Electronic Information Security Documentation

Effective security management depends upon good risk management, which is itself based upon a reliable risk assessment, involving data collection of all the facets influencing system risk. Such data collection is often an extremely onerous task, particularly if a substantial proportion of the required information is not adequately documented. Hence comprehensive, updated information security documentation is a keystone of good information security management. Whilst the recently emerging information security management standards provide some implicit guidance on the development of documentation; there is relatively little support available for security officers attempting to develop and maintain such documentation. Traditionally textual security documents are not necessarily the most appropriate format for describing the security of large complex, networked systems, subject to frequent updates. It has been suggested [1], [2] that a security officer’s workstation, with a database and GUIs, may present a more effective form of security documentation. However, such a tool requires a welldeveloped model of the information system and, as discussed in this paper, a standardised means of representing security entities. This paper proposes an information security model to facilitate the development of electronic security documentation. A proposed security entity classification scheme is first described. Such a classification scheme and the use of object identifiers to identify security entities greatly facilitates the development of a security officer’s workstation. The potential of the model for risk assessment and security design is described. A prototype model was developed in Visual Basic to test the concepts proposed, and a Java based model is currently under development at the City University of Hong Kong.