WITAT '96
Operational Assurance
Dan Gambel
Session Title: Operational Assurance
Description: Product and system assurance is only one ingredient
involved in gaining confidence in an operation. Operational assurance
depends not only on the information technology, but also on the
people, environment, and processes involved. Even if information
technology were 100% free of flaws, people would have to install,
configure, and use it correctly for the system to be secure.
This working group provided recommendations for improvement
to operational assurance.
Scope:
This working group addresses the additional
assurance required when a system is operating and the three areas
in which this assurance is addressed:
- Certification and Accreditation (C&A)
- Inspector General (IG) Inspections and
Security Audits
- Information System Security Officer (ISSO)
Oversight
Approach:
The system analysis working group listed
9 objectives for the operational assurance methods. Each of the
methods was evaluated against each of these objectives. Where
appropriate, recommendations were made for each of the operational
assurance methods to more fully meet the objective. The result
is a set of recommendations for each of the methods to more fully
meet the objectives.
Objectives
- Assure continuity of security posture throughout
system lifecycle.
- Collect and react to exploitation feedback.
- Ensure complete analysis of enterprise
including the environment, the processes, and the personnel.
- Ensure continuity of protection objectives
across physical and electronic implementation of the enterprise
(i.e., across the policies, procedures, personnel, environment,
and AIS implementations).
- Determine and counter degraded assurance
due to changes in the knowledge base and experience of system
administration, operations, and system users.
- Measure and promote an institutionalization
and ownership of security practices.
- Reflect actual assurance, not just a "snap-shot."
- Collect the data necessary to detect,
react to, correct, and prosecute violations of security policy.
- Ensure that the residual risk is well-understood
in the context of the mission (or business) objectives.
Recommendations
- Certification and Accreditation (C&A)
- Inspector General (IG) Inspections and
Security Audits
- Information System Security Officer (ISSO)
Oversight
Certification and Accreditation (C&A)
- Complete the examination of the difference
between technical risk and total mission risk.
- Examine the European method of performing
Accreditations for improvements.
- Regulate accountability for operating
risk to those who make decisions to operate.
- Inspect for the degree of institutionalization
of security practices.
- Validate the process for ISSO to
collect and react to exploitation feedback.
- Clearly describe the security perimeter.
- Document allocation of security
requirements to enterprise components (e.g., people, process,
environment).
- Review the implementation of the
security requirements.
- Ensure continuity of protection objectives
across physical and electronic implementation of the enterprise
(i.e., across the policies, procedures, personnel, environment,
and AIS implementations).
- Determine and document personnel
knowledge and experience requirements/assumptions.
- Indicate those accountable for breaches
in security and degraded mode.
- Ensure that residual risk is well-understood
by accreditation authority.
Inspector General (IG) Inspections and Security Audits
- Simplify security administration through
tool awareness and improvement.
- Inspect for the degree of institutionalization
of security practices.
- Check the execution of exploitation feedback
reaction against the documented process.
- Address the requirements for periodic review
of security posture (policy compliance review).
- Audit the information handling and protection
across the physical/AIS boundary.
- Determine personnel knowledge and experience.
- Indicate those accountable for breaches
in security and degraded mode of operations.
- Conduct random inspections to gain better
insight into institutionalization of security practices.
- (Private sector) Ensure that the link between
financial readiness and mission readiness is well-understood.
Information System Security Officer (ISSO) Oversight
- The ISSO must promote the institutionalization
of security practices.
- The ISSO is responsible for detecting,
reporting, and reacting to exploitation feedback.
- Determine personnel knowledge and experience.
- Ensure adequate knowledge and experience.
- Inform those accountable for breaches in
security and degraded mode of operations.
- Demonstrate a willingness to be accountable
and to hold those responsible accountable.
- Include rationale for security practices
and dangers to mission in security awareness training.
- Promote an institutionalization of security
practices.
- Centralize security administration.
- Build and promote the ISSO career path.