Security metrics guide for information technology systems

Swanson, Marianne; Bartol, Nadya; Sabato, John; Hash, Joan; Graffo, Laurie

doi:10.6028/nist.sp.800-55

Cited by 136 publications

(73 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Za projektovanje i implementaciju ISMS u turističkim agencijama (TA) na raspolaganju su široko prihvaćeni međunarodni standardi najbolje prakse za: upravljanje rizikom; mere (kontrole) za smanjenje rizika na prihvatljiv nivo; opšte prihvaćene principe zaštite; sertifikaciju i akreditaciju ISMS; metrike zaštite; integraciju digitalne forenzike u sistem zaštite itd. [2, 3, 4, 5,6,7,8,14,15,16,19,20,21]. Kako implementacija ISMS generalno zahteva značajne resurse, u praksi se često zaštita informacija pojedostavljuje, improvizuje bez procene rizika i neadekvatno primenjuje što je možda i glavni razlog za optimizaciju, pošto se stvara iluzija o zaštiti, a istovremeno brojni gosti izlažu riziku online krađe brojeva platnih kartica i privatnih informacija iz lokalnih baza podataka TA.…”

Section: Uvodunclassified

Optimizacija zaštite turističkih agencija od kompjuterskog kriminala

Grubor¹,

Ristić²,

Simeunović³

et al. 2017

SNG

View full text Add to dashboard Cite

Sažetak -Nauka i praksa bezbednosti informacija na Internetu ušla je u svoju zreliju fazu. Dostupni su brojne metodologije za procenu rizika (preko 200), standardi zaštite, katalozi ranjivosti, pretnji i mera (kontrola) zaštite. Metodologija za procenu rizika informacija (ISO/IEC 27005:2008) usvojena je i u finansijskom sektoru u sporazumu BASEL II za procenu operativnog rizika. Iako standardizacija značajno smanjuje kompleksnost uvođenja sistema zaštite, implementacija osnovnih mera zaštite za smanjenje rizika na prihvatljiv nivo, još uvek je složena, skupa i zahteva specifična znanja i iskustva. Problem online krađe ličnih podataka i brojeva platnih kartica odnosi se upravo na turističke agencije gde klijenti masovno plaćaju račune platnim karticama. U ovom radu autori sugerišu optimalan okvir za upravljanje zaštitom informacija u Internet okruženju u turističkim agencijama, sa ciljem da se smanji kompleksnost i da se iste ohrabre da organizovano uvode sistem i praksu zaštite informacija, prema svojim potrebama i resursima.Ključne reči -pretnje, menadžment rizika, zaštita informacija, optimizacija zaštite, forenzička spremnost Abstract -Science and practice of information security on Internet come in its mature phase. Numerous risk management methodologies (over 200), security standards, lists of vulnerabilities and threats and security controls are available on Internet. Information risk methodology ISO/IEC 27005:2008 is adopted in financial sector through BASEL II agreement for assessment of operative risk. Though standardization essentially decreases establishment of security system and implementation of basic security controls for increasing risk to acceptable level, this process is still complex and costly, and requires specific knowledge and experience. Online stealing of personal data and credit cards credentials directly related to the touristic agencies, where clients pay bills by cards. In this piece of paper authors suggest an optimal information security management framework in Internet environment in travel agencies. Main goal of this work is to decrease complexity and to encourage travel agencies to implement information security system and practice through an organized method, according to their needs and resources.Keywords -threats, risk management, information security, optimal security, forensic readiness I. UVOD Svi standardi za upravljanje i zaštitu informacione imovine (čiste, fizičke i humane) ili informacija kao najznačajnije imovine [1], polaze od toga da se sistem zaštite i menadžment sistem bezbednosti informacija -ISMS (Information Security Managament System), uvode integralno na sistematičan i organizovan način uz punu podršku menadžmenta i obezbeđenje resursa uključujući kvalifikovan tim za procenu rizika i zaštitu informacija. Za projektovanje i implementaciju ISMS u turističkim agencijama (TA) na raspolaganju su široko prihvaćeni međunarodni standardi najbolje prakse za: upravljanje rizikom; mere (kontrole) za smanjenje rizika na prihvatljiv nivo; opšte prihvaćene principe zaštit...

show abstract

Section: Uvodunclassified

Optimizacija zaštite turističkih agencija od kompjuterskog kriminala

Grubor¹,

Ristić²,

Simeunović³

et al. 2017

SNG

View full text Add to dashboard Cite

show abstract

“…The often-used division into technical, operational and organizational security metrics (see e.g. [7] and [8]) does not sufficiently emphasize the technical system as a target. Most security metrics are needed during R&D, mainly by secure software developers and other personnel in the development project (viewpoints 1 and 2); and 3.…”

Section: Main Viewpoints On Targetmentioning

confidence: 99%

“…This provided an initial basis around which to organize taxonomy of security met-rics [6]. The U. S. National Institute of Information Standards and Technology (NIST) presents security metrics taxonomies in NIST Special Publication 800-26 [7] and 800-55 [8], suggesting the same three categories, and 17 sub-categories, mainly from an organizational perspective. In our SMOS model introduced in this article, technical metrics can be mapped to security-enforcing mechanisms and the security quality of system viewpoints, operational metrics to all three viewpoints, and organizational metrics to the secure lifecycle, project and business management viewpoint.…”

Section: Related Workmentioning

confidence: 99%

A Security Metrics Taxonomization Model for Software-Intensive Systems

Savola¹

2009

Journal of Information Processing Systems

View full text Add to dashboard Cite

Abstract:We introduce a novel high-level security metrics objective taxonomization model for software-intensive systems. The model systematizes and organizes security metrics development activities. It focuses on the security level and security performance of technical systems while taking into account the alignment of metrics objectives with different business and other management goals. The model emphasizes the roles of security-enforcing mechanisms, the overall security quality of the system under investigation, and secure system lifecycle, project and business management. Security correctness, effectiveness and efficiency are seen as the fundamental measurement objectives, determining the directions for more detailed security metrics development. Integration of the proposed model with riskdriven security metrics development approaches is also discussed.

show abstract

“…Most of them use security metrics to measure the situations. Such metrics are tools designed to facilitate decision making and improve performance and accountability through collection, analysis, and reporting of relevant performancerelated data [10]. IT security metrics monitor the accomplishment of the goals and objectives by quantifying the level of implementation of the security controls and the effectiveness and efficiency of the controls, analyzing the adequacy of security activities and identifying possible improvement actions.…”

Section: Literature Surveymentioning

confidence: 99%

ICARFAD: A Novel Framework for Improved Network Security Situation Awareness

Sharma¹,

Kate²

2014

IJCA

View full text Add to dashboard Cite

Networking components and technologies is continuously proving their presence in various core areas of business like IT, Health Care, Stocks, and Emergencies with Military systems. It is possible by applying multiple system phenomenons of compatibility, interoperability and integration of different categories of devices and users. As the usage of information is increasing the transaction and data security needs to be provided effectively. It will serve as a critical and important task which assures data protection. This unexpected and frequent changes in the system is measured which gives a direction of vulnerable behaviour and the criticality of affecting the process. Accessing this information through actual network conditions and changes for improving the security is comes under the area of situational awareness system. This work proposes a novel ICARFAD (Information Collection, Assessment and Response, Feedback and Alerts Decisions) based situation awareness mechanism which gathers current network condition and clearly defines the boundaries by which security solutions can be designed effectively. It reflects all the changes made in configurations and methods taken as a security measures by maintaining a database which later on used to make the decisions for network security improvements. It also makes the visualization of attack conditions by making the graphs and plots which greatly improves the rate and the quality measures of persons or machines decision making. General TermsNetwork Security Situation Awareness (NSSA)

show abstract

Security metrics guide for information technology systems

Abstract: SP 800-55 is superseded in its entirety by the publication of SP 800-55 Revision 1

Cited by 136 publications

References 0 publications

Optimizacija zaštite turističkih agencija od kompjuterskog kriminala

Optimizacija zaštite turističkih agencija od kompjuterskog kriminala

A Security Metrics Taxonomization Model for Software-Intensive Systems

ICARFAD: A Novel Framework for Improved Network Security Situation Awareness

Contact Info

Product

Resources

About