Security Objectives - PowerPoint PPT Presentation


Title: Security Objectives


1
Security Objectives
  • University of Sunderland
  • CSEM02
  • Harry R. Erwin, PhD

2
What are Security Objectives?
  • Security objectives are the things you do to:
      • Enforce security policies
      • Mitigate risks
  • Security objectives may be met by:
      • Things the system does to protect itself, and
      • Things you can assume the environment does for
        the system.

3
CCTool
  • An expert system to aid in security analysis.
  • No longer supported by NIAP/NIST/NSA.
  • Still available from the module website.
  • Discusses security objectives and requirements.
  • Available at Sunderland as the UoSTool
    <http://osiris.sunderland.ac.uk/cs0her/Software/UoSTool.zip>

4
The Security Mapping Process
CCTool Manual

5
Security Analysis Relationships
CCTool Manual

6
Security Objectives Result in Security Requirements
CCTool Manual

7
Security Objectives
  • The results of the analysis of the security
    environment can then be used to state the
    security objectives that counter the identified
    threats and address identified organizational
    security policies and assumptions. The security
    objectives should be consistent with the stated
    operational aim or product purpose of the system,
    and any knowledge about its physical environment.

CCTool Manual

8
Intent of the Objectives
  • The intent of determining security objectives is
    to address all of the security concerns and to
    declare which security aspects are either
    addressed directly by the system or by its
    environment. This categorization is based on a
    process incorporating engineering judgment,
    security policy, economic factors and risk
    acceptance decisions.

CCTool Manual

9
Example Objectives
  • O.AC_Label_Export: Object security attributes and
    exportation
  • O.Access_History: Access history for user session
  • O.Admin_Code_Val: Administrative validation of
    executables
  • O.Admin_Guidance: Administrator guidance
    documentation

10
To Explore This Further
  • Run CCTool (available on the terraces)