A Methodology, a Language, and a Tool to Provide Information Security Assurance Arguments
NAVAL RESEARCH LAB WASHINGTON DC
Pagination or Media Count:
As information systems become more complex and industry and military rely more on their correct operation, the need for survivable, secure systems becomes more pressing. System designers and assessors need to clearly understand the causality, relationships, vulnerabilities, threats, system-level view points, and objectives of an entire enterprise. To design a system that can be trusted or assess security properties in a system, the related assurance arguments need to be developed and described effectively in a well-organized format by means of a sound language. To satisfy this requirement, we introduce a methodology, ECM Enterprise Certification Methodology, to derive and organize the related assurance arguments effectively. We have developed a visual language, CAML Composite Assurance Mapping language, to build the map of the assurance argument using ECM. This map depicts the claim trees for the assurance arguments related to the enterprise security objective. We have also developed a tool, VRNM Visual Network Rating Methodology, to help users develop a map to assurance arguments in CAML based on 11CM and document it with related descriptions in a common environment.
- Information Science