Security Controls

From The Secure Arc Wiki

[Diagram: Security Controls Model, with areas for Threats, Asset Definition, Asset Value, Vulnerabilities, Asset Impact, Exposures, Deterrent Control, Detective Control, Preventative Control, Corrective Control and Countermeasures]

At its highest level, the role of a Security Architect is to identify vulnerabilities that may expose an asset to attack, present a number of alternative solutions to the business and make an informed decision on which Security Controls to put in place. These controls may come in a variety of forms, from a segmented, firewalled infrastructure design down to the cryptographic controls applied to individual connections. Similarly, controls may provide detail as to how the entry points to a system may be secured using role-based access controls.

Security Controls Model

The Secure Arc Reference Architecture logical model is adapted from the Logical Model of IT Security Controls (page 232, Figure 7-2) in the book Security Metrics - Replacing Fear, Uncertainty, and Doubt, combined with the Common Vulnerability Scoring System (CVSS) specification. The high-level data model above represents the basic relationships between Exposures, Threats and Countermeasures.

The goal is to enable complete end-to-end traceability between Information Assets and the decisions behind the Security Controls that are employed to protect them.

The different domains of the Security Controls Model have different active stages. In the case of the Exposures domain, the Asset Definition and Classification sub-domains are relatively static. You define all of your Information Asset types once, classify them to determine their Value and from that point on they don't need to be changed for your organization again. The Vulnerabilities within the Exposures box are really the only part of the Exposures domain that requires active updates and maintenance.

The Threats box is all about what is currently being exploited and what is actively being attacked. The Countermeasure Controls are specifically design-time decisions and alternatives; however, these will also be updated in light of new Vulnerabilities that are identified. The Metrics within the Exposures domain should be maintained constantly.
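One way to make the end-to-end traceability described above concrete, as an added example that is not part of the Secure Arc wiki: a minimal record structure linking assets, vulnerabilities and countermeasures, with checks for vulnerabilities that have no control and for controls that cite no recorded vulnerability. The field names, the 1-5 value scale and the sample data are assumptions.

```python
from collections import namedtuple
from enum import Enum

class ControlType(Enum):  # the four control types named in the model
    DETERRENT = "deterrent"
    DETECTIVE = "detective"
    PREVENTATIVE = "preventative"
    CORRECTIVE = "corrective"

# Hypothetical record layouts; value is the classification result (1-5 assumed),
# addresses is a tuple of vulnerability ids, rationale is the recorded decision.
Asset = namedtuple("Asset", "name value")
Vulnerability = namedtuple("Vulnerability", "vid asset")
Countermeasure = namedtuple("Countermeasure", "name kind addresses rationale")

def trace(assets, vulns, controls):
    """Map asset -> vulnerability id -> [(control, type, rationale), ...]."""
    out = {a.name: {} for a in assets}
    for v in vulns:
        if v.asset not in out:
            raise ValueError(f"{v.vid} references undefined asset {v.asset!r}")
        out[v.asset][v.vid] = [(c.name, c.kind.value, c.rationale)
                               for c in controls if v.vid in c.addresses]
    return out

def gaps(assets, vulns, controls):
    """Vulnerabilities with no countermeasure, highest-value asset first."""
    value = {a.name: a.value for a in assets}
    traced = trace(assets, vulns, controls)
    return sorted(((v.asset, v.vid) for v in vulns if not traced[v.asset][v.vid]),
                  key=lambda p: (-value[p[0]], p[1]))

def orphans(vulns, controls):
    """Controls whose decision cites a vulnerability id that was never recorded."""
    known = {v.vid for v in vulns}
    return [c.name for c in controls if not set(c.addresses) <= known]

# Constructed sample data, not taken from the wiki.
ASSETS = [Asset("crm-db", 5), Asset("website", 2)]
VULNS = [Vulnerability("V1", "crm-db"), Vulnerability("V2", "crm-db"),
         Vulnerability("V3", "website")]
CONTROLS = [
    Countermeasure("segmented network", ControlType.PREVENTATIVE, ("V1",),
                   "chosen over host firewalls alone"),
    Countermeasure("login banner", ControlType.DETERRENT, ("V9",),
                   "carried over from previous design"),
]
```

Running `gaps` after each vulnerability update shows which design decisions need revisiting, ordered by the value of the asset they leave exposed.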

You can click on each area of the diagram above to go to the detailed description of each one. The first step is to define all of the Information Assets in the solution.
