Safeguards Frameworks and Controls. Security Functions Parker, D. B. (1984). The Many Faces of Data Vulnerability. IEEE Spectrum, 21(5), 46-49.



Safeguards Frameworks and Controls
Theory of Secure Information Systems Features: Safeguards and Controls
Richard Baskerville

[Diagram: elements T1 ... Tn, F1 ... Fl, O1 ... Om, summarised as T, F, O]

Security Functions
Parker, D. B. (1984). The Many Faces of Data Vulnerability. IEEE Spectrum, 21(5), 46-49.
- Loss avoidance
- Deterrence
- Loss prevention
- Loss detection
- Recovery
- Vulnerability correction

Basic Attributes of Security
Baskerville, R., & Sainsbury, R. (2005, 11-12 July). Securing Against the Possibility of an Improbable Event: Concepts for Managing Predictable Threats and Normal Compromises. Paper presented at the European Conference on Information Warfare and Security, Glamorgan University, UK.
- PREVENTATIVE: eliminate serious threats, prevent attacks, limit intrusion scope, e.g. antivirus, encryption, firewalls, passwords and biometric ID systems.
- RESTORATIVE: respond quickly or actively to unprotected security problems, restoration of system after attack, e.g. data backups, drive images, mirrored servers, extra staff.

Information Security Standards
- ISO/IEC 27001
- ISO/IEC 27002 (17799)
- CobIT
- ITIL
- PCI
- NIST
- Common Criteria
- ISO/IEC 27000 Library of Standards

Guidance and Standards: Examples
- Quality Standards: ISO/IEC 27001
- Technical Standards: ISO/IEC 27002
- Professional Standards: COBIT (Control Objectives for IT), a generally applicable and accepted standard for good information technology security and control practices in organizations.
- Industry Practices and Standards: ITIL (IT Infrastructure Library); Payment Card Industry (PCI) Standard; NIST 800-12 Computer Security Handbook
- Qualification Criteria: ITSEC, TCSEC, Common Criteria

Quality Standards Example: ISO/IEC 27001

ISO/IEC 27001
This standard has evolved toward the development of management systems for information security and provides a stronger basis for third-party audit and certification. It offers a managerially-oriented complement to the technologically-oriented standards.

Structure of the Information Security Management System (ISMS), ISO 27001
- Leadership: top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities.
- Planning: outlines the process to identify, analyze and plan to treat information security risks, and to clarify the objectives of information security.
- Support: adequate, competent resources must be assigned, awareness raised, documentation prepared and controlled.
- Operation: a bit more detail about assessing and treating information security risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors).
- Performance evaluation: monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system in order to make systematic improvements where appropriate.
- Improvement: address the findings of audits and reviews (e.g. nonconformities and corrective actions), and make continual refinements to the ISMS.

Technical Standards: ISO/IEC 27002:2005

ISO/IEC 27002 Overview of Controls
- Security Policy
- Organization of Information Security
- Human Resources Security
- Asset Management
- Access Control
- Cryptography
- Physical and Environmental Security
- Operations Security
- Communications Security
- Information Systems Acquisition, Development, Maintenance
- Supplier Relationships
- Information Security Incident Management
- Information Security Aspects of Business Continuity
- Compliance

Specimen control objectives from ISO/IEC 27002:2013

Information Security Policies
- Provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

Organization of Information Security
- Establish a management framework to initiate and control the implementation and operation of information security within the organization.
- Ensure the security of teleworking and use of mobile devices.

Human Resource Security
- Ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
- Ensure that employees and contractors are aware of and fulfil their information security responsibilities.
- Protect the organization's interests as part of the process of changing or terminating employment.

Asset Management
- Identify organizational assets and define appropriate protection responsibilities.
- Ensure that information receives an appropriate level of protection in accordance with its importance to the organization.
- Prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

Access Control
- Limit access to information and information processing facilities.
- Ensure authorized user access and prevent unauthorized access to systems and services.
- Make users accountable for safeguarding their authentication information.
- Prevent unauthorized access to systems and applications.

Cryptography
- Ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

Physical and Environmental Security
- Prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.
- Prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.

Operations Security
- Ensure correct and secure operations of information processing facilities.
- Ensure that information and information processing facilities are protected against malware.
- Protect against loss of data.
- Record events and generate evidence.
- Ensure the integrity of operational systems.
- Prevent exploitation of technical vulnerabilities.
- Minimise the impact of audit activities on operational systems.

Communications Security
- Ensure the protection of information in networks and its supporting information processing facilities.
- Maintain the security of information transferred within an organization and with any external entity.

System Acquisition, Development and Maintenance
- Ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.
- Ensure that information security is designed and implemented within the development lifecycle of information systems.
- Ensure the protection of data used for testing.

Supplier Relations
- Ensure protection of the organization's assets that are accessible by suppliers.
- Maintain an agreed level of information security and service delivery in line with supplier agreements.

Information Security Incident Management
- Ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

Information Security Aspects of Business Continuity Management
- Information security continuity should be embedded in the organization's business continuity management systems.
- Ensure availability of information processing facilities.

Compliance
- Avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
- Ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

Essential Safeguards

Industry Practices & Standards Examples: ITIL, PCI, NIST 800

ITIL: IT Infrastructure Library
- Best practices and guidelines for managing information technology services
- Integrated, process-based approach
- Originated as a 1980s UK government drive
- Focus on quality, efficient, cost-effective delivery of IT services

Major ITIL Volumes (ITIL Structure)
- Software asset management
- Service support
- Service delivery
- Planning to implement service management
- ICT infrastructure management
- Application management
- Security management
- The business perspective

Security Management Products
- Policies
- Processes
- Procedures
- Work instructions

ITIL Security Requirements (adapted from Weil, Steven (2004), "How ITIL Can Improve Information Security", Security Focus, http://www.securityfocus.com/infocus/1815)
[Diagram labels: Customer; IT Service Org.; Negotiate & Define SLA; SLA; Negotiate & Define OLA; Implement OLA; Monitor; Initial Security Effort: Risk Analysis, Minimum Security Baseline, Security Requirements, Feasibility Analysis, Modify, Report]

Payment Card Industry Data Security Standard

Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect data
- Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
- Protect stored data
- Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications

Implement Strong Access Control Measures
- Restrict access to data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data

Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes

Maintain an Information Security Policy
- Maintain a policy that addresses information security

NIST Computer Security Handbook, Special Publication 800-12
NIST Computer Security Division, http://csrc.nist.gov/publications/nistpubs/
- SP 800-12 An Introduction to Computer Security: The NIST Handbook, October 1995
- SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996
- SP 800-18 Guide for Developing Security Plans for Information Technology Systems, December 1998
- SP 800-26 Security Self-Assessment Guide for Information Technology Systems, November 2001
- SP 800-30 Risk Management Guide for Information Technology Systems, July 2002
- SP 800-33 Underlying Technical Models for Information Technology Security, December 2001
- SP 800-34 Contingency Planning Guide for Information Technology Systems, June 2002
- SP 800-55 Security Metrics Guide for Information Technology Systems, July 2003
- SP 800-65 Integrating Security into the Capital Planning and Investment Control Process, January 2005

NIST SP 800-14 Reference Model: OECD's Guidelines for the Security of Information Systems
- Accountability: the responsibilities and accountability of owners, providers and users of information systems and other parties... should be explicit.
- Awareness: owners, providers, users and other parties should readily be able, consistent with maintaining security, to gain appropriate knowledge of and be informed about the existence and general extent of measures... for the security of information systems.
- Ethics: the information systems and the security of information systems should be provided and used in such a manner that the rights and legitimate interest of others are respected.
- Multidisciplinary: measures, practices and procedures for the security of information systems should take account of and address all relevant considerations and viewpoints...
- Proportionality: security levels, costs, measures, practices and procedures should be appropriate and proportionate to the value of and degree of reliance on the information systems and to the severity, probability and extent of potential harm...
- Integration: measures, practices and procedures for the security of information systems should be coordinated and integrated with each other and other measures, practices and procedures of the organization so as to create a coherent system of security.
- Timeliness: public and private parties, at both national and international levels, should act in a timely coordinated manner to prevent and to respond to breaches of security of information systems.
- Reassessment: the security of information systems should be reassessed periodically, as information systems and the requirements for their security vary over time.
- Democracy: the security of information systems should be compatible with the legitimate use and flow of data and information in a democratic society.

Qualification Criteria Example: Common Criteria

Common Criteria (ISO/IEC 15408)
"The CC philosophy is to provide assurance based upon an evaluation (active investigation) of the IT product or system that is to be trusted. Evaluation has been the traditional means of providing assurance and is the basis for prior evaluation criteria documents. In aligning the existing approaches, the CC adopts the same philosophy. The CC proposes measuring the validity of the documentation and of the resulting IT product or system by expert evaluators with increasing emphasis on scope, depth, and rigor." (Common Criteria v 2.1, Part 3, p. 2)

Common Criteria Participants
- Canada: Communications Security Establishment
- France: Service Central de la Sécurité des Systèmes d'information
- Germany: Bundesamt für Sicherheit in der Informationstechnik
- Netherlands: Netherlands National Communications Security Agency
- United Kingdom: Communications-Electronics Security Group
- United States: National Institute of Standards and Technology
- United States: National Security Agency

[Diagram: Common Criteria Context Model]

[Diagram: Common Criteria Goal Model]

[Diagram: Common Criteria Structure]

Safeguards Frameworks and Controls
Richard Baskerville