Apparatus and methods for assessing and maintaining security of a computerized system under development

US 8,392,999 B2
Filed: 05/24/2010
Issued: 03/05/2013
Est. Priority Date: 12/19/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A security assessment method for assessing security of a computerized system under development and having at least one security requirement, the method comprising:

computing a control target level for at least one control existing in a computerized system under development; and

using said control target level to set a risk level for the at least one security requirement wherein said computing the target level includes;

combining a CIA vector characterizing an individual control for an individual asset with the asset'"'"'s CIA classification vector, thereby to generate a numerical value; and

using said numerical value in searching through the controls'"'"' different answers to select which answer will satisfy said individual control for said individual asset.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security assessment method for assessing security of a computerized system under development, the system including assets and being managed in accordance with an organization policy, the method including providing an organizational computerized system development policy; classifying said assets in said system under development, thereby to generate asset classification information; and automated creation of at least one security requirement based on said asset classification information and said organization policy.

46 Citations

View as Search Results

39 Claims

1. A security assessment method for assessing security of a computerized system under development and having at least one security requirement, the method comprising:
- computing a control target level for at least one control existing in a computerized system under development; and
  
  using said control target level to set a risk level for the at least one security requirement wherein said computing the target level includes;
  
  combining a CIA vector characterizing an individual control for an individual asset with the asset'"'"'s CIA classification vector, thereby to generate a numerical value; and
  
  using said numerical value in searching through the controls'"'"' different answers to select which answer will satisfy said individual control for said individual asset.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. A security assessment method according to claim 1, the system including assets and being managed in accordance with an organization policy, the method also including:
    - providing an organizational computerized system development policy;
      
      classifying the assets in the system under development, thereby to generate asset classification information; and
      
      automated creation of at least one security requirement based on said asset classification information and said organization policy.
  - 3. A method according to claim 1 wherein said policy includes a stipulation of at least one individual required encryption scheme for at least one individual class of assets.
  - 4. A method according to claim 3 wherein said class of assets includes an asset whose importance from a viewpoint of asset confidentiality maintenance falls within a stipulated range.
  - 5. A method according to claim 3 wherein said class of assets includes an asset whose importance from a viewpoint of asset integrity maintenance falls within a stipulated range.
  - 6. A method according to claim 3 wherein said class of assets includes an asset whose importance from a viewpoint of asset availability maintenance falls within a stipulated range.
  - 7. A method according to claim 3 wherein said automated creation includes generating a security requirement for said at least one required encryption scheme vis-a-vis each individual asset which, according to said asset classification information, belongs to said individual class of assets.
  - 8. A method according to claim 1 wherein said policy includes a stipulation of at least one of a server installation process, and an IT hardware configuration process.
  - 9. A method according to claim 1 wherein said asset classification information quantifies the asset'"'"'s importance from a viewpoint of at least one of asset confidentiality maintenance, asset integrity maintenance and asset availability maintenance.
  - 10. A security assessment method according to claim 1, the method comprising:
    - providing at least one initial security requirement definition which applies while said system under development is in a first phase of development; and
      
      translating said at least one initial security requirement that pertains to said first phase to a more detailed security requirement that pertains to a subsequent phase of development.
  - 11. A method according to claim 10 wherein said first phase comprises a design phase.
  - 12. A method according to claim 10 wherein said subsequent phase comprises an implementation phase.
  - 13. A method according to claim 10 wherein said first and subsequent phases comprise SDLC (Software Development Lifecycle) phases.
  - 14. A method according to claim 10 wherein said initial security requirement stipulates a desired strength of encryption and said more detailed security requirement stipulates technology to implement said desired strength of encryption.
  - 15. A computer program product, comprising a computer usable medium having a computer readable program code embodied therein, said computer readable program code adapted to be executed to implement a security assessment method according to claim 1 for assessing security of a computerized system under development, the system including assets and being managed in accordance with an organization policy, the method also including:
    - providing an organizational computerized system development policy;
      
      classifying said assets in said system under development, thereby to generate asset classification information; and
      
      automated creation of at least one security requirement based on said asset classification information and said organization policy.
  - 16. A computer program product, comprising a computer usable medium having a computer readable program code embodied therein, said computer readable program code adapted to be executed to implement a security assessment method according to claim 1 for assessing security of a computerized system under development and having at least one security requirement.
  - 17. A computer program product, comprising a computer usable medium having a computer readable program code embodied therein, said computer readable program code adapted to be executed to implement a security assessment method according to claim 1 for assessing security of a computerized system under development, the method also comprising:
    - providing at least one initial security requirement definition which applies while said system under development is in a first phase of development; and
      
      translating said at least one initial security requirement that pertains to said first phase to a more detailed security requirement that pertains to a subsequent phase of development.

18. A security assessment device for assessing security of a computerized system under development and having at least one security requirement, the device comprising:
- a control target level computer operative for Computing a control target level for at least one control existing in a computerized system under development; and
  
  a security requirement risk level generator using said control target level to set a risk level for the at least one security requirement;
  
  wherein said computing the target level by said control target level computer includes;
  
  combining a CIA vector characterizing an individual control for an individual asset with the asset'"'"'s CIA classification vector, thereby to generate a numerical value; and
  
  using said numerical value in searching through the controls'"'"' different answers to select which answer will satisfy said individual control for said individual asset.
- View Dependent Claims (19, 20)
- - 19. A security assessment device according to claim 18, the system including assets and being managed in accordance with an organization policy, the device also including:
    - asset classification apparatus classifying said assets in said system under development, thereby to generate asset classification information; and
      
      a requirement generator for automated creation of at least one security requirement based on said asset classification information and an organizational computerized system development policy.
  - 20. A security assessment device according to claim 18, the device also comprising:
    - a requirement database including at least one initial security requirement definition which applies while said system under development is in a first phase of development; and
      
      a requirement translator operative for translating said at least one initial security requirement that pertains to said first phase to a more detailed security requirement that pertains to a subsequent phase of development.

21. A security assessment method for assessing security of a computerized system under development and having at least one security requirement, the method comprising:
- computing a control target level for at least one control existing in a computerized system under development; and
  
  using said control target level to set a risk level for the at least one security requirement,wherein said using includes selecting a control target, setting the security requirement risk level as the CIA vector of the answer whose control'"'"'s MaxAssetClassification value is greater than or equal to the difference between the already-computed requirement risk level and the CIA vector value of the first (less good) answer for said control.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 22. A security assessment method according to claim 21, the method comprising:
    - providing at least one initial security requirement definition which applies while said system under development is in a first phase of development; and
      
      translating said at least one initial security requirement that pertains to said first phase to a more detailed security requirement that pertains to a subsequent phase of development.
  - 23. A method according to claim 22 wherein said first phase comprises a design phase.
  - 24. A method according to claim 22 wherein said subsequent phase comprises an implementation phase.
  - 25. A method according to claim 22 wherein said first and subsequent phases comprise SDLC (Software Development Lifecycle) phases.
  - 26. A method according to claim 22 wherein said initial security requirement stipulates a desired strength of encryption and said more detailed security requirement stipulates technology to implement said desired strength of encryption.
  - 27. A computer program product, comprising a computer usable medium having a computer readable program code embodied therein, said computer readable program code adapted to be executed to implement a security assessment method according to claim 21 for assessing security of a computerized system under development, the system including assets and being managed in accordance with an organization policy, the method also including:
    - providing an organizational computerized system development policy;
      
      classifying said assets in said system under development, thereby to generate asset classification information; and
      
      automated creation of at least one security requirement based on said asset classification information and said organization policy.
  - 28. A computer program product, comprising a computer usable medium having a computer readable program code embodied therein, said computer readable program code adapted to be executed to implement a security assessment method according to claim 21 for assessing security of a computerized system under development and having at least one security requirement.
  - 29. A security assessment method according to claim 21:
    - the system including assets and being managed in accordance with an organization policy,the method also including;
      
      providing an organizational computerized system development policy;
      
      classifying the assets in the system under development, thereby to generate asset classification information;
      
      automated creation of at least one security requirement based on said asset classification information and said organization policy.
  - 30. A method according to claim 29 wherein said policy includes a stipulation of at least one individual required encryption scheme for at least one individual class of assets.
  - 31. A method according to claim 30 wherein said class of assets includes an asset whose importance from a viewpoint of asset confidentiality maintenance falls within a stipulated range.
  - 32. A method according to claim 30 wherein said class of assets includes an asset whose importance from a viewpoint of asset integrity maintenance falls within a stipulated range.
  - 33. A method according to claim 30 wherein said class of assets includes an asset whose importance from a viewpoint of asset availability maintenance falls within a stipulated range.
  - 34. A method according to claim 30 wherein said automated creation includes generating a security requirement for said at least one required encryption scheme vis-a-vis each individual asset which, according to said asset classification information, belongs to said individual class of assets.
  - 35. A method according to claim 29 wherein said policy includes a stipulation of at least one of a server installation process, and an IT hardware configuration process.
  - 36. A method according to claim 29 wherein said asset classification information quantifies the asset'"'"'s importance from a viewpoint of at least one of asset confidentiality maintenance, asset integrity maintenance and asset availability maintenance.

37. A security assessment device for assessing security of a computerized system under development and having at least one security requirement, the device comprising:
- a control target level computer operative for computing a control target level for at least one control existing in a computerized system under development; and
  
  a security requirement risk level generator using said control target level to set a risk level for the at least one security requirement;
  
  wherein said using by said security requirement risk level generator includes selecting a control target, setting the security requirement risk level as the CIA vector of the answer whose control'"'"'s MaxAssetClassification value is greater than or equal to the difference between the already-computed requirement risk level and the CIA vector value of the first (less good) answer for said control.
- View Dependent Claims (38, 39)
- - 38. A security assessment device according to claim 37, the device also comprising:
    - a requirement database including at least one initial security requirement definition which applies while said system under development is in a first phase of development; and
      
      a requirement translator operative for translating said at least one initial security requirement that pertains to said first phase to a more detailed security requirement that pertains to a subsequent phase of development.
  - 39. A security assessment device according to claim 37, the system including assets and being managed in accordance with an organization policy, the device also including:
    - asset classification apparatus classifying said assets in said system under development, thereby to generate asset classification information; and
      
      a requirement generator for automated creation of at least one security requirement based on said asset classification information and an organizational computerized system development policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
White Cyber Knight Limited
Original Assignee
White Cyber Knight Limited
Inventors
Adar, Eyal
Primary Examiner(s)
HOFFMAN, BRANDON S

Application Number

US12/785,620
Publication Number

US 20100306852A1
Time in Patent Office

1,016 Days
Field of Search

None
US Class Current

726/25
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

G06Q 10/06 Resources, workflows, human...

Apparatus and methods for assessing and maintaining security of a computerized system under development

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

46 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and methods for assessing and maintaining security of a computerized system under development

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links