Page 29 - DCAP516_COMPUTER_SECURITY

Unit 3: Assurance and Operational Issues




          The design architects the system to satisfy, or meet, the specifications. Typically, the design is
          layered by breaking the system into abstractions, and then refining the abstractions as you work
          your way down to the hardware. An analyst also must show the design matches the specification.
          The implementation is the actual coding of the modules and software components. These must
          be correct (perform as specified), and their aggregation must satisfy the design.

          3.1 Meaning of Computer Security Assurance


          Computer security assurance is the degree of confidence one has that the security measures,
          both technical and operational, work as intended to protect the system and the information it
          processes. Assurance is not, however, an absolute guarantee that the measures work as intended.
          Like the closely related areas of reliability and quality, assurance can be difficult to analyze;
          however, it is something people expect and obtain (though often without realizing it). For
          example, people may routinely get product recommendations from colleagues but may not
          consider such recommendations as providing assurance.
          Assurance is a degree of confidence, not a true measure of how secure the system actually is. This
          distinction is necessary because it is extremely difficult — and in many cases virtually impossible
          — to know exactly how secure a system is.

             Caution: Assurance is a challenging subject because it is difficult to describe and even more
             difficult to quantify. Because of this, many people refer to assurance as a “warm fuzzy
             feeling” that controls work as intended.

          However, it is possible to apply a more rigorous approach by knowing two things:
          (1)  who needs to be assured and
          (2)  what types of assurance can be obtained.



             Did you know? The person who needs to be assured is the management official who is
             ultimately responsible for the security of the system: the authorizing or accrediting official.

          3.1.1 Methods and Tools for Obtaining Assurance

          There are many methods and tools for obtaining assurance. For discussion purposes, this unit
          categorizes assurance in terms of a general system life cycle. The unit first discusses planning
          for assurance and then presents the two categories of assurance methods and tools: (1) design
          and implementation assurance; and (2) operational assurance. Operational assurance is further
          categorized into audits and monitoring.
          The division between design and implementation assurance and operational assurance can be
          fuzzy. While such issues as configuration management or audits are discussed under operational
          assurance, they may also be vital during a system’s development. The discussion tends to focus
          more on technical issues during design and implementation assurance and to be a mixture of
          management, operational, and technical issues under operational assurance.

          3.2 Selecting Assurance Methods

          The accrediting official makes the final decision about how much and what types of assurance
          are needed for a system. For this decision to be informed, it is derived from a review of security,



                                           LOVELY PROFESSIONAL UNIVERSITY                                   23