
Control Classes

We define seven classes of control, see Table 1. They fall into three broad categories of control, traditionally known as preventive, detective and reactive. Class 1 is the most effective class, Class 2 the next most effective, and so on down to Class 7.

Class  Ability to detect the event and take recovery action                                Type
1      Prevents the event, or detects the event as it happens and prevents any impact       Preventive
2      Detects the event and reacts fast enough to fix it well within the time window       Detective
3      Detects the event and just reacts fast enough to fix it within the time window       Detective
4      Detects the event but cannot react fast enough to fix it within the time window      Detective
5      Fails to detect the event but has a partially deployed BCP                           Reactive
6      Fails to detect the event but does have a BCP                                        Reactive
7      Fails to detect the event and does not have a BCP                                    Reactive

Table 1: Control Class Definitions

They are directly related to the time metrics defined in our fundamental model. These relationships are presented in Table 2.

Class  Time metrics
1      ΔTd and ΔTf are both very, very small
2      ΔTd is sufficiently short for Tf to be comfortably within Tw
3      Td is such that Tf is close to Tw (i.e. a near miss)
4      Td is too late, Tf being greater than Tw
5      Tm is greater than Tw; Tf follows on soon after
6      Tm is greater than Tw; there is an appreciable delay before Tf
7      Tm is greater than Tw; there is a significant delay before Tf

Table 2: How the time metrics relate to control class
Note: Δ means time relative to the time of the event, e.g. ΔTd = Td - TE

Note that ΔTw cannot be measured directly. If there is no impact, all we can say is that Tf is less than Tw. If there is an impact, Tw equals the time at which the impact occurred. All the other metrics can be measured directly.

We will now explore the relationship between these control classes and the behaviour of real ICSs.  In particular we examine control failure, self-policing procedures and unanticipated events and impacts. This examination allows us to specify the criteria for operationally effective ICSs and thereby categorise them into different levels of effectiveness.

Control Failures

It is important to recognise that all controls may fail, as exemplified earlier.

We should note that detective controls can be downgraded. A particular failure mode of a Class 2 or Class 3 control is that fixing the problem takes longer than anticipated. The delay makes the control behave as if it belonged to a less effective class: a Class 2 control may behave as a Class 3 or, at worst, a Class 4, and a Class 3 control may behave as a Class 4. Where a Class 3 control is only "just in time" before the time window expires, downgrading is quite likely.
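The classification in Table 2, together with the downgrading just described, can be made concrete. The following Python is an added illustration, not code from the paper: it takes an incident's ΔT metrics and returns its control class, treats ΔTw as measurable only once an impact has occurred (the caveat noted under Table 2), and compares the class a control was designed to achieve with the class it actually achieved when the fix slipped. The thresholds EPSILON and COMFORT_FRACTION, which turn "very very small" and "comfortably within" into numbers, the use of the BCP state for the undetected rows, and the sample incident are all assumptions.

```python
"""Control class from the time metrics of Table 1 and Table 2.

Added illustration, not code from the Gamma paper. The numbers that turn
"very very small" and "comfortably within" into thresholds are assumptions
(EPSILON and COMFORT_FRACTION below). All times are ΔT values, i.e. seconds
relative to the event time TE, as in the note under Table 2.
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Optional, Tuple

EPSILON = 1.0            # assumption: "very very small" means within 1 s of the event
COMFORT_FRACTION = 0.5   # assumption: "comfortably within" means fixed in the first half of the window


class BCP(Enum):
    NONE = 7       # Table 1, row 7: no BCP
    EXISTS = 6     # Table 1, row 6: a BCP exists
    PARTIAL = 5    # Table 1, row 5: a BCP is already partially deployed


@dataclass(frozen=True)
class Incident:
    dt_d: Optional[float]              # ΔTd: event -> detection; None = never detected
    dt_f: Optional[float]              # ΔTf: event -> fix; None = never fixed
    dt_w_estimate: float               # ΔTw as assumed when the control was designed
    dt_impact: Optional[float] = None  # ΔT at which an impact actually occurred, if any
    bcp: BCP = BCP.NONE                # what is available if detection fails


def effective_window(i: Incident) -> float:
    """ΔTw cannot be measured directly (note under Table 2). If an impact occurred,
    Tw is the time of that impact; otherwise only the estimate is available and,
    after a fix with no impact, all we know is Tf < Tw."""
    return i.dt_impact if i.dt_impact is not None else i.dt_w_estimate


def control_class(i: Incident) -> int:
    """Map one incident's ΔT metrics onto Class 1..7."""
    if i.dt_d is None:
        return i.bcp.value                      # undetected: rows 5-7 depend on the BCP
    window = effective_window(i)
    if i.dt_f is None or i.dt_f > window:
        return 4                                # detected, but fixed too late or not at all
    if i.dt_d <= EPSILON and i.dt_f <= EPSILON:
        return 1                                # stopped as it happened, no impact
    if i.dt_f <= COMFORT_FRACTION * window:
        return 2                                # comfortably inside the window
    return 3                                    # inside the window, but a near miss


def downgraded_class(i: Incident, actual_dt_f: float) -> Tuple[int, int]:
    """Designed class (anticipated fix time) versus the class actually achieved.

    This is the failure mode described in the text: fixing takes longer than
    anticipated, so a Class 2 or 3 control behaves as a Class 3 or 4.
    """
    return control_class(i), control_class(replace(i, dt_f=actual_dt_f))


if __name__ == "__main__":
    # Constructed incident: detected after 1 min, fix planned at 10 min, window assumed 60 min.
    designed = Incident(dt_d=60, dt_f=600, dt_w_estimate=3600)
    print("designed class:", control_class(designed))                          # 2
    print("fix slips to 50 min:", downgraded_class(designed, 3000))            # (2, 3)
    print("fix slips to 70 min:", downgraded_class(designed, 4200))            # (2, 4)
    print("impact at 5 min:", control_class(replace(designed, dt_impact=300)))  # 4
```

The last call shows why the estimate of ΔTw matters: the control looked like a comfortable Class 2 on paper, but once an impact is observed five minutes after the event, Tw is known to be 300 s and the same fix is a Class 4 outcome.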

Figure 6: The potentially disastrous effect of control failures

Self-Policing Procedures

The defence is to have some other control to address failures in the first.  In practice there will be a sequence of controls as illustrated in Figure 7.

Figure 7: A sequence of controls to defend against control failures

Such a sequence is known as a self-policing procedure: a sequence of controls constructed so that any error or failure that occurs during its execution is promptly detected.

Initial detection is performed by a Class 2 control.  It must be Class 2 in order to guarantee prompt detection and give sufficient time for the appropriate action to be taken before expiry of the time window.

As an example, consider a network monitoring system. When there is a failure it raises a "problem flag" and automatically sends it to the engineers responsible for fixing that type of problem. When the problem has been fixed, the engineers clear the problem flag. The engineers can falsely claim to have fixed the problem, but they cannot clear the alarm that raised the flag in the first place without actually fixing it. Think of this as a safety interlock. In addition, if the alarm is not cleared within a specified time, another problem flag is raised and sent to a higher level of management. Thus, falsely claiming to have fixed a problem, or not fixing it at all, does not silence the alarm but merely escalates it to a higher level of management. This is a rather well-honed example of a fail-safe self-policing procedure. Note, however, that if corrective action is never taken, the overall procedure degrades to a Class 4.
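The network-monitoring procedure above, simulated in Python. This is an added illustration, not code from the paper; the three-level escalation ladder, the 30-minute escalation timeout and the link-down fault are constructed. The interlock is that the flag is cleared by re-reading the alarm condition, never by the engineer's claim; when the top of the ladder is reached and the alarm is still active, the record is marked as degraded to Class 4, as the last sentence of the paragraph warns.

```python
"""Fail-safe self-policing procedure from the network-monitoring example.

Added illustration, not code from the Gamma paper. The alarm source, the
escalation ladder (on-call engineer -> team lead -> head of operations) and
the escalation timeout are assumptions. Time is a logical clock in minutes.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

ESCALATION_TIMEOUT = 30   # assumption: minutes an open flag may wait before the next level is told


@dataclass
class ProblemFlag:
    raised_at: int
    level: int                      # position in the escalation ladder
    cleared_at: Optional[int] = None


@dataclass
class Problem:
    flags: List[ProblemFlag] = field(default_factory=list)   # one flag per level reached
    closed_at: Optional[int] = None
    degraded: bool = False          # ladder exhausted with the alarm still active (Class 4)

    @property
    def level(self) -> int:
        return self.flags[-1].level


class SelfPolicingMonitor:
    """The Class 2 detective control (the alarm) plus the escalation that polices the fix."""

    def __init__(self, alarm_active: Callable[[], bool], ladder: List[str]) -> None:
        self.alarm_active = alarm_active     # reads the real system state, not the engineers' claims
        self.ladder = ladder
        self.problems: List[Problem] = []
        self.log: List[str] = []

    def open_problem(self) -> Optional[Problem]:
        return next((p for p in self.problems if p.closed_at is None), None)

    def poll(self, now: int) -> None:
        """Raise a flag when the alarm fires; escalate an open flag that has outlived the timeout."""
        prob = self.open_problem()
        if prob is None:
            if self.alarm_active():
                self.problems.append(Problem([ProblemFlag(now, 0)]))
                self.log.append(f"t={now}: problem flag raised -> {self.ladder[0]}")
            return
        top = prob.flags[-1]
        if now - top.raised_at < ESCALATION_TIMEOUT:
            return
        if top.level + 1 < len(self.ladder):
            prob.flags.append(ProblemFlag(now, top.level + 1))
            self.log.append(f"t={now}: not cleared within {ESCALATION_TIMEOUT} min"
                            f" -> escalated to {self.ladder[top.level + 1]}")
        elif not prob.degraded:
            prob.degraded = True    # nobody acted: corrective action never taken
            self.log.append(f"t={now}: ladder exhausted, alarm still active; procedure degraded to Class 4")

    def claim_fixed(self, now: int, who: str) -> bool:
        """Safety interlock: the flag clears only if the alarm has really gone. A false claim changes nothing."""
        prob = self.open_problem()
        if prob is None:
            return False
        if self.alarm_active():
            self.log.append(f"t={now}: {who} claimed a fix but the alarm is still active -> rejected")
            return False
        for f in prob.flags:
            f.cleared_at = now
        prob.closed_at = now
        self.log.append(f"t={now}: {who} fixed the problem; alarm and flags cleared")
        return True


def run_demo(repair_at: Optional[int]) -> SelfPolicingMonitor:
    """Constructed scenario: a monitored link goes down at t=0. The on-call engineer
    falsely claims a fix at t=10; the link is really repaired at repair_at (None = never)."""
    link = {"down": True}
    mon = SelfPolicingMonitor(lambda: link["down"], ["on-call engineer", "team lead", "head of operations"])
    for now in range(0, 121, 5):
        if repair_at is not None and now == repair_at:
            link["down"] = False                        # the genuine repair
        mon.poll(now)
        if now == 10:
            mon.claim_fixed(now, "on-call engineer")    # false claim: link is still down
        if repair_at is not None and now == repair_at:
            mon.claim_fixed(now, "on-call engineer")    # genuine claim: accepted
    return mon


if __name__ == "__main__":
    for line in run_demo(65).log + ["---"] + run_demo(None).log:
        print(line)
```

With a repair at t=65 the false claim at t=10 is rejected, the flag escalates at t=30 and t=60, and only the genuine repair clears it. With no repair the ladder is exhausted at t=90 and the record shows the procedure degraded to Class 4.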

Unanticipated Events and Impacts

If there is an unanticipated event or impact, it is possible, by good luck or sound judgement, that the ICS will contain something that deals with it satisfactorily. If not, we need, almost by default, a Class 7 control to deal with it. Such a control is, in some circles, referred to as an ad hoc procedure.

Effectiveness Principles and Criteria

Extremes of effectiveness and ineffectiveness

Let us start by imagining what the most operationally ineffective ICS might look like:

  • Whatever controls it did have, if they did not work you would not find out until it was too late. 

  • Indeed, all the detective controls would be so slow to detect an event that the time window would always expire before the problem could be fixed.

  • There would be no BCPs.  When an incident happened, management would always be unprepared.

In contrast, let us imagine what the most operationally effective ICS might look like:

  • Whatever controls it had, if they did not work you would find out immediately and be able to take appropriate action well within the time window.  In fact all of the controls would be fail-safe self-policing procedures.

  • Indeed, all the detective controls would work so fast that they would be non-degradable Class 2 controls. The reactive controls would all be Class 5.

  • The BCPs would be so comprehensive that, when an incident did happen, management would always find that its existing Class 5 BCPs would deal with the problem entirely.

Each of these two extremes illustrates the same three principles by which we can judge the operational effectiveness of an ICS. We call them respectively robustness, speed and anticipation:

  • The robustness of the ICS in the event of a control failure

  • The speed at which the ICS can react to events

  • The ability of the ICS to deal with the unexpected.

Some middle ground

We hope that no organisation ever has to suffer such an ineffective ICS as described above.  In the categorisation below we will therefore exclude it.  Likewise, we exclude the most effective ICS described above as it is too perfect.  We therefore postulate some middle ground, which ideally ought to reflect good practice, and base our criteria around that.  We propose for the middle ground:

  • There would be some self-policing procedures, some of which may be fail-safe. [robustness].

  • There would be a mixture of Class 2, 3 and even Class 4 detective controls. The Class 2 and 3 controls that were not protected by fail-safe self-policing procedures may degrade to Class 4. [speed].

  • There would be at least one Class 6 BCP dealing with some catastrophe such as fire.   Other incidents would be dealt with through an ad hoc procedure. [anticipation].

Above and below average

If we now think of the middle ground as some average, then we can contemplate an ICS which is below average and one that is above average. Below average would perhaps mean that the ICS fails one of the middle-ground criteria. Well below average would imply that it fails two, but not all three, because failing all three would describe our worst case, which we wish to exclude. Likewise, we can consider an ICS that is above average as one that exceeds one of the middle-ground criteria. Well above average therefore exceeds two or more such criteria.

Robustness

The middle ground criterion is:

R1 - There are some self-policing procedures, some of which may be fail-safe

A stronger criterion is:

R2 - There are some self-policing procedures, at least one of which is fail-safe.

Speed

The middle ground criterion is:

S1 - There is a mixture of Class 2, 3 and even Class 4 detective controls. The Class 2 and 3 controls that are not protected by fail-safe self-policing procedures may degrade to Class 4.

A stronger criterion is:

S2 - There is a majority of Class 2 detective controls, with possibly some Class 3 or even Class 4. The Class 2 and 3 controls that are not protected by fail-safe self-policing procedures may degrade to Class 4.

Anticipation

The middle ground criterion is:

A1 - There is at least one Class 6 BCP dealing with some catastrophe (e.g. fire). Other unexpected events or incidents are dealt with through an ad hoc procedure.

A stronger criterion is:

A2 - There are a variety of BCPs (some of which may be Class 5) dealing with the failure of a control or with some catastrophe (e.g. fire). Other unexpected events or incidents are dealt with through an ad hoc procedure.

Categories of ICS

We can apply the criteria and determine the category of the ICS using a simple marking scheme. We award 3 marks for each of R1, S1 and A1 that is satisfied, and 1 extra mark for each that is exceeded (i.e. where R2, S2 or A2 is met). The maximum is therefore 12 marks.

The resulting categorisation is:

  • Well above average (AAA rating) 11 or higher

  • Above average (A*) 10

  • Average (A) 9

  • Below average (B) 6 - 8

  • Well below average (C) 4 or lower.

Example 1

To achieve a AAA rating, we need to satisfy all three criteria and surpass at least two.  Thus we gain 3 marks for each criterion that is satisfied, giving 3 x 3 = 9, plus 1 mark for each criterion exceeded, giving 9 + 2 = 11.  If we exceed all three criteria, then the total mark is 9 + 3 = 12, i.e. for AAA rating we need to score 11 or higher.

Example 2

To achieve a B rating, we fail one criterion, but we might exceed either or both of those that we pass. We achieve 3 marks for passing a criterion and 4 if we exceed it. Thus, for a B rating, at worst we just pass two (i.e. the total mark is 3 + 3 = 6) and at best we exceed two (i.e. the total mark is 4 + 4 = 8). If we pass one and exceed the other, the total mark is 3 + 4 = 7. Thus the range of marks that gives a B rating is 6 - 8.
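The marking scheme applied to an ICS inventory, as an added Python illustration (not code from the paper). The criteria are tested as stated under Robustness, Speed and Anticipation above; where the prose leaves room for interpretation (what counts as "a mixture" for S1 and "a variety" for A2), the interpretation chosen is noted in the code. The four inventories are constructed to land on the A, AAA, B and C bands.

```python
"""Scoring an ICS against the R, S and A criteria and mapping the marks to a rating.

Added illustration, not code from the Gamma paper. The ICS inventories below are
constructed, and the way each criterion is tested is an interpretation of the
paper's prose criteria (noted per function).
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class DetectiveControl:
    name: str
    control_class: int          # 2, 3 or 4 (Table 1)


@dataclass(frozen=True)
class SelfPolicingProcedure:
    name: str
    fail_safe: bool


@dataclass(frozen=True)
class BCP:
    name: str
    control_class: int          # 5 or 6 (Table 1)


@dataclass(frozen=True)
class ICS:
    detective: List[DetectiveControl]
    procedures: List[SelfPolicingProcedure]
    bcps: List[BCP]


def mark(middle: bool, stronger: bool) -> int:
    """3 marks for meeting the middle-ground criterion, 1 extra for exceeding it, 0 for failing."""
    if not middle:
        return 0
    return 4 if stronger else 3


def robustness(ics: ICS) -> int:
    r1 = len(ics.procedures) > 0                          # R1: some self-policing procedures
    r2 = any(p.fail_safe for p in ics.procedures)         # R2: at least one of them is fail-safe
    return mark(r1, r2)


def speed(ics: ICS) -> int:
    # S1 interpreted as: there are detective controls and not all of them are Class 4.
    s1 = any(c.control_class in (2, 3) for c in ics.detective)
    # S2: a (strict) majority of the detective controls are Class 2.
    class2 = sum(1 for c in ics.detective if c.control_class == 2)
    s2 = class2 * 2 > len(ics.detective)
    return mark(s1, s2)


def anticipation(ics: ICS) -> int:
    a1 = any(b.control_class <= 6 for b in ics.bcps)      # A1: at least one Class 6 (or better) BCP
    # A2 interpreted as: more than one BCP, at least one of them Class 5.
    a2 = len(ics.bcps) >= 2 and any(b.control_class == 5 for b in ics.bcps)
    return mark(a1, a2)


def total_marks(ics: ICS) -> int:
    return robustness(ics) + speed(ics) + anticipation(ics)


def rating(total: int) -> str:
    """Bands from 'Categories of ICS'. A total of 5 cannot occur: each criterion scores 0, 3 or 4."""
    if total >= 11:
        return "AAA"
    if total == 10:
        return "A*"
    if total == 9:
        return "A"
    if 6 <= total <= 8:
        return "B"
    return "C"


# Constructed inventories (assumptions, chosen to illustrate each band).
MIDDLE_GROUND = ICS(
    detective=[DetectiveControl("log review", 2), DetectiveControl("reconciliation", 3),
               DetectiveControl("annual audit", 4)],
    procedures=[SelfPolicingProcedure("change approval chain", fail_safe=False)],
    bcps=[BCP("fire", 6)],
)
STRONG = ICS(
    detective=[DetectiveControl("network alarm", 2), DetectiveControl("IDS", 2),
               DetectiveControl("reconciliation", 3)],
    procedures=[SelfPolicingProcedure("alarm escalation", fail_safe=True),
                SelfPolicingProcedure("change approval chain", fail_safe=False)],
    bcps=[BCP("fire", 6), BCP("standby site", 5)],
)
NO_SELF_POLICING = ICS(detective=STRONG.detective, procedures=[], bcps=STRONG.bcps)
WEAK = ICS(detective=[DetectiveControl("annual audit", 4)], procedures=[], bcps=[BCP("fire", 6)])

if __name__ == "__main__":
    for label, ics in [("middle ground", MIDDLE_GROUND), ("strong", STRONG),
                       ("no self-policing", NO_SELF_POLICING), ("weak", WEAK)]:
        print(f"{label}: {total_marks(ics)} marks -> {rating(total_marks(ics))}")
```

NO_SELF_POLICING is Example 2's best case: it fails R1 but exceeds both S and A, so it scores 4 + 4 = 8 and still only rates B, which is the point of the scheme: no amount of speed or anticipation compensates for a missing robustness criterion.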

             
             
             
 
Gamma is an ISO/IEC 27001:2005 and BS EN ISO 9001:2000 registered company, certified for the provision of information security consultancy. BSI certificate numbers IS 85916 and FS 30710. Please send comments to webmaster@gammassl.co.uk or complete our Visitors' Book. Gamma Secure Systems, Diamond House, Frimley Road, Camberley, Surrey, GU15 2PS, UK. Tel: +44 1276 702500 - Fax: +44 1276 692903. Copyright © Gamma Secure Systems Limited 2004

Page last updated: 18 March, 2004