provides an advisory to academics; professionals provide insights into the corporate world and they need

    System Security Assurance: A Systematic Literature Review

    System security assurance provides the confidence that security features, practices, procedures, and architecture of software systems mediate and enforce the security policy and are resilient against security failure and attacks. Alongside the significant benefits of security assurance, the evolution of new information and communication technology (ICT) introduces new challenges regarding information protection. Security assurance methods based on the traditional tools, techniques, and procedures may fail to account for new challenges due to poor requirement specifications, static nature, and poor development processes. The common criteria (CC) commonly used for security evaluation and certification process also comes with many limitations and challenges. In this paper, extensive efforts have been made to study the state-of-the-art, limitations and future research directions for security assurance of the ICT and cyber-physical systems (CPS) in a wide range of domains. We conducted a systematic review of requirements, processes, and activities involved in system security assurance including security requirements, security metrics, system and environments and assurance methods. We highlighted the challenges and gaps that have been identified by the existing literature related to system security assurance and corresponding solutions. Finally, we discussed the limitations of the present methods and future research directions.

    Unmanned Insecurity: The Safety and Privacy Issues of Unmanned Aircraft Information Assurance

    Information assurance and computer security are foundational paradigms in ground based information systems. However, in the aerial realm of unmanned systems, information security often takes the proverbial back seat to high visibility issues such as safety and privacy. Yet, a secure unmanned aircraft is a basic tenet of safety and privacy in the operational arena. Information assurance and security that are enveloped into an unmanned aircraft protect the system's data, communications, as well as internal operations and permeate not only the aircraft’s systems, but also the system’s interactions with satellites, ground stations, and other aerial entities that share data and communication streams with the UAS. This paper will discuss the vital foundational information assurance and security elements of unmanned aerial systems and how these elements relate directly to UAS safety, privacy, reliability, and resilience. It will present case-based research of unmanned and manned aircraft mishaps, from both the military and civilian domains, that demonstrate the centrality of security to a safe and viable operational aircraft. It will also demonstrate how privacy issues stem directly or indirectly from information assurance and computer security breaches in an unmanned aircraft. Such breaches of privacy can lead to such issues as privacy torts, theft of intellectual property, Constitutional violations, and issues of personal safety and security from exposed data and communication streams. Additionally, information security breaches can also lead to a hostile takeover of the UAS by a malicious third party, or improper systems functioning of the aircraft leading to myriad public safety issues such as a downed UAS, the uncontrolled flight of the UAS in controlled airspace, or at worst the collision of the UAS into a manned aircraft resulting in a catastrophic outcome.
This paper will also discuss the mechanisms of information security in an unmanned aerial system as well as its corresponding ground station and satellite communication systems. It will trace security issues directly to issues of safety and privacy and provide methodologies to improve UAS information security to improve system safety and data security to eliminate negative outcomes from operational UAS missions. Additionally, the paper will provide guidance on holistic UAS operational security, through the maintenance of confidentiality, availability, and integrity via policy, technological, and physical security mechanisms

    Concepts of Safety Critical Systems Unification Approach & Security Assurance Process

    The security assurance of computer-based systems that rely on safety and security assurance, such as consistency, durability, efficiency and accessibility, requires or needs resources. This targets the System-of-Systems (SoS) problems with the exception of difficulties and concerns that apply similarly to subsystem interactions on a single system and system-as-component interactions on a large information system. This research addresses security and information assurance for safety-critical systems, where security and safety are addressed before going to actual implementation/development phase for component-based systems. For this purpose, a conceptual idea or strategy is required that deals with the application logic security assurance issues. This may explore the vulnerability in a single component or a reuse of specification in existing logic in a component-based system. Keeping in view this situation, we have defined seven concepts of security assurance and security assurance design strategy for safety-critical systems.

    IASME: Information Security Management Evolution for SMEs

    Most of the research in information risk and risk management has focused on the needs of larger organisations. In the area of standards accreditation, the ISO/IEC 27001 Information Risk Management standard has continued to grow in acceptance and popularity with such organisations, although not to a significant extent with SMEs. An interesting product recently developed for ENISA (European Nations Information Security Association) based on the Carnegie-Mellon maturity model and aimed at SMEs has not so far filled the gap. In this paper, a researcher and two practitioners from the UK discuss an innovative development in the UK for addressing the information assurance needs of smaller organisations. They also share their perceptions about the security of national information infrastructures, and concerns that SMEs do not get the priority that their position in the supply chain would suggest they should have. The authors also explore the development and roll out of IASME (Information Assurance for SMEs), which they have developed in the context of a tight market, where spare cash is in short supply, and many SMEs are still in survival mode. The question for the business is therefore not seen as “can we afford to spend on information security” but “can we afford not to spend…” As well as the effect on being able to do business at all of having an SME's systems compromised, there are also matters of reputation, and the growing threat of fines as a result of not complying with laws and regulations. The paper concludes with achievements of real businesses using the IASME process to cost-effectively achieve information assurance levels appropriate for themselves.

    e-Government Technical Security Controls Taxonomy for Information Assurance Contractors - A Relational Approach

    When project managers consider risks that may affect a project, they rarely consider risks associated with the use of information systems. The Federal Information Security Management Act (FISMA) of 2002 recognizes the importance of information security to the economic and national security of the United States. The requirements of FISMA are addressed using the NIST Special Publication 800-53 Rev 3, which has improved the way organizations practice information assurance. The NIST SP 800-53 Rev 3 takes a hierarchical approach to information assurance, which has resulted in the duplication and subsequent withdrawal and merging of fifteen security controls. In addition, the security controls are not associated with the appropriate information systems. The current security assessment model often results in a waste of resources, since controls that are not applicable to an information system have to be addressed. This research developed and tested the value of using an information system breakdown structure (ISBS) model for identification of project information system resources. It also assessed the value of using an e-Government Relational Technical Security Controls Model for mapping the ISBS to the applicable relational technical security controls. A questionnaire containing ninety-five items was developed and emailed to twenty-four information security contractors of which twenty-two efficiently completed questionnaires were received. The questionnaire assessed the value of using the ISBS, and the relationships of the e-Government Relational Technical Security Controls model. Literature review and industry experts' opinions were used to triangulate the research results and establish their validity. Cronbach's Alpha coefficient for the four sections of the questionnaire established its reliability.
The results of the research indicated that the ISBS model is an invaluable, customizable, living tool that should be used for identification of information system resources on projects. It can also be used for assigning responsibility for the different information systems and for security classification. The study also indicated that using the e-Government Relational Technical Security Controls provides a relational and fully integrated approach to information assurance while reducing the likelihood of duplicating security controls. This study could help project managers identify and mitigate risks associated with the use of information systems on projects

    An Assurance Framework for Independent Co-assurance of Safety and Security

    Integrated safety and security assurance for complex systems is difficult for many technical and socio-technical reasons, such as mismatched processes, inadequate information, differing use of language and philosophies, etc. Many co-assurance techniques rely on disregarding some of these challenges to present a unified methodology. Even with this simplification, no methodology has been widely adopted, primarily because this approach is unrealistic when met with the complexity of real-world system development. This paper presents an alternate approach by providing a Safety-Security Assurance Framework (SSAF) based on a core set of assurance principles. This is done so that safety and security can be co-assured independently, as opposed to a unified co-assurance, which has been shown to have significant drawbacks. This also allows for separate processes and expertise from practitioners in each domain. In this structure, the focus is shifted from simplified unification to integration through exchanging the correct information at the right time using synchronization activities

    The Education of Information Security Professionals: An Analysis of Industry Needs vs Academic Curriculum in the 21st Century

    This research compared the employment of the skills and attributes needed by information systems security professionals in an information systems security work environment with those taught in NSA Centers of Academic Excellence in Information Assurance Education. Using two surveys, the goal of this research was to determine if the skills and attributes identified in the CISSP were employed in an information systems work environment and if these skills were taught in colleges and universities designated as NSA Centers of Academic Excellence in Information Assurance Education. The skills and attributes within the 10 domains of the CISSP were identified by 23 questions contained in two surveys, one to information systems security professionals working in the field and one to information systems security faculty in NSA designated Centers of Academic Excellence in Information Assurance Education. The CISSP domains cover the following areas of information security responsibilities: 1) Access Control Systems and Methodology, 2) Telecommunications and Network Security, 3) Security Management Practices, 4) Applications and Systems Development Security, 5) Cryptography, 6) Security Architecture and Models, 7) Operations Security, 8) Business Continuity Planning and Disaster Recovery Planning, 9) Laws, Investigations, and Ethics, and 10) Physical Security. The CISSP domains were chosen as the defining criteria for the development of the operational definitions after an extensive review of literature in the field of information security. The surveys were developed over three phases: the pilot phase, the validity phase, and the reliability phase. The breakdown of the domain descriptions into questions was accomplished during the pilot survey phase. Requests for participation in the survey were e-mailed to 800 information systems security professionals and 321 information systems security faculty.
There was a 67% information systems security faculty response rate and a 20% information systems security professional response rate. This research indicated that information systems security professionals working in an information systems security work environment employed or addressed the skills and attributes identified in the 10 domains of the CISSP. This research also indicated that the skills and attributes taught in the curriculum of NSA Centers of Academic Excellence in Information Assurance Education had no association with the skills and attributes employed, or addressed, by information systems security professionals in an information systems security work environment. There was one exception, Domain 4, Applications and Systems Development Security, which indicated there was an association between how the skills and attributes were employed in an information systems security work environment and were taught in NSA Centers of Academic Excellence in Information Assurance Education. The findings of this research can be used as a baseline to develop information systems security curriculum. Further research is needed to determine the differences, if any, in the skills and attributes identified in the various information security certifications, the correlation between the skills and attributes identified in each of the information security certifications, and any differences in the employment of these skills and attributes between certified and non-certified information systems security professionals