CRSTIP - An Assessment Scheme for Security Assessment Processes
This work addresses the need for efficient and manageable security processes for operators of critical infrastructures, though it appears incremental as it builds on existing assessment frameworks.
The paper tackles the problem of assessing the maturity of security assessment processes in complex networked systems by introducing the CRSTIP scheme, which evaluates compliance, risk assessment, and security testing with a focus on formalisms, integration, and tool-support, as demonstrated in a case study from the RASEN research project.
Complex networked systems are an integral part of today's support infrastructures. Due to their importance, these systems become more and more the target for cyber-attacks, suffering a notable number of security incidents. Also, they are subject to regulation by national and international legislation. An operator of such an infrastructure or system is responsible for ensuring its security and correct functioning in order to satisfy customers. In addition, the entire process of risk and quality control needs to be efficient and manageable. This short paper introduces the Compliance, Risk Assessment and Security Testing Improvement Profiling (CRSTIP) scheme. CRSTIP is an evaluation scheme that enables assessing the maturity of security assessment processes, taking into consideration systematic use of formalisms, integration and tool-support in the areas of compliance assessment, security risk assessment and security testing. The paper describes the elements of the scheme and their application to one of the case studies of the RASEN research project.