A study of Object-Oriented Information Security Management Model 物件導向資訊保安管理模型的研究

advertisement
A study of Object-Oriented Information Security Management Model
物件導向資訊保安管理模型的研究
FUNG, Pui-kwan, Peggy MPhil 2003
Abstract
Information security of an organization, if properly managed, should be fully documented. It has been
suggested that a security officer’s workbench, with its database and graphical representations, may
present a more effective form of security documentation. However, such a tool requires a well-developed
model of the information system security and a standardized means to represent security entities and
relationships, particularly a directory-based classification scheme for security entities and relationships.
This thesis proposed an information security model to facilitate the development of electronic security
documentation.
An X.500-like security entities classification scheme was proposed. This proposed model defines the
structure and hierarchy of security relevant data. There are five main security classes in the proposed
model; namely, Systems, Environment, Security, Procedures and Linkages. Each of the above classes has
a number of subclasses and the whole set of classes can be described as a directory tree. Such a directorybased model facilitates the documentation and maintenance of security relevant data and its complex
relationships.
The potential use of the data and their complex linkages in this model was then explored. Linkages
(Relationships) link up entities under same and different security classes. We termed the relationship
between a Threat and a Security Entity as a “TE” relationship and that between an incident TE and a
target TE as a “TETE” relationship. It was found that a threat acting on a System or Environment Entity
(incident TE relationship) causes consequent threats, which in turn act on another System or Environment
Entity (target TE relationship). With TE and TETE relationships, propagation of threats within the system
to their consequential business impact can be traced automatically, and thus, a threat tree can be
constructed automatically.
Further the model was developed to assist in the formulation of effective defence via appropriate
countermeasures. As countermeasures are not 100% effective, there may be some residual threats, and
thus multiple countermeasures may be required for a security system. Linkages between incident threats
and residual threats of countermeasures provide a better picture on the state of security of an organization.
These linkages can be used to build a Threat Countermeasure Diagram (TCD) that describes the structure
of the deployed root countermeasure and its subsequent countermeasures to guard against information
security threats for an organization.
A prototype was developed in Java to test whether this proposed model can facilitate the development of
an electronic form of information security documentation. A typical scenario on automatic construction of
Threat Tree and TCD was illustrated with examples. The potential use of this model in risk assessment
was discussed.
Download