Information System Security Engineering and Management - PowerPoint PPT Presentation

Slides: 12
Provided by: isis1
Title: Information System Security Engineering and Management


1
Information System Security Engineering and Management
  • Risk Analysis and System Security Engineering
  • Homework (2, 3)
  • Dr. William Hery
  • hery_at_isis.poly.edu

2
GTS System Description
  • Poly is going to set up a new, streamlined grade
    and transcript server (GTS). There is already a
    grade database on a secure server (SGDB) that is
    used for entering and maintaining grade records.
    The new server will allow students to:
  • view grades without directly accessing the SGDB
  • generate full transcripts to be sent to grad
    schools and potential employers from Poly in such
    a manner as to have the recipients of the
    transcripts trust that they are authentic.
  • For the homework, assume that SGDB is already
    secure, but there will now be a new
    application/server accessing it. Also assume that
    students can access GTS from the Poly intranet,
    or from the Internet.

3
GTS Architecture
[Diagram labels: SGDB, Poly Intranet, GTS, Internet, Student (two shown), email, Employer or Grad School]

4
Assets at Risk (HW 2)
  • Integrity of the grade database (but this is
    assumed to be a secure system for our purposes)
  • Privacy of the student grades
  • Integrity of the grades presented to the student
  • Integrity of the transcripts sent out (and the
    trust the recipients have in that integrity)
  • Availability of the GTS service
  • Poly's reputation as a premier institution in
    information security and an NSA COE in IA

5
Threats (HW 2)
  • Students who want to do general mischief or
    target specific students
  • Outsiders who want to do general mischief or
    target specific students
  • Students who want to send a fake transcript

6
Risk Management Approach (HW 2)
  • Integrity of the grade database: transfer risk to
    SGDB owner
  • Privacy of the student grades: mitigate with
    technology (authentication of user via password);
    accept some risk of stolen password
  • Integrity of the grades presented to the student:
    mitigate with technology (protect GTS system)
  • Integrity of the transcripts sent out: mitigate
    by digitally signing transcripts
  • Availability of the GTS service: mitigate with
    firewall; accept some risk of breaking through
    firewall
  • Poly's reputation as a premier institution in
    information security: mitigate with all of the
    above

7
Systems Engineering First Steps
  • Mission Needs Statement: A system to allow
    students to securely access their grades, and to
    allow them to have authenticated transcripts
    emailed to prospective employers and grad schools.
  • CONOPS: A student logs into the GTS Server over
    the Internet or Poly's Intranet. A user-friendly
    GUI allows the student to see which courses they
    have taken and what their grades have been. The
    student can also request that a complete
    transcript be emailed to prospective employers and
    grad schools. For security reasons, the GTS will
    be a separate server from the existing, secure
    grade database, the SGDB.

8
System Architecture and Functional Requirements
  • Architecture: see first slide
  • GTS Functional Requirements:
  • User (student) interface must authenticate user,
    accept user query, format response
  • SGDB interface must format grade query, send to
    SGDB, accept response
  • Individual grade request
  • Complete transcript request
  • GTS must be able to create and send authenticated
    transcripts via email

9
High-Level Security Requirements
  • Authentication of Students
  • Protect SGDB from attack at SGDB/GTS interface
    (preserve integrity and privacy of the grade
    database)
  • Protect all networks from snooping (privacy of
    grades)
  • Protect confidentiality and integrity of all
    processing on the GTS server
  • Provide a digital signature service to sign
    emailed transcripts from GTS
  • Protect GTS from denial of service attacks

10
Revised GTS Architecture With External Security Components
[Diagram labels: MyPoly user password auth., SGDB, Poly Intranet, Poly Signing Service, GTS, Internet, Student (two shown), email, Employer or Grad School]

11
Security Requirements Allocation
  • Authentication of Students: MyPoly User
    ID/Password authentication
  • Protect SGDB from attack at SGDB/GTS interface:
    custom interface to prevent attack (application
    firewall)
  • Protect all networks from snooping: encrypted
    network links
  • Protect confidentiality and integrity of all
    processing on the GTS server: server security
  • Provide a digital signature service to sign
    emailed transcripts from GTS: Poly Digital
    Signature Service
  • Protect GTS from denial of service attacks:
    firewalls, secured server
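
The signed-transcript requirement allocated to a separate signing service, sketched as an added example (not part of the original slides or any Poly system). It assumes Ed25519 as the signature scheme, which the slides do not specify; SigningService, VerifyTranscript and the sample transcript are hypothetical and constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// SigningService stands in for the signing service on the slide. It alone
// holds the private key, so the GTS server never has key material to leak.
type SigningService struct{ priv ed25519.PrivateKey }

// NewSigningService creates a key pair and returns the public half, which
// recipients must obtain out of band, not from the email being checked.
func NewSigningService() (*SigningService, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &SigningService{priv: priv}, pub, nil
}

// Sign returns a detached, base64-encoded signature over the exact bytes.
func (s *SigningService) Sign(transcript []byte) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(s.priv, transcript))
}

// VerifyTranscript is the recipient-side check (employer or grad school).
func VerifyTranscript(pub ed25519.PublicKey, transcript []byte, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false // malformed signature is treated as a failed check
	}
	return ed25519.Verify(pub, transcript, sig)
}

func main() {
	svc, pub, err := NewSigningService()
	if err != nil {
		panic(err)
	}
	// Constructed sample data; the record format is an assumption.
	genuine := []byte("student=S-0001;course=COURSE-101;grade=B\n")
	altered := []byte("student=S-0001;course=COURSE-101;grade=A\n")
	sig := svc.Sign(genuine)
	fmt.Println("genuine verifies:", VerifyTranscript(pub, genuine, sig))
	fmt.Println("altered verifies:", VerifyTranscript(pub, altered, sig))
}
```

The signature covers the exact bytes sent, so the recipient's trust rests on how the public key was obtained rather than on the email channel.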