Security Standards. 17.1 BS7799 and ISO17799



17 Security Standards

Over the past 10 years security standards have come a long way from the original Rainbow Book series, created by the US Department of Defense to define the security of trusted computer systems. Today we have security standards that allow us to define information assurance at both the technical and the organisational level.

17.1 BS7799 and ISO17799

ISO17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management systems (ISMS) in an organisation, and is based on the British Standard BS7799. The objectives outlined provide general guidance on the commonly accepted goals of information security management (ISM).

BS7799 defines a six-stage process model, shown in figure 17.1. BS7799 makes some assumptions. It assumes that you have already identified all of the key information assets that exist within your organisation and, when you come to perform the risk assessment, that you have already conducted a threat, vulnerability and impact study of the organisation and those assets. The most important requirement of BS7799 is senior management buy-in to the whole security standard process. It does not mandate any particular security solution, but it does require that someone in the organisation has considered each of the best-practice sections. BS7799 also requires that the security policy is kept under constant review and becomes a living document that evolves over time. BS7799-2:2002 tells you how to apply ISO17799 and how to build, operate, maintain and improve an ISMS; the 1999 edition only told you how to apply ISO17799 and build an ISMS.

ISO17799:2005 contains best-practice control objectives and controls in the following areas of ISM: security policy; organisation of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; and compliance.

FIGURE 17.1. The BS7799 Process Model
Step 1: Define the Information Security Policy
Step 2: Define the Scope of the ISMS (input: Information Assets)
Step 3: Undertake Risk Assessment (inputs: Threats, Vulnerabilities, Impact)
Step 4: Manage the Risk (input: Organisation's Approach to Risk Management)
Step 5: Select Control Objectives and Controls to be Implemented (inputs: BS7799 Control Objectives and Controls; Additional Controls)
Step 6: Prepare Statement of Applicability

The control objectives and controls in ISO17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 17799:2005 is intended as a common basis and practical guideline for developing organisational security standards and effective security management practices, and to help build confidence in inter-organisational activities.

The ISO17799 standard consists of recommended information security practices. In the 2000 edition of the standard these are found in Sections 3 to 12, listed below; the 2005 edition renumbers these areas as Sections 5 to 15 and adds the information security incident management area given above.

3. Security Policy
   3.1 Establish an information security policy.
4. Organisational Security
   4.1 Establish a security infrastructure.
   4.2 Control third party access to facilities.
   4.3 Control outsourced information processing.
5. Asset Classification and Control
   5.1 Make information asset owners accountable.
   5.2 Use an information classification system.
6. Personnel Security Management
   6.1 Control your personnel recruitment process.
   6.2 Provide information security training.
   6.3 Respond to information security incidents.
7. Physical and Environmental Security
   7.1 Use secure areas to protect facilities.
   7.2 Protect equipment from hazards.
   7.3 Control access to information and property.
8. Communications and Operations Management
   8.1 Establish operational procedures.
   8.2 Develop plans to provide future capacity.
   8.3 Protect against malicious software.
   8.4 Establish housekeeping procedures.
   8.5 Safeguard your computer networks.
   8.6 Protect and control computer media.
   8.7 Control inter-organisational exchanges.
9. Information Access Control
   9.1 Control access to information.
   9.2 Manage the allocation of access rights.
   9.3 Encourage responsible access practices.
   9.4 Control access to computer networks.
   9.5 Restrict access at operating system level.
   9.6 Manage access to application systems.
   9.7 Monitor system access and use.
   9.8 Protect mobile and teleworking assets.
10. Systems Development and Maintenance
   10.1 Identify system security requirements.
   10.2 Build security into your application systems.
   10.3 Use cryptography to protect information.
   10.4 Protect your organisation's system files.
   10.5 Control development and support.
11. Business Continuity Management
   11.1 Design a continuity management process.
12. Compliance Management
   12.1 Comply with legal requirements.
   12.2 Perform security compliance reviews.
   12.3 Carry out operational system audits.

17.2 ISO13335

The aim of ISO13335 is to describe and recommend techniques for the successful management of information technology (IT) security. These techniques can be used to assess security requirements and risks, and to help establish and maintain the appropriate safeguards, i.e. the correct level of IT security. The results achieved in this way may need to be enhanced by additional safeguards dictated by the actual organisation and its environment. ISO13335 provides guidelines for the management of IT security in five parts:
1. Concepts and Models
2. Management and Planning
3. Techniques for IT Security Management
4. Selection of Safeguards
5. External Connections

17.3 Common Criteria

The Common Criteria (CC) defines standards to be used as the basis for evaluating the security properties of IT products and systems. The aim of the CC is to allow people to have confidence in the evaluation of a product and to know what that level of evaluation means. For example, when we perform a security assessment and conclude that we require an EAL4 firewall, what we are really saying is that we require a firewall that has been methodically designed, tested and reviewed.

The CC permits comparability between the results of independent security evaluations. It does so by providing a common set of requirements for the security functionality of IT products (or collections of them) and for the assurance measures applied to those products during a security evaluation. The evaluation process establishes a level of confidence that the security functionality of these products and the assurance measures applied to them meet these requirements. Evaluation should lead to objective and repeatable results that can be cited as evidence, even though there is no totally objective scale for representing the results of a security evaluation. The existence of a set of evaluation criteria is a necessary precondition for an evaluation to lead to a meaningful result, and provides a technical basis for mutual recognition of evaluation results between evaluation authorities. Because the application of the criteria contains both objective and subjective elements, precise and universal ratings for IT security are infeasible. The evaluation results may nevertheless help consumers to determine whether a given IT product fulfils their security needs.

The standard addresses protection of information from unauthorised disclosure, modification or loss of use. In particular it offers:
User view: a way to define IT security requirements for IT products: hardware, software and combinations of the two.
Developer view: a way to describe the security capabilities of a specific product.
Evaluator/scheme view: a tool to measure the confidence we may place in the security of a product.

The CC is a common structure and language for expressing product and system IT security requirements, together with a set of catalogues of standardised IT security requirement components and packages. CC Version 3 consists of three parts:
1. Introduction and general model
2. Security functional components
3. Security assurance components

The CC is used (a) to develop protection profiles (PPs) and security targets (STs), which state specific IT security requirements for products and systems that consumers can then use in their purchasing decisions, and (b) to evaluate products and systems against known and understood requirements. A typical CC evaluation looks only at a single configuration of the product; this is called the Target of Evaluation (TOE).

The CC defines two types of requirements: functional and assurance. A functional requirement (FR) defines what the product does, while an assurance requirement defines the build quality of the product and whether it is fit for purpose. A PP is a template for an ST. An ST always describes a specific TOE, whereas a PP describes a TOE type (e.g. firewalls). In general, an ST describes the requirements for a TOE and is written by the developer of that TOE, while a PP describes the general requirements for a TOE type. Figure 17.2 gives the structure of a PP or an ST. A PP is therefore typically written by one of the following:
1. A user community seeking consensus on the requirements for a given TOE type
2. A group of developers of similar TOEs wishing to establish a minimum baseline for that type of TOE
3. A government or large corporation specifying its requirements as part of its acquisition process

PPs can themselves be evaluated, by applying the APE criteria to them. The goal of such an evaluation is to demonstrate that the PP is complete, consistent and technically sound, and suitable for use as a template on which to build an ST. Security functional components, as defined in the CC, are the basis for the security functional requirements (SFRs) expressed in a PP or an ST. These SFRs describe the desired security behaviour of a TOE and are intended to meet the security objectives for the TOE as stated in the PP or ST.

FIGURE 17.2. Structure of PP/ST
PP (or ST):
   Introduction
   TOE Description
   Security Environment: Threats; Security Policies; Secure Usage Assumptions
   Security Objectives: TOE IT Security Objectives; Environmental Security Objectives
   IT Security Requirements: TOE IT Functional & Assurance Requirements; Requirements for the IT Environment
ST additions:
   TOE Summary Specification: TOE IT Security Functions; TOE Assurance Measures
   PP Claims

The functional requirements are grouped into classes, including:
FAU: security audit
FDP: user data protection
FIA: identification and authentication
FPT: protection of the TSF
with further classes covering communication (FCO), cryptographic support (FCS), security management (FMT), privacy (FPR), resource utilisation (FRU), TOE access (FTA) and trusted path/channels (FTP).

The assurance requirements are composed of the following classes:
APE: PP evaluation
ASE: ST evaluation
ADV: development
AGD: guidance documents
ALC: life cycle support
ATE: tests
AVA: vulnerability assessment
ACO: composition

The evaluation assurance levels (EALs), which specify the degree of rigour applied in developing and evaluating the TOE, are:
EAL1: functionally tested
EAL2: structurally tested
EAL3: methodically tested and checked
EAL4: methodically designed, tested and reviewed
EAL5: semiformally designed and tested
EAL6: semiformally verified design and tested
EAL7: formally verified design and tested

17.4 Summary

Standards have a vital role to play in the information assurance professional's world. They allow security professionals to speak a common language. They also facilitate the specification and development of security solutions by providing a common set of components and processes that allow for reproducibility and so increase confidence. BS7799 and ISO17799 approach security from an organisational perspective, while the CC approaches security from a technical perspective. Together they attempt to provide an integrated solution to the security problem.