TUTCRIS - Tampereen teknillinen yliopisto

Model for efficient development of security audit criteria

Research output: peer-reviewed

Details

Original language: English
Title: Proceedings of the 17th European Conference on Cyber Warfare and Security, ECCWS 2018
Publisher: Curran Associates
Pages: 244-252
Number of pages: 9
ISBN (electronic): 9781911218852
Status: Published - 2018
Ministry of Education and Culture publication type: A4 Article in conference proceedings
Event: European Conference on Cyber Warfare and Security - Oslo, Norway
Duration: 28 June 2018 to 29 June 2018

Conference

Conference: European Conference on Cyber Warfare and Security
Country: Norway
City: Oslo
Period: 28/06/18 to 29/06/18

Abstract

Cyber-attacks have grown in importance to become a matter of national security. A growing number of states and organisations around the world have been developing defensive and offensive capabilities for cyber warfare. Security criteria are important tools for the defensive capabilities of critical communications and information systems (CIS). Various criteria have been developed for designing, implementing and auditing CIS. However, the development of criteria is inadequately supported by the currently available guidance: the relevant guidance is mostly concerned with criteria selection, and its abstraction level is high. This may lead to inefficient criteria development work, and the resulting criteria may not fully meet their goals. To ensure efficient criteria development, the guidance should be supported with concrete implementation guidelines. This paper proposes a model for the efficient development of security audit criteria. The model consists of criteria design goals and concrete implementation guidelines for achieving these goals. The model is based on the guidance given by ISACA and on the criteria development work of FICORA, the Finnish Communications Regulatory Authority. During the years 2008-2017, FICORA actively participated in the development and use of three versions of Katakri, the Finnish national security audit criteria. The paper includes a case study that applies the model to existing security criteria. The case study covers a review of the criteria composed from the Finnish VAHTI instructions. During the review, all supported design goals and implementation guidelines of the model were scrutinised. The results of the case study indicate that the model is useful for reviewing existing criteria, for two reasons. First, several notable shortcomings were identified. Second, the identification process was time-efficient. The results also suggest that the model would be useful for criteria still under development: addressing the identified shortcomings during the development phase would have made the criteria more efficient, usable and understandable.