SIT382 Assessment 1
The reliance of our society on IT systems has dramatically increased over recent years. Unfortunately,
the value of the assets that could be compromised through an IT system extends beyond the monetary
value: it is impossible to ignore that the security of IT often affects the safety of Operational
IT systems suffer from failures in maintaining security because of their increasing
complexity, the evolution of attackers’ capabilities, and the increasing value of the assets that they
hold. Exploitable vulnerabilities and risks will always exist, and their characteristics can change over
the course of an IT system’s life. There is, however, a need to manage within acceptable parameters
these errors, vulnerabilities and risks over the life of IT system. The task of those responsible for the
security of IT systems is to establish acceptable levels of security assurance and risk objectives for the
In terms of IT security, adequate security assurance signifies that specific predefined security
requirements have been addressed through the presentation of a security assurance case: it is the
result of performing appropriate security assurance processes and activities. These security assurance
processes and activities need to be described in the form of a reasoned and compelling argument (or
many arguments), supported by a body of evidence for a security-related claim. Such a claim is
typically about certain Security Targets being met by product, system, service or organisation.
Security assurance requirements are determined from the security problem posed by the deliverable
(and potentially other factors), influencers, security requirements, and the target environment for the
deliverable. As such, it is important to understand and specify the scope and boundaries for a
deliverable that is subject to a security assessment.
Security assurance arguments substantiate security assurance claims which means that the arguments
should be structured in the appropriate manner. In general, security assurance arguments can be
constructed in many different ways and drawn from many different sources. However, for this
assessment Target of Evaluation (TOE) is a product or service. Security assurance argument must be
based on one of the following alternatives:
(a) Tools/methods used to test and evaluate TOE;
(b) Tools/methods used to design TOE.
In order to score a higher grade for their essay, students must follow specific pattern: the essay should
contain the main security argument, counterargument and defence of the main security argument.
The scope of security problems for your essay is bounded by those occurring in authentication and
access control systems. In the essay, a student is encouraged to develop an assurance argument that
contributes to one of the following security requirements:
– Human user identification and authentication;
– Machine (e.g. IoT) identification and authentication;
– Account management;
– Authenticator management;
– Strength of password-based authentication;
– Strength of public key authentication;
– Authorization enforcement;
– Auditable events;
It is not required to develop a complete security assurance case for one of the listed requirements.
For the essay, it is sufficient to evolve around argument(s) that can fit within potential assurance case.
For instance, an argument that claims security/privacy of attribute-based authentication may fit
within the assurance cases for ‘Human user identification and authentication’, ‘Machine (e.g. IoT)
identification and authentication’, ‘Authorization enforcement’. However, it is the student’s task to
demonstrate ‘how?’ security assurance argument fits there. The length of the essay should be 1500-
2000 words (minimum 1500 words, single spaced, 12pt font, on the A4-sized paper).
本网站支持 Alipay WeChatPay PayPal等支付方式
E-mail: firstname.lastname@example.org 微信号:vipnxx