Security - Telenor
Security - Telenor
Security - Telenor
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
tems as category B, with only a one point difference,<br />
using very different approaches. When<br />
questioned informally, the meticulous user said<br />
that they learned a lot about their system and its<br />
environment, and that the resulting report would<br />
be used as part of the system documentation.<br />
The other user reported that the classification<br />
procedure was acceptable, but that they did not<br />
learn very much from the exercise and that the<br />
main benefit was that their security officer was<br />
satisfied.<br />
Risk Analysis During Product<br />
Development and Introduction<br />
The product development and introduction process,<br />
or P3 as it is more commonly referred to in<br />
<strong>Telenor</strong>, calls for risk analysis both of the project<br />
risks and a security risk analysis of the<br />
future product or service.<br />
The project risk analysis follows an intuitive<br />
process, and is quite straightforward.<br />
On the other hand, the security risk analysis<br />
begins with a security categorisation which<br />
decides the depth of analysis. A review of the<br />
security risk analysis is required for each formal<br />
phase evaluation the project is subjected to.<br />
Given enough time and that the product or service<br />
is categorised A or B, the security risk analysis<br />
is repeated one or more times before the<br />
product or service is launched.<br />
Risk Analysis in Practice<br />
All risk analyses are company confidential in<br />
<strong>Telenor</strong>. Confidentiality is necessary because<br />
one is very vulnerable after a risk analysis. Not<br />
only has the analysis uncovered weaknesses, it<br />
has also exposed and documented the mechanisms<br />
that can be used to exploit the weakness.<br />
Instead of looking into specific risk analysis, this<br />
article will highlight the methodology behind<br />
<strong>Telenor</strong>s Minimal Risk Analysis and some of the<br />
lessons learned.<br />
The Minimal Risk Analysis<br />
Users complained that the previous corporate<br />
risk analysis framework was too demanding,<br />
time consuming, inflexible and too focused on<br />
security risk analysis. Informal discussions with<br />
disapproving users pinpointed problems such as<br />
untrained analysts using semi-formal analysis<br />
methodologies, guidelines written by experts for<br />
expert use and too voluminous template files. In<br />
addition to this, the users had little or no chance<br />
of performing a risk analysis within real-world<br />
time constraints. In short; they felt the corporate<br />
risk analysis standard was impractical and theoretical.<br />
Telektronikk 3.2000<br />
The Minimal Risk Analysis (MRA) was developed<br />
as a response to these complaints. The primary<br />
objective was to propose a generic risk<br />
analysis framework that would give a methodical<br />
user a high success rate. The secondary objective<br />
was to have the Minimal Risk Analysis<br />
take less than one week to plan, execute and<br />
document. This contrasts the then current corporate<br />
methodology requiring a specialist analyst<br />
using perhaps 200 – 300 man-hours in a two to<br />
four month time scale.<br />
The resulting design of the MRA is three-part:<br />
1 A process guide; directing the user through<br />
a proven sequence of activities;<br />
2 A template file; giving the user a skeleton<br />
report;<br />
3 Threat assessment guidelines; assisting the<br />
user in uncovering threats.<br />
The Minimal Risk Analysis is object oriented.<br />
The TOE is described as an object consisting<br />
of sub-components which interact with and are<br />
influenced by external objects. As a minimum,<br />
each object or sub-component will be described<br />
by its internal structure, its function and its interaction<br />
with other objects or sub-components.<br />
The following threat identification phase systematically<br />
explores each object to identify<br />
threats.<br />
The Minimal Risk Analysis differs from the<br />
Standard Risk Analysis in three areas:<br />
• Formal methods are not mandatory in a Minimal<br />
Risk Analysis. This means that risk analysis<br />
expertise is not required, though it is helpful.<br />
However, the lack of formal methods does<br />
not mean that the analysis is unstructured. The<br />
user has a guideline for the work process, a<br />
template file for the report and structured aids<br />
to the security threat identification.<br />
• Acceptance criteria are not developed before<br />
the risk exposure is written. With a finalized<br />
risk exposure the decision-maker quickly sees<br />
which risks are acceptable or unacceptable.<br />
• Causal analysis is omitted from the threat<br />
analysis phase since the causal analysis is not<br />
very useful for the acceptable threats. A causal<br />
analysis is occasionally necessary to identify<br />
cost-effective treatment strategies for unacceptable<br />
threats, but treating an unacceptable<br />
risk is often quite straightforward.<br />
Practical use shows that a Minimal Risk Analysis<br />
of acceptable quality can be performed with-<br />
73