The 29th IPP Symposium

System Security Methodology: Protecting Your ASSets

Christopher Spirito, EMC

Once you figure out how your systems were compromised and determine how many of your ASSets are, and were, exposed, you are going to start wondering where you went wrong. In many cases, you have a networking team that is very savvy at securing its routers and firewalls, an OS team that can lock down its servers, and application developers who usually have no clue how to implement security in their applications and instead rely upon the other two teams to protect their ASSets: the data.

Using a sound System Security Methodology will bring these teams together to approach their tasks within a common framework. Starting with a somewhat clear mission statement, each team will understand what information or data will be passing across areas of their responsibility. Drafting the Threat & Adversary model will allow the teams to match up their technical and personnel countermeasures with known attacks and exploits, quantifying the quality of countermeasures necessary. Lastly, many industries have regulations that dictate how specific types of information are to be protected.

This approach will allow for a comprehensive defense-in-depth Information Assurance program to be implemented, protecting and defending you and your information.