[2600] Proposal for changing how we represent threats and some objectives in the PPs



I know we haven't decided for/against putting PPs into a single Family of
PPs, but while I was working through an example Family PP, I noticed two
things about how we represented threats and objectives. Looking at it
again, I think these are problems whether or not we use a Family of PPs
structure, and they are relatively easy to fix.

Threats:

We currently have "PP Threats", which are roll-ups of related P2600
threats that are mitigated by the same set of objectives. 

For example, we mitigate the P2600 threats T.TSF.CRED.NET and
T.TSF.CRED.MGMT with the same objectives (O.I&A, O.ACCESS, O.NETWORK, and
O.MONITOR), and so we rolled them up into a PP threat T.TSF.CRED. The
rationale for doing this was that it simplified the PPs, especially in
Tables 10 and 11 in PP section 4.4.

The problem is that T.TSF.CRED.EM isn't addressed in PP-B and PP-C, and
T.TSF.CRED.MGMT isn't addressed in PP-C (none of them are addressed in
PP-D). Consequently, T.TSF.CRED has different meanings in each of the PPs.
I think this could be confusing for anyone using these PPs to write or
evaluate STs, and may be confusing for whoever evaluates the PPs. There
are other cases like this one (T.DOS.NET and T.TSF.SW).

When we first noticed this problem, we added columns to each threat
description table in PP section 3.2. Now, I think that the simplification
we realized in Tables 10 and 11 is less important than the confusion we
created in section 3.2, and I think that confusion will propagate into the
SFRs as we try to match up functional requirements with objectives.

Therefore, I propose that we unroll the rolled-up PP threats:

(1) In the tables in PP section 3.2, replace the first column ("Threat")
with the P2600 threat names, replace the second column ("Description")
with the short descriptions from P2600 clause 7.2 table 3 (with minor
modifications to put them in PP terminology, e.g. changing "HCD" to
"TOE"), and remove column 3. This would only need to be done once for
PP-A, and then the other PPs could copy those tables and delete rows that
don't apply to their environment.


Objectives:

In a similar vein, we have objectives that share the same name, but are
used in different ways in different PPs. In many cases, it may not matter
much, but in others, I think it will be a problem. Examples:

O.GENUINE refers to SW updates in A|B|C, but also applets in A|B.
O.NETWORK refers to protecting document data in A|B|C, but not in D.
I'm sure there are some others...

Therefore, I propose that we consider identifying these cases and creating
unique objectives as needed. I haven't worked through all cases and don't
have a proposal for names. I'd like some feedback (and maybe some help!).


See for yourself: I put together yet another spreadsheet which shows which
PPs use which Threat/Objective combos:

http://grouper.ieee.org/groups/2600/presentations/ElSegundo2006/ThreatObjectiveEnvironmentWorksheet-24a.xls
(OK, OK, you'll probably need to reassemble this URL...)

Please, let's discuss this stuff on the mailing list and not save it all
up for the El Segundo meeting. It will take a very long time to get this
standard completed if we only discuss matters at the meetings, and I think
that the quality of our decisions would be better if we used the time
between meetings to think about the issues and make thoughtful decisions
rather than feeling compelled to make decisions on the fly in a meeting.

Regards,
--
Brian Smithson
Project Manager
PMP, SSCP, CISSP, CISA
Advanced Imaging and Network Technologies
Ricoh Corporation
(408)346-4435