Technical Security Metrics Model in Compliance With ISO/IEC 27001 Standard
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 1(4): 280-288
The Society of Digital Information and Wireless Communications (SDIWC), 2012 (ISSN: 2305-0012)

ABSTRACT

1 INTRODUCTION
The total number of technical security controls in the NIST SP800-53 guidelines is seventy-five (75). In Appendix H of [18], the technical security controls are extracted from Table H-2. This table maps the security controls in ISO/IEC 27001 (Annex A) to NIST Special Publication 800-53. We extract and analyze these technical security controls. We discover that:
(1) Within three (3) main domains from ISO/IEC 27001 (Annex A)

• Operational controls: Configuration Management (CM), Maintenance (MA), Media Protection (MP), Physical and Environmental Protection (PE), Personnel Security (PS), System and Information Integrity (SI).

Figure 1: Technical Security Metrics Model (TSMM)
(AVD) model [19] and the Common Vulnerability Scoring System (CVSS) Base Metric [20] are used to determine this weighted index. We will extend it to include the criticality or impact of loss to the organization. The CVSS base score is calculated using the information provided by the U.S. National Vulnerability Database (NVD) Common Vulnerability Scoring System Support v2 [21] and other relevant Computer Emergency Response Team (CERT) advisories and reports.

3.2 DO Phase: (Effective Measurement)

The security requirements describe the actual security functions of the technical security controls that protect the information systems. These functions include identification and authentication, access control, configuration/algorithms, architecture and communication. A set of performance objectives is developed for each security requirement.

Vulnerability Assessment (VA) Index: The VA index can be derived by conducting a security or vulnerability assessment of the information systems through a simulation assessment, vulnerability scanning or penetration testing. It is based on the current assessment of potential attacks and is weighted using the numeric CVSS base scores: "Low" severity (CVSS base score of 0.0-3.9), "Medium" severity (4.0-6.9) and "High" severity (7.0-10.0). The VA index can also be derived from the Vulnerability-Exploits-Attack (VEAbility) metrics [22]. VEAbility measures the security of a network as influenced by the severity of existing vulnerabilities, the distribution of services, the connectivity of hosts, and possible attack paths. These factors are modeled into three network dimensions: Vulnerability, Exploitability, and Attackability. The overall VEAbility score, a numeric value in the range [0,10], is a function of these three dimensions.

At this phase, the data collection must be easily obtainable and the measurements must not be complicated. The measurement should be able to cater for current attacks (through audit reports and evidence of events) as well as future attacks.

3.3 CHECK Phase: (Security Indicators and Corrective Action)

In verifying the effectiveness of controls, we measure how much a control decreases the probability that the described risks are realized. The attributes must be significant in determining the increase or decrease of risk. The expected measure function can be derived from the percentage of successful or failed occurrences, for example the number of patches successfully installed on information systems (> 95%) or the number of security incidents caused by attacks from the network (< 3%). The determination of the percentage should consider that even though the security controls are implemented, attacks can still occur. Therefore, the percentage depicts the strength of the existing security controls in mitigating the risks.

Security Indicator Index: If the measure meets its recommended threshold, the risk is adequately controlled, which demonstrates the effectiveness of the security controls. The direction of the comparison depends on the measure: a patch-installation rate must be at or above its threshold, while an incident rate must be at or below it. The proposed indicators are the trends of the derived measures and they must be within the