
EC2ND 2006 - Proceedings of the Second European Conference on Computer Network Defence, in conjunction with the First Workshop on Digital Forensics and Incident Analysis

Andrew Blyth, Iain Sutherland

 

Publisher: Springer-Verlag, 2010

ISBN 9781846287503, 125 pages

Format: PDF, OL

Copy protection: watermark

96.29 EUR


 

"A New Approach to Understanding Information Assurance" (pp. 53-54)

Abstract: The growth of technologies such as ubiquitous and mobile computing has resulted in the need to rethink the security paradigm. Over the past forty years technology has advanced rapidly, yet most organisations still view security in terms of Confidentiality, Integrity and Availability (CIA). This model of security has since been expanded to include Non-Repudiation and Authentication. However, this thinking fails to address the social, ethical and business requirements that the modern use of computing has generated.

Today computing devices are integrated into every facet of business, with the result that security technologies have struggled to keep pace with the rate of change. In this paper we argue that the current view that most organisations/stakeholders have of security is out of date, or in some cases wrong, and that a new view of security needs to be rooted in business impact and business function.

1 Introduction

The growth of technologies related to remote/distance working has led to the creation of ubiquitous computing and the GRID. GRID and ubiquitous computing function by distributing processing and storage capacity across a network. This move towards distributed computing has pushed organisations towards the use of shared resources and shared infrastructure. This drive towards co-operative working and resource/infrastructure sharing has resulted in the need to re-think and re-assess the meaning of terms such as information assurance, threat and risk management.

2 The Meaning of Security

Before the advent of the personal computer, if you wanted to use a computer you had to make use of a mainframe. These were large computers that were housed in large computer rooms and cost millions of dollars. The Rainbow Book series was a series of security standards that came out of the US Department of Defense.

The Orange Book attempted to provide a semantic interpretation of security. It achieved this through the imposition of an ontological framework that allows us to structure and formally represent our understanding of security. This ontological framework views security from a technical/mathematical perspective and led to the creation of the Bell-LaPadula model of security [5].

Later standards such as ITSEC and the Common Criteria have moved towards a more functional, descriptive view of security that is cognizant of the growth of personal computing devices, while other standards such as BS7799 and ISO 27001 [2] have attempted to approach security from a business perspective. However, all of these standards start from the assumption that the stakeholder who owns the security problem is fully aware of what their security requirements are, and is thus fully able to articulate them. In this paper we present a new meaning of security based upon the concept of business impact upon a set of seven assurance requirements. The term business impact is defined as follows:

"The result of an information security incident on business functions and the effect that a business interruption might have upon them."