As with all fields, security has its own jargon, some of which is justified. It also has its own tribal terms; for example, the loosely used term ‘cyberspace’ was apocryphally coined by William Gibson, a non-technical author writing science fiction. It was not a term used by experts in information security, and some may still see it as fashionable rather than technical.
We will attempt to use the terms that make sense to you and your customers, but please bear in mind that you are many and diverse, so be forgiving if some of the terms seem odd.
A quick canter through the terms used here and in the Risk Assessment, introducing the main security concepts as they apply to Secure By Design:
Essentially, we identify the assets that we want to protect, what the impacts or effects are if those assets are compromised (nicked, bricked or tricked: stolen, denied or destroyed, corrupted; that is, confidentiality, access or integrity has failed), and so which ones we want to focus on.
We map out the space (diagram the networks, visualise the cyber space), where our assets are located in that space (data at rest), and what channels are used to access and move them (data on the move). We distinguish between areas of responsibility (areas that we control) and areas of interest (areas that we do not control but that still affect us, and so need to monitor).
With the assets located in the space, we now assess the threats that can apply to those assets in those spaces. For this playbook we focus on threat actors: people and groups that deliberately or accidentally compromise our assets. That is, we are not concerned here with natural threats such as earthquakes, as these can and should be managed in different ways.
Threat actors have a range of capabilities and motivations, both in general and specifically applied to our space and assets.
We combine these into the security picture, which is a combination of the space, the assets laid out in that space, and the threats that apply to those assets and that space. We can include any security controls (protection measures) that are already in place.
From this we can deduce what vulnerabilities still exist and so what other security controls could be applied.
This gives us two outputs: a registry of residual technical security risks, and the action plan to add any more security controls.
Cyber security controls are broken down into technical controls, which protect the software systems through gateways and authenticators, and administrative controls, which protect the people through training and procedures. These are then monitored to check that they work, and we feed the outputs of that monitoring back into the security evaluation.
The residual technical security risks are converted into business security risks and added to all the other project risks. The risk owners look over all of these to decide whether they are acceptable according to the business risk appetite, and to make a call on whether to operate even if some risks still require treating or transferring.
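The assessment chain above (assets and their impacts, the mapped space with areas of responsibility and interest, threat actors, controls already in place, then a residual risk registry and an action plan) as an added worked model; this is illustrative code, not the playbook's own. The 1 to 5 scales, the likelihood formula, the `appetite` threshold and all names are assumptions, and "nicked, bricked or tricked" is read as confidentiality, availability and integrity failing.

```python
from dataclasses import dataclass

# Impact axes. "Nicked, bricked or tricked" is read here as stolen (confidentiality),
# denied or destroyed (availability), corrupted (integrity). Scales 1..5 are assumed.
AXES = ("confidentiality", "integrity", "availability")

@dataclass
class Asset:
    name: str
    location: str      # where it sits in the mapped space
    controlled: bool   # True: area of responsibility; False: area of interest
    impact: dict       # axis -> 1..5 effect if that property fails
@dataclass
class ThreatActor:
    name: str
    capability: int    # 1..5
    motivation: int    # 1..5
    compromises: set   # axes this actor can make fail
@dataclass
class Control:
    name: str
    location: str      # applies to assets in this location
    protects: set      # axes it mitigates
    reduction: int     # points taken off an actor's likelihood (assumed scale)

def residual(asset, actor, axis, controls):
    """Residual risk = likelihood after in-place controls x impact on that axis."""
    reduction = sum(c.reduction for c in controls
                    if c.location == asset.location and axis in c.protects)
    likelihood = max(1, (actor.capability + actor.motivation) // 2 - reduction)
    return likelihood * asset.impact[axis]

def assess(assets, actors, controls, appetite=8):
    """Combine space, assets and threats; return (risk registry, action plan)."""
    registry = [{"asset": a.name, "axis": ax, "actor": t.name,
                 "risk": residual(a, t, ax, controls)}
                for a in assets for t in actors for ax in AXES if ax in t.compromises]
    registry.sort(key=lambda r: r["risk"], reverse=True)
    by_name = {a.name: a for a in assets}
    # Controls can only be added in areas we control; areas of interest are monitored.
    plan = [(r["asset"], r["axis"], "add control" if by_name[r["asset"]].controlled else "monitor")
            for r in registry if r["risk"] >= appetite]
    return registry, plan

# Constructed sample picture (not from the page): two assets, two actors, two controls.
SAMPLE = (
    [Asset("customer records", "internal-net", True, {"confidentiality": 5, "integrity": 4, "availability": 3}),
     Asset("partner feed", "partner-net", False, {"confidentiality": 2, "integrity": 4, "availability": 2})],
    [ThreatActor("criminal group", 4, 5, {"confidentiality", "availability"}),
     ThreatActor("careless insider", 2, 1, {"integrity", "availability"})],
    [Control("gateway filtering", "internal-net", {"confidentiality", "availability"}, 2),
     Control("staff training", "internal-net", {"integrity"}, 1)],
)
```

Running `assess(*SAMPLE)` lists every asset/axis/actor combination with its residual score and flags those at or above the appetite, which for the uncontrolled partner network can only be monitored rather than treated.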