Managing Information Technology Security Risk

  • Conference paper
Software Security - Theories and Systems (ISSS 2003)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3233)

Abstract

Information Technology (IT) Security Risk Management is a critical task for an organization to protect against the loss of confidentiality, integrity, and availability of IT resources and data. Because of system complexity and the sophistication of attacks, managing IT security risk is increasingly difficult. This paper describes a two-pronged approach to managing IT security risk: 1) an institutional approach that addresses automating the process of providing and maintaining security for IT systems and the data they contain; and 2) a project life cycle approach that provides semi-automated means for integrating security into the project life cycle. It also describes the use of a security template with a risk reduction/mitigation tool, the Defect Detection and Prevention (DDP) tool developed at the Jet Propulsion Laboratory (JPL).

Copyright information

© 2004 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Gilliam, D.P. (2004). Managing Information Technology Security Risk. In: Futatsugi, K., Mizoguchi, F., Yonezaki, N. (eds) Software Security - Theories and Systems. ISSS 2003. Lecture Notes in Computer Science, vol 3233. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-37621-7_16

  • DOI: https://doi.org/10.1007/978-3-540-37621-7_16

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-23635-1

  • Online ISBN: 978-3-540-37621-7

  • eBook Packages: Springer Book Archive