The aim of the project is to develop a robust and survivable Unified Formal Model of Enterprise Information System Security based on existing and new models of the different facets of security. The model and the theory behind it will be used to develop a set of easily measurable metrics for management decision-making and assurance of RoI.
Based on the above model and the metrics, a Web-enabled Object-oriented Framework for Enterprise Security Management will be developed along with a number of component services to be integrated with the Framework to automate different phases of the Security Engineering Life-cycle.
The scope of work will include the following:
1. Survey and integration of different models of the facets of Information Security into a unified formal model of Enterprise Information System Security.
2. Development of new metrics for risk, assurance, architectural efficacy, operational efficiency, protection capability, protection performance, etc.
3. Development of a Web-enabled Object-oriented Framework for Security Management consisting of the following components:
(i) Security Requirement Analysis Component
(ii) Risk Analysis and Mitigation Component
(iii) Policy Development Component
(iv) Security Architecture and Infrastructure Advice Generation Component
(v) Operational Advice Generation Component
(vi) Security Testing Component
(vii) Web-based Training Component
Summary of work done:
We need formal models of systems
whenever their complexity increases to such an extent that it becomes
impossible for human and organizational structures to manage them. Cases in
point are compiler technology and software engineering models. Security
design and management are becoming too complex because of the interplay among
technology, management, economics, social issues and the huge volume of data to
be managed. The matter is further complicated by frequent changes in all these
aspects; in fact, once design and development are done, changes in
the requirements and environment appear much more frequently than in software
systems. Any tangible assurance in this dynamic system requires formal analysis
and tools based on the formal model.
There exist various separate
models for the different aspects of enterprise security. For example,
the Clark-Wilson model deals with integrity; the Bell-LaPadula model deals with
Database Access; there are models of Discretionary, Mandatory and Role-based
Access Control; Risk Models of different kinds; Survivability models for
networks and security; Cost-Benefit Models; models for security architecture and
configuration generation; Testing models, etc. The major objective of the
present project was to integrate the above models and a few newly proposed ones
into a unified model of enterprise information security, so that the different
outputs of the tools can be checked for soundness and completeness. The
model-based approach will allow questions on information security posed by
top management to be answered with a degree of confidence, so that management
can take informed, objective decisions regarding investing in and managing the
security infrastructure, and the security risk to the enterprise IT assets
can be mitigated to an acceptable level at an acceptable cost. The model will
also be used to develop formal metrics of information security, which are
still in their infancy.
During this project, a detailed survey of
different security models of confidentiality, integrity, availability,
non-repudiation, authentication, and access-control was conducted. An
integrated model for managing enterprise information system security has been
formulated. This model addresses various security parameters like
confidentiality, integrity, availability, etc. Modal propositional logic has
been used to formulate the model. Also, a detailed survey of existing methodologies
for measuring security has been conducted. A new fuzzy-logic based risk
analysis methodology has been formulated. Metrics of assurance, architectural
efficacy, operational efficiency, protection capability, and protection
performance have also been proposed.
The second objective was to develop a suite of
services to support the different phases of the security engineering life
cycle. The tools developed in this project differ from those of the previous
project in three ways: the new tools are based on a sound formal model; they are
embedded in a web-based Object-oriented (J2EE) framework, so that clients
can get the service from anywhere in the country; and the framework supports
rapid deployment of newer services to be integrated in the future. Upgrading
the existing services will also be easier. Under this project, an entire suite
of web services has been developed, which will enable enterprises to manage
their information security needs within a single framework. The suite of
services has been named WISSDOM, which is an acronym for Web-enabled
Information System Security Design and Operational Management.
The web-services developed under the project are as follows:
(i) Data Capture Service
(ii) Consolidated Risk Analysis
(iii) Detailed Risk Analysis
(iv) Initial Vulnerability Analysis
(v) Control List Generation (compliant with ISO 17799:2005)
(vi) Control Gap Analysis (compliant with ISO 17799:2005)
(vii) Generation of Requirement Specification file
(viii) Generation of Baseline Policy Manual (compliant with ISO 17799:2005)
(ix) Generation of Detailed Policy Manual (compliant with ISO 17799:2005)
(x) Generation of Guideline Manual (compliant with ISO 17799:2005)
(xi) Generation of Procedure Manual (compliant with ISO 17799:2005)
(xii) Administrative/Security services
(xiii) Generation of Asset Based Advisory
(xiv) Generation of Location Based Advisory
(xv) Compliance Testing
(xvi) Training services
A third objective was to develop quality
training material on the web. A security training service has been developed
during this project period. It consists of two parts. One is a generic training
sub-module for imparting security knowledge to users. The other is a
tool-specific training sub-module that imparts knowledge on the usability of
the web services. The training module supports different categories of users,
such as Chief Information Security Officer, security manager, and general user.
This service is being offered using a Knowledge Management Tool, Learn.ITY, from
Aunwesha Knowledge Systems Pvt. Ltd. The company has permitted the use of
their product for development purposes.