
Security Attestation Process

IP.com Disclosure Number: IPCOM000197610D
Original Publication Date: 2010-Aug-10
Included in the Prior Art Database: 2010-Aug-10
Document File: 4 page(s) / 97K

Publishing Venue

Siemens

Related People

Juergen Carstens: CONTACT

Abstract

Information Technology (IT) systems and applications are also used to run critical business or production processes. In order to verify whether certain security protection standards are met, the so-called IT Security Attestation is used. The Security Attestation is a holistic security assessment of a complete supply chain, including the business application or product vendor, delivery (hosting of IT equipment and systems) and the development processes of an application/product together with the related processes. The assessment is conducted as a combination of document reviews, interviews with stakeholders and practical security tests of the IT infrastructure, the business applications or IT-based products. The aim of the security attestation is to assess the maturity of the security of the resources used in an IT product, measured against the actual need for security. It incorporates the following points:
• a requirement analysis: details about the risk case scenarios which have to be mitigated
• information security related processes and Service Level Agreements (SLA)
• IT infrastructure, consisting of IT systems and networks
• IT business, IT applications and IT products such as human resources applications, financial systems and control systems

This text was extracted from a PDF file.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 27% of the total text.

Page 1 of 4

Security Attestation Process

Idea: Sven Lehmberg, DE-Munich; Eric Scheer, DE-Munich; Robert Ingruber, DE-Munich

Information Technology (IT) systems and applications are also used to run critical business or production processes. In order to verify whether certain security protection standards are met, the so-called IT Security Attestation is used. The Security Attestation is a holistic security assessment of a complete supply chain, including the business application or product vendor, delivery (hosting of IT equipment and systems) and the development processes of an application/product together with the related processes.

The assessment is conducted as a combination of document reviews, interviews with stakeholders and practical security tests of the IT infrastructure, the business applications or IT-based products.

The aim of the security attestation is to assess the maturity of the security of the resources used in an IT product, measured against the actual need for security. It incorporates the following points:
• a requirement analysis: details about the risk case scenarios which have to be mitigated
• information security related processes and Service Level Agreements (SLA)
• IT infrastructure, consisting of IT systems and networks
• IT business, IT applications and IT products such as human resources applications, financial systems and control systems

In the end, a Security Attestation certificate provides details about the actual performance and about specific problems or areas for improvement.

Up to now, there are standards which offer assessment frameworks for business applications, products and solutions. However, these standards are incomplete. The TÜV Trusted Site Security and Trusted Site Privacy certifications do not publicly disclose the exact content of the certification. Further, the Creative Commons (CC) based content concerns penetration testing of infrastructures; the business view, the application level and the risk evaluation are not considered. The BSI Grundschutz provides good practice guidance on dedicated security settings and processes, technical security and technical security measures. However, the business view is not considered and the possible risk is not evaluated.

Therefore, it is proposed to structure the assessment in the form of a waterfall model that includes a Plan-Do-Check-Act (PDCA) cycle. The steps of the proposed solution are described in the following.

In the first step, the security requirements and assets are decomposed and Key Performance Indicators (KPI) for security are defined.
A.1 Business View:
• business case of the application/product
• external rules and regulations such as the data protection act or the Payment Card Industry Data Security Standard
• worst case scenarios for the application/product, such as unauthorized access to confidential information or to the control unit of a power plant
• Service Level Agreements between the business owner and the application vendor/IT delivery service
• related and binding in...