ISO-IEC 17799 the New International Standard for Information Security Management
Caroline Hamilton, RiskWatch, Inc.
With assistance from: Mike Nash, Gamma Secure Systems Ltd, Camberley, United Kingdom
IMPORTANCE OF STANDARDS
Examples from America’s past include:
• Railroad Tracks
• Shoe Sizing
FOUNDING OF NIST - 1901
At that time, the United States had few, if any, authoritative national standards for any quantities or products. What it had was a patchwork of locally and regionally applied standards, often arbitrary, that were a source of confusion in commerce. It was difficult for Americans to conduct fair transactions or get parts to fit together properly. Construction materials were of uneven quality, and household products were unreliable. Few Americans worked as scientists, because most scientific work was based overseas.
The Baltimore Fire of 1904
The need for standards was dramatized in 1904, when more than 1,500 buildings burned down in Baltimore, Md., because of a lack of standard fire-hose couplings. When firefighters from Washington and as far away as New York arrived to help douse the fire, few of their hoses fit the hydrants. NIST had collected more than 600 sizes and variations in fire-hose couplings in a previous investigation and, after the Baltimore fire, participated in the selection of a national standard.
Competing Standards
• US Government - NIST Standards
• BS 7799 - ISO-IEC 17799 Standard
International Standards
• International Standards in Information Security are developed by Security Techniques Committee ISO/IEC JTC 1 SC 27
• Three Areas:
– WG 1 - Security Management
– WG 2 - Security Algorithms/Techniques
– WG 3 - Security Assessment/Evaluation
• Includes responsibility for ISO/IEC 17799 (BS 7799), the main topic for today.
History
• SC 27 formed in 1990
– Replaced previous ISO/IEC security committee which was failing to make progress
– Scope excluded standardisation of algorithms
» (now relaxed)
Membership
• Members of SC 27 are National Standards Bodies
– Participating or Observing
– Also liaisons from other standards-making bodies or committees
• Working Groups are composed of experts nominated by National Bodies
– Up to 200 participating experts
Participating Members
• SAI (Australia)
• IBN (Belgium)
• ABNT (Brazil)
• SCC (Canada)
• CSBTS/CESI (China)
• CSNI (Czech Rep)
• DS (Denmark)
• SFS (Finland)
• AFNOR (France)
• DIN (Germany)
• MSZT (Hungary)
• BIS (India)
• UNINFO (Italy)
• JISC (Japan)
• KATS (Korea, Rep of)
• DSM (Malaysia)
• NEN (Netherlands)
• NTS/IT (Norway)
• PKN (Poland)
• GOST R (Russian Fed)
• SABS (South Africa)
• AENOR (Spain)
• SIS (Sweden)
• SNV (Switzerland)
• BSI (UK)
• DSTU (Ukraine)
• ANSI (USA)
Adoption of New Standard
• Australia/New Zealand: AS/NZS ISO/IEC 17799:2000
The primary information security standard in Australia was AS4444, and in New Zealand was NZS4444. These have been replaced with a new international standard, 17799. See Standards Australia OnLine at http://www.standards.com.au.
Observers
• ASRO (Romania)
• DSN (Indonesia)
• EVS (Estonia)
• IPQ (Portugal)
• IRAM (Argentina)
• NSAI (Ireland)
• ON (Austria)
• PSB (Singapore)
• SII (Israel)
• SNZ (New Zealand)
• SUTN (Slovakia)
• SZS (Yugoslavia)
WG 2 Security Techniques
There are International Standards for:
– Encryption (WD 18033)
– Modes of Operation (IS 8372)
– Message Authentication Codes (IS 9797)
– Entity Authentication (IS 9798)
– Non-repudiation Techniques (IS 13888)
– Digital Signatures (IS 9796, IS 14888)
– Hash Functions (IS 10118)
– Key Management (IS 11770)
– Elliptic Curve Cryptography (WD 15946)
– Time Stamping Services (WD 18014)
Other Standards
• US Government Standards
– Data Encryption Standard (DES) (FIPS 46)
– Advanced Encryption Standard (AES) (FIPS 197)
(FIPS - Federal Information Processing Standard)
• Proprietary Standards
– e.g. RSA (The Rivest Shamir Adleman algorithm)
WG 3 Security Evaluation
• Third Party Evaluation
– Criteria for an independent body to form an impartial and repeatable assessment of the presence, correctness and effectiveness of security functionality
• “Common Criteria” (CC) (IS 15408)
Common Criteria
• Produced by a consortium of Government bodies in North America / European Union
– Mainly National Security Agencies
• Influenced by International Standardisation committee
– Adopted as International Standard 15408
• Adopted and recognised by other major Governments
– All EU, Australia, Japan, Russia
• Replaces “Orange Book” (US) and ITSEC (EU)
Content of CC
• Part 1 – Introduction and General Model
• Part 2 – Functional Components
• Part 3 – Assurance Components
• Related standards:
– Protection Profile Registration Procedures (IS 15292)
– Framework for Assurance (WD 15443)
– Guide on Production of Protection Profiles (WD 15446)
– Security Evaluation Methodology (WD 18045)
Relevance of CC
• The Common Criteria and its predecessors (Orange Book, ITSEC) raised the level and reliability of security functionality found in standard products
– Operating Systems, Databases, Firewalls
• Important for major product vendors
• Important for high-risk Government systems
• Important for Smart Cards
• Irrelevant to everyone else
Why?
• Common Criteria is complex
• Evaluation is complex and time consuming
• Limited number of approved Evaluation Facilities
– Expensive
– Inflexible
• Money is usually better spent improving security
WG 1 Security Management
• Two key standards:
– Guidelines for Information Security Management (GMITS) (TR 13335)
– Code of Practice for Information Security Management (IS 17799)
• Other standards:
– Guidelines on the use and management of trusted third parties (TR 14516)
– Guidelines for implementation, operation and management of Intrusion Detection Systems (WD 18043)
– Guidelines for security incident management (WD 18044)
GMITS and 17799
• GMITS developed by ISO/IEC JTC 1 SC 27 (standards committee)
• IS 17799 is (almost) identical to BS 7799-1
– BS 7799-1 was the most widely purchased security standard worldwide
• Officially, no overlap
– This is rubbish
• GMITS is dying
– Scope is IT security, not Information Security
– Only a TR (Technical Report)
– Editors of GMITS are moving to work on 17799
ISO/IEC 17799 and BS7799-2
• IS 17799 is a catalogue of good things to do
• BS 7799 Part 2 is a specification for an ISMS (Information Security Management System)
• ISMS compliance can be independently assessed
What is an ISMS?
ISO/IEC 17799 Layout
• 10 Major Headings
• 36 Objectives
• 127 Major Controls
• Several Thousand Pieces of Guidance
The 10 Major Headings
• Security Policy
• Security Organisation
• Asset Classification and Control
• Personnel Security
• Physical and Environmental Security
• Comms and Operational Management
• Access Control
• Systems Development and Maintenance
• Business Continuity Management
• Compliance
Security Objectives
Example: the Physical and Environmental Security heading (one of the 10 major headings) has three objectives:
• Secure Areas
• Equipment Security
• General Controls
Security Controls
Example: the objectives under the Physical and Environmental Security heading, with the Equipment Security objective expanded into its controls:
• Secure Areas
• Equipment Security
– Siting
– Power Supplies
– Cabling
– Maintenance
– Off-premises
– Disposal/reuse
• General Controls
ISO/IEC 17799
• A standard for Information Security Management
– Very wide acceptance
• Based on British Standard BS 7799
– Replaced Part 1 of BS 7799
– Part 2 of BS 7799 still exists and is current
– Part 2 describes how to build and assess a security management system
– National equivalents to BS 7799-2 exist in most developed countries
» Except North America
BS 7799-2
• ISMS Requirements
– Scope
– Security Policy
– Risk Assessment
– Statement of Applicability
– Develop./maintain ISMS
– Documentation
• ISO/IEC 17799 Controls (in imperative format)
Complying with BS 7799-2
• Security Policy
• Risk Assessment
• Statement of Applicability
• Management System
Security Policy
• Scope
• Confidentiality
• Integrity
• Availability
• Accountability
• Assets
• Risk Assessment
• Regulatory/Legal
Risk Assessment
Diagram: Asset, Vulnerability and Threat combine to give RISK
Statement of Applicability
• Identifies actual security controls
• Must consider all 7799-2 listed controls
– include or exclude with justification
• Select applicable controls by business and risk analysis
Security Management
• The means by which Management Monitors and Controls security
• Requires regular checks that:
– Controls are still in place and effective
– Residual risks are still acceptable
– Assumptions about threats etc. remain valid
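The three slides above (Risk Assessment, Statement of Applicability, Security Management) describe one cycle: rate risks from asset, threat and vulnerability; decide, for every catalogue control, whether it is included or excluded and why; then check periodically that the chosen controls still work and residual risk is still acceptable. The following Python model is an added example and is not part of the presentation or of BS 7799-2 itself. The scoring scheme (asset value x threat likelihood x vulnerability severity on 1-3 scales), the rule that a treated risk's vulnerability severity drops to 1, the threshold of 6, and the sample risks are all assumptions for illustration; the control names are the Equipment Security controls listed on the Security Controls slide.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One row of the risk assessment: an asset, a threat to it, and the
    vulnerability the threat can exploit, each rated 1 (low) to 3 (high)."""
    asset: str
    threat: str
    vulnerability: str
    asset_value: int
    threat_likelihood: int
    vuln_severity: int
    mitigated_by: tuple = ()   # names of catalogue controls that treat this risk

    def score(self) -> int:
        # Assumed scheme: risk = asset value x threat likelihood x vulnerability severity.
        return self.asset_value * self.threat_likelihood * self.vuln_severity


class StatementOfApplicability:
    """Every control in the catalogue must be included or excluded, with a reason."""

    def __init__(self, catalogue):
        self.catalogue = tuple(catalogue)
        self.decisions = {}   # control -> (included: bool, justification: str)

    def include(self, control, justification):
        self._decide(control, True, justification)

    def exclude(self, control, justification):
        self._decide(control, False, justification)

    def _decide(self, control, included, justification):
        if control not in self.catalogue:
            raise KeyError(f"{control!r} is not a catalogue control")
        self.decisions[control] = (included, justification.strip())

    def included(self):
        return {c for c, (inc, _) in self.decisions.items() if inc}

    def gaps(self):
        """Controls with no decision, or a decision without a justification."""
        return sorted(c for c in self.catalogue
                      if c not in self.decisions or not self.decisions[c][1])


def select_controls(risks, threshold):
    """Controls needed to treat every risk scoring at or above the threshold."""
    needed = set()
    for r in risks:
        if r.score() >= threshold:
            needed.update(r.mitigated_by)
    return needed


def residual_score(risk, soa, control_status):
    """Assumed model: a risk is treated only when all of its controls are in the
    SoA and currently reported effective; a treated risk's vulnerability
    severity drops to 1, otherwise the original score stands."""
    treated = bool(risk.mitigated_by) and all(
        c in soa.included() and control_status.get(c, False) for c in risk.mitigated_by)
    if treated:
        return risk.asset_value * risk.threat_likelihood
    return risk.score()


def management_review(risks, soa, control_status, acceptable):
    """The periodic checks from the slide: selected controls still effective,
    residual risk still acceptable. Returns a list of findings (empty = fine)."""
    findings = []
    for c in sorted(soa.included()):
        if not control_status.get(c, False):
            findings.append(f"control no longer effective: {c}")
    for r in risks:
        res = residual_score(r, soa, control_status)
        if res > acceptable:
            findings.append(f"residual risk {res} above {acceptable}: {r.asset} / {r.threat}")
    return findings


# Constructed sample data: the Equipment Security controls named on the slide
# and four illustrative risks (not from any real assessment).
CATALOGUE = ("Siting", "Power Supplies", "Cabling", "Maintenance",
             "Off-premises", "Disposal/reuse")
RISKS = (
    Risk("server room", "power failure", "no UPS", 3, 2, 3, ("Power Supplies",)),
    Risk("laptops", "theft", "carried off site", 2, 3, 2, ("Off-premises",)),
    Risk("retired disks", "data leakage", "disposed without wiping", 3, 1, 3, ("Disposal/reuse",)),
    Risk("network cabling", "tampering", "runs through public corridor", 1, 1, 2, ("Cabling",)),
)
THRESHOLD = 6   # assumed acceptable-risk threshold


def build_soa(risks=RISKS, catalogue=CATALOGUE, threshold=THRESHOLD):
    """Decide every catalogue control from the risk analysis, with a justification."""
    soa = StatementOfApplicability(catalogue)
    needed = select_controls(risks, threshold)
    for c in catalogue:
        if c in needed:
            soa.include(c, f"treats a risk scoring >= {threshold}")
        else:
            soa.exclude(c, "no risk above threshold requires it")
    return soa


if __name__ == "__main__":
    soa = build_soa()
    print("included:", sorted(soa.included()), "gaps:", soa.gaps())
    status = {"Power Supplies": True, "Off-premises": False, "Disposal/reuse": True}
    for f in management_review(RISKS, soa, status, THRESHOLD):
        print("finding:", f)
```

Running the block as a script builds the SoA (three controls included, three excluded, no gaps) and then simulates a review in which the Off-premises control has lapsed: the review reports both the ineffective control and the laptop-theft risk whose residual score is back above the threshold, which is exactly the pair of checks the slide asks management to repeat regularly.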
Revision of IS 17799
• ISO/IEC 17799 was identical in technical content to BS 7799-1:1999
• Part of the negotiations for adoption was the initiation of an immediate major revision process
• Revision started April 2002
– First meeting in Berlin failed to finish its agenda
– Lot of fuss over philosophy and definitions, e.g. “What is security?”
– Editors sent away to finish the job
– Having difficulties finding enough changes to justify a major revision
Revision of BS 7799-2
• BS 7799-2:2002 issued as draft for comment in March 2002
– Aligned with other continuous review standards (“Plan-Do-Check-Act”)
– Comment period now closed
• Final text agreed 10th June 2002
• Publication as a British Standard in July 2002
In closing
• Information Security Standards matter
• Many standards are for a specialist audience
• ISO/IEC 17799 is relevant to every security professional
For more info about ISO 17799
Gamma Secure Systems Ltd
http://www.gammassl.co.uk/
Caroline Hamilton
RiskWatch, Inc.