dc.description.abstract
To protect the information systems of an organization, an appropriate set of security controls needs to be installed and managed properly. Many organizations that can afford it either conduct a risk analysis exercise themselves or outsource the process to a consultant. Through such an exercise, the most effective set of controls is recommended. Organizations that cannot afford a risk analysis exercise, or cannot conduct one themselves, install controls on an ad hoc basis, with the result that many important business areas may be under- or over-protected.
Security baselines have provided these organizations with some guidance on which controls are, under general circumstances, the most effective to install in order to provide an acceptable level of protection. Although security baselines have contributed towards a more secure information technology community, most security baselines prescribe some analysis or identification process to determine the most applicable set of security controls for a specific situation. This analysis or identification process can be subjective. A possible solution to this subjective analysis or identification of applicable controls may be the definition of suitable protection profiles that include the most suitable security controls for specific information technology environments. Simply selecting the most suitable protection profile for the environment in question would free the organization from a subjective analysis or identification process. However, the protection profile as defined by the Common Criteria makes assumptions about the surrounding environment. This paper provides guidelines for determining an information security profile that encompasses all aspects of security, so that no assumptions need to be made, thereby leading towards a totally secure organization.
en