Early mainframe computers were staffed with operators. Although the computers were often festooned with hundreds of lights and switches, most operators relied on the console display to track the computer's behavior. The console contained a printer, and its printout was called the console log. Every major event that occurred inside the computer was reported on the log, which helped the operators keep the computer running efficiently. The log also reported security-relevant events, such as login failures on a timesharing system.

© Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION

4.5 Monitoring Cyber System Security 165

Sharing Files

As computers shrank in size and cost, vendors eliminated the console and its log. This made the computers cheaper and easier to operate, but it also eliminated a lot of information about what the system was doing. In 1983, the U.S. Department of Defense (DOD) published requirements for "trusted operating systems" titled Trusted Computer System Evaluation Criteria (TCSEC), often called the Orange Book. One requirement was that operating systems keep a log of security-relevant events. This requirement remained when the Orange Book was replaced by a new set of standards called the Common Criteria in 2000.

The Orange Book and Common Criteria are examples of standards that establish cybersecurity requirements, including logging requirements. The risk management frameworks call for system monitoring, which usually includes event logging.

Laws, Regulations, and Industry Rules

Recent U.S. laws, regulations, and industry rules establish security requirements for computer systems; the major ones are listed below. In general, these rules require organizations to monitor their computer systems for intrusions or other misuse, and the organizations must be able to provide evidence that they do so.

SOX (Sarbanes-Oxley Act), enacted by Congress in 2002, establishes requirements for financial and accounting practices.

HIPAA (Health Insurance Portability and Accountability Act), passed in 1996, establishes security standards for certain types of health information. Rules governing HIPAA implementation call for system logging.

GLBA (Gramm-Leach-Bliley Act), passed in 1999, requires financial institutions to protect customer information against security threats.

FISMA (Federal Information Security Management Act), passed in 2002, requires U.S. government agencies to implement agency-wide information security programs.

NIST publishes its Risk Management Framework (NIST SP 800-37) to help agencies comply with FISMA.

PCI DSS (Payment Card Industry Data Security Standard) is an industry standard that applies to organizations that store, process, or transmit credit and debit card data. One requirement is that organizations track and monitor all access to network resources and cardholder data.

ISO/IEC 27000 is a family of international standards for information security management based on continuous process improvement. The standards call for continuous security monitoring, both to detect security problems and to assess the effectiveness of the security processes themselves.

Some, but not all, of these specifically require logging and log monitoring. In practice, effective logging can show that the organization complies with more general security rules. Standards for financial accounting may also persuade an organization to keep logs, and the logs may play an important role in subsequent financial audits.

Many organizations set up their logs to meet auditing requirements. Corporations routinely hire independent accounting firms to perform annual audits of the company's financial status. The accounting firm must have access to the computers used to process the corporation's financial data. The audit process examines cybersecurity measures and uses the logs to verify that the measures have been working.

Financial audits aren’t the only reason a company keeps logs. If a company accepts credit card transactions, the computers that handle those transactions are subject to PCI DSS requirements, and these mandate event logging. If the company has an in-house clinic, its records are covered by HIPAA regulations, which also require security event logging.

External Requirements and the Security Process

In the risk management frameworks, we implement security controls based on elements analyzed in earlier steps: requirements, risks, threat agents, and ultimately on the assets we protect. When external requirements oblige us to incorporate particular security measures, we need to include them in the framework. This isn’t always an easy task.

What if our assessment doesn’t yield any risks that these requirements address?

For example, enterprise-grade Internet firewalls often earn a Common Criteria certification by being evaluated against a "protection profile." The profile places many requirements on the firewall product, and some of them might not directly address threats the vendor has identified. This may be an error on the vendor's part, or the Common Criteria evaluation may impose requirements that this particular product doesn't really need. In either case, the vendor must choose between saving money on the product implementation and earning Common Criteria certification.

To incorporate these additional requirements, we take one of three approaches:

1. Interpret external requirements in the context of our identified risks and then combine them with our other security requirements.

2. Analyze as risks any legal or contractual problems that could arise from lacking a certification.

3. Treat certifications as assets.

We do not want to simply add the external requirements to our policy verbatim. While this is the easiest way to do the planning and design, it may yield the most risk. For example, the external requirement may call for "strong authentication," and the implementation may simply choose a product that a vendor claims provides "strong authentication." This solution may be more expensive than comparably strong alternatives. Moreover, the vendor's "strong authentication" may defend against the wrong types of attacks, leaving the risks we actually identified unaddressed.

The first approach is the simplest from a practical standpoint: We extend our policy by interpreting the external requirements in terms of our own risks. This allows us to integrate the external requirements with our strategy for addressing the threats. It also works in situations where we develop a policy based on someone else's risk assessment.

The second approach acknowledges that we face risks if we ignore the external requirements. At some point, every organization makes an explicit or implicit assessment of the risks and benefits of complying with external rules. Most organizations make

4.6 Resources 167