Information Security Planning Guide

CCSDS Security WG Spring 2005
Athens, GR

Howard Weiss
NASA/JPL/SPARTA
hsw@sparta.com
+1-410-872-1515

April 2005


AGENDA

• 11 April 2005
  – 1030-1200: Joint meeting with Space Link Support Area
• 13 April 2005
  – 0900-0915: Welcome, opening remarks, logistics, agenda bashing
  – 0915-0930: Review results of Fall 2004 SecWG meeting in Toulouse Mtg Notes
  – 0930-1000: Security Architecture Document Discussions (Kenny)
  – 1000-1030: coffee break
  – 1030-1200: Security Architecture Document Discussions, cont
  – 1200-1330: Lunch
  – 1330-1415: Anti-Jamming/Spread Spectrum (Olsen)
  – 1415-1500: Final review Threat Document (Weiss)
  – 1500-1530: coffee break
  – 1530-1700: Key management discussion (Kenny)
• 14 April 2005
  – 0900-0930: Information Security Planning Guide (all)
  – 0930-1000: Security Policy Framework (all)
  – 1000-1030: break
  – 1030-1200: Crypto and Authentication Standards (Weiss)


What is This?

• Last seriously discussed in Fall 2003 meeting
  – Security Guide for the mission planner
• A guide to mission planners beyond the Security Green Book and Threat Document
  – Cookbook containing the essence of both the Green Book and the Threat Book?

“Security for Dummies”


What Might It Contain?

• Sections might include:
  – Project mission roles and responsibilities
  – Security overview (a la Green Book)
  – Threat/risk analysis
  – Risk mitigation
  – Security planning (a la Security Architecture document)
  – Security mechanisms (a la Green Book)
  – Contingency and disaster mitigation
  – Etc.


Other Alternatives

• ISO 15408: Common Criteria for Information Technology Security Evaluation
  – Protection Profiles (PP) are produced as security “acquisition” documents
    » Collection of system security requirements that the system “user” wants to purchase
  – Security Targets (ST) are produced by vendors to describe the security characteristics of their system.
• Use the CC as the basis for describing the mission security requirements?
  – Use the existing CCToolbox?
  – Extend/modify the CCToolbox for space environments?


CCToolbox

• SPARTA-developed for US National Information Assurance Partnership (NIAP)
• Freely available (although no longer supported)
  – Written in Java
  – ftp://ftp.sparta.com/pub/columbia/cctb.zip
• “Interviews” PP or ST developer to walk the developer through the myriad mess of the CC.
  – Akin to TurboTax that walks folks in the US through their income tax preparation


CCToolbox Demo

• CCToolbox Start


Discussion Results