University of Oulu

Kelo, T., Eronen, J., Experiences from development of security audit criteria., 16th European Conference on Cyber Warfare and Security, ECCWS 2017, ISSN: 2048-8602, p. 208-215

Experiences from development of security audit criteria

Author: Kelo, Tomi (1); Eronen, Juhani (2)
Organizations: (1) Department of Pervasive Computing, Tampere University of Technology, Finland
(2) Department of Computer Science and Engineering, University of Oulu, Finland
Format: article
Version: accepted version
Access: open
Online Access: PDF Full Text (PDF, 0.1 MB)
Language: English
Published: Academic Conferences and Publishing International, 2017
Publish Date: 2020-04-30

Cyber-attacks have grown in importance to become a matter of national security. A growing number of states and organisations around the world have been developing defensive and offensive capabilities for cyber warfare. Security criteria are important tools for the defensive capabilities of critical communications and information systems (CIS). Various criteria have been developed for designing, implementing and auditing CIS. The paper is based on work done from 2008 to 2016 at FICORA, the Finnish Communications Regulatory Authority. FICORA has actively participated in the development and use of three versions of Katakri, the Finnish national security audit criteria. Katakri is a tool for assessing the capability of an organisation to safeguard classified information. While built for governmental security authorities, usefulness for the private sector has been a central design goal of the criteria throughout their development. Experiences were gathered from hundreds of CIS security audits conducted against all versions of Katakri. Feedback has also been gathered from CIS audit target organisations, including governmental authorities and the private sector, from other Finnish security authorities, from FICORA's accredited third-party Information Security Inspection Bodies, and from public sources. This paper presents key lessons learnt and discusses recommendations for the design and implementation of security criteria. Security criteria have significant direct impacts on CIS design and implementation. Criteria design is always a trade-off between the varying goals of the target users. Katakri has tried to strike a balance between the different needs for security criteria. The paper recommends that criteria design should stem from a small set of strictly defined use cases. Trying to cover the needs of a wide variety of different use cases quickly renders the criteria useless as an assessment tool. In order to provide sufficient information assurance, security criteria should describe requirements on a reasonably concrete level, but also provide support for the security and risk management processes of the target users.


Series: Proceedings of the European conference on information warfare and security
ISSN: 2048-8602
ISSN-E: 2048-8629
ISSN-L: 2048-8602
ISBN: 978-1-911218-44-9
ISBN Print: 978-1-911218-43-2
Pages: 208 - 215
Host publication: 16th European Conference on Cyber Warfare and Security, ECCWS 2017
Host publication editors: Scanlon, M.; Le-Khac, N.-A.
Conference: European Conference on Cyber Warfare and Security
Type of Publication: A4 Article in conference proceedings
Field of Science: 113 Computer and information sciences
Copyright information: © The Authors 2017. All rights reserved.