
Fundamental Concepts of IT Security Assurance

ISACA JOURNAL VOLUME 2, 2012

Government and commercial organizations rely heavily on the use of information to conduct their business activities. Loss of confidentiality, integrity, availability, accountability, authenticity and reliability of information and services can have an adverse impact on organizations. Consequently, there is a critical need to protect information and to manage the security of IT systems within organizations. Alongside significant benefits, every new technology introduces new challenges for the protection of this information. The requirement to protect information is particularly important in today's environment because many organizations are internally and externally connected by networks of IT systems.[1]

IT systems are prone to failure and security violations due to errors and vulnerabilities. These errors and vulnerabilities can be caused by many factors, such as rapidly changing technology, human error, poor requirement specifications, poor development processes or underestimating the threat. In addition, system modifications, new flaws and new attacks are frequently introduced, which contributes to increased vulnerabilities, failures and security violations throughout the IT system life cycle.[2]

The industry came to the realization that it is almost impossible to guarantee an error-free, risk-free and secure IT system, due to the imperfection of the opposing security mechanisms, human error or oversight, and component or equipment failure.[3] Completely secure IT systems do not exist; there are only systems in which the owners have varying degrees of confidence that the security needs of the system are satisfied.[4] In addition, many information systems have not been designed to be secure. The security that can be achieved through technical means is limited and should be supported by appropriate management and procedures.[5]

The task of IT security (ITS) engineering and management is to manage the security risk by mitigating the vulnerabilities and threats with technological and organizational security measures, so as to achieve an IT system with acceptable assurance. ITS management has an additional task: establishing acceptable assurance and risk objectives. In this way, the stakeholders of an IT system will achieve reasonable confidence that the IT system performs in the way intended or claimed, with acceptable risk and within budget.[6]

ISO/IEC TR 15443, Information technology - Security techniques - A framework for IT security assurance, is a multipart technical report intended to guide ITS professionals in the selection of an appropriate assurance method when specifying, selecting or deploying a security service, product or environmental factor (known as a "deliverable").[7] The objective of ISO/IEC TR 15443 is to present a variety of assurance methods and to guide the ITS professional in the selection of an appropriate assurance method (or combination of methods) to achieve confidence that a given IT system satisfies its stated ITS assurance requirements. ISO/IEC TR 15443 analyzes assurance methods that may not be unique to ITS; however, the guidance given in the standard is limited to ITS requirements. This article introduces the fundamental concepts of ITS assurance based on ISO/IEC TR 15443.

