Towards Optimal Risk-Aware Security Compliance of a Large IT System

A modern information technology (IT) system may consist of thousands of servers, software components and other devices. Operational security of such a system is usually measured by the compliance of the system with a group of security policies. However, there is no generally accepted method of assessing the risk-aware compliance of an IT system with a given set of security policies. The current practice is to state the fraction of non-compliant systems, regardless of the varying levels of risk associated with violations of the policies and of their exposure time windows. We propose a new metric that takes into account the risk of non-compliance, along with the number and duration of violations. This metric expresses the risk-aware compliance posture in a single number. It is used to determine a course of remediation that returns the system to an acceptable level of risk while minimizing the cost of remediation and observing both the physical constraints on the system and the limited human labor available. The metric may also be used during normal operation of the IT system, alerting operators to potential security breaches in a timely manner.
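The contrast the abstract draws, between a plain fraction of non-compliant hosts and a metric that weights each violation by its risk and exposure window, can be made concrete with a small model. The following Python is an added illustration, not code from the paper: the metric form (sum of risk weight times exposure days, normalised against a worst case), the policy names, the risk weights, the labor-cost figures and the two constructed fleets are all assumptions chosen to show why two fleets with the same non-compliance fraction can carry very different risk. The greedy remediation ordering at the end is a simple heuristic for illustration, not the paper's optimization.

```python
from dataclasses import dataclass

# Constructed risk weight per policy (assumed values; the paper does not publish any)
RISK_WEIGHT = {"patching": 5.0, "password-policy": 3.0, "logging": 1.0}

# Constructed labor cost, in hours, to close one violation of each policy type (assumed)
LABOR_HOURS = {"patching": 2.0, "password-policy": 0.5, "logging": 0.25}


@dataclass
class Violation:
    host: str
    policy: str
    open_days: float  # exposure window so far, in days


def naive_noncompliance_fraction(hosts, violations):
    """Current practice: fraction of hosts with at least one open violation."""
    noncompliant = {v.host for v in violations}
    return len(noncompliant) / len(hosts)


def risk_weighted_exposure(violations, weights=RISK_WEIGHT):
    """Assumed metric core: each violation contributes risk weight x exposure days."""
    return sum(weights[v.policy] * v.open_days for v in violations)


def risk_aware_compliance(hosts, violations, horizon_days, weights=RISK_WEIGHT):
    """Single-number posture in [0, 1]: 1.0 means no exposure at all.

    Exposure is normalised against the worst case, every host violating
    every policy for the whole reporting horizon (assumed normalisation).
    """
    worst_case = len(hosts) * sum(weights.values()) * horizon_days
    return 1.0 - risk_weighted_exposure(violations, weights) / worst_case


def prioritise_remediation(violations, weights=RISK_WEIGHT, labor=LABOR_HOURS):
    """Greedy heuristic (illustration only): fix the violations that remove the
    most accumulated risk exposure per hour of labor first."""
    return sorted(
        violations,
        key=lambda v: weights[v.policy] * v.open_days / labor[v.policy],
        reverse=True,
    )


# Constructed fleets: ten hosts each, two non-compliant hosts in both cases
HOSTS = [f"srv{i:02d}" for i in range(10)]
FLEET_A = [Violation("srv01", "logging", 1.0), Violation("srv02", "logging", 1.0)]
FLEET_B = [Violation("srv01", "patching", 30.0), Violation("srv02", "patching", 30.0)]
HORIZON_DAYS = 30.0

if __name__ == "__main__":
    for name, fleet in (("A", FLEET_A), ("B", FLEET_B)):
        print(
            f"fleet {name}: non-compliant fraction={naive_noncompliance_fraction(HOSTS, fleet):.2f} "
            f"exposure={risk_weighted_exposure(fleet):.1f} "
            f"risk-aware compliance={risk_aware_compliance(HOSTS, fleet, HORIZON_DAYS):.4f}"
        )
    mixed = FLEET_A + FLEET_B
    print("remediation order:", [(v.host, v.policy) for v in prioritise_remediation(mixed)])
```

Both fleets report the same 20% non-compliance under the current practice, yet fleet B (two unpatched hosts for a month) carries 150 times the weighted exposure of fleet A (two hosts with a day-old logging gap), which the single risk-aware number reflects. Tracking that number over time, and alerting when it drops below an agreed threshold, is the operational use the abstract describes.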