    Enterprise information security policy assessment - an extended framework for metrics development utilising the goal-question-metric approach

    Effective enterprise information security policy management requires review and assessment activities to ensure information security policies are aligned with business goals and objectives. As security policy management involves the elements of policy development process and the security policy as output, the context for security policy assessment requires goal-based metrics for these two elements. However, the current security management assessment methods only provide checklist types of assessment that are predefined by industry best practices and do not allow for developing specific goal-based metrics. Utilizing theories drawn from literature, this paper proposes the Enterprise Information Security Policy Assessment approach that expands on the Goal-Question-Metric (GQM) approach. The proposed assessment approach is then applied in a case scenario example to illustrate a practical application. It is shown that the proposed framework addresses the requirement for developing assessment metrics and allows for the concurrent undertaking of process-based and product-based assessment. Recommendations for further research activities include the conduct of empirical research to validate the propositions and the practical application of the proposed assessment approach in case studies to provide opportunities to introduce further enhancements to the approach.

    Risk and Business Goal Based Security Requirement and Countermeasure Prioritization

    Companies are under pressure to be in control of their assets but at the same time they must operate as efficiently as possible. This means that they aim to implement “good-enough security” but need to be able to justify their security investment plans. Currently companies achieve this by means of checklist-based security assessments, but these methods are a way to achieve consensus without being able to provide justifications of countermeasures in terms of business goals. But such justifications are needed to operate securely and effectively in networked businesses. In this paper, we first compare a Risk-Based Requirements Prioritization method (RiskREP) with some requirements engineering and risk assessment methods based on their requirements elicitation and prioritization properties. RiskREP extends misuse case-based requirements engineering methods with IT architecture-based risk assessment and countermeasure definition and prioritization. Then, we present how RiskREP prioritizes countermeasures by linking business goals to countermeasure specification. Prioritizing countermeasures based on business goals is especially important to provide the stakeholders with structured arguments for choosing a set of countermeasures to implement. We illustrate RiskREP and how it prioritizes the countermeasures it elicits by an application to an action case.

    Physical Security Assessment of a Regional University Computer Network

    Assessing a network's physical security is an essential step in securing its data. This document describes the design, implementation, and validation of PSATool, a prototype application for assessing the physical security of a network's intermediate distribution frames, or IDFs (a.k.a. wiring closets). PSATool was created to address a lack of tools for IDF assessment. It implements a checklist-based protocol for assessing compliance with 52 security requirements compiled from federal and international standards. This checklist can be extended according to organizational needs. PSATool was validated by using it to assess physical security at 135 IDFs at East Tennessee State University. PSATool exposed 95 threats, hazards, and vulnerabilities in 82 IDFs. A control was recommended for each threat, hazard, and vulnerability discovered. The administrators of ETSU's network concluded that PSATool's results agreed with their informal sense of these IDFs' physical security, while providing documented support for improvements to IDF security.

    Applying a Security Testing Methodology: a Case Study

    Security testing is a branch of software testing whose goal is to check whether software is vulnerable to attacks and whether the data processed by the software is protected. Software security standards are developed in order to create a common understanding of the security requirements that secure software must meet. This bachelor's thesis describes and applies the activities needed to determine the security of a web application. By combining the OWASP ASVS web application security standard and the OWASP Top 10 risk list, a list of security requirements was developed. Test cases were developed to test the security requirements, and the UXP Portal web application was tested. Security testing identified numerous security problems. Based on the experience of conducting the case study, recommendations drawn from the lessons learned were formulated.

    Security testing is a software testing discipline that aims to verify that the functionality of the software is resistant to attacks and that data processed by the software is protected. To establish common requirements that the software must fulfill, software security standards are published. This thesis aims to describe and apply a process necessary to verify the security of a web application. A checklist of security requirements was gathered by combining the OWASP ASVS web application security standard and the OWASP Top Ten project. Test cases were developed and the web application UXP Portal was tested to verify the security requirements in the checklist. Numerous security vulnerabilities were identified by security testing. The recommendations based on lessons learned during the case study were presented.

    Reflecting on Whether Checklists Can Tick the Box for Cloud Security

    The Role of Transportation in Campus Emergency Planning, MTI Report 08-06

    In 2005, Hurricane Katrina created the greatest natural disaster in American history. The states of Louisiana, Mississippi and Alabama sustained significant damage, including 31 colleges and universities. Other institutions of higher education, most notably Louisiana State University (LSU), became resources to the disaster area. This is just one of the many examples of disaster impacts on institutions of higher education. The Federal Department of Homeland Security, under Homeland Security Presidential Directive-5, requires all public agencies that want to receive federal preparedness assistance to comply with the National Incident Management System (NIMS), which includes the creation of an Emergency Operations Plan (EOP). Universities, which may be victims or resources during disasters, must write NIMS-compliant emergency plans. While most university emergency plans address public safety and logistics management, few adequately address the transportation aspects of disaster response and recovery. This MTI report describes the value of integrating transportation infrastructure into the campus emergency plan, including planning for helicopter operations. It offers a list of materials that can be used to educate and inform campus leadership on campus emergency impacts, including books about the Katrina response by LSU and Tulane Hospital, contained in the report's bibliography. It provides a complete set of Emergency Operations Plan checklists and organization charts updated to acknowledge lessons learned from Katrina, 9/11 and other wide-scale emergencies. Campus emergency planners can quickly update their existing emergency management documents by integrating selected annexes and elements, or create new NIMS-compliant plans by adapting the complete set of annexes to their university's structures.

    Keberkesanan carta pembelajaran Omygram terhadap tahap pencapaian pelajar PVMA dalam mata pelajaran Bahasa Inggeris bagi topik plurals

    The development of teaching aids for the purpose of PdPC (teaching and facilitation) is encouraged by the Malaysian Ministry of Education in order to improve the quality of education. This study aims to develop and identify the effectiveness of the Omygram learning chart on the achievement level of PVMA students in the English Language subject for the topic of plurals. This study is a quasi-experiment involving two daily secondary schools in the Batu Pahat district. The research instruments used were pre-test and post-test questions, a questionnaire and a checklist. The findings were analysed using the Statistic Package For The Social Science Version 22.0 (SPSS) software. Descriptive analysis in the form of frequency, percentage, mean and standard deviation was used during data analysis. A t-test was used to examine the difference in achievement between the pre-test and the post-test for the treatment group and the control group. The treatment group was given a questionnaire on student motivation after using the Omygram learning chart in PdPC. The findings show that there is a significant difference in achievement between the pre-test scores and the post-test scores for the treatment group. Student motivation after using the Omygram learning chart was also at a high level.