Abstract
Information Technology (IT) Security Risk Management is a critical task for an organization to protect against the loss of confidentiality, integrity, and availability of IT resources and data. Due to system complexity and the sophistication of attacks, it is increasingly difficult to manage IT security risk. This paper describes a two-pronged approach to managing IT security risk: 1) an institutional approach that addresses automating the process of providing and maintaining security for IT systems and the data they contain; and 2) a project life cycle approach that provides semi-automated means for integrating security into the project life cycle. It also describes the use of a security template with a risk reduction/mitigation tool, the Defect Detection and Prevention (DDP) tool developed at the Jet Propulsion Laboratory (JPL).
Keywords
- Security Risk
- Security Plan
- Risk Management Process
- Capability Maturity Model Integration
- Software Engineer Institute
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
Cite this paper
Gilliam, D.P. (2004). Managing Information Technology Security Risk. In: Futatsugi, K., Mizoguchi, F., Yonezaki, N. (eds) Software Security - Theories and Systems. ISSS 2003. Lecture Notes in Computer Science, vol 3233. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-37621-7_16
DOI: https://doi.org/10.1007/978-3-540-37621-7_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-23635-1
Online ISBN: 978-3-540-37621-7