Page 1: Process-oriented Security Risk Analysis and Requirements Engineering

Cyber-Physical Security of Critical Processes for Crucial Functions in Society Copenhagen, 02.05.2016

Process-oriented Security Risk Analysis and Requirements Engineering

Raimundas Matulevičius University of Tartu, Estonia

Page 2: Process-oriented Security Risk Analysis and Requirements Engineering


Domain Model for Security Risk Management

Dubois et al., 2010


Page 3: Process-oriented Security Risk Analysis and Requirements Engineering


Content


Security Risk-aware BPMN

Security Risk-oriented Patterns

Business Processes and Compliance


Page 5: Process-oriented Security Risk Analysis and Requirements Engineering


Business Process Modelling

- Objective
  - What does the organisation need to do to achieve its business objectives?
- Advantages
  - Reasonably intuitive
  - Explicit declaration of business activities, processes and sub-processes
- Disadvantages
  - Captures only a dynamic picture
  - Not focused on the business support by technology

Page 6: Process-oriented Security Risk Analysis and Requirements Engineering


Business Process Model and Notation


Page 7: Process-oriented Security Risk Analysis and Requirements Engineering


Asset Identification and Security Objective Determination



Page 9: Process-oriented Security Risk Analysis and Requirements Engineering


Risk Analysis and Assessment


Page 10: Process-oriented Security Risk Analysis and Requirements Engineering


Security Requirements Definition


Page 11: Process-oriented Security Risk Analysis and Requirements Engineering


Security Risk-aware BPMN


Altuhhova et al., 2013

Page 12: Process-oriented Security Risk Analysis and Requirements Engineering


Content


Security Risk-aware BPMN

Security Risk-oriented Patterns

Business Processes and Compliance

Page 13: Process-oriented Security Risk Analysis and Requirements Engineering


Security Patterns

- A security pattern describes
  - a particular recurring security problem
  - that arises in a specific security context
  - and presents a well-proven generic scheme for a security solution
- Patterns codify security knowledge in a structured and understandable way
- The presentation is familiar to the audience
- Proven solutions improve the integration of security into enterprises where it is needed

[Schumacher et al., 2006]

Page 14: Process-oriented Security Risk Analysis and Requirements Engineering


Security Risk-oriented Patterns

SRP1: Secure data from unauthorized access

SRP2: Secure data transmitted between business entities

SRP3: Secure business activity after data is submitted

SRP4: Secure business services against denial of service attacks

SRP5: Secure data stored in / retrieved from the data store


[Ahmed and Matulevičius, 2014]


Page 23: Process-oriented Security Risk Analysis and Requirements Engineering


Content


Security Risk-aware BPMN

Security Risk-oriented Patterns

Business Processes and Compliance

Page 24: Process-oriented Security Risk Analysis and Requirements Engineering


Business Process and Compliance

- Business process management
  - Instrument to manage enterprise activities
  - Ensures consistent outcomes that bring value to customers
- Compliance
  - A set of activities an organisation performs to ensure that its core business does not violate the regulations
  - e.g. ISO/IEC 27001, NIST SP 800-39, Basel III, IT-Grundschutz, ISKE, etc.

Page 25: Process-oriented Security Risk Analysis and Requirements Engineering


ISO/IEC 27001:2013

- Requirements for managing an organisation's sensitive information
  - risk management
  - risk assessment
  - risk treatment means
- Guidance on understanding
  - the organisation's context
  - leadership
  - planning
  - operation performance
  - physical access
  - ...
- Checklist of objectives and controls


Page 27: Process-oriented Security Risk Analysis and Requirements Engineering


Business Process and Compliance

Achieving business process compliance with regulations remains a rather labour-intensive activity.

Proposed procedure: Check compliance → Apply SRPs → Check compliance again → Compare results

Alaküla and Matulevičius, 2015


Page 29: Process-oriented Security Risk Analysis and Requirements Engineering


Insurance Brokerage System


Page 30: Process-oriented Security Risk Analysis and Requirements Engineering


Insurance Brokerage System Accept Offer



Page 32: Process-oriented Security Risk Analysis and Requirements Engineering


ISO/IEC 27001:2013

A.9.4.1 Information access restriction
- Access to information and application system functions shall be restricted in accordance with the access control policy.

A.13.2.1 Information transfer policies and procedures
- Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.

Issues when checking such controls against a concrete process model:
- Abstract terminology
- Multiple requirements (in one control)
- Not relevant requirements

Page 33: Process-oriented Security Risk Analysis and Requirements Engineering


ISO/IEC 27001:2013

A.9.4.1 Information access restriction
- Access to information and application system functions shall be restricted in accordance with the access control policy.

Instantiated with the data objects and tasks of the Accept Offer process:

A.9.4.1 Information access restriction
(i) Access to Customer data, Relevant quotes, Offer status, and Selected quotes shall be restricted in accordance with the access control policy.
(ii) Access to Get customer contact data, Get relevant quotes, Email offer, Cancel offer, Register customer decision, and Register selected quotes shall be restricted in accordance with the access control policy.

Page 34: Process-oriented Security Risk Analysis and Requirements Engineering



Check Compliance

Page 35: Process-oriented Security Risk Analysis and Requirements Engineering


Check Compliance

A.9.4.1 Information access restriction
(i) Access to Customer data, Relevant quotes, Offer status, and Selected quotes shall be restricted in accordance with the access control policy.
(ii) Access to Get customer contact data, Get relevant quotes, Email offer, Cancel offer, Register customer decision, and Register selected quotes shall be restricted in accordance with the access control policy.



Page 38: Process-oriented Security Risk Analysis and Requirements Engineering


Identify Pattern Occurrences


Page 39: Process-oriented Security Risk Analysis and Requirements Engineering


Derive Security Model

1. Identify resources
2. Identify roles
3. (Assign users)
4. Identify secured operations
5. Assign permissions

Page 40: Process-oriented Security Risk Analysis and Requirements Engineering



Page 41: Process-oriented Security Risk Analysis and Requirements Engineering


SReq.1.1: Only Broker should update the offer's Customer data and Relevant quotes.
  SReq.1.1.1: Broker should perform Get customer contact data.
  SReq.1.1.2: Broker should perform Get relevant quotes.

SReq.1.2: Only Broker should read the offer's Offer status.
  SReq.1.2.1: Broker should view Offer status after operation Email offer.
  SReq.1.2.2: Broker should view Offer status after operation Cancel offer.
  SReq.1.2.3: Broker should view Offer status after operation Register customer decision.

SReq.1.3: Customer should read the offer's Customer data and Relevant quotes after operation Email offer.

SReq.1.4: Only Customer should update the offer's Offer status and Selected quotes.
  SReq.1.4.1: By performing the Send response task, Customer should invoke Register customer decision.
  SReq.1.4.2: By performing the Send response task, Customer should invoke Register selected quotes if Offer status is "Accepted".
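The five-step derivation (identify resources, roles, secured operations, assign permissions) and the requirements SReq.1.1 to SReq.1.4 it produces can be turned into something that runs, which also gives the "check compliance / check compliance again / compare results" steps of the procedure a mechanical form. The Python below is an added example written for this page; it is not code from the talk or from the Alaküla and Matulevičius work. It encodes the Accept Offer security model as role permissions, evaluates every SReq against that policy, and re-checks the instantiated control A.9.4.1 (i)/(ii) by asking whether each listed data object and task is covered by some permission. Role, resource and task names are the slides'; the permission tuples, the process-state preconditions (which operations have already run, the value of Offer status), the assumption that Broker performs Email offer and Cancel offer, and all function names are assumptions made here.

```python
"""Added example (not from the slides): the Accept Offer security model as role
permissions, checked against SReq.1.1-SReq.1.4 and instantiated control A.9.4.1."""
from dataclasses import dataclass, field
from typing import Optional

# Step 1, resources: offer data objects of A.9.4.1 (i).  Step 2, roles: Broker,
# Customer (step 3, user assignment, skipped).  Step 4, operations: tasks of (ii).
RESOURCES = ["Customer data", "Relevant quotes", "Offer status", "Selected quotes"]
OPERATIONS = ["Get customer contact data", "Get relevant quotes", "Email offer",
              "Cancel offer", "Register customer decision", "Register selected quotes"]

@dataclass(frozen=True)
class Permission:
    role: str
    action: str                          # "read"/"update" a resource, "invoke" an operation
    target: str
    after_any: frozenset = frozenset()   # valid only once one of these operations has run
    status: Optional[str] = None         # valid only while Offer status has this value
    req: str = ""                        # the SReq this permission implements

@dataclass
class OfferState:
    """Process state of one offer: operations performed so far and its status."""
    done: set = field(default_factory=set)
    offer_status: Optional[str] = None

# Step 5, permissions: one or more per security requirement (assumed encoding)
POLICY = [
    Permission("Broker", "update", "Customer data", req="SReq.1.1"),
    Permission("Broker", "update", "Relevant quotes", req="SReq.1.1"),
    Permission("Broker", "invoke", "Get customer contact data", req="SReq.1.1.1"),
    Permission("Broker", "invoke", "Get relevant quotes", req="SReq.1.1.2"),
    # Assumption: Broker performs Email offer and Cancel offer (implied by SReq.1.2.1-2)
    Permission("Broker", "invoke", "Email offer", req="SReq.1.2.1"),
    Permission("Broker", "invoke", "Cancel offer", req="SReq.1.2.2"),
    Permission("Broker", "read", "Offer status", req="SReq.1.2",
               after_any=frozenset({"Email offer", "Cancel offer", "Register customer decision"})),
    Permission("Customer", "read", "Customer data", after_any=frozenset({"Email offer"}), req="SReq.1.3"),
    Permission("Customer", "read", "Relevant quotes", after_any=frozenset({"Email offer"}), req="SReq.1.3"),
    Permission("Customer", "update", "Offer status", req="SReq.1.4"),
    Permission("Customer", "update", "Selected quotes", req="SReq.1.4"),
    Permission("Customer", "invoke", "Register customer decision",
               after_any=frozenset({"Email offer"}), req="SReq.1.4.1"),
    Permission("Customer", "invoke", "Register selected quotes", status="Accepted", req="SReq.1.4.2"),
]

def is_permitted(role, action, target, state, policy=POLICY):
    """Access decision: a matching permission exists and its preconditions hold."""
    for p in policy:
        if (p.role, p.action, p.target) != (role, action, target):
            continue
        if p.after_any and not (p.after_any & state.done):
            continue
        if p.status is not None and state.offer_status != p.status:
            continue
        return True
    return False

def roles_for(action, target, policy=POLICY):
    """Roles holding any permission for (action, target), preconditions ignored."""
    return {p.role for p in policy if (p.action, p.target) == (action, target)}

def check_a_9_4_1(policy=POLICY):
    """Instantiated A.9.4.1: every resource in (i) and task in (ii) must be restricted
    by the policy.  Returns the items no permission covers (empty = compliant)."""
    uncovered = [r for r in RESOURCES
                 if not (roles_for("read", r, policy) | roles_for("update", r, policy))]
    return uncovered + [op for op in OPERATIONS if not roles_for("invoke", op, policy)]

def check_security_requirements(policy=POLICY):
    """Evaluate SReq.1.1-SReq.1.4 against the policy; returns the violated ones."""
    fresh, emailed = OfferState(), OfferState(done={"Email offer"})
    cancelled = OfferState(done={"Cancel offer"})
    decided = OfferState(done={"Email offer", "Register customer decision"}, offer_status="Accepted")
    passed = {
        "SReq.1.1": all(roles_for("update", r, policy) == {"Broker"}
                        for r in ("Customer data", "Relevant quotes")),
        "SReq.1.1.1": is_permitted("Broker", "invoke", "Get customer contact data", fresh, policy),
        "SReq.1.1.2": is_permitted("Broker", "invoke", "Get relevant quotes", fresh, policy),
        "SReq.1.2": roles_for("read", "Offer status", policy) == {"Broker"}
                    and not is_permitted("Broker", "read", "Offer status", fresh, policy),
        "SReq.1.2.1": is_permitted("Broker", "read", "Offer status", emailed, policy),
        "SReq.1.2.2": is_permitted("Broker", "read", "Offer status", cancelled, policy),
        "SReq.1.2.3": is_permitted("Broker", "read", "Offer status", decided, policy),
        "SReq.1.3": all(is_permitted("Customer", "read", r, emailed, policy)
                        and not is_permitted("Customer", "read", r, fresh, policy)
                        for r in ("Customer data", "Relevant quotes")),
        "SReq.1.4": all(roles_for("update", r, policy) == {"Customer"}
                        for r in ("Offer status", "Selected quotes")),
        "SReq.1.4.1": is_permitted("Customer", "invoke", "Register customer decision", emailed, policy),
        "SReq.1.4.2": is_permitted("Customer", "invoke", "Register selected quotes", decided, policy)
                      and not is_permitted("Customer", "invoke", "Register selected quotes", emailed, policy),
    }
    return [req for req, ok in passed.items() if not ok]
```

With the policy as written both checks return an empty list. Dropping the permission for Cancel offer makes check_a_9_4_1 report that task as unrestricted, and granting Customer an update on Customer data makes check_security_requirements report SReq.1.1; running the two functions before and after a change to the model is the "compare results" step in a form that can be repeated on every revision. The "Only X" requirements are checked on the static role-permission assignment, while the "after operation" and "if Offer status is Accepted" requirements need the process state, which is why is_permitted takes an OfferState rather than just a role.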

Page 42: Process-oriented Security Risk Analysis and Requirements Engineering


Introduction of Security Constraints



Page 44: Process-oriented Security Risk Analysis and Requirements Engineering


Check Compliance Again

A.9.4.1 Information access restriction
(i) Access to Customer data, Relevant quotes, Offer status, and Selected quotes shall be restricted in accordance with the access control policy.
(ii) Access to Get customer contact data, Get relevant quotes, Email offer, Cancel offer, Register customer decision, and Register selected quotes shall be restricted in accordance with the access control policy.


Page 46: Process-oriented Security Risk Analysis and Requirements Engineering


Compare results: the instantiated controls A.9.4.1 and A.13.2.1, checked before and after the patterns were applied

A.9.4.1 Information access restriction
(i) Access to Customer data, Relevant quotes, Offer status, and Selected quotes shall be restricted in accordance with the access control policy.
(ii) Access to Get customer contact data, Get relevant quotes, Email offer, Cancel offer, Register customer decision, and Register selected quotes shall be restricted in accordance with the access control policy.

A.13.2.1 Information transfer policies and procedures
(i) Formal transfer policies shall be in place to protect the transfer of Offer request, Offer, Request email offer, Offer status, and Decision on offer through the use of all types of communication facilities.
(ii) Formal transfer procedures shall be in place to protect the transfer of Offer request, Offer, Request email offer, Offer status, and Decision on offer through the use of all types of communication facilities.
(iii) Formal transfer controls shall be in place to protect the transfer of Offer request, Offer, Request email offer, Offer status, and Decision on offer through the use of all types of communication facilities.

Page 47: Process-oriented Security Risk Analysis and Requirements Engineering


Lessons Learnt

- Patterns could systematically guide the compliance manager to achieve compliance
- Future work: the patterns do not deal with
  - (physical) human resource security, media handling, physical and environmental security, equipment and other controls


Page 50: Process-oriented Security Risk Analysis and Requirements Engineering


Process-oriented Security Risk Analysis and Requirements Engineering


Security Risk-aware BPMN

Security Risk-oriented Patterns

Business Processes and Compliance


Page 52: Process-oriented Security Risk Analysis and Requirements Engineering


Limitations

- Formal compliance checking is not performed (future work)
- The business process model is not enriched with security-related activities

Compliance checking – "a relationship between the formal representation of a business model and the formal representation of a relevant regulation" [Governatori and Shek, 2012; Sadiq and Governatori, 2015]