3 - CHAPTER THREE – SECURITY MATURITY MEASUREMENT
3.4 Capability Maturity Model History
3.5.5 Security Engineering – SSE-CMM Viewpoint
Security engineering is divided into three major areas or processes, namely risk, engineering and assurance (SSE-CMM, 2003, Chan and Kwok, 2001). Figure 3.3 illustrates their relationship. The risk process identifies and prioritises threats to the system. The engineering process works in concert with the other engineering disciplines to implement appropriate solutions. The assurance process establishes confidence in those solutions and communicates it to the customers (Chan and Kwok, 2001). The three security engineering processes, risk, engineering and assurance, are examined from the perspectives of the SSE-CMM (2003), the protection profile improvement process of Williams and Ferraiolo (1999) and the integration of security design research of Chan and Kwok (2001). The three processes are inter-related and act co-dependently to produce a security solution, so it is pertinent to examine each in more detail in order to understand how they interact during security development.
Figure 3.3 - Three major areas in security engineering Source Chan and Kwok – 2001
3.5.5.1 Security Engineering – Risk Process
Risk, according to the SSE-CMM (1997), is defined as “the likelihood that the impact of an unwanted incident will be realised.” A major security engineering objective is the reduction of risk. Risk assessment was defined earlier as the systematic consideration of the business harm likely to arise from a security failure. It involves identifying the business assets, the threats to them and their vulnerabilities, and prioritising the risk-mitigating techniques and resources (Margaritis et al, 2001, Carlson, 2001, ISO 17799-2:2002, SSE-CMM, 2003). Chan and Kwok (2001) note that the risk process identifies and prioritises the dangers inherent in the service or product being developed.
[Figure 3.3 (Chan and Kwok, 2001) is not reproduced here; its elements are labelled Risk Process, Engineering Process, Assurance Process, Risk Information, Assurance Argument and Product, System or Service.]
Williams and Ferraiolo (1999), in P³I - Protection Profile Process Improvement, examine the use of the SSE-CMM to develop a quality Protection Profile (PP) based on the functional and assurance requirements contained in the Common Criteria standard. Chaula, Yngström and Kowalski (2004), in Security Metrics and Evaluation of Information Systems Security, acknowledge the use of these processes in security evaluation, risk assessment, protection profiling and assurance rating, and use the PP to create the security specifications. Developing a quality PP is complex and involves every aspect of security engineering. Its quality depends on the processes that create it, so a mature process helps ensure that high-quality PPs are developed. The SSE-CMM is advocated as a means of ensuring that the security engineering processes are mature.
Williams and Ferraiolo (1999) note that PA04 (Assess threat), PA05 (Assess vulnerability), PA02 (Assess impact) and finally PA03 (Assess security risk) relate to understanding risk. The selection of the most appropriate risk assessment method depends on various factors, including the technology used, the amount of information available and the expertise of the developers. A critical factor is the determination of appropriate metrics for the risk components; without them the severity of the risks cannot be determined or compared. Chan and Kwok (2001) note that the risk process, in the SSE-CMM arena, requires the assessment of four important entities: impact, security risk, threats and vulnerabilities. The PA activities that gather information about threats, vulnerabilities and impact are interdependent, because a risk exists only where a threat is able to exploit a vulnerability and the resulting incident has an impact on an asset. Their goal is to discover which combinations are deemed sufficiently risky to justify action. An overall risk analysis determines which combinations of threat, vulnerability and impact present a significant risk, and the risks are prioritised to separate the requirements that are critical from those that ‘are merely nice to have.’ The SSE-CMM is seen as an aid which prevents the creation of solutions that are too costly, too difficult for users or insufficient (Williams and Ferraiolo, 1999).
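The following is a worked example added here to make the risk process concrete; it is not code from the thesis, the SSE-CMM or the cited authors. It combines threat (PA04), vulnerability (PA05) and impact (PA02) assessments into a ranked list of security risks (PA03) and then separates the risks that justify action from those that are merely nice to have. The ordinal scales, the multiplicative combination rule, the action threshold and all of the sample threats, vulnerabilities and assets are assumptions constructed for the illustration: the SSE-CMM says what must be assessed, not how it is to be scored.

```python
"""Worked risk analysis in the SSE-CMM's terms (added example, not from the
SSE-CMM or the cited authors).  Threat (PA04), vulnerability (PA05) and impact
(PA02) assessments are combined into ranked security risks (PA03) and then
split into those that justify action and those that are merely nice to have.
The scales, the combination rule, the threshold and the sample data are all
assumptions made for the illustration."""
from dataclasses import dataclass
from itertools import product

# Assumed ordinal scales.  Agreeing these numbers up front is the "metrics"
# step: without them the severity of one risk cannot be compared with another.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
EXPOSURE = {"hard": 1, "moderate": 3, "easy": 5}   # how easily the weakness can be used
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str            # key into LIKELIHOOD
    exploits: frozenset        # vulnerability classes this threat is able to use


@dataclass(frozen=True)
class Vulnerability:
    name: str
    kind: str                  # vulnerability class, matched against Threat.exploits
    exposure: str              # key into EXPOSURE
    asset: str                 # asset whose impact rating applies


@dataclass(frozen=True)
class RiskEntry:
    threat: str
    vulnerability: str
    asset: str
    score: int


def assess_security_risk(threats, vulns, impacts):
    """PA03: keep only threat/vulnerability pairs that can actually combine,
    score each against the affected asset's impact, and rank highest first."""
    entries = []
    for t, v in product(threats, vulns):
        if v.kind not in t.exploits:
            continue  # this threat cannot use this weakness: no risk scenario
        score = LIKELIHOOD[t.likelihood] * EXPOSURE[v.exposure] * IMPACT[impacts[v.asset]]
        entries.append(RiskEntry(t.name, v.name, v.asset, score))
    return sorted(entries, key=lambda e: (-e.score, e.threat, e.vulnerability))


def prioritise(entries, action_threshold):
    """Separate risks that justify action from the 'merely nice to have' ones."""
    critical = [e for e in entries if e.score >= action_threshold]
    nice_to_have = [e for e in entries if e.score < action_threshold]
    return critical, nice_to_have


def sample_assessment(action_threshold=25):
    """Run the analysis over constructed sample data (assumed, not real)."""
    threats = [
        Threat("external attacker", "likely", frozenset({"injection", "weak auth"})),
        Threat("malicious insider", "unlikely", frozenset({"weak auth", "missing audit"})),
        Threat("hardware failure", "possible", frozenset({"no redundancy"})),
    ]
    vulns = [
        Vulnerability("SQL injection in search form", "injection", "easy", "customer DB"),
        Vulnerability("shared admin password", "weak auth", "moderate", "admin console"),
        Vulnerability("no audit trail on payroll", "missing audit", "easy", "payroll"),
        Vulnerability("single disk on build server", "no redundancy", "moderate", "build server"),
    ]
    impacts = {"customer DB": "severe", "admin console": "major",
               "payroll": "moderate", "build server": "minor"}
    ranked = assess_security_risk(threats, vulns, impacts)
    critical, nice_to_have = prioritise(ranked, action_threshold)
    return ranked, critical, nice_to_have


if __name__ == "__main__":
    ranked, critical, nice_to_have = sample_assessment()
    for e in ranked:
        tag = "ACT" if e in critical else "nice-to-have"
        print(f"{e.score:4d}  {tag:13s} {e.threat} -> {e.vulnerability} ({e.asset})")
```

Two points the code makes that the prose only states: a threat that cannot use a given weakness yields no risk scenario at all (hardware failure never pairs with the injection flaw), so the three assessments only become a risk when combined; and the ranking is meaningless unless every component is measured on an agreed scale, which is why the scales are declared before any scenario is scored.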
3.5.5.2 Security Engineering – Engineering Process
The engineering process includes PA01 (Administer security controls), PA07 (Coordinate security), PA08 (Monitor security posture), PA09 (Provide security input) and PA10 (Specify security needs) (Chan and Kwok, 2001, SSE-CMM, 2003). Williams and Ferraiolo (1999) group the PAs differently and cluster PA10 (Specify security needs), PA07 (Coordinate security) and PA08 (Monitor security posture) together as the activities that develop an understanding of the consumer's security needs through the security policies and the security usage assumptions.
The practices in PA10 (Specify security needs) include identifying the policies, laws, standards and other external influences and constraints that affect the security environment; these enable the high-level security goals to be captured in a security policy. PA07 (Coordinate security) ensures the solution remains valid across both the solution environment and the consumer environment, whilst PA08 (Monitor security posture) contains the practices needed to ensure the underlying security needs do not change unnoticed during the development and vetting processes. This underlying security information demonstrates that the security solution fits its intended context, which creates consumer confidence in its appropriateness (Williams and Ferraiolo, 1999). The risk and engineering processes are interlinked with the assurance process because the evidence that promotes assurance is precisely what demonstrates the rationale behind the security solution.
3.5.5.3 Security Engineering – Assurance Process
Assurance is defined as ‘the degree of confidence that security needs are satisfied’. It is a product of security engineering and, indirectly, it reduces risk. The SSE-CMM contributes to this confidence through the repeatability of quality results: it imposes no additional security controls, but provides confidence that, once deployed, the security controls will function as intended. Assurance is often communicated in the form of an argument, which shows that the solution's development followed a mature engineering process subject to CPI. SSE-CMM activities provide the evidence relevant to that assurance (SSE-CMM, 2003).
Activities in the assurance process use the products of the risk and engineering processes to establish confidence in the security solutions and convey this confidence to the users (Chan and Kwok, 2001). Williams and Ferraiolo (1999) maintain that choosing assurance requirements is a complex task involving PA10 (Specify security needs), PA06 (Build assurance argument), PA09 (Provide security input) and PA07 (Coordinate security). PA10 (Specify security needs) provides the practices necessary to select a set of assurance requirements.
PA06 (Build assurance argument) contains the practices that identify and manage the appropriate assurance evidence and organise it into arguments that the security claims for the solution are met. This approach ensures that security claims are not overlooked and are supported by sufficient evidence. PA09 (Provide security input) guides the process of selecting and modifying the assurance requirements. A traditional problem is the tendency to develop the assurance evidence only after the security system has been built. The SSE-CMM encourages developing the assurance requirements at the earliest possible stage, and PA07 (Coordinate security) contains the practices needed to do so. Early development of the assurance requirements reduces the cost and increases the quality of the assurance effort (Williams and Ferraiolo, 1999, SSE-CMM, 2003).
There are activities within the SSE-CMM model that help establish the trustworthiness of the security system. The practices in PA11 (Verify and validate security) and PA06 (Build assurance argument) help establish its consistency and completeness. PA11 (Verify and validate security) contains the practices that verify the security solution meets its requirements and validate that it is fit for its intended environment. Its results are important inputs to PA06 (Build assurance argument) and form part of the assurance argument that increases confidence in the security solution (Williams and Ferraiolo, 1999, SSE-CMM, 2003).
The SSE-CMM model can be applied to security engineering in three ways. First, it presents the SSAM, the appraisal method that determines the capability levels of security engineering within an organisation. Second, it presents a methodology for security engineering process improvement. Third, it presents a method to determine and improve assurance. The appraisal method has been adapted in a variety of security assessment models to determine the state of security engineering within various environments, and these are examined next.