IT Security Assessments (Process of matching security policies against the architecture of the system in order to measure compliance
The systems security assessment is the method of creating a security policy that would be complimentary to the architecture of the system and the method would allow for the measure of compliance. Security assessments are activities that belong to the phase of the design cycle, and that is because it is very difficult to assess the risk of a system that is already functioning. Assessing risk alone does not make the process true. The issues of costs, and the types of security architecture and many other necessities that are outside the actual security measures need to be considered because they come into play. (Ramachandran, 2002) There is also the complexities of the networks itself to consider. Modern internet-based systems have created hybrid network configuration that brings the problems of scalability. One type of hybrid network is the integration of mobile wireless networks and the internet.
The primary network in the case of the internet and other networking is the grid. It is defined as a combination of hardware and software created infrastructure that provides a platform for dependable, consistent and inexpensive access to high end computing capabilities. There is thus resource sharing and the types of grids are cluster, enterprise, and global grids. (Merkow; Breithaupt, 2005) While the entire grid may thus be given a security system, each administrative domain must also have its own protocol to suit the type it is and also integrate to the grid. Certification of the domains as with the GSI and X509 certificates was the earlier known solution for authentication. (Douligeris; Serpanos, 2007)
This system thus incorporated is the basis of secure layered protocols for different types of communication. When the LAN and internet went worldwide, the grid security had to be reconsidered. The second type of grid uses the stand-alone mobile networks with infrastructure wireless networks which can be seen in the merging of cellular and wireless networks is a type of hybrid network where cellular features are mixed with adhoc connectivity to create a composite network that carries both the features. (Belding-Royer; Agha; Pujolle, 2005)
In any case the network device security is the most important part of any security infrastructure. The growing networks and inclusion of more and more new networked devices has caused increase of nodes most of which are not amenable to high security protocols like printers -- those which are network enabled have insecure default configurations. Most security problems begin with the routers which are the first device that is targeted for an attack. Compromise of these devices will make the entire network infrastructure weak or will be a way for attackers to cause a 'man-in-the-middle attacks' which may include rerouting traffic, information gathering and denial of service. (Andress, 2003) There are many criteria for the analysis of the security scenario.
The problems of security begin with the expansion of networking and in the beginning of the millennium the growth in demand for networks was huge and the system relied on the packet-switched data communications networks which were based on the "protocol layering" concept -- that is rules, or protocols being used in a stack fashion and based on what was defined as the "end-to-end network" both of which created the internet. The main element in this system is the IP address that is found in the "logical layers and the modern use of network protocols centered on the IP address." (Whitt, 2004)
In the networking the emphasis always is on the 'Network Layers.' The modern network thus consists of many additional features including wireless transmissions, telephony, internet, and mobile networks. The amalgamation of all the services in a single device such as mobile phones for example has caused vast changes in the way the operations are carried out in the communication sector. The first method is the use of the 'Federal Information Technology Security Assessment Framework' championed by the 'National Institute for Standards and Technology -- NIST' and this method helps in the security assessment by evaluating the threats against and vulnerabilities within the assets of the system. It is also used to certify all implemented security controls as adequate or other grades like 'completely secure or meeting acceptable levels of risk' and so on. (Ramachandran, 2002)
The 'Common Criteria Testing Laboratories' based a system on the end user and the requirements of the end user determine the nature of the security proposed for the system, and it can be the same as in the ITSEC system. The common criteria have a set of validities that form the fundamental directives contained in the protection profile. The role of evaluation is to test the premises of the developer and discover potential security threats. Thus the claims made by the developer is tested and evaluated and the end user thus can be satisfied about the outcome. The 'Common Criteria' deals with the information that is stored and used with multiple hardware and software components. The assurance is that the design of the system is wherein there is higher security and trust. This involves the selection of the individual IT product like operating systems, browsers, other software and other hardware, all of which must be critically evaluated and this can be evaluated as a whole or for each of the components individually such that they serve as the basis of future use of the component in identical situations and can be claimed to be robust. This can result in assembling evaluated components into a trustworthy system. (Merkow; Breithaupt, 2005)
Today the security scenario is changing. For example the banking services and sensitive interaction occurs through the wireless service networks. Mobile banking and WAP service offered to banks and now with the "downloads" or "applications" is supported in mobiles in the U.S. The tally is that over fifteen percent of banking customers use mobile services for transactions. The most vital aspect to be considered is security and especially data packet security and authentication. (Merkow; Breithaupt, 2005) In general there are many protocols implemented and many proposals that have grown with the need of various services. That is where the security evaluation plays a great role.
These criteria are met in the international protocol called the TSEC where the evaluation begins with the network concept itself. In the TSEC, thus each component is evaluated individually as against the TSEC rating systems from Division D. Division D. has minimal protection to class C2 controlled protection and have many intermittent classes in between where C. stands for discretionary protection, C1, for discretionary security protection, C2 for controlled access and object reuse protection and so on. (Contesti; Andre; Waxvik; Henry; Goins, 2007)
There cannot be any change to these basic concepts in the model and the changes that the 'International Common Criteria' for information technology security evaluation has brought in do not affect the existing systems because by verifying the certification of the components that are used, it can be seen if the system is robust. It also states if the system is ideal for the network security required -- e.g. more for the bank, lesser for a library. In this system the e NIST Security Assessment Framework described in [NIST00] is the ideal solution to most type of security networks because the methods consist of multiple modules that provide security to all aspects of the network. (Ramachandran, 2002)
The five levels begin with establishing a documented security policy to cover all aspects of security management. This would incorporate the details of all ace methods and procedures, the methods of operations, the collection of procedures, exact technology to be used that may include the hard ware software and vendor criteria, and the goal sets for the implementation of the security. The NIST00 also at the second level is where the process of implementation of the security is created. And the procedures are properly documented. Following this at Level 3, the stock is taken of the already implemented or existing systems and controls that can be used in the process or those systems that the organizations must ensure implementation of their security procedures. (Ramachandran, 2002)
The important system is the method of making the end user proficient in handling the system procedures and understanding the safety protocols and procedures that calls for some level of for security skills which must meet an assessment and the deficient training needs is documented. Going further in level 4; the final test and review of all the procedures and controls is done. There are regression procedures for testing security in the presence of system evolution and from here the final level namely the Level 5 is reached where a 'Fully Integrated Procedures and Controls' are seen to become viable. In other words the system at this stage has an implemented security controls and external security resources that completely protect the system architecture. (Ramachandran, 2002) The economics of the system is shown by the…