Page 31 - DCAP516_COMPUTER_SECURITY

Unit 3: Assurance and Operational Issues




          Self Assessment

          Fill in the blanks:
          1.   ……………………………… addresses whether the features of a system, application, or
               component meet security requirements and specifications.

          2.   In selecting assurance methods, the need for assurance should be weighed against its
               …………………
          3.   Assurance can be quite expensive, especially if …………………………. is done.

          4.   ………………….. is a degree of confidence, not a true measure of how secure the system
               actually is.
          5.   The person who needs to be assured, the management official who is ultimately
               responsible for the security of the system, is the …………………………………….

          3.5 Operational Assurance

          Design and implementation assurance addresses the quality of security features built into systems.
          Operational assurance addresses whether the system’s technical features are being bypassed or
          have vulnerabilities and whether required procedures are being followed. It does not address
          changes in the system’s security requirements, which could be caused by changes to the system
          and its operating or threat environment. Security tends to degrade during the operational phase
          of the system life cycle. System users and operators discover new ways to intentionally or
          unintentionally bypass or subvert security (especially if there is a perception that bypassing
          security improves functionality). Users and administrators often think that nothing will happen
          to them or their system, so they shortcut security. Strict adherence to procedures is rare,
          procedures become outdated, and errors in the system’s administration commonly occur.
          Organizations use two basic methods to maintain operational assurance:
          1.   A system audit: A one-time or periodic event to evaluate security. An audit can vary widely
               in scope: it may examine an entire system for the purpose of reaccreditation or it may
               investigate a single anomalous event.

          2.   Monitoring: An ongoing activity that checks on the system, its users, or the environment. In
               general, the more “real-time” an activity is, the more it falls into the category of monitoring.
          This distinction can create some unnecessary linguistic hairsplitting, especially concerning
          system-generated audit trails. Daily or weekly reviewing of the audit trail (for unauthorized access
          attempts) is generally monitoring, while an historical review of several months’ worth of the
          trail (tracing the actions of a specific user) is probably an audit.
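The distinction drawn above can be seen by running two different reviews over the same audit trail. The following is an added example, not part of the original text: the log format, event names, user names and the failure threshold of 3 are all assumptions, and the trail itself is constructed sample data.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed audit trail (assumed format): timestamp user event object
TRAIL = """\
2024-03-02T09:14:07 jsmith LOGIN_OK -
2024-03-02T09:20:41 jsmith FILE_READ /payroll/q1.xls
2024-04-18T22:03:55 jsmith FILE_COPY /payroll/q1.xls
2024-06-10T01:12:30 mlee LOGIN_FAIL -
2024-06-10T01:12:41 mlee LOGIN_FAIL -
2024-06-10T01:12:59 mlee LOGIN_FAIL -
2024-06-10T08:30:02 akhan LOGIN_FAIL -
2024-06-10T08:30:20 akhan LOGIN_OK -
2024-06-10T10:05:11 jsmith FILE_READ /hr/reviews.doc
"""

def parse(trail):
    """Turn trail text into (timestamp, user, event, object) tuples."""
    records = []
    for line in trail.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the review
        ts, user, event, obj = parts
        records.append((datetime.fromisoformat(ts), user, event, obj))
    return records

def monitor(records, now, window=timedelta(days=1), threshold=3):
    """Monitoring: look only at the recent window for repeated failed logins."""
    fails = Counter(user for ts, user, event, _ in records
                    if event == "LOGIN_FAIL" and now - window <= ts <= now)
    return {user: n for user, n in fails.items() if n >= threshold}

def audit_user(records, user, start, end):
    """Audit: historical, time-ordered trace of one user's actions."""
    return [(ts, event, obj) for ts, u, event, obj in sorted(records)
            if u == user and start <= ts <= end]

if __name__ == "__main__":
    recs = parse(TRAIL)
    print("monitoring:", monitor(recs, datetime(2024, 6, 10, 23, 59, 59)))
    for row in audit_user(recs, "jsmith", datetime(2024, 3, 1), datetime(2024, 6, 30)):
        print("audit:", *row)
```

The daily pass flags only the account with repeated recent failures, while the audit pass reconstructs several months of one user's activity from the same records.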

          3.5.1 Audit Methods and Tools

          An audit conducted to support operational assurance examines whether the system is meeting
          stated or implied security requirements including system and organization policies. Some audits
          also examine whether security requirements are appropriate, but this is outside the scope of
          operational assurance. Less formal audits are often called security reviews.

          Audits can be self-administered or independent (either internal or external). Both types can
          provide excellent information about technical, procedural, managerial, or other aspects of
          security. The essential difference between a self-audit and an independent audit is objectivity.
          Reviews done by system management staff, often called self-audits/assessments, have an inherent





                                           LOVELY PROFESSIONAL UNIVERSITY                                   25