Publication details


Using protection profiles to simplify risk management
Dimopoulos V, Furnell SM, Barlow I, Lines BL
The Security Conference, April 14/15, Las Vegas, USA, 2004

Risk assessment is widely recognised as a necessary procedure in order to properly assess organisational network security. However, even though a number of relevant tools are available, surveys indicate that small and medium enterprises (SMEs) frequently fail to undertake risk assessment (NCC 2000). By not assessing the risks to which they are exposed, these enterprises leave important assets vulnerable to malicious exploitation, as well as to accidental loss or damage. This may, in turn, endanger a company's assets, reputation and credibility. This represents a clear problem from the company perspective, and necessitates an understanding of the underlying reasons. The answer resides in the drawbacks of current risk analysis tools, which prohibit SMEs from using them, and instead restrict their risk assessment options to the use of checklists, guidelines and managed security services. In order to improve SME risk management, there is a need for a novel risk assessment methodology that will improve the ease of application, as well as simplifying the interpretation of the results. Although some requirements can be met by the aforementioned checklist and guideline approaches, the problem is that they propose a solution that is too generic, and therefore organizations without in-house security expertise to guide them may not recognize how certain elements apply to their environment. A potential alternative is to partition the generic approach in some way, and a means of doing this is based upon the concept of pre-determined protection profiles, which offer a means to simplify risk assessment and make it accessible to SMEs from all industry sectors. A Protection Profile is "an implementation independent statement of security requirements that is shown to address threats that exist in a specified environment" [Commoncriteria 2003].
Rather than providing a single set of guidelines that aims for applicability across all organizations and environments, the protection profiles would take a more focused approach, and can be considered to provide baseline guidelines for different types of domain, different types of platform, etc., which organizations would then combine to suit their individual situation. In order to facilitate such a mix-and-match approach, protection profiles need to be structured into suitable top-level categories according to the type of protection they provide (e.g. technical, data, personnel, physical), which in turn would be divided into appropriate sub-categories providing further recommendations on the security needs according to the business function and the importance of the data within. An organization would be expected to consider each of the top-level categories, and then select any of the underlying sub-categories and profiles, as appropriate to its environment. At the final level, each profile would include a general statement of relevant threats and common vulnerabilities, along with suggestions for consequent countermeasures (including an indication of the level of protection that they would provide). However, the specific content and structuring of the profiles could be approached in different ways. This presentation will, therefore, consider some of these alternatives, and the related advantages and disadvantages in each case.
