4/13/2000

Slide 1: Pragmatic Use of ISO/IEC 15408 (The Common Criteria)
HL7 International Affiliates Joint Meeting, August 25, 2000, Dresden, Germany
Glen Marshall, [email protected]

Slide 2: What is ISO/IEC 15408?
  • A framework defining criteria for evaluating IT products and systems.
  • A standard for information protection
    – Confidentiality
    – Integrity
    – Availability
  • Human Activity Centered
    – Technology and Assurance Functions


Slide 3: What ISO/IEC 15408 Is Not
  • A Security Standard
  • A Prescription
  • "Security for Dummies"
  • A Panacea

Slide 4: What is ISO/IEC 15408 Good For?
  • Consumer Decision Assistance
    – What is "good enough"?
    – Have we covered the right risks effectively?
  • Comparisons Among Alternatives
    – Everyone plays by the same rules
    – Vendor products & systems
    – In-house development efforts


Slide 5: What is ISO/IEC 15408 Good For?
  • For Healthcare IT …
    – Translating regulations to actions
    – Responding to external audits
    – Assuring healthcare stakeholders
    – Establishing trust among systems
    – Planning systems changes

Slide 6: What is ISO/IEC 15408 Not For?
  • Non-IT administrative security
  • Specifying the evaluation method
    – Business framework
    – Legal requirements
  • Accreditation procedures
  • Esoteric technical aspects


Slide 7: How is ISO/IEC 15408 Used?
  • Protection Profile
    – Environmental assumptions
    – Threats
    – Policies
    – Objectives
    – Functional Requirements
    – Assurance Requirements
    – Environmental Requirements

Slide 8: How is ISO/IEC 15408 Used?
  (Diagram; labels: Environment, Policies, Assumptions, Objectives, Functional Requirements, Assurance Requirements, Environment Requirements.)


Slide 9: How is ISO/IEC 15408 Used?
  • Protection Profile Creation
    – Top-down, broad interest
    – Bottom-up to define product families from piece-parts
  • Security Target
    – Take a Protection Profile
    – Add implementation specifics

Slide 10: Why is ISO/IEC 15408 Not Used?
  • Pragmatically …
    – Healthcare IT systems are not monolithic.
    – Systems are subject to frequent changes.
    – System implementers are not security experts.
    – System users often don't care about security.
    – There are severe budget and time constraints.
    – Managers are often impatient.


Slide 11: Key Strategic Challenges
  • Bridge to the Future
    – Now: A pile of disconnected tools
    – Future:
      • Robust Security Administration
      • Prudent Technology Choices
      • Seen As Valuable By Users
  • A Complete Solution

Slide 12: Key Pragmatic Strategies
  • Focus
    – Central Concerns
    – User Benefits
    – Scope and Scale
  • Assurance
    – Benefits at Reasonable Cost
    – Incremental Results


Slide 13: Focus on Central Concerns
  Pick a Security need that …
  • Contains a significant business process
  • Is well-bounded
  • Has limited threats, e.g., is not Internet-based or with an unmanaged user population
  • Preferably, is the entry-point case for less well-bounded or more threatened cases

Slide 14: Focus on Central Concerns
  (Diagram of the care-delivery environment; labels: Affiliates, Referrals, Patients, Scheduling, Point of Care, ADT, Staff, Laboratory, Radiology, Payers.)


Slide 15: Focus on User Benefits
  Fulfill Security needs that …
  • Attract and promote willing compliance
  • Contain significant business processes
  • Are well-bounded
  • Have limited threats, e.g., not an unmanaged user population
  • Preferably, may form the basis for less well-bounded or more threatened cases

Slide 16: Focus on User Benefits, Example: Single Sign-On
  • Highly desired by current users
  • Well-bounded case
  • Threats are limited
  • A basic enabler for …
    – Physician use
    – Patient access


Slide 17: Focus on User Benefits, Example: Single Sign-On
  • Core identification/authentication functions
  • Added functions:
    – Auditing
    – Cryptography
    – Protecting authentication data
    – Administrative Functions
    – Protecting Administrative Functions
    – System access rules
    – Trusted paths

Slide 18: Focus on User Benefits
  Drop acronyms and jargon!
  • TOE = the system or the application
  • TSF = the Security functions
  • TSF data = the Security database
  • SFP = Security policies


Slide 19: Focus on Scope and Scale
  • Who are your users?
  • How many?
  • How few?
  • How much?
  • Where?
  One Size Does Not Fit All

Slide 20: Assure Benefits (at reasonable cost)
  • Evaluation Assurance Level Choices
  • Development Assurance
  • Deployment Assurance
  • Operational Assurance
  • Auditing
    – Internal
    – External


Slide 21: Assure Incremental Results
  It's always a moving target
  (Timeline diagram; labels: Now, T1, T2, T3.)

Slide 22: Discussion
  What has your organization been doing about Healthcare Security and Privacy?
  • Are you satisfied with priorities?
  • Are your users fully enrolled?
  • Will the planned results fit the needs?


Slide 23: Discussion
  What will your organization continue to do about Healthcare Security and Privacy?
  • Measure costs vs. benefits?
  • Achieve incremental compliance?

Slide 24: Discussion
  How are you transitioning your current assurance approaches and implementation into the future requirements?
  • Are you involving Risk Management?
  • Where in the organization will the Security Officer reside?
  • Who is responsible and accountable for conducting …
    – Internal audits?
    – External audits?


Slide 25: Questions? Fragen? ¿Preguntas? Domande?

Slide 26: Thank you / Danke / Merci / Gracias / Grazie
