IMPORTANCE OF STANDARDS
Railroad Tracks
Shoe Sizing
At that time, the United States had few, if any, authoritative national standards for any quantities or products. What it had was a patchwork of locally and regionally applied standards, often arbitrary, that were a source of confusion in commerce. It was difficult for Americans to conduct fair transactions or get parts to fit together properly. Construction materials were of uneven quality, and household products were unreliable. Few Americans worked as scientists, because most scientific work was based overseas.
The need for standards was dramatized in 1904, when more than 1,500 buildings burned down in Baltimore, Md., because of a lack of standard firehose couplings. When firefighters from Washington and as far away as New York arrived to help douse the fire, few of their hoses fit the hydrants. NIST had collected more than 600 sizes and variations in firehose couplings in a previous investigation and, after the Baltimore fire, participated in the selection of a national standard.
Competing Standards
International Standards
International Standards in Information Security are developed by the Security Techniques Committee, ISO/IEC JTC 1 SC 27, in three areas: security management (WG 1), security techniques (WG 2) and security evaluation (WG 3).
Includes responsibility for ISO/IEC 17799 (BS 7799), the main topic for today.
History
SC 27 formed in 1990
Replaced the previous ISO/IEC security committee, which was failing to make progress
Scope excluded standardisation of algorithms (now relaxed)
Membership
Participating Members
SAI (Australia)
IBN (Belgium)
ABNT (Brazil)
SCC (Canada)
CSBTS/CESI (China)
CSNI (Czech Republic)
DS (Denmark)
SFS (Finland)
AFNOR (France)
DIN (Germany)
MSZT (Hungary)
BIS (India)
UNINFO (Italy)
KATS (Korea, Republic of)
DSM (Malaysia)
NEN (Netherlands)
NTS/IT (Norway)
PKN (Poland)
GOST R (Russian Federation)
SABS (South Africa)
AENOR (Spain)
SIS (Sweden)
SNV (Switzerland)
BSI (UK)
DSTU (Ukraine)
ANSI (USA)
Observers
ASRO (Romania)
DSN (Indonesia)
EVS (Estonia)
IPQ (Portugal)
IRAM (Argentina)
NSAI (Ireland)
ON (Austria)
PSB (Singapore)
SII (Israel)
SNZ (New Zealand)
SUTN (Slovakia)
SZS (Yugoslavia)
WG 2 Security Techniques
Other Standards
US Government Standards
Data Encryption Standard (DES) (FIPS 46)
Advanced Encryption Standard (AES) (FIPS 197)
(FIPS: Federal Information Processing Standard)
Proprietary Standards
e.g. RSA (The Rivest Shamir Adleman algorithm)
WG 3 Security Evaluation
Common Criteria
Content of CC
Part 1: Introduction and General Model
Part 2: Functional Components
Part 3: Assurance Components
Related standards:
Protection Profile Registration Procedures (IS 15292)
Framework for Assurance (WD 15443)
Guide on Production of Protection Profiles (WD 15446)
Security Evaluation Methodology (WD 18045)
Relevance of CC
The Common Criteria and its predecessors (Orange Book, ITSEC) raised the level and reliability of security functionality found in standard products: operating systems, databases, firewalls.
Important for major product vendors
Important for high-risk Government systems
Important for Smart Cards
Irrelevant to everyone else
Why?
Common Criteria is complex
Evaluation is complex and time consuming
Limited number of approved Evaluation Facilities
Expensive
Inflexible
WG 1 Security Management
Other standards:
Guidelines on the use and management of trusted third parties (TR 14516)
Guidelines for implementation, operation and management of Intrusion Detection Systems (WD 18043)
Guidelines for security incident management (WD 18044)
Officially, no overlap
This is rubbish
GMITS (ISO/IEC TR 13335, Guidelines for the Management of IT Security) is dying
Scope is IT security, not Information Security
Only a TR (Technical Report)
Editors of GMITS are moving to work on 17799
What is an ISMS?
Security Objectives
Security Policy
Security Organisation
Asset Classification and Control
Personnel Security
Physical and Environmental Security
    Secure Areas
    Equipment Security
    General Controls
Comms and Operational Management
Access Control
Systems Development and Maintenance
Business Continuity Management
Compliance
Security Controls
Security Policy
Security Organisation
Asset Classification and Control
Personnel Security
Physical and Environmental Security
    Secure Areas
    Equipment Security
        Siting
        Power Supplies
        Cabling
        Maintenance
        Off-premises
        Disposal/reuse
    General Controls
Comms and Operational Management
Access Control
Systems Development and Maintenance
Business Continuity Management
Compliance
ISO/IEC 17799
BS 7799-2
ISMS Requirements
Scope
Security Policy
Risk Assessment
Statement of Applicability
Develop/maintain ISMS documentation
Security Policy
Risk Assessment
Asset + Threat + Vulnerability -> RISK
Statement of Applicability
Identifies the actual security controls
Must consider all 7799-2 listed controls
Security Management
The means by which management monitors and controls security. Requires regular checks that:
Controls are still in place and effective
Residual risks are still acceptable
Assumptions about threats etc. remain valid
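The three BS 7799-2 steps just outlined (risk assessment from asset, threat and vulnerability; a Statement of Applicability that records a decision for every listed control; and the regular management checks) can be modelled in a few dozen lines. The following is an added example, not code from the presentation or from any standard; the 1..5 scoring scales, the multiplicative risk score, the risk appetite, the review interval and the sample register are all assumptions, and the control areas are the ISO/IEC 17799 section headings listed on the slides.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Control areas as listed on the slides (ISO/IEC 17799 main sections).
CONTROL_AREAS = [
    "Security Policy",
    "Security Organisation",
    "Asset Classification and Control",
    "Personnel Security",
    "Physical and Environmental Security",
    "Comms and Operational Management",
    "Access Control",
    "Systems Development and Maintenance",
    "Business Continuity Management",
    "Compliance",
]

# Statement of Applicability: control area -> (applicable?, justification)
SoA = Dict[str, Tuple[bool, str]]


def risk_score(asset_value: int, likelihood: int, exposure: int) -> int:
    """Assumed scoring: Asset x Threat x Vulnerability, each on a 1..5 scale (result 1..125)."""
    for name, v in (("asset_value", asset_value), ("likelihood", likelihood), ("exposure", exposure)):
        if not 1 <= v <= 5:
            raise ValueError(f"{name} must be in 1..5, got {v}")
    return asset_value * likelihood * exposure


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    asset_value: int          # value of the asset, 1..5
    likelihood: int           # likelihood of the threat, 1..5
    exposure: int             # ease of exploiting the vulnerability, 1..5
    controls: List[str] = field(default_factory=list)  # control areas relied upon
    residual: Optional[int] = None  # residual score after controls; None = not re-assessed

    @property
    def inherent(self) -> int:
        return risk_score(self.asset_value, self.likelihood, self.exposure)


def validate_soa(soa: SoA) -> List[str]:
    """7799-2 rule: every listed control gets an explicit decision; exclusions are justified."""
    problems = []
    for area in CONTROL_AREAS:
        if area not in soa:
            problems.append(f"{area}: no decision recorded")
            continue
        applicable, justification = soa[area]
        if not applicable and not justification.strip():
            problems.append(f"{area}: excluded without justification")
    for area in soa:
        if area not in CONTROL_AREAS:
            problems.append(f"{area}: not a listed control")
    return problems


def management_review(register: List[Risk], soa: SoA, last_checked: Dict[str, date],
                      today: date, appetite: int = 30, max_age_days: int = 365) -> List[str]:
    """The regular checks: residual risk still acceptable, controls still present and checked."""
    findings = []
    for r in register:
        score = r.inherent if r.residual is None else r.residual
        if score > appetite:
            findings.append(f"{r.asset}/{r.threat}: residual risk {score} exceeds appetite {appetite}")
        for c in r.controls:  # a risk must not rely on a control the SoA has excluded
            if not soa.get(c, (False, ""))[0]:
                findings.append(f"{r.asset}/{r.threat}: relies on '{c}', which the SoA marks not applicable")
    for area, (applicable, _) in soa.items():  # applicable controls need a recent effectiveness check
        if applicable:
            checked = last_checked.get(area)
            if checked is None or today - checked > timedelta(days=max_age_days):
                findings.append(f"{area}: no effectiveness check within {max_age_days} days")
    return findings


def run_example(today: date = date(2002, 7, 1)) -> Tuple[List[str], List[str]]:
    """Constructed sample ISMS data: one control excluded unjustified, one control never decided."""
    soa: SoA = {area: (True, "") for area in CONTROL_AREAS
                if area not in ("Business Continuity Management", "Compliance")}
    soa["Business Continuity Management"] = (False, "")
    register = [
        Risk("customer database", "theft by insider", "shared admin account", 5, 3, 4,
             ["Access Control", "Personnel Security"], residual=24),
        Risk("data centre", "fire", "no fire suppression", 5, 2, 5,
             ["Physical and Environmental Security", "Business Continuity Management"]),
    ]
    last_checked = {area: today - timedelta(days=10) for area in soa}
    last_checked["Personnel Security"] = today - timedelta(days=400)  # stale check
    return validate_soa(soa), management_review(register, soa, last_checked, today)


if __name__ == "__main__":
    for line in run_example()[0] + run_example()[1]:
        print(line)
```

The review function deliberately reads the residual score when one has been recorded and falls back to the inherent score otherwise, so a risk that was never re-assessed after treatment surfaces rather than silently passing.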
Revision of IS 17799
ISO/IEC 17799 was identical in technical content to BS 7799-1:1999
Part of the negotiations for adoption was the initiation of an immediate major revision process
Revision started April 2002
First meeting in Berlin failed to finish its agenda
Lot of fuss over philosophy and definitions, e.g. "What is security?"
Editors sent away to finish the job
Having difficulties finding enough changes to justify a major revision
Revision of BS 7799-2
Final text agreed 10th June 2002
Publication as a British Standard in July 2002
In closing
Information Security Standards matter
Many standards are for a specialist audience
ISO/IEC 17799 is relevant to every security professional