give a hyphothetical example of security measure fails the r

give a hyphothetical example of security measure fails the reasonable assurance test

Solution

Meaning of Reasonable Assurance

It is the level of assurance/ confidence that an auditor after exercising his professional skills and competence, believes that financial statements are not \"materially misstated\" and that they reflect true and fair view.

Meaning of Absolute Assurance

An auditor can always provide High level of assurance ( termed as reasonable assurance) but not absolute assurance, i.e., not 100% assurance that financial statements are free from any material misstatement due to inherent limitations of an audit.

Fundamental concept of security assurance

With advancement of technology, every organisation face new challenges relating to protection of information due to threats relating:

of data, information and services. Systems are prone to failure and security violations. The industry realised that it is impossible to guarentee an error free, risk free and secure system due to inherent limitations like human errror and oversight, component and equipment failure, etc.

Completely secure systems do not exist. The task of security engineering and management is to manage the security risk by mitigating the vulnerabilities and threats with technological and organizational security measures to achieve a system with acceptable assurance.

Assurance and Confidence

It is important to emphasize that assurance and confidence are not identical and cannot be used in place of one another. Confidence, from the perspective of an individual, is related to the belief that one has in the assurance of an entity, whereas assurance is related to the demonstrated ability of an entity to perform its security objectives. Assurance is determined from the evidence produced by the assessment process of an entity.

For security engineering, “assurance” is defined as the degree of confidence that the security needs of a system are satisfied. Assurance does not add any additional controls to counter risks related to security, but it does provide confidence that the controls that have been implemented will reduce the anticipated risk.

Assurance Requirements:

Security assurance requirements are determined by analyzing the security requirements of the IT system, influencers, policies, business drivers and the IT system’s target environment. Security is concerned with the protection of assets. “Assets” are entities upon which someone places value. Many assets are in the form of information that is stored, processed and transmitted by IT products to meet requirements laid down by owners of the information. Safeguarding assets of interest is the responsibility of the owners who place value on those assets.

A risk assessment is performed to provide an in-depth look at asset sensitivity, vulnerabilities and threats to determine the residual risk and recommendations for existing and proposed safeguards. The recommendations implemented are factored into the original security requirements to revise the security assurance requirements.

It is also important to note that “assurance requirements are unique to each environment due to the myriad business and security requirements of each environment. The same IT system may not be suitable to other environments without modifications because different assurance requirements will usually need to be satisfied.

Selecting security assurance

Selecting a security assurance method and the appropriate amount of assurance should be based on the organizational security assurance policy, business requirements and type of deliverable (i.e., product, process, environment, system, service or personnel). The following are brief descriptions commonly used models:

The selected assurance method should be compatible with the organization’s environment and should be capable of examining the desired attributes and life-cycle stages of the deliverable. The assurance method selection must take into account available resources (e.g., time, personnel, budget) to ensure that the resources expended are reasonable for the type and amount of assurance obtained.

Assurance Aproach

Assurance methods can be categorized into three high-level approaches:

ISO/IEC TR 15443 defines these three high-level approaches as follows. Assessment of a deliverable involves an examination of the deliverable (e.g., product, system, service). In this case, these assurance methods examine the deliverable and its associated security design documentation independent of the development processes.

Assessment of a process involves an examination of the organizational processes used in the production and operation of the deliverable throughout its life cycle (i.e., development, deployment, delivery, testing, maintenance, disposal). Assurance is gained through the inference that the processes implemented by people affect the quality of the development and implementation of the deliverable and, therefore, yield security assurance when applied to ITS deliverables.

Assessment of the environment involves an examination of the environmental factors that contribute to the quality of the processes and the production of the deliverable (it does not examine a deliverable or process directly). These factors include personnel and physical facilities (e.g., development, production, delivery, operation).

Assurance methods produce specific types of assurance depending on their technical and life-cycle focus. Some of the more widely known assurance methods for a given focus include:

Correctness and effectiveness

Assurance can be viewed as the confidence that safeguards will function as intended. This confidence derives from the properties of correctness and effectiveness. “Correctness assurance” refers to the assessment of the deliverable to verify the correct implementation according to the design. In contrast, “effectiveness assurance” refers to the suitability of the deliverable’s security functions to counter the perceived or identified threats.

The concept can be illustrated with two examples from ISO/IEC TR 15443:³⁰

CONCLUSION

Traditionally, assurance has been associated only with IT products and systems composed of hardware or software and referred to as “product assurance” or “system assurance.” It is now recognized that to address a wider range of risks, there is a need for assurance of other security objectives such as a security service, process, personnel, organization or other environmental factors.

Assurance may be sought by the stakeholders of IT systems who have assets at risk in IT systems. Therefore, the determination of an acceptable assurance method and level of assurance may be required/and or influenced by the stakeholders.

Direct qualification or valuation of the contribution of assurance or increased assurance to the organization is not easy to achieve. However, increased assurance of a security control reduces the uncertainty associated with the risk, specifically the vulnerability components of the risk that the control is implemented to address.

It is necessary to understand how each assurance method establishes assurance in order to decide whether a particular assurance method will satisfy the organization’s assurance requirements.

Thus keeping in mind all the above factors, any security measure are influenced by not a single factor but a gamut of factors affecting its correct and complete implementation and hence even reasonable assurance may not be successfully given in such a case.