Apparatus and Methods for Assessing and Maintaining Security of a Computerized System under Development

US 20100306852A1
Filed: 05/24/2010
Published: 12/02/2010
Est. Priority Date: 12/19/2005
Status: Active Grant

First Claim

Patent Images

1. A security assessment method for assessing security of a computerized system under development, the system including assets and being managed in accordance with an organization policy, the method including:

providing an organizational computerized system development policy;

classifying the assets in the system under development, thereby generating asset classification information; and

automatically creating at least one security requirement based on said asset classification information and said organization policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security assessment method for assessing security of a computerized system under development, the system including assets and being managed in accordance with an organization policy, the method including providing an organizational computerized system development policy; classifying said assets in said system under development, thereby to generate asset classification information; and automated creation of at least one security requirement based on said asset classification information and said organization policy.

52 Citations

View as Search Results

22 Claims

1. A security assessment method for assessing security of a computerized system under development, the system including assets and being managed in accordance with an organization policy, the method including:
- providing an organizational computerized system development policy;
  
  classifying the assets in the system under development, thereby generating asset classification information; and
  
  automatically creating at least one security requirement based on said asset classification information and said organization policy.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The method recited in claim 1, wherein said policy includes a stipulation of at least one individual required encryption scheme for at least one individual class of assets.
  - 9. The method recited in claim 8, wherein said class of assets includes an asset whose importance from a viewpoint of asset confidentiality maintenance falls within a stipulated range.
  - 10. The method recited in claim 8, wherein said class of assets includes an asset whose importance from a viewpoint of asset integrity maintenance falls within a stipulated range.
  - 11. The method recited in claim 8, wherein said class of assets includes an asset whose importance from a viewpoint of asset availability maintenance falls within a stipulated range.
  - 12. The method recited in claim 1, wherein said policy includes a stipulation of at least one of a server installation process, and an IT hardware configuration process.
  - 13. The method recited in claim 1, wherein said asset classification information quantifies the asset'"'"'s importance from a viewpoint of at least one of asset confidentiality maintenance, asset integrity maintenance and asset availability maintenance.
  - 14. The method recited in claim 8, wherein said automated creation includes generating a security requirement for said at least one required encryption scheme vis-a-vis each individual asset which, according to said asset classification information, belongs to said individual class of assets.

2. A security assessment method for assessing security of a computerized system under development and having at least one security requirement, the method comprising:
- computing a control target level for at least one control existing in a computerized system under development; and
  
  using said control target level to set a risk level for the at least one security requirement.
- View Dependent Claims (15, 22)
- - 15. The method recited in claim 2, wherein said computing the target level includes:
    - combining a CIA vector characterizing an individual control for an individual asset with the asset'"'"'s CIA classification vector, thereby to generate a numerical value; and
      
      using said numerical value in searching through the controls'"'"' different answers to select which answer will satisfy said individual control for said individual asset.
  - 22. The method recited in claim 2, wherein said using includes selecting a control target, setting the security requirement risk level as the CIA vector of the answer whose control'"'"'s MaxAssetClassification value is greater than or equal to the difference between the already-computed requirement risk level and the CIA vector value of the first (less good) answer for said control.

3. A security assessment method for assessing security of a computerized system under development, the method comprising:
- providing at least one initial security requirement definition which applies while said system under development is in a first phase of development; and
  
  translating said at least one initial security requirement that pertains to said first phase to a more detailed security requirement that pertains to a subsequent phase of development.
- View Dependent Claims (4, 5, 6, 7)
- - 4. The method recited in claim 3, wherein said first phase comprises a design phase.
  - 5. The method recited in claim 3, wherein said subsequent phase comprises an implementation phase.
  - 6. The method recited in claim 3, wherein said first and subsequent phases comprise SDLC (Software Development Lifecycle) phases.
  - 7. The method recited in claim 3, wherein said initial security requirement stipulates a desired strength of encryption and said more detailed security requirement stipulates technology to implement said desired strength of encryption.

16. A manufacture comprising a computer usable medium having a computer readable program code embodied therein, said computer readable program code having instructions for implementing a security assessment method for assessing security of a computerized system under development, the system including assets and being managed in accordance with an organization policy, the code including instructions for:
- providing an organizational computerized system development policy;
  
  classifying said assets in said system under development, thereby to generate asset classification information; and
  
  automatically creating at least one security requirement based on said asset classification information and said organization policy.

17. A manufacture comprising a computer usable medium having a computer readable program code embodied therein, said computer readable program code adapted to be executed to implement a security assessment method for assessing security of a computerized system under development and having at least one security requirement, the code including instructions for:
- computing a control target level for at least one control existing in a computerized system under development; and
  
  using said control target level to set a risk level for the at least one security requirement.

18. A manufacture comprising a computer usable medium having a computer readable program code embodied therein, said computer readable program code adapted to be executed to implement a security assessment method for assessing security of a computerized system under development, said code including instructions for:
- providing at least one initial security requirement definition which applies while said system under development is in a first phase of development; and
  
  translating said at least one initial security requirement that pertains to said first phase to a more detailed security requirement that pertains to a subsequent phase of development.

19. A security assessment device for assessing security of a computerized system under development, the system including assets and being managed in accordance with an organization policy, the device including:
- asset classification apparatus classifying said assets in said system under development, thereby to generate asset classification information; and
  
  a requirement generator for automated creation of at least one security requirement based on said asset classification information and an organizational computerized system development policy.

20. A security assessment device for assessing security of a computerized system under development and having at least one security requirement, the device comprising:
- a control target level computer operative for Computing a control target level for at least one control existing in a computerized system under development; and
  
  a security requirement risk level generator using said control target level to set a risk level for the at least one security requirement.

21. A security assessment device for assessing security of a computerized system under development, the device comprising:
- a requirement database including at least one initial security requirement definition which applies while said system under development is in a first phase of development; and
  
  a requirement translator operative for translating said at least one initial security requirement that pertains to said first phase to a more detailed security requirement that pertains to a subsequent phase of development.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
White Cyber Knight Limited
Original Assignee
White Cyber Knight Limited
Inventors
Adar, Eyal

Granted Patent

US 8,392,999 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

G06Q 10/06 Resources, workflows, human...

Apparatus and Methods for Assessing and Maintaining Security of a Computerized System under Development

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

52 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and Methods for Assessing and Maintaining Security of a Computerized System under Development

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links