Smart Cards and the Bigger Picture


  • 8/9/2019 Smart Cards and the Bigger Picture

    1/15

    Fiona Pattinson CISSP, CSDP, CQA

    Security Assurance: Smart Cards and the Bigger Picture

    CT/ST Washington, DC - April 2004


    2004 phi solutions

    The Problem

    How to address security assurance in a complex system with many components?

    Micro: Smart Card is a composite product: I.C., Operating System, Platform, Application

    Macro: Smart Card is a component in a system: Card, on-card application, reader, middleware, host software, issuance, network, PKI, biometrics, privacy


    Quality Factors - Software

    McCall, Richards and Walters (1997)


    A Quality View

    Assurance gained by:

    Risk Management

    An Information Security Management System

    A Quality Management System


    ISO 9001

    ISO/IEC 9001 provides a basic quality management framework for an organization. The 2000 version is process based and can host specialist models such as:

    Software: ISO/IEC 12207: Software Lifecycle processes

    SEI CMMs: Software Maturity

    SSE CMM / IA CMM: Software Security engineering

    Agile: Software Development Methodologies

    Manufacturing: JIT / Cellular / Kanban / Taguchi

    MasterCard, VISA, GSM manufacturing / Perso requirements


    BS 7799-2

    BS 7799-2 provides a basic information security management framework for an organization.

    The 2000 version is process based and can support frameworks such as:

    ISO/IEC 15408 / Common Criteria

    SSE CMM / IA CMM: Software Security engineering

    CobIT Assessments

    Support Corporate Governance requirements (Sarbanes Oxley)

    ISO 17799: Security for Information Systems

    MasterCard, VISA, GSM manufacturing / Perso requirements

    Privacy, HIPAA, GLB


    Risk: Levels of Abstraction

    (Diagram; labels as extracted.) Levels: Risks in Society, Organizational Risk, Project Risk, Product or Service Risk, System Risk.

    Risk factors shown: Insurance Industry, Homeland Security, Corporate Governance, Political, Legal, Finance, Cost, Time, Scope, Quality, Reliability, Liability, Legislation, Privacy, Integrity.


    Integrated Management Systems


    Conclusion

    These techniques can facilitate addressing the complex security assurance needs in the bigger picture of the smart card industry.

    Need to address assurance at EVERY step and at industry interfaces.

    Take a holistic view of quality factors!

    Emphasize and understand risk management.

    Use QMS / ISMS certs as baseline assurance.

    Use integration techniques to create efficiency.


    Discover more about

    Information Security Management Systems

    Join the US Chapter

    ISMS International User Group

    WWW.US-ISMS.ORG

    Membership is free!


    Fiona.Pattinson @ phi-solutions.com

    www.phi-solutions.com

    +1 512 825 3083