Introduction to International Standardization

INTRODUCTION TO INTERNATIONAL STANDARDIZATION by Kris Kimmerle

Description

This is my publication on the Introduction to International Standardization. In this publication I give an overview of the ISO, IEC, and Common Criteria international organizations and their unique approaches to security evaluations, certification & accreditation, and lastly standard development.

Transcript of Introduction to International Standardization

Page 1: Introduction to International Standardization

INTRODUCTION TO INTERNATIONAL STANDARDIZATIONby Kris Kimmerle

Page 2: Introduction to International Standardization

ABOUT THE AUTHOR

INTERNATIONAL STANDARDIZATION 2

Page 3: Introduction to International Standardization

Hi.

My name is Kris Kimmerle.

I have 9 years of comprehensive and international experience in the following domains.

I have / I am training for:

- Certifications
- Disaster Recovery Planning
- Risk Management
- Vulnerability Management
- Threat Profiling
- Compliance Management
- Auditor
- Information Security Instructor
- Business Continuity Planning
- Network Operations
- Asset Management
- Third Party Risk Management
- Business Operations Management
- Security Operations Management
- Physical Security Management
- Project Management
- Security Intelligence Technician
- Agile Project Management
- SharePoint Administrator
- Enterprise Application Development
- Enterprise Architecture
- Enterprise Security Architecture
- Security Analyst
- Cloud Computing
- Chain of Custody
- Change Management
- IdM Solutions
- Repudiation
- Automation
- Security Awareness
- Access Control
- MySQL
- Duty Segregation
- Defense-in-Depth
- Supply Chain Processes
- Enterprise Risk Management
- ISO 27000 Family of Standards
- Simplicity in Complex Security
- Flexibility in Security
- Interoperability

Page 4: Introduction to International Standardization

Let’s get started.


Page 5: Introduction to International Standardization

PURPOSE


Page 6: Introduction to International Standardization

- Basic understanding of standardization terms and definitions
- Basic understanding of the international standardization organizations
- Basic understanding of the international standardization development process
- Basic understanding of key stakeholders in technological standardization
- Basic understanding of the international certification and accreditation process

Page 7: Introduction to International Standardization

TERMINOLOGY


Page 8: Introduction to International Standardization

International Standard

Standards developed by international standards organizations. International standards are available for consideration and use worldwide. One prominent organization is the International Organization for Standardization.

Standards Organization

A standards organization, standards body, standards developing organization (SDO), or standards setting organization (SSO) is any organization whose primary activities are developing, coordinating, promulgating, revising, amending, reissuing, interpreting, or otherwise producing technical standards that are intended to address the needs of some relatively wide base of affected adopters.

Standardization

The process of developing and implementing technical standards. Standardization can help to maximize compatibility, interoperability, safety, repeatability, or quality. It can also facilitate commoditization of formerly custom processes.

Page 9: Introduction to International Standardization

Accreditation

The formal declaration by a neutral third party that the certification program is administered in a way that meets the relevant norms or standards of the certification program.

Certification & Accreditation

A two-step process that ensures security of information systems. Certification is the process of evaluating, testing, and examining security controls that have been pre-determined based on the data type in an information system.

Certification

The comprehensive evaluation of a process, system, product, event, or skill, typically measured against some existing norm or standard. Industry and/or trade associations will often create certification programs to test and evaluate the skills of those performing services within the interest area of that association.

Page 10: Introduction to International Standardization

Protection Profile (PP)

Common Criteria defines this as the implementation-independent statement of security needs for a TOE type.

Target of Evaluation (TOE)

Common Criteria defines this as a set of software, firmware and/or hardware, possibly accompanied by guidance.

Evaluation Assurance Level (EAL)

Common Criteria defines this as the numerical rating which describes the depth and rigor of an evaluation. Each EAL corresponds to a package of security assurance requirements (SARs) which covers the complete development of a product, with a given level of strictness. Common Criteria lists seven levels, with EAL 1 being the most basic and EAL 7 being the most stringent.

Page 11: Introduction to International Standardization

Security Assurance Requirements (SARs)

Common Criteria defines this as the descriptions of the measures taken during development and evaluation of the product to assure compliance with the claimed security functionality.

Security Functional Requirements (SFRs)

Common Criteria defines this as the specific individual security functions which may be provided by a product. The Common Criteria presents a standard catalogue of such functions.

Security Target (ST)

Common Criteria defines this as the implementation-dependent statement of security needs for a specific identified TOE.

Page 12: Introduction to International Standardization

OVERVIEW


Page 13: Introduction to International Standardization

What is the IEC organization?

The International Electrotechnical Commission (IEC) is the leading global organization that publishes consensus-based International Standards and manages conformity assessment systems for electric and electronic products, systems and services, collectively known as electrotechnology. IEC is a non-profit and non-governmental body.

What is the ISO organization?

The International Organization for Standardization (ISO) is the world’s largest developer of voluntary International Standards. International Standards give state of the art specifications for products, services and good practice, helping to make industry more efficient and effective. Developed through global consensus, they help to break down barriers to international trade. ISO is a non-profit and non-governmental body.

Page 14: Introduction to International Standardization

What is the Common Criteria organization?

Common Criteria (CC) aims to: eliminate redundant evaluation activities; reduce/eliminate activities that contribute little to the final assurance of a product; clarify CC terminology to reduce misunderstanding; restructure and refocus the evaluation activities to those areas where security assurance is gained; and add new CC requirements if needed.

The CC permits comparability between the results of independent security evaluations. The CC does so by providing a common set of requirements for the security functionality of IT products and for assurance measures applied to these IT products during a security evaluation. These IT products may be implemented in hardware, firmware or software.

The evaluation process establishes a level of confidence that the security functionality of these IT products and the assurance measures applied to these IT products meet these requirements. The evaluation results may help consumers to determine whether these IT products fulfil their security needs.


Page 15: Introduction to International Standardization

ISO & IEC


Page 16: Introduction to International Standardization

PARTNERSHIP

ISO and IEC began their partnership in the field of information technology back in 1976, following the boom of information technology. The two organizations signed an agreement aimed at enabling the two parties to collaborate. Ten years later ISO and IEC made a commitment to this partnership by creating ISO/IEC JTC 1 (ISO/IEC Joint Technical Committee 1), with the focus of covering the vast and expanding field of information technology.

UNITED STATES

The American National Standards Institute (ANSI) is the foremost national standardization organization in the United States and represents the USA in both ISO and IEC. ANSI is regarded as one of the largest players in ISO and IEC and directly administers several of the ISO/IEC joint committees and subgroups. Unlike the BSI, ANSI has been responsible for ISO/IEC standards that relate to areas outside of information technology and security.

UNITED KINGDOM

The British Standards Institution (BSI) is the foremost national standardization organization for the United Kingdom and represents the UK in both ISO and IEC. The BSI Group is well-known within the information security field due to its contributions through British Standard (BS) 7799. This British standard eventually became what we know today as ISO/IEC 27001 & 27002.

Page 17: Introduction to International Standardization

ISO/IEC STANDARDS DEVELOPMENT


Page 18: Introduction to International Standardization

ISO/IEC standards are developed by groups of experts, within technical committees (TCs). TCs are made up of representatives of industry, NGOs, governments and other stakeholders, who are put forward by ISO/IEC members. Each TC deals with a different subject, for example there are TCs focusing on screw threads, shipping technology, food products and many, many more.

PRINCIPLES OF DEVELOPMENT

1. Respond to a need in the market

ISO standards respond to a need in the market. ISO does not decide when to develop a new standard. Instead, ISO responds to a request from industry or other stakeholders such as consumer groups. Typically, an industry sector or group communicates the need for a standard to its national member, who then contacts ISO. Contact details for national members can be found in the list of members.

2. Based on global expert opinion

ISO standards are developed by groups of experts from all over the world that are part of larger groups called technical committees. These experts negotiate all aspects of the standard, including its scope, key definitions and content. Details can be found in the list of technical committees.

3. Developed on a multi-stakeholder process

4. Standards are based on a consensus

Developing ISO standards is a consensus-based approach, and comments from stakeholders are taken into account.

Page 19: Introduction to International Standardization

STAGES OF DEVELOPMENT

1. Proposal
2. Preparatory
3. Committee
4. Enquiry
5. Approval
6. Publication

Review

Fast Track

Page 20: Introduction to International Standardization

FAST TRACK

If a document with a certain degree of maturity is available at the start of a standardization project, for example a standard developed by another organization, it is possible to omit certain stages.

Page 21: Introduction to International Standardization

1. PROPOSAL

The first step in the development of an International Standard is to confirm that a particular International Standard is needed.

Page 22: Introduction to International Standardization

2. PREPARATORY

Usually, a working group of experts, the chairman (convener) of which is the project leader, is set up by the TC/SC for the preparation of a working draft.


Page 23: Introduction to International Standardization

3. COMMITTEE

As soon as a first committee draft is available, it is registered by the ISO Central Secretariat. It is distributed for comment and, if required, voting, by the P-members of the TC/SC.

Page 24: Introduction to International Standardization

4. ENQUIRY

The draft International Standard (DIS) is circulated to all ISO member bodies by the ISO Central Secretariat for voting and comment within a period of three months.


Page 25: Introduction to International Standardization

5. APPROVAL

Once a final draft International Standard has been approved, only minor editorial changes, if and where necessary, are introduced into the final text. The final text is sent to the ISO Central Secretariat, which publishes the International Standard.

Page 26: Introduction to International Standardization

REVIEW

All International Standards are reviewed at least every five years by all the ISO member bodies.


Page 27: Introduction to International Standardization

ISO/IEC TECHNICAL COMMITTEES


Page 28: Introduction to International Standardization

What are the Technical Committees?

ISO/IEC standards are developed by groups of experts, within technical committees (TCs). TCs are made up of representatives of industry, NGOs, governments and other stakeholders, who are put forward by ISO/IEC members. Each TC deals with a different subject, for example there are TCs focusing on screw threads, shipping technology, food products and many, many more.

Page 29: Introduction to International Standardization

ISO/IEC Joint Technical Committee 1

This committee represents the standardization in the field of information technology. They are currently addressing such critical areas as teleconferences and e-meetings, cloud data management interface, biometrics in identity management, sensor networks for smart grid systems, and corporate governance of ICT implementation.

Page 30: Introduction to International Standardization

ISO/IEC Joint Technical Committee 1

Subcommittee 27

This subcommittee represents the standardization for information technology security techniques. Standardization activity by this subcommittee includes general methods, techniques and guidelines to address both security and privacy aspects. The scope of this subcommittee is split across five (5) working groups. (ISO/IEC JTC 1 - Subcommittee 27, 2014)

All working groups collaborate with the appropriate bodies to ensure the proper development and application of standards and technical reports in relevant areas. This group is responsible for the ISO 27000 family of standards.

- ISO/IEC JTC 1/SC 27/WG 1 - Information security management systems
- ISO/IEC JTC 1/SC 27/WG 2 - Cryptography and security mechanisms
- ISO/IEC JTC 1/SC 27/WG 3 - Security evaluation, testing and specification
- ISO/IEC JTC 1/SC 27/WG 4 - Security controls and services
- ISO/IEC JTC 1/SC 27/WG 5 - Identity management and privacy technologies

Page 31: Introduction to International Standardization

COMMON CRITERIA


Page 32: Introduction to International Standardization

Common Criteria Evaluation Life Cycle

(Diagram, labels only.) Three parallel evaluation tracks:

- Evaluate PP → PP Evaluation Results → Evaluated PP → PP Registry
- Evaluate ST → ST Evaluation Results → Evaluated ST
- Evaluate TOE → TOE Evaluation Results → Evaluated TOE → TOE Registry

Page 33: Introduction to International Standardization

Your standard security relationship model.


Page 34: Introduction to International Standardization

(Diagram, labels only.) Owners value assets and impose countermeasures to reduce risk to those assets; threat agents give rise to threats that increase risk to the assets and may abuse and/or damage them.

Page 35: Introduction to International Standardization

Common Criteria’s security relationship model.


Page 36: Introduction to International Standardization

(Diagram, labels only.) Owners require countermeasures that are correct and sufficient; evaluation provides confidence that the countermeasures are correct and sufficient, therefore minimizing risk to assets.

Page 37: Introduction to International Standardization

REFERENCES

- British Standards Institution (2014). http://www.bsigroup.com
- American National Standards Institute (2014). http://www.ansi.org
- Computer History Museum (2013). http://www.computerhistory.org/timeline/?year=1976
- International Electrotechnical Commission (2014). http://www.iech.ch/
- International Organization for Standardization (2014). http://www.iso.org
- ISO/IEC Joint Technical Committee 1 (2014). http://isotc.iso.org/livelink/livelink/open/jtc1
- Common Criteria (2014). http://www.commoncriteriaportal.org/

Page 38: Introduction to International Standardization

Send me a message.

@KrisKimmerle

http://1drv.ms/1cgfZn0 http://www.linkedin.com/in/kriskimmerle

[email protected]
