Maintaining Herd Communication - Standards Used In IT And Cyber Security Laura Kuiper
So what is Cyber Security?
According to ITU-T X.1205, cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user's assets. Organization and user's assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user's assets against relevant security risks in the cyber environment.
The general security objectives comprise the following:
  Availability
  Integrity, which may include authenticity and non-repudiation
  Confidentiality
** ITU-T X.1205, Guidelines for Cybersecurity
So Many Standards Bodies
Which organization should I be looking at?
  NIST, ITU, IEEE, OASIS, ISO, IETF, DHS, BSIA, CEN, SIA, ANSI
Cyber Security Topics Under Development
  Anti-Spam
  Malware protection
  Botnet protection
  Home Security
  Identity Management
  Service Oriented Architecture (SOA)
  Biometrics
  Critical Infrastructure
ITU Work
  Identity Management
  Preventing Worms spreading
  Network Security Management
  Privacy
  Incident Management
  Information Sharing
ISO Work
  ISO/IEC 27001/27002 Revision
  Identity Management/Privacy
  Responsible Vulnerability Disclosure
  ISO/IEC 27032 Guidelines for CyberSecurity
  Sector to Sector Communications
  Security for E-Government
  Network Security
  Risk Management
  ICT Readiness
  Auditing
  Industry Specific Standards
Other SDOs
  IETF: Domain Name System (DNS) security, authentication protocols, public key infrastructure, email security
  IEEE: Wireless Security
So Much Complexity and Confusion
  DHS, IEEE, NIST, ITU, OASIS, ISO, IETF, BSIA, CEN, SIA, ANSI
Reducing the Complexity and Confusion
  Definition Documents
  ITU and ISO compatible standards
  ISO Standards to support implementation
  SDO Liaisons
    Between SDOs
    With Industry Organizations
Definition Documents
  Information and Communications Technology (ICT) Security Standards Roadmap [2]
  Internet Security Glossary from the Internet Engineering Task Force (IETF), RFC 4949 [3]
  International Telecommunications Union Telecommunication Standardization Sector (ITU-T) approved security definitions [4]
Compatible Standards
  Identity Management
    ITU-T Focus Group
    Involvement of Major Industry organizations
    Simultaneous creation in ISO using same base documents
  CyberSecurity Standard
    ITU-T and ISO Liaison as editor
    Reducing duplication of effort
    Industry Specific
ISO Implementation Standards
  ISO/IEC 27000 Family of Standards
  ISO/IEC 27003 - Information security management system implementation guidance
  ISO/IEC 27033-2 - Network Security Design and Implementation
  ISO/IEC 27004 - ISM Measurements
  ISO/IEC 27034 - Guidelines for Application Security
ISO Support Standards
  ISO/IEC 27005 - Information Security Risk Management
  ISO/IEC 27007 - ISMS Auditor Guidelines
  ISO/IEC 27031 - ICT Readiness for Business Continuity
  ISO/IEC 27035 - Information Security Incident Management
Standard Relationships
Other Relationships
  Compliance Requirements
    Sarbanes Oxley (SOX)
    HIPAA
    PCI
  Extended Control Sets
What about Compliance?
  Which standard to use?
  Does this meet the requirements for regulations?
  What about conflicting standards?
  NIST FIPS 200
Extended Control Set (ECS)
  Additional Controls for standards and controls beyond ISO/IEC 27001
  Used with HIPAA, PCI, Sarbanes Oxley, etc.
  Used to create an Information Security Management System (ISMS) for all requirements
Example of Using ECS
On the Horizon (1)
  Critical Infrastructure
  Sector to Sector Communications
  Sector/Industry Specific Guidelines
  ITU-D Cyber Security for Emerging Countries
  Security for E-Government
On the Horizon (2)
  Forensics
    Digital Forensics Communication
  Incident Response and Management
    Responsible Vulnerability Disclosure
    Incident Response
  Home Network Security
    Anti-Spam, Malware protection
Summary
References
[1] http://www.pcmag.com/encyclopedia_term/0,2542,t=cyber security&i=40643,00.asp
[2] ITU-T, European Network and Information Security Agency (ENISA), Network and Information Security Steering Group (NISSG). ICT Security Standards Roadmap, version 2.2, 22 September 2007. <http://www.itu.int/itu-T/studygroups/com17/ict/index.html>.
[3] Internet Engineering Task Force. Internet Security Glossary, RFC 4949, August 2007. <http://www.ietf.org/rfc/rfc4949.txt>.
[4] ITU Telecommunication Standardization Sector. Security Compendium, Part 2: Approved ITU-T Security Definitions. <http://www.itu.int/dms_pub/itut/oth/0a/0d/t0a0d00000a0001mswe.doc>.