Security Standards BS7799 and ISO17799

Transcription

1 17 Security Standards Over the past 10 years security standards have come a long way from the original Rainbow Book series that was created by the US Department of Defense and used to define an information security. Today we have security standards that allow us to define information assurance at both the technical and organisational level BS7799 and ISO17799 ISO17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management systems (ISMS) in an organisation and based on the British Standard BS7799. The objectives outlined provide general guidance on the commonly accepted goals of information security management (ISM). BS7799 defines a six-stage process model as shown in figure BS7799 makes some assumptions. It assumes that you have already defined all of your key information assets that exist within an organisation. When performing a risk assessment, it assumes that you have also conducted a threat/vulnerability and impact study on your organisation and its key information assets. The most important part of BS7799 is that it requires senior management buy-in to the whole security standard process. It also does not mandate any security solution, but it does require that some person in the organisation has thought about each of the Best Practice sections. BS7799 also requires that the security policy is placed under constant review and becomes a living document that will evolve over time. BS7799-2:2002 instructs you how to apply ISO17799 and how to build, operate, maintain and improve an ISMS. The 1999 edition only instructed you to apply ISO17799 and build an ISMS. ISO17799:2005 contains best practices of control objectives and controls in the following areas of ISM: security policy, organisation of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, information security incident management, business continuity management and compliance. 235

2 Security Standards Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Define the Information Security Policy Define the Scope of the ISMS Undertake Risk Assessment Manage the Risk Select Control Objectives and Controls to be Implemented Prepare Statement of Applicability Information Assets Threats, Vulnerabilities, Impact Organisation's Approach to Risk Management BS7799 Control objectives and Controls Additional Controls FIGURE The BS7799 Process Model The control objectives and controls in ISO17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 17799:2005 is intended as a common basis and practical guideline for developing organisational security standards and effective security management practices and to help build confidence in inter-organisational activities. The ISO17799 standard consists of recommended information security practices. These recommended practices are found in Sections 3 12 of the standard. 3. Security Policy 3.1 Establish an information security policy. 4. Organisational Security 4.1 Establish a security infrastructure. 4.2 Control third party access to facilities. 4.3 Control outsourced information processing. 5. Asset Classification and Control 5.1 Make information asset owners accountable. 5.2 Use an information classification system. 6. Personnel Security Management 6.1 Control your personnel recruitment process. 6.2 Provide information security training. 6.3 Respond to information security incidents. 7. Physical and Environmental Security 7.1 Use secure areas to protect facilities. 7.2 Protect equipment from hazards. 7.3 Control access to information and property. 8. Communications and Operations Management 8.1 Establish operational procedures. 8.2 Develop plans to provide future capacity.

3 ISO Protect against malicious software. 8.4 Establish housekeeping procedures. 8.5 Safeguard your computer networks. 8.6 Protect and control computer media. 8.7 Control inter-organisational exchanges. 9. Information Access Management Control 9.1 Control access to information. 9.2 Manage the allocation of access rights. 9.3 Encourage responsible access practices. 9.4 Control access to computer networks. 9.5 Restrict access at operating system level. 9.6 Manage access to application systems. 9.7 Monitor system access and use. 9.8 Protect mobile and teleworking assets. 10. Systems Development and Maintenance 10.1 Identify system security requirements Build security into your application systems Use cryptography to protect information Protect your organisation s system files Control development and support. 11. Business Continuity Management 11.1 Design a continuity management process. 12. Compliance Management 12.1 Comply with legal requirements Perform security compliance reviews Carry out operational system audits ISO13335 The aim of ISO13335 is to describe and recommend techniques for the successful management of information technology (IT) security. These techniques can be used to assess security requirements and risks and help to establish and maintain the appropriate security safeguards, i.e. the correct IT security level. The results achieved in this way may need to be enhanced by additional safeguards dictated by the actual organisation and environment. ISO13335 provides guidelines for the Management of IT Security, and these are: 1. Concepts and Models 2. Management and Planning 3. Techniques for IT Security Management 4. Selection of Safeguards 5. External Connections

4 Security Standards 17.3 Common Criteria The Common Criteria (CC) defines standards to be used as the basis for evaluation of security properties of IT Products and Systems. The aim of the CC is to allow for people to have confidence in the evaluation of a product and what that level of evaluation means. So for example when we perform a security assessment and arrive at the conclusion that we require an EAL4 firewall, what we are really saying is that we require a firewall that has been methodologically designed, tested and reviewed. The CC permits comparability between the results of independent security evaluations. The CC does so by providing a common set of requirements for the security functionality of (collections of) IT products and for assurance measures applied to these IT products during a security evaluation. The evaluation process establishes a level of confidence that the security functionality of these products and the assurance measures applied to these IT products meet these requirements. Evaluation should lead to objective and repeatable results that can be cited as evidence, even if there is no totally objective scale for representing the results of a security evaluation. The existence of a set of evaluation criteria is a necessary pre-condition for evaluation to lead to a meaningful result and provides a technical basis for mutual recognition of evaluation results between evaluation authorities. As the application of criteria contains both objective and subjective elements, precise and universal ratings for IT security are infeasible. The evaluation results may help consumers to determine whether these IT products fulfil their security needs. The standard addresses protection of information from unauthorised disclosure, modification or loss of use, in particular: User view: A way to define IT security requirements for some IT products: hardware, software and combinations of hardware and software Developer view: A way to describe security capabilities of their specific product Evaluator/scheme view: A tool to measure the confidence we may place in the security of a product What the CC is a Common structure and language for expressing product/system IT security requirements and a set of Catalogs of standardised IT security requirement components and packages. The CC Version 3 consists of three parts: 1. Introduction and general model 2. Security fundamental components 3. Security assurance components The CC is used to: (a) develop protection profiles (PP) and security targets (ST) specific IT security requirements for products and systems consumers then use them for decisions and (b) evaluate products and systems against known and understood requirements. A typical CC evaluation will only look at a single

5 Common Criteria 239 configuration of the product. This is called the Target of Evaluation (TOE). The CC defines two types of requirements: functional and assurance. The role and function of a functional requirements (FR) is to define what the product does, while the role and function of an assurance requirement is to define the build quality of the product and whether it is fit for purpose. A PP is a template for an ST. An ST always describes a specific TOE, whereas a PP is intended to describe a TOE type (e.g. firewalls). In general, an ST describes requirements for a TOE and is written by the developer of that TOE, while a PP describes the general requirement for a TOE type. Figure 17.2 gives the structure of a PP or an ST. A PP is therefore typically written by the following: 1. A user community seeking to come to a consensus on the requirements for a given TOE type 2. A group of developers of similar TOEs wishing to establish a minimum baseline for that type of TOE 3. A government or large corporation specifying its requirements as part of its acquisition process The PPs can be evaluated (by applying the APE criteria to them). The goal of such an evaluation is to demonstrate that the PP is complete, consistent and technically sound and suitable for use as a template to build an ST on. Security functional components, as defined in the CC, are the basis for the security functional requirements (SFRs) expressed in a PP or an ST. These SFRs describe the desired security behaviour of a TOE and are intended to meet the security objectives for the TOE as stated in a PP or an ST. PP (or) ST Introduction ST Additions TOE Description Security Environment Security Objectives IT Security Requirements TOE Summary Specification PP Claims Threats Security Policies Secure Usage Assumptions TOE IT Security Objectives Environmental Security Objectives TOE IT Functional & Assurance Requirements Requirements for IT environment TOE IT Security Functions TOE Assurance Measures FIGURE Structure of PP/ST

6 Security Standards While the FRs are composed of the following classes: FDP: data protection and privacy FIA: identification, authentication and binding FAU: audit FPT: protection of TSF FMI: miscellaneous The assurance requirements are composed of the following classes: APE: PP evaluation ASE: ST evaluation ADV: development AGD: guidance documents ALC: life cycle support ATE: tests AVA: vulnerability assessment ACO: composition The evaluated assurance levels specify levels of detail associated with the development of the TOE are given below: EAL1: functionally tested EAL2: structurally tested EAL3: methodologically tested and checked EAL4: methodologically designed, tested and reviewed EAL5: semi-formally designed and tested EAL6: semi-formally verified design and tested EAL7: formally verified designed and tested 17.4 Summary The infromation assurance professionals world standards have a vital role to play. They allow the security professional to speak with a common language. They also facilitate in the specification and development of security solutions to problems by providing a common set of components and processes that allow for reproducibility and function to increase confidence. BS7799 and ISO17799 approach security from an organisational perspective, while the CC approach security from a technical perspective. Together they attempt to provide an integrated solution to the security problem.