Introduction
Presentation Objectives
Background
Overview
Security View Details
Next Steps
Q&A
Presentation Objectives
Drivers
Security at the front, not as an afterthought
Information & IT Security Capability
confidentiality, integrity, availability, non-repudiation, and audit-ability of defence information and the supporting systems and networks.
Pan-enterprise Security
Background
Collaborators
Security is special
normally involves Specialists
has unique perspectives
IM & IT Security at the forefront
Key Collaborators:
IM & IT Security (D IM Secur)
IT Engineering & Integration (DIMEI)
Background
Outcome
Redesign and partitioning of SecV-1 into 1a and 1b
No change to existing SecV-2 and 3
Discovery of new business requirements leading to SecV-4, 5, 6 & 7
Overview
Draft Sub-views
SecV-1a: Asset Security Domain & Valuation Rating
SecV-1b: Asset-at-Node Security Strength Requirement
SecV-2: Data Element Security Matrix
SecV-3: Aggregated Information Security Matrix
SecV-4: Security Control Specification
SecV-5: Security Control Profile
SecV-6: Security Control Service Profile
SecV-7: Asset-At-Node Threat Mitigation
Security Methodology (1/1)
SecV-1a: Asset Security Domain & Valuation Rating
SecV-1b: Asset-at-Node Security Strength Requirement
SecV-2: Data Element Security Matrix
SecV-3: Aggregated Information Security Matrix
Security Methodology (2/2)
SecV-4: Security Control Specification
  Define Security Controls (CSEC & DND)
  Security Control Taxonomy
SecV-5: Security Control Profile
  Establish Security Control Profile for Asset (FoS) & Asset-at-Node
  Security Control Profile for Asset & Asset-at-Node
SecV-6: Security Control Service Profile
  Define Security Services; Establish Security Control Service Profile
  Security Service Taxonomy & Service Profiles
SecV-7: Asset-at-Node Threat Mitigation
  Establish Security Services to address Asset-at-Node Security Needs
  Asset-at-Node Threat Mitigation Specification
SecV-1a Purpose
SecV-1a: Asset Security Domain and Valuation Rating
Asset within FoS Structure
Asset
IT System
Weapons Communications
e.g. SAP
Security Classification Taxonomy
Security Domain (e.g.): UNCLASSIFIED, PROTECTED A, PROTECTED B, PROTECTED C, CONFIDENTIAL, SECRET, TOP SECRET
Security Caveat (e.g.): CANUK, NATO, AUSCANNZUKUS, CANUS, FOUR EYES, FIVE EYES
SecV-1a Conceptual Model
Diagram elements: Asset, Statement of Sensitivity, Resource (Sub Types: Information Systems, Personnel, Real Property)
Relationship labels: Recommends, Determines, Results in
SecV-1a Attribution Template
SecV-1b Conceptual Model
Diagram elements: Asset-at-Node, Threat Risk Assessment (TRA), Security Strength Requirement Matrix, Assignment of Security Exposure, Asset, Operational Node (Refer OV-2)
Relationship labels: Recommends, Determines, Assigned to Node
SecV-1b Attribution Template
SecV-2 Data Model (DADM)
Entities: SECURITY-CLASSIFICATION, CAVEAT, CAVEATED-SECURITY-CLASSIFICATION, SYSTEM-EXCHANGE, DATA-ATTRIBUTE
Relationship labels: classifies / is classified by, restricts / is restricted by, is for, uses / is used by, has
SecV-3 Purpose
SecV-3 Data Model (DADM)
Entities: AGGREGATE-TYPE, SECURITY-CLASSIFICATION, CAVEAT, DATA-ATTRIBUTE
Relationship labels: classifies / is classified by, restricts, is for, has
SecV-4 Purpose
SecV-4 Security Control Specification
SecV-4 Conceptual Model
Security Control Class (includes: Management, Technical, Operational)
Comprises
Security Control Family (for example: Access Control, Awareness and Training, Personnel Security)
Organizes
Security Control (for example: AC 17 Remote Access)
Links
XREF links to Knowledge Artifacts in Corporate Memory, Web or elsewhere
SecV-4 Attribution Template
SecV-5 Conceptual Model
Security Deployed
Control to
SecV-5 Attribution Template
Security Services
reusable security mitigation mechanisms.
can be automated or manual
automated security services can be further defined in terms of their hardware and software components.
SecV-6 Conceptual Model (1/2)
Diagram elements: Security Service (Sub-Types: Automated Security Service, Non-Automated Security Service)
Relationship label: Comprises
SecV-6(1) Attribution Template
Diagram elements: Security Control Service Profile, Security Service
Relationship labels: Manages, Mitigated By
SecV-6(2) Attribution Template
SecV-7 Conceptual Model
Diagram elements: Node, Asset, Asset-At-Node Security Control Profile (Refer SecV-5), Asset-at-Node Threat Mitigation Package, Security Service
Other labels: Refer SecV-6, Selects
SecV-7 Attribution Template
EA
Security View Road Map
IOC FOC
Today
Contacts:
VINCENT.QUESNEL@forces.gc.a
EA Programme Support
(613) 993-6164
GREG.ERICKSON@forces.gc.ca
EA Development
(613) 990-8341
SecV-1a Class Diagram
SecV-1b Class Diagram
SecV-2 Class Diagram
SecV-3 Class Diagram
SecV-4 Class Diagram
SecV-5 Class Diagram
SecV-6 Class Diagram
SecV-7 Class Diagram