Information Security Standards
Gary Gaskell © 2001
Gary Gaskell, 3 May 2001

Contents
- Overview of security standards
- Types of standards
- List of standards
- Quick insight into each standard
- Conclusions

Types of Standards
- Risk based
- Management
- Technical
- Lightweight
- Thorough
- System-wide focus
- Product focus
- Assurance based
- Prescriptive controls
- Checklists

Security Standards - Pick One!
- AS/NZS 4444 (BS 7799, ISO 17799)
- US TCSEC (Rainbow series)
- ITSEC (Europe)
- Common Criteria (ISO 15408)
- IETF Site Security Handbook (RFC 2196)
- Vendor handbooks and checklists
- B.S.I.
- SANS
- Website certification services
- SAS-70

AS/NZS 4444
Information Security Management Standard
- Part 1 - 1999
- Part 2 - 2000
- JANZAS
- Based on BS7799
- BS7799 based on industry - Shell Oil etc.

AS 4444
- Good internal security management
- Information Security Management System
- Explicit target - trusted interconnection
- Catalogue of controls
- Recommended baselines
- Risk based assessments

AS4444 Controls
- Security policy
- Security organisation
- Asset classification and control
- Personnel security
- Physical and environmental security
- Communications and operations management
- Access control
- Systems development and maintenance
- Business continuity management
- Compliance

TCSEC
Trusted Computer Security Evaluation Criteria - 1983
- US Government specification
- “Orange book” and “Rainbow series”
- Origin of C2, B1, B3 etc.
- Functionality & assurance tightly coupled
- Superseded but still in use

ITSEC
Information Technology Security Evaluation Criteria - 1991
- UK, France, Germany & The Netherlands
- Used by Australia
- System and product use
- http://www.dsd.gov.au/infosec/aisep/EPL/prod.html
- Superseded but still in use

Common Criteria
Common Criteria for Information Technology Security Evaluation - 1999
- ISO 15408 (CC v2.1)
- Merge of TCSEC & ITSEC
- Emerging standard
- Assurance level separate from functionality level
- Mutual recognition agreement - 13 countries

RFC 2196
- IETF Site Security Handbook
- Developed by CERT/CC of CMU
- Response oriented
- Good practical advice
- Explicit about system hardening and patch installation

Vendor Checklists
- SGI
- Compaq/Digital
- Sun Microsystems (Blueprints)
- AIX (Redbooks)
- Microsoft
- Apache
- Oracle

Vendor Checklists - Continued
- Explicit and specific
- Good for specification in designs or outsourcing
- “How to” oriented
- Sometimes too light

Third Party Vendor Checklists
- AusCERT/CERT Unix security checklist
- Windows NT 4 NSA/Trusted Systems checklist (http://www.trustedsystems.com)
- Windows 2000 security checklist (http://www.systemexperts.com)
- Books - e.g. Practical Unix and Internet Security - Spafford & Garfinkel

BSI
Bundesamt fuer Sicherheit in der Informationstechnik
http://www.bsi.de/gshb/english/etc/inhalt.htm
- IT Baseline Protection Manual
- More practical than other government attempts

SANS
System and Network Security
http://www.sans.org
- Advice on policy and controls
- Training (& certification?)
- Checklists
- Vulnerability service

Website Certification Programs
- TruSecure (ICSA/TruSecure)
- WebTrust
- beTRUSTed (PwC)
- SysTrust (AICPA)
- Others?

SAS-70
- Statement on Auditing Standards
- American Institute of Certified Public Accountants
- Formal audit standard - background of financial audits
- Two levels:
  - Type I - inspection of key areas
  - Type II - testing of effectiveness of controls

Miscellaneous
- IS 18 - Qld Government
- VISA - security for merchant sites
- NIST - FIPS 102
- US - HIPAA
- OECD - Guidelines for the Security of Information Systems
- ISO 13335 - Guidelines for the Management of IT Security

Miscellaneous - continued
- System Security Engineering Capability Maturity Model (SSE-CMM) - International Systems Security Engineering Association (ISSEA)
- CoBIT - “IT Governance” - AICPA

Conclusions
- Great choice of standards
- None are a full solution