SunSAR – Security Adequacy Review
Recently, James McGovern blogged about Sun Microsystems' IT security practices: “Sun’s SAR methodology is an approach to solving the age-old problem of secure coding practices and is in many ways better than Microsoft’s approach yet the world doesn’t even know about it.”
Raj Patel of the Sun IT Security Office provided this explanation of the Sun process:
“Sun Microsystems IT Security Office has developed and implemented the SunSAR (Sun Security Adequacy Review) process and technology to ensure that the security provisioning for a given application system is sufficient to support our business model. It not only assesses and quantifies the current risk, but it also specifies the design requirements and security practices for mitigating the risk. Based on industry best practices and principles, the SunSAR implements the dynamic security model. It provides solutions that are both repeatable and deterministic. SunSAR works well for both homogeneous and heterogeneous operating system environments.
“A primary objective of the SunIT security office (ITSO) is to establish information risk management as an integral part of Sun’s corporate culture and business risk management process. ITSO’s role in meeting this objective is to provide the business areas with tools that facilitate the identification of risks to corporate, customer, partner and employee information and the selection of appropriate controls to mitigate those risks.
“The ITSO has adopted the definitions of information risk and information risk evaluation put forward by the Information Security Forum (ISF) and has adopted a five phase process to support Sun Security Adequacy Review Evaluation:
“Phase I, SOP: SOP is a demographic profile of the application or system, and produces a Security Overview Profile.
“Phase II, BIA: BIA produces a Business Impact Assessment of worst-case situations due to absence/failure of security controls.
“Phase III, TIP: TIP produces a Security Technical Implementation Profile for the application system.
“Phase IV, TVCA: TVCA identifies threats and vulnerabilities that need countermeasure controls for situations with the highest probability of greatest business impact, and documents those countermeasures.
“Phase V, PTA: PTA identifies whether the security provisions implemented by Partners on its communication and computing infrastructure can be trusted.”
The 247-page ISF Security Standard, upon which the SunSAR process is based, can be downloaded at no charge from the ISF website. This authoritative volume addresses five key aspects of information security:
- Security Management
- Critical Business Applications
- Computer Installations
- Networks
- Systems Development