A Generic Security Template for information system security arguments: Mapping security arguments within healthcare systems

Ying He, School of Computing Science, University of Glasgow, UK.
Contents

•  Background
•  Objectives
•  Business Model
•  Evaluations
•  Conclusions

Background

•  Background
–  Number of incidents accounts for 42% in healthcare, the top share among different sectors [1].
–  Research communities (e.g. NIST, SANS) stress incident learning in the incident handling lifecycle.
–  Incident sharing platforms:
   •  European Network and Information Security Agency (ENISA)
   •  The US National Healthcare and Public Health Information Sharing and Analysis Centre (NH-ISAC)
   •  UK government Cyber Security Information Sharing Partnership

[1] Internet Security Threat Report Trends, Symantec Corporation, Volume 19 (2014)

Background (Continued)

•  The problem
–  Current research is not concerned with providing a mechanism for conveying key incident details effectively.
–  Little research on feeding back lessons learned into the Information Security Management System (ISMS).
–  Ineffective communication and redistribution of lessons learned from different incident data sources:
   •  Technical notes
   •  Incident reports
   •  Social media (e.g. news articles, weblogs)
–  Incoherent security arguments about how the remedial actions taken have satisfied system security requirements.

Objectives

•  Objectives
–  Propose a method that can present a coherent security argument and effectively communicate security lessons.
–  Evaluate its suitability to depict security arguments from different security incident data sources.
–  Evaluate its usability to communicate security arguments compared to traditional approaches.
–  Assess its acceptance and applicability in communicating and redistributing lessons learned in a healthcare context.

Business Model

•  Theoretical Basis
–  Assurance Case
   •  “A documented body of evidence that provides a convincing and valid argument that a specified set of critical claims are adequately justified for a given application in a given environment”.
–  Goal Structuring Notation (GSN)
   •  Included in ISO 15026 to present assurance cases.
   •  Widely used in the safety area.
•  The “Generic Security Template” (GST)
   “A documented body of lessons learned identified from a security incident that can support the Security Requirements of the Information Security Management Systems (ISMS)”.

Business Model - Example

•  Example (NHS Surrey IT Asset, 2013)
–  The Context, e.g. “Healthcare system of NHS Surrey”.
–  The Strategy, e.g. “IT Asset Disposal Guidance”.
–  The Security Issue, e.g. “The disposal process for redundant equipment did not require the IT team to carry out an assessment of the risks of using a data”.
–  The Violated Security Requirement, e.g. “A risk management of the disposal process should be conducted”.
–  The Recommendation, e.g. “Carry out a risk assessment when using a data processor to dispose of the hard drives”.

GST instance for the NHS Surrey case (reconstructed from the slide's GSN diagram; node text is the slide's, grouping follows the node labels):

•  Goal: Healthcare System (HS) is acceptably secure.
   –  Context: Healthcare System of NHS Surrey.
   –  Strategy: Argument over IT Asset Disposal Guidance.
      •  Context: An IT Asset Disposal guidance proposed by the Information Commissioner's Office according to the Data Protection Act.
      •  Goal: An asset disposal strategy has been created.
      •  Goal: The devices containing personal data have been identified.
         –  Personal Data: Wipe medical information and confidential sensitive data before recycling.
      •  Goal: A risk management of the disposal process has been conducted.
         –  Risk Management: Carry out a risk assessment when using a data processor to dispose of the hard drives.
      •  Goal: An IT asset disposal company has been selected.
      •  Goal: A contract with the data processor has been drawn up.
         –  Contract: Have a written contract with the company processing the IT asset.
      •  Goal: The asset disposal process and data processors have been managed.
         –  Disposal Monitoring: Monitor the destruction process and maintain audit trails and inventory logs of hard drives destroyed by the company based on the serial numbers in the destruction certificates for each individual drive.
   –  Strategy: Argument over All Missing Security Recommendations.
      •  Goal (Guideline non-existent): Remedial action has been taken for the disposal process for redundant equipment.
         –  Remedial Action: Take remedial action which includes developing a new policy framework to address the internal re-use of information and appliances and the disposal process for redundant equipment.

The Generic Security Template (reconstructed from the slide's GSN diagram):

•  G1: {System X} is acceptably secure
   –  C1 (in the context of): ISMS for {System X}
   –  S1: Argument over {Security Standard X}
      •  C2 (in the context of): Security Standard for {System X}
      •  G3: {Index 1.X} {Security Requirement 1.X} is addressed (p = # security requirements of level 1)
      •  ...
      •  GN: {Index N.X} {Security Requirement N.X} is addressed (r = # security requirements of level n)
         –  LL1: {Security Issue N.X} {Recommendation N.X}
   –  S2: Argument over all Missing Security Recommendations
      •  G2 (Standard non-existent): {Missing Recommendation Y} is addressed (q = # missing security recommendations)
         –  LL2: {Missing Security Issue Y} {Missing Recommendation Y}
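To make the template concrete, here is an added Python model of the GST structure above (example code written for this page, not the author's tool): goals are argued either under the security standard (S1) or as missing recommendations (S2), each supported by a lesson-learned (LL) node, and a completeness check reports goals that no lesson supports. The NHS Surrey instance is constructed from the slide's nodes; the indices 1.1, 1.2 and 2.1 are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Requirement:
    # Leaf goal: a requirement of the standard (G3/GN) or a missing recommendation (G2)
    index: str
    goal: str
    standard_exists: bool = True
    recommendation: Optional[str] = None   # the LL node (lesson learned) supporting this goal

@dataclass
class GST:
    system: str        # C1: ISMS for {System X}
    standard: str      # S1/C2: {Security Standard X}
    requirements: List[Requirement] = field(default_factory=list)

    def top_goal(self) -> str:
        return f"G1: {self.system} is acceptably secure"
    def missing_recommendations(self) -> List[str]:
        # Goals argued under S2 (standard non-existent): the template's q nodes
        return [r.index for r in self.requirements if not r.standard_exists]
    def unsupported_goals(self) -> List[str]:
        # Goals with no lesson learned attached: the argument is incomplete there
        return [r.index for r in self.requirements if r.recommendation is None]
    def render(self) -> List[str]:
        # Flatten the GSN tree into indented text lines
        lines = [self.top_goal(), f"  S1: Argument over {self.standard}",
                 "  S2: Argument over all missing security recommendations"]
        for r in self.requirements:
            tag = f"G{r.index}" if r.standard_exists else f"G{r.index} (standard non-existent)"
            lines.append(f"    {tag}: {r.goal} is addressed")
            if r.recommendation:
                lines.append(f"      LL{r.index}: {r.recommendation}")
        return lines

# Constructed instance from the NHS Surrey IT asset disposal nodes on the slides; requirement
# 1.1 is deliberately left without a lesson to show what the completeness check reports.
nhs_surrey = GST(
    system="Healthcare System of NHS Surrey",
    standard="IT Asset Disposal Guidance",
    requirements=[
        Requirement("1.1", "An asset disposal strategy has been created"),
        Requirement("1.2", "A risk management of the disposal process has been conducted",
                    recommendation="Carry out a risk assessment when using a data processor to dispose of the hard drives"),
        Requirement("2.1", "Remedial action has been taken for the disposal process for redundant equipment",
                    standard_exists=False, recommendation="Develop a new policy framework for internal re-use and disposal"),
    ],
)
```

Running `print("\n".join(nhs_surrey.render()))` prints the argument as an indented tree, and `nhs_surrey.unsupported_goals()` flags requirement 1.1 as the goal still lacking a lesson.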

Evaluations - Suitability

•  Objective
–  “Evaluate the GST’s suitability to depict security arguments from different security incident data sources”.
•  Methodologies
–  Case studies from the US, China and the UK
   •  US security incident reports (6)
   •  China incident news articles (13)
   •  UK incident monetary penalty reports (14)
–  Selected cases
   •  Two from the US (VA Data Leakage, 2006/2007)
   •  One from China (Shenzhen Data Leakage, 2008)
   •  One from the UK (NHS Surrey IT Asset, 2013)

Evaluations - Suitability

•  Findings
–  The GST is suitable to depict security arguments from different security incident data sources.

Evaluations - Usability

•  Objective
–  “Evaluate the GST’s usability to communicate security arguments from security incidents compared to traditional approaches”.
•  Methodologies
–  Controlled experiment
   •  Accuracy, efficiency, task load, ease of use
   •  Participants: 24 students from the University of Glasgow
   •  Group A (Report & GST); Group B (Report)
–  Heuristic evaluation
   •  Cognitive Dimensions
   •  Qualitative feedback

Evaluations - Usability

•  Findings of the controlled experiment
–  Participants are better able to understand the security arguments with the help of the GST than using text alone (result is statistically significant).
–  The time taken to complete the designed task is less using the GST than using text alone (result is NOT statistically significant).
–  The mental effort is lower with the help of the GST than using text alone (result is statistically significant).
–  Participants find the GST easier to use than the text approach (subjective feedback).

Evaluations - Usability

•  Findings of the heuristic evaluation
–  Level of abstraction of the GST
–  Scalability of the GST

Evaluations - Acceptance

•  Objective
–  “Assess the GST’s acceptance in communicating and redistributing lessons learned in a healthcare context”.
•  Industrial case study
–  Internship: Security Strengthening Program
–  Participants
   •  Ten healthcare professionals
   •  Five security experts
–  Interview themes
   •  Security incident handling process
   •  Acceptance of the GST

Evaluations - Acceptance

•  Findings on the incident handling process
–  A mature incident handling process
   •  Preparation, investigation, mitigation, post-incident learning, incident response team, severity level definition.
–  Ineffective incident knowledge gathering
   •  Low severity: less focus on incident knowledge gathering
   •  High severity: report generated for administrative use only
–  Ineffective dissemination of incident lessons learned
   •  Low severity: technical notes documented in pieces
   •  High severity: report difficult to digest
–  Ineffective incident knowledge feedback
   •  Low severity: focus on direct causes rather than root causes
   •  High severity: report does not include revisions to security procedures

Evaluations - Acceptance

•  Findings on GST acceptance
–  Different interpretation of the GST by different user groups
–  Applicable scenarios in the organisation
   •  A tool to convert an incident report into a learning document
   •  A tool for communicating incidents
   •  A tool to feed incident knowledge to security management systems
–  Limitations
   •  Lack of multi-view function
   •  Not fully accepted by healthcare professionals

Evaluations - Applicability

•  Objective
–  “Assess the GST’s applicability in communicating and redistributing lessons learned in a healthcare context”.
•  Industrial case study
–  Internship: Security Strengthening Program
–  Participants
   •  Three healthcare professionals
   •  Two IT security experts
   •  One IT security manager
–  Interview themes
   •  Feed back lessons learned from external incidents to the information security management system (ISMS) of the redacted hospital.

Evaluations - Applicability

•  Findings
–  Lessons learned fed back to the ISMS
   •  The lessons learned from incidents in other healthcare organisations can be transferred into the redacted hospital.
   •  The redacted hospital is more likely to accept lessons from the Shenzhen data leakage incident.
   •  The GST helps the hospital assess whether applicable security standards address the concerns raised in previous breaches.
–  Customisation requirements
   •  Provide software support
   •  Enable multi-view function
   •  Add a lessons-learned acceptance identifier

Contributions

•  Contributions
–  Identified the current barrier to incident learning: ineffective communication and redistribution of lessons learned.
–  Proposed a security argument approach to effectively communicate lessons learned.
–  This approach is suitable to present security arguments from incident reports, monetary penalty reports and news articles.
–  This approach can improve the communication of lessons learned compared to traditional text-based reports.
–  This approach is accepted in a healthcare organisation and can be applied to communicate lessons learned to the security management system of a healthcare organisation.

Limitations and Future Work

•  Limitations and future work
–  Subjective features: the translation from natural language statements into a structured graphical overview.
   •  Apply knowledge representation.
   •  Apply intelligent techniques (e.g. natural language processing).
–  Scalability
   •  Commercial GSN tools (e.g. ASCE, INESS)
   •  Provide software support.
–  Soundness of the security argument
   •  Confidence argument
   •  Apply formalisms to mechanically check logical soundness.

Publications

[1] Y. He, C.W. Johnson, M. Evangelopoulou and Z.S. Lin. Diagraming approach to structure the security lessons: Evaluation using Cognitive Dimensions. The 7th International Conference on Trust & Trustworthy Computing, 2014, Crete, Greece.
[2] Y. He, C.W. Johnson, Y. Lu and A. Ahmad. Improving the exchange of lessons learned in security incident reports: Case studies in the privacy of electronic patient records. The 8th IFIP WG 11.11 International Conference on Trust Management, 2014, Singapore.
[3] Y. He, C.W. Johnson, Y. Lu and Y. Lin. Improving the Information Security Management: An Industrial Study in the Privacy of Electronic Patient Records. IEEE CBMS 2014, The 27th International Symposium on Computer-Based Medical Systems, 2014, New York, US.
[4] Y. He, C.W. Johnson, K. Renaud, Y. Lu and S. Jebriel. An empirical study on the use of the Generic Security Template for structuring the lessons from information security incidents. The 6th International Conference of Computer Science and Information Technology, 2014, Amman, Jordan.
[5] Y. He and C.W. Johnson. Generic security cases for information system security in healthcare systems. The 7th IET International Conference on System Safety, Incorporating the Cyber Security Conference, 2012, Edinburgh, UK.