A Methodology, a Language, and a Tool to Provide Information Security Assurance Arguments
Abstract
As information systems become more complex and industry and military rely more on their correct operation, the need for survivable, secure systems becomes more pressing. System designers and assessors need to clearly understand the causality, relationships, vulnerabilities, threats, system-level view points, and objectives of an entire enterprise. To design a system that can be trusted or assess security properties in a system, the related assurance arguments need to be developed and described effectively in a well-organized format by means of a sound language. To satisfy this requirement, we introduce a methodology, ECM (Enterprise Certification Methodology), to derive and organize the related assurance arguments effectively. We have developed a visual language, CAML (Composite Assurance Mapping language), to build the map of the assurance argument using ECM. This map depicts the claim trees for the assurance arguments related to the enterprise security objective. We have also developed a tool, VRNM (Visual Network Rating Methodology), to help users develop a map to assurance arguments in CAML based on 11CM and document it with related descriptions in a common environment.
Document Details
- Document Type
- Technical Report
- Publication Date
- Feb 15, 2002
- Accession Number
- ADA399505
Entities
People
- Andrew Moore
- Beth Strohmayer
- Bruce Montrose
- Joon-Hyuk Park
- Judith Froscher
Organizations
- United States Naval Research Laboratory