Introduction
Evolution is an inherent characteristic of IT systems. The models of IT systems are made to evolve with their context, either because of new business or user requirements or because of changes in the system's operating environment (new threats, for instance). However, as is well known, different contexts may harbor different risks and eventually call for different security requirements.
The list of recent, high-profile security breaches is daunting; headlines have exposed major leaks among the largest organizations, resulting in loss of customer trust, potential fines and lawsuits (Le Grand, 2005). Vulnerable systems pose a serious risk to successful business operations, so managing that risk is a necessary board-level and executive-level concern. Executives must ensure appropriate steps are being taken to audit and address IT flaws that may leave critical systems open to attack (Le Grand, 2005). As revealed by a study conducted by Wool (2004) on firewall configurations, a common but sometimes overlooked source of IT risk for large, distributed and open IS is improper deployment of security measures after a Risk Assessment has been completed. The term security measure within this paper refers to security controls. In fact, risk countermeasures may be properly elucidated at Risk Assessment, but their actual deployment may be less impressive, or unidentified hazards in the system environment may render them less effective. How good, for instance, is a fortified door if the owner inadvertently leaves it unlocked? Or, considering a more technical example, how relevant is a firewall for a critical system linked to the Internet if it is configured to allow any incoming connection? Therefore, monitoring and reporting on the security status or posture of IT systems can be carried out to determine compliance with security requirements (Jansen, 2009) and to gain assurance as to their ability to adequately protect system assets. This remains one of the fundamental tasks of security assurance, which is here defined as the grounds for confidence that deployed security measures meet their objectives. To that extent, our understanding of security assurance is in line with the Common Criteria's definition of assurance (Common Criteria Sponsoring Organizations, 2006). Unfortunately, most of what has been written so far about security assurance is definitional.
The published literature either aims at providing guidelines for identifying metrics (e.g. Vaughn et al., 2002; Seddigh et al., 2004; Savola, 2007), without indicating how to combine them into the quantitative or qualitative indicators that are needed for a meaningful understanding of the security posture of an IT component; or it targets end products (e.g. the Common Criteria, Common Criteria Sponsoring Organizations, 2006) or the software development stage (e.g. assurance cases, Strunk & Knight, 2006; UMLSec, Jürjens, 2005; Secure Tropos, Mouratidis & Giorgini, 2007).