Development of an Audit Classification Index (ACI) for Federal e-learning Systems Security Vulnerabilities

Johnson, Gerald Deawne

01 January 2012

As U.S federal government agencies have increased the use of the Internet to utilize technologies such as e-learning, U.S. federal government information systems have become more exposed to security vulnerabilities that may contribute to system attacks and system exploitation. U.S. federal government agencies are required to come up with their own security solutions for ensuring their information systems are secured, however, security experts are having difficulties identifying what is needed to classify their information systems as secured. The aim of this developmental study is to develop an audit classification index (ACI) to assist in identifying vulnerabilities and classifying electronic learning (e-learning) systems at U.S. federal government agencies. The study identified the requirements for performing an audit of e-learning systems in U.S. federal government agencies. After the requirements were identified, the study used the ACI to audit the federal e-learning systems using a black-box approach and classified the e-learning systems based on the results of the audit. Additionally, a comparative group of electronic government (e-government) systems were also audited and classified using the ACI to compare the results against the e-learning systems. This study sought to contribute to the body of knowledge regarding the information security of U.S. federal e-learning systems by developing an ACI that can be used to identify vulnerabilities and classify U.S. federal e-learning systems as secured, good, marginal, unsatisfactory, or unsecured. By identifying the vulnerabilities of a particular information system, security experts should have a better understanding of what is needed to secure and determine the security level of U.S. federal information systems.

e-learning

FISMA

information security

information systems

information technology

vulnerabilities

Computer Sciences

Information Processing System To Security Standard Compliance Measurement: A Quantitative Approach Using Pathfinder Networks (Pfnets)

Hulitt, Elaine

11 December 2009

Continuously changing system configurations and attack methods make information system risk management using traditional methods a formidable task. Traditional qualitative approaches usually lack sufficient measurable detail on which to base confident, cost-effective decisions. Traditional quantitative approaches are burdened with the requirement to collect an abundance of detailed asset value and historical incident data and to apply complex calculations to measure the data precisely in work environments where there are limited resources to collect and process it. To ensure that safeguards (controls) are implemented to protect against a majority of known threats, industry leaders are requiring information processing systems to comply with security standards. The National Institute of Standards and Technology (NIST) Federal Information Risk Management Framework (RMF) and the associated suite of guidance documents describe the minimum security requirements for non-national-security federal information and information systems as mandated by the Federal Information Security Management Act (FISMA), enacted into law on December 17, 2002, as Title III of the E-Government Act of 2002. This study proposes using the Pathfinder procedure to mathematically model an information system FISMA-required security control state and an actual information system security control state. A comparison of these two security control states using the proposed method will generate a quantitative measure of the status of compliance of the actual system with the FISMA-required standard. The quantitative measures generated should provide information sufficient to plan risk mitigation strategy, track system compliance to standard, and allow for the discussion of system compliance with the FISMA-required standard in terms easily understood by participants at various levels of an organization without requiring all to have detailed knowledge of the internals of the security standard or the targeted system. The ability to clearly articulate system compliance status and risk mitigation requirements is critical to gaining the support of upper-level management whose responsibility it is to allocate funds sufficient to support government security programs.

Secure Architecture Modeling

Risk Analysis

Standards Compliance Modeling

FISMA

RMF

Pathfinder Networks

Assuring Post Processed Telemetry Data Integrity With a Secure Data Auditing Appliance

Kalibjian, Jeff, Wierenga, Steven

10 1900

ITC/USA 2005 Conference Proceedings / The Forty-First Annual International Telemetering Conference and Technical Exhibition / October 24-27, 2005 / Riviera Hotel & Convention Center, Las Vegas, Nevada / Recent federal legislation (e.g. Sarbanes Oxley, Graham Leach Bliley) has introduced requirements for compliance including records retention and records integrity. Many industry sectors (e.g. Energy, under the North American Energy Reliability Council) are also introducing their own voluntary compliance mandates to avert possible additional federal regulation. A trusted computer appliance device dedicated to data auditing may soon be required in all corporate IT infrastructures to accommodate various compliance directives. Such an auditing device also may have application in telemetry post processing environments, as it maybe used to guarantee the integrity of post-processed telemetry data.

Compliance

Audit

Hardware Security Modules (HSM)

Common Criteria (CC)

security boundary

key management