Maintaining Herd Communication - Standards Used In IT And Cyber Security. Laura Kuiper

Transcription

1 Maintaining Herd Communication - Standards Used In IT And Cyber Security Laura Kuiper

2 So what is Cyber Security? According to ITU-T X.1205 Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user s assets. Organization and user s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user s assets against relevant security risks in the cyber environment. The general security objectives comprise the following: Availability Integrity, which may include authenticity and non-repudiation Confidentiality **ITU-T X.1205 Guidelines for CyberSecurity

3 So Many Standards Bodies Which organization should I be looking at? NIST ITU IEEE OASIS ISO IETF DHS BSIA CEN SIA ANSI

4 Cyber Security Topics Under Development Anti-Spam Mal-ware protection Botnet protection Home Security Identity Management Service Oriented Architecture (SOA) Biometricsi Critical Infrastructure

5 ITU Work Identity Management Preventing Worms spreading Network Security Management Privacy Incident Management Information Sharing

6 ISO Work ISO/IEC 27001/27002 Revision Identity Management/Privacy Responsible Vulnerability Disclosure ISO/IEC Guidelines for CyberSecurity Sector to Sector Communications Security for E-Government Network Security Risk Management ICT Readiness Auditing Industry Specific Standards

7 Other SDOs IETF Domain Name System (DNS) security, authentication protocols, public key infrastructure, security, IEEE Wireless Security

8 So Much Complexity and Confusion DHS IEEE NIST ITU OASIS ISO IETF BSIA CEN SIA ANSI

9 Reducing the Complexity and Confusion Definition Documents ITU and ISO compatible standards ISO Standards d to support implementation ti SDO Liaisons Between SDOs With Industry Organizations

10 Definition Documents Information and Communications Technology (ICT) Security Standards Roadmap [2] Internet Security Glossary from the Internet Engineering Task Force (IETF), RFC 4949 [3] International ti Telecommunications Union Telecommunication Standardization Sector (ITU-T) T) approved security definitions iti [4]

11 Compatible Standards Identity Management ITU-T Focus Group Involvement of Major Industry organizations Simultaneous creation in ISO using same base documents CyberSecurity Standard ITU-T and ISO Liaison as editor Reducing duplication of effort Industry Specific

12 IS0 Implementation Standards ISO/IEC Family of Standards ISO/IEC Information security management system implementation guidance ISO/IEC Network Security Design and Implementation ISO/IEC ISM Measurements ISO/IEC Guidelines for Application Security

13 ISO Support Standards ISO/IEC Information Security Risk Management ISO/IEC ISMS Auditor Guidelines ISO/IEC ICT Readiness for Business Continuity it ISO/IEC Information Security Incident Management

14 Standard Relationships

15 Other Relationships Compliance Requirements Sarbanes Oxley (SOX) HIPAA PCI Extended Control Sets

16 What about Compliance? Which standard to use? Does this meet the requirements for regulations? What about conflicting standards NIST FIPS 200

17 Extended Control Set (ECS) Additional Controls for standards and controls beyond ISO/IEC Used with HIPAA, PCI, Sarbanes Oxley, etc Used to create an Information Security Management System (ISMS) for all requirements

18 Example of Using ECS

19 On the Horizon(1) Critical Infrastructure Sector to Sector Communications Sector/Industry Specific Guidelines ITU-D Cyber Security for Emerging Countries Security for E-Government

20 On the Horizon (2) Forensics Digital Forensics Communication Incident Response and Management Responsible Vulnerability Disclosure Incident Response Home Network Security Anti-Spam, Malware protection

21 Summary

22 References [1] security&i=40643,00.asp [2]ITU-T, European Network and Information Security Agency (ENISA), Network and Information Security Steering Group (NISSG). ICT Security Standards d Roadmap, version 2.2, 22 September < T/studygroups/com17/ict/index.html>. [3]Internet Engineering Task Force. Internet Security Glossary, August < [4] ITU T l i ti St d di ti S t S it [4] ITU Telecommunication Standardization Sector. Security Compendium, Part 2 Approved ITU-T Security Definitions. <