OMG Technical Meeting - March 2013

Presentation to UPDM Group Security View

Agenda

• Introduction– Presentation Objectives– Background

• Overview

• Security View Details

• Next Steps

• Q&A

2

Presentation Objectives

• Introduce DRAFT Security View• For each sub-view:

– Purpose, Description, Concepts– Conceptual Architecture & Deliverables– Sample attribution template

• Convey essence and flow of security lifecycle;

• Our road ahead for SecV

3

Background

DriversDrivers

• “Security at the front” not as an afterthought

• Information & IT Security Capability– confidentiality, integrity, availability, non-

repudiation, and audit-ability– of defence information and the supporting

systems and networks.

• Pan-enterprise Security

Background

CollaboratorsCollaborators

• Security is “special”– normally involves Specialists– has unique perspectives

• IM & IT Security at the forefront

• Key Collaborators:– IM & IT Security (D IM Secur)– IT Engineering & Integration (DIMEI)

Background

OutcomeOutcome

• Redesign and partitioning of SecV-1 into 1a and 1b

• No change to existing SecV-2 and 3

• Discovery of new business requirements leading to SecV-4, 5, 6 & 7

Overview

Draft Sub-viewsDraft Sub-views

SecV-1a: Asset Security Domain & Valuation Rating

SecV-1b: Asset-at-Node Security Strength Requirement

SecV-2: Data Element Security Matrix

SecV-3: Aggregated Information Security Matrix

SecV-4: Security Control Specification

SecV-5: Security Control Profile

SecV-6: Security Control Service Profile

SecV-7: Asset-At-Node Threat Mitigation

8

Security Methodology (1/1)

SecV-1aAsset

Security Domain & Valuation

Rating

SecV-1bAsset-at-

Node Security Strength

Requirement

SecV-2Data

Element Security Matrix

SecV-3Aggregated Information

Security Matrix

Conduct Asset Sensitivity; Assign Security Domain

& Valuation Rating

Conduct TRA; Assign Security

Strength Requirement

Assess IERs and SDEs; Assign

Security Classification

Register Classified Data

Element Combinations

Asset Classification

and Valuations Lists

TRA Results and Security

Strength Requirements

Resource Flow &

IER & SDE Assessments

Data Element Combinations Risk Register

9

Security Methodology (2/2)

SecV-4Security Control

Specification

SecV-5Security Control Profile

SecV-6Security Control Service Profile

SecV-7Asset-at-

Node Threat Mitigation

Define SecurityControls

(CSEC & DND)

Establish Security Control Profile for

Asset (FoS) & Asset-at-Node

Define Security Services;

Establish SecurityControl Service

Profile

Establish Security Services to

address Asset-at-NodeSecurity Needs

SecurityControl

Taxonomy

Security Control Profile

for Asset & Asset-at-Node

Security Service

Taxonomy &Service Profiles

Asset-at-NodeThreat

MitigationSpecification

10

SecV-1a Purpose

SecV-1a : Asset Security Domain and Valuation RatingSecV-1a : Asset Security Domain and Valuation Rating

• The Asset (typically a member at some level of abstraction within the Asset FoS – Family of Systems) would undergo an Asset Sensitivity Analysis; the resulting Statement of Sensitivity is described and referenced in SecV-1a.

• Based on the sensitivity analysis, the Security Officer determines and assigns a Security Domain to the Asset.

• The DND Security Officer is also able to assign a Valuation Rating (Very Low to Very High) to the Asset.

Asset within FoS Structure

11

Asset

Materiel System Personnel Cash

WeaponsIT Systeme.g. SAP

Communications

SAP Sub-SystemA/R

SAP Sub-SystemG/L

SAP Sub-SystemPayroll

SAP ApplicationModule G/L 01

SAP ApplicationModule G/L 02

SAP ApplicationModule 03

Security Classification Taxonomy

Security Domain (e.g.)Security Domain (e.g.)• UNCLASSIFIED• PROTECTED A• PROTECTED B• PROTECTED C• CONFIDENTIAL• SECRET• TOP SECRET• …

Security Caveat (e.g.)Security Caveat (e.g.)• CANUK• NATO• AUSCANNZUKUS• CANUS• FOUR EYES• FIVE EYES• …

13

SecV-1a Conceptual Model

Asset (FoS)

Cash

Valuation Rating

AssetStatement of Sensitivity

Real Property

Information

Equipment

Personnel

Systems

INCLUDES

Determines

ResourceSub Types

Recommends

Security Domain

Results in

ClassifiesValues

SecV-1a Attribution Template

Example: Data Collection Dialog for Asset Valuation and Security Classification

15

SecV-1b Purpose

SecV-1b: Asset-At-Node Security Strength RequirementSecV-1b: Asset-At-Node Security Strength Requirement

• The logical Asset – classified & valued via SecV-1a– “deployed” (assigned) to a Node (OV-2) – Initiates a Threat Risk Assessment (TRA) being– now referred to as Asset-At-Node.

• SecV-1b enables the capture of relevant information from the TRA, including links to threats, vulnerabilities, impacts, and control objectives.

• The TRA enables the DND Security Officer to assign a Security Strength Requirement Rating to the Asset at Node.

16

SecV-1b Conceptual Model

Asset-at-NodeThreat Risk Assessment

(TRA)

Assigned to

Operational NodeRefer OV-2

Asset

Node

Recommends

SecurityControl

Objectives

Security Strength Requirement Matrix

Exp

osu

re

Impact

Determines

Assignment ofAsset to Node

Initiates

3 3 4 4 4 5 5 5

3 3 4 4 4 5 5 5

3 3 3 3 3 4 4 4

2 2 2 2 2 4 4 4

1 1 1 1 2 3 3 3

1 1 1 1 2 2 3 3

SecV-1b Attribution Template

Example: Data Collection Dialog for Asset@Node TRA and Security Strength Requirement

SecV-2 Purpose

18

SecV-2 – Data Element Security MatrixSecV-2 – Data Element Security Matrix

• The OV-3 and SV-6 sub-views require that the security parameters of each Information Exchange Requirement (IER) and System Data Exchange (SDE) be analyzed and documented.

• The security classification of an IER or SDE is based on the fact that it contains one or more data elements of that security level.

• SecV-2 enables the security classification and requirements of the set of data elements that comprise the IER or SDE.

• Covers both privacy and national security issues.

SecV-2 Data Model (DADM)

19

uses

is used by

is for

has

classifies

is classified by

restricts

is restricted by

restricts

is restricted by

DATA-ATTRIBUTE

SECURITY-CLASSIFICATION

CAVEATED-SECURITY-CLASSIFICATION

CAVEAT

SYSTEM-EXCHANGE

SecV-3 Purpose

SecV-3 – Aggregated Information Security MatrixSecV-3 – Aggregated Information Security Matrix

• Aggregation of Data can result in higher classified Information

• Registration of Data Element Combinations• Potential for security issues is captured• “Some analysis required”

20

SecV-3 Data Model (DADM)

21

classifiesis classified by

is for

has

classifies

is classified by

restricts

is restricted by

classifies

is classified by

applies to

has

INFORMATION-AGGREGATE

CAVEATED-SECURITY-CLASSIFICATION

SECURITY-CLASSIFICATION CAVEAT

AGGREGATE-TYPE

DATA-ATTRIBUTE

22

SecV-4 Purpose

SecV-4 Security Control SpecificationSecV-4 Security Control Specification

• SecV-4 enables definition and maintenance of

Security Controls in a taxonomy• Security Controls

– reusable objects that can be shared– and associated to Assets;

• Allows Security Control XREF to policies, legislation and regulations, standards, other knowledge artifacts, e.g.:– ITSG 33 Annex 3 (CSEC)– NIST 800-53 Rev 3

23

SecV-4 Conceptual Model

SecurityControl

Security ControlClass

XREF links to KnowledgeArtifacts in

Corporate Memory, Web or elsewhere

Security ControlFamily

Organizes

Comprises

Links

INCLUDES:ManagementTechnicalOperational

For Example:Access ControlAwareness and TrainingPersonnel Security

For Example:AC 17 – Remote Access

SecV-4 Attribution Template

Example: Data Collection Dialog for Security Control Specification

25

SecV-5 Purpose

SecV-5: Security Control ProfileSecV-5: Security Control Profile

• SecV-5 enables the association of Security Controls that are applicable to an Asset (FoS). – This is referred to as the Asset Security Control Profile.

• SecV-5 further allows the Security Officer to create and maintain a similar Profile for the Asset-At-Node; – The Asset-at-Node would automatically inherit (as default)

the Asset Security Control Profile as a starting point. – The end result is titled the Asset-At-Node Security Control

Profile.

26

SecV-5 Conceptual Model

SecurityControl

Asset Security Control Profile

Asset(FoS)

Asset-At-NodeSecurity Control

Profile

Refers

Selects

Deployedto

Identifies

Requires

Asset

Node

SecV-5 Attribution Template

Example: Data Collection Dialog for Security Control Profile

28

SecV-6 Purpose

Sec V-6: Security Control Service ProfileSec V-6: Security Control Service Profile

• SecV-6 does two distinct things:– enables the specification and maintenance of the Security

Service– links a subset of Security Services to a Security Control; this

is referred to as the Security Control Service Profile.

• Security Services– reusable security mitigation mechanisms. – can be automated or manual– automated security services can be further defined in terms

of its hardware and software components.

29

SecV-6 Conceptual Model (1/2)

AutomatedSecurity Service

Security ServiceSoftware Component

Security Service

Comprises

Non-AutomatedSecurity Service

Security ServiceHardware Component

Sub-Type

SecV-6(1) Attribution Template

Example: Data Collection Dialog for Security Service Specification

31

SecV-6 Conceptual Model (2/2)

Security Service

Security Control Service Profile

Security Control(SecV-4)

Mitigated By

Manages

SecV-6(2) Attribution Template

Example: Data Collection Dialog for Service Control Service Profile

33

SecV-7 Purpose

SecV-7: Asset-At-Node Threat MitigationSecV-7: Asset-At-Node Threat Mitigation

• SecV-7 enables creation and maintenance of an Asset-At-Node Threat Mitigation Package:

– comprises a subset of Security Services needed by the Security Controls to protect the Asset-at-Node.

– Selection is influenced by the Strength Requirement Rating

34

SecV-7 Conceptual Model

Asset-at-Node Threat Mitigation Package

Security ServiceSelects

RequiresSecurity ControlService Profile

Refer SecV-5

Asset-At-Node Security Control Profile

Security Control

Mitigation Security Control Service

Refer SecV-6

Influences

Comprises

Refer SecV-4

Refer SecV-1b

Asset

Node

Asset-At-Node Security Strength Requirement

Example: Data Collection Dialog for Threat Mitigation Package

SecV-7 Attribution Template

Security ControlRefer SecV-4

TRATRAAsset-at-Node Security

Control ProfileRefer SecV-5

Asset

Security ControlService

Refer SecV-6 (2)Refer SecV-6 (1)

Security ControlService Profile

Asset-At-Node Mitigation Lifecycle

Deployed to

Asset

Node

Refer SecV-1a

Asset

Security Control Objectives

Refer SecV-1b

Asset-At-Node Security Strength Requirement

Asset-at-Node Threat Mitigation Pkg

Refer SecV-7

Mitigated By

InfluencesRequired by

has

hasEstablishes

Determines

Road Ahead

• Theoretical product, at this point

• Much work remains– ensure responsive to needs– Confirm concepts are valid, not redundant

• Validation effort initiated

• Update at next meeting in June.

37

Security View Road MapFOCIOC

S

Preliminary Development Work

2012

Today

Presentation of Draft to OMG

Testing and validation

Finalize Security Views

Presentation of Final to OMG

Implement SecV in Qualiware

ACTIVITY2013

JO N D F M A M J J A S O N D J F M A M J J A S O N D

2014

EA

15 Mar

Publish SecV in DNDAF

Q&A

• Looking for Feedback and Encouraging Wider Collaboration

• Contacts:VINCENT.QUESNEL@forces.gc.a

EA Programme Support

(613) 993-6164

GREG.ERICKSON@forces.gc.ca

EA Development

(613) 990-8341

39

SecV-1a Class Diagram

40

SecV-1b Class Diagram

41

SecV-2 Class Diagram

42

SecV-3 Class Diagram

43

SecV-4 Class Diagram

44

SecV-5 Class Diagram

45

SecV-6 Class Diagram

46

SecV-7 Class Diagram

47