Assurance deals with security features of IT products applies to:
- Requirements
- Security policy
- Product design Product Implementation
- System operation
CC Assurance Levels and why is it needed?
EAL 1: Functionally Tested
EAL 2: Structurally tested
EAL 3: Methodically tested and checked
EAL 4: Methodically designed, tested and reviewed
EAL 5: Semi-formally designed and tested
EAL 6: Semi-formally verified design and tested
EAL 7: Formally verified design and tested
Evaluation Parties and Phases, who is it monitored and operated by?
Parties:
- Sponsor – customer or vendor
- Developer – provides evidence for evaluation
- Evaluator – confirms requirements are satisfied
- Certifier – agency monitoring evaluation process
Monitored and regulated by a government agency in each country
- Operated by NIST and NSA
Phases of Evaluation
Preparation: Initial contact between sponsor and developer
Conduct of evaluation: Confirms satisfaction of security target
**Conclusion: ** Final report to the certifiers for **acceptance **
The three fundamental questions IT security management tries to address
- IT security requirements
- Assignment of responsibilities
- Risk management approach
What is IT Security Management?
A process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity and **reliability **
Four steps in security iterative security management process
- PLAN – Security policy assessment
- DO – Implementation
- CHECK – Assessment
- ACT – Preventive actions
Examines organisation’s IT security
- Objectives – wanted IT security outcomes
- Strategies – How to meet objectives
- Polices – Identify what needs to be **done **
The Approaches to identify and mitigate risks to an organisation’s IT infrastructure
- Baseline - Implements agreed controls to provide protection against the most common threats
- **Informal - **Involves conducting an informal, pragmatic risk analysis on organisation’s IT systems
- Detailed risk
- Combined
The final stage of risk assessment will be the risk treatment alternatives:
- Risk acceptance
- Risk avoidance
- Risk transfer
- Risk consequence
- Reduce likelihood
What is Intellectual Property?
Is the ownership of ideas: names, designs, symbols, and literal, used in commerce.
- Patents: Obtaining rights over invention
- Trademarks: obtaining rights over brand identity
- Copyright: Unauthorised use
Copyright and its exclusive rights
Legal right that protects published work from being published or sold
Has copyright rights:
- Reproduction rights
- Modification rights
- Distribution right
- Public-performance right
- Public-display right
Patent and types
Granting property right to the inventor
Types:
- Utility
- Design
- Plant
What is Trademark?
A word, symbol, or device used in trade with goods
Used to prevent others from using a confusingly similar mark, selling the same goods under a different mark
What is Digital rights Management?
Systems and procedures that ensure that holders of digital rights are clearly identified and receive payment for their works
