Cybersecurity Framework for Mobile Credentials
Revision as of 17:02, 11 February 2023
Full Title
A cyber security analysis of privacy enhancing mobile credentials issued to residents by a sovereign entity for the purposes of granting access to controlled privileges with identity assurance appropriate to the value of the license granted.
Context
Following in the model of the evolving NIST cyber security framework, this analysis will begin with a full system risk model, including the risk of alienating an already anxious public given the insecurity of existing digital databases.
This paper is designed for three purposes:
- To guide the development of standards in this area,
- To help the current generation of architects, developers and testers using mobile credentials,
- To be a model use case for future NIST standardization of cyber security frameworks.
It is planned that a future document like this one will address credentials that are created by commerce and industry.
System Risk Model
In line with the NIST effort to integrate Cybersecurity with Enterprise Risk Management[1], and while NIST indicates that cybersecurity risk should receive proper attention, this document presumes that Cybersecurity Risk and Conduct Risk are the primary problems in any enterprise that employs Mobile Credentials as an integral part of a primary service offering, and that such an enterprise must place these two threats as its top consideration. The principal reason that Conduct Risk is included here is that in many organizations security spending is minimized to maintain current profit reporting, and thus the two are intimately co-mingled. The terms risk profile, risk appetite and risk tolerance used in the NIST document are subsumed here in the term Conduct Risk. For an executive summary on enterprise risk please see the NIST document. The other term used here, Risk Register, is defined in OMB Circular A-11 as a repository of risk information, including the data understood about risk over time. If your enterprise does not have risk defined in such a registry, there is no chance that you can make good choices about risk. An Enterprise, for the purposes of this paper, is any organization that has at least one risk registry and so can make informed risk decisions. All of the concepts of the NIST document are included by reference, including: communicating risk, consistently identifying threats and risks, estimating likelihood and impact, calculating risk exposure, establishing and using risk reserves, monitoring risk, reporting risk and integrating with other Enterprise systems.
Conduct Risk covers all of the consequences of decisions made by management. For Mobile Credentials many of these will be difficult value judgments, such as the level of assurance of strong identification versus the harm of not allowing access to a needed resource: for example, the risk of imperfect patient identity versus the need for immediate care, either of which could lead to death, or the risk of allowing a person with an impairment of any sort to drive a motor vehicle versus the risk of preventing that individual from getting to work to earn a living for their family. By far the most common conduct risk is exposed by the tradeoff between paying for strong cybersecurity versus paying good dividends or advancing some program that could provide immense benefit to a large part of the population. The best protection for managers facing these decisions is a strong risk analysis that was consulted when the decision was made.
When new programs are put into place, a good risk and threat analysis should be completed before important decision points, such as when the system architecture is signed off and before significant new or changed designs are deployed to unwary populations of any sort. It is unacceptable to defer cybersecurity analysis until after deployment. In the US military this is known as acquiring Authority to Operate.
Audience
All risk decisions need to start (in the corporate world) at the board of directors. This means that at least the executive summary of any risk document (including this one) is addressed to that level of control. But immediately after management, the system architect must be aware of the risk and include mitigations for the threats in every design. At the end of the day, the security of the system will reside with the policies and procedures that are followed by the programmers and the builders. Once they have completed their task, the finished product also needs to be evaluated and documentation prepared that can be reviewed by the final audience, the auditors and pen testers.
Gaps in Managing Cybersecurity Risks
References
- ↑ Kevin Stine (NIST) et al., Integrating Cybersecurity and Enterprise Risk Management (ERM), NISTIR 8286, https://csrc.nist.gov/publications/detail/nistir/8286/final or https://doi.org/10.6028/NIST.IR.8286