A General Overview of Information Security Senior advisor Mona Naomi Lintvedt 221008.

A General Overview of Information Security

Senior advisor Mona Naomi Lintvedt

221008

Agenda

• Why information security?

• Legal sources for information security

• OECD guidelines

• International standards

• Computer Emergency Response Team

• Norwegian National Security Authority

• NorCERT

• SERTIT

• International bodies

Why information security? (1)

• Security = Risk management

• Protecting information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction

• Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print or other forms

• Necessary for trust

• Privacy – protection of personal data

Why information security? (2)

• Confidentiality – Preventing disclosure of information to unauthorised individuals or systems

• Integrity – Correct and unaltered information: data cannot be modified without authorisation

• Availability – For any information system to serve its purpose, the information must be available when it is needed: the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must all be functioning correctly

• Authentication – Validate that both parties involved are who they claim to be, and ensure that the data, transactions, communications or documents (electronic or physical) are genuine.
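The integrity and authentication goals above can be made concrete with a message authentication code. The following is an added example written for this page, not code from the presentation: it uses HMAC-SHA256 from the Python standard library to detect both a modified message and a message produced by someone who does not hold the shared key. The message layout (a 32-byte tag followed by the payload) and the sample transfer message are assumptions made for the illustration; note that a MAC gives integrity and authentication of origin but no confidentiality, since the payload stays in the clear.

```python
"""Added example (not from the slides): integrity and origin check built
from HMAC-SHA256, standard library only.

Assumptions (illustrative, not from the presentation): the two parties
already share a secret key, and messages are carried as
<32-byte tag><payload>.
"""
import hashlib
import hmac
import secrets
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


def protect(key: bytes, payload: bytes) -> bytes:
    """Prepend an HMAC-SHA256 tag to the payload.

    Nobody without `key` can compute a valid tag, so a message that
    verifies is both unaltered (integrity) and from a key holder
    (authentication of origin). The payload itself is not encrypted,
    so this gives no confidentiality.
    """
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def verify(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the payload if its tag checks out, otherwise None.

    hmac.compare_digest compares in constant time, so a verifier does
    not leak how many tag bytes matched through its response time.
    """
    if len(blob) < TAG_LEN:
        return None
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def demo() -> dict:
    """Constructed scenario: an honest message plus the two failure modes
    a verifier must reject (tampering in transit, forgery without the key).
    """
    key = secrets.token_bytes(32)          # shared secret, assumed pre-distributed
    message = b"transfer 100 NOK to account 1234"  # constructed sample payload
    blob = protect(key, message)

    # Tampering: an attacker on the wire changes the amount. Same length,
    # different bytes, and the original tag no longer matches.
    tampered = bytearray(blob)
    tampered[TAG_LEN + 9:TAG_LEN + 12] = b"999"

    # Forgery: a party without the shared key builds a message with its
    # own key. The honest verifier's key rejects it.
    forged = protect(secrets.token_bytes(32), message)

    return {
        "honest": verify(key, blob) == message,
        "tampered_rejected": verify(key, bytes(tampered)) is None,
        "forged_rejected": verify(key, forged) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The same pattern underlies authenticated session tokens and signed configuration files: verification fails closed, and the key, not the algorithm, is what must stay secret.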

Some legal sources for information security

• OECD Guidelines for the Security of Information Systems and Networks - Towards a Culture of Security:

– a focus on security in the development of information systems and networks, and the adoption of new ways of thinking and behaving when using and interacting within information systems and networks

• OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

• European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR)

• EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data

• EU Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)

OECD Guidelines – nine principles (1)

• Awareness. Participants should be aware of the need for security of information systems and networks and what they can do to enhance security.

• Responsibility. Participants are responsible for the security of information systems and networks.

• Response. Participants should act in a timely and cooperative manner to prevent, detect, and respond to security incidents.

• Ethics. Participants should respect the legitimate interests of others and recognize that their action or inaction may harm others.

• Democracy. The security of information systems and networks should be compatible with essential values of a democratic society.

OECD Guidelines – nine principles (2)

• Risk Assessment. Participants should conduct risk assessments to identify threats and vulnerabilities to their information systems.

• Security Design and Implementation. Participants should incorporate security as an essential element of information systems and networks.

• Security Management. Participants should adopt a comprehensive approach to security management.

• Reassessment. Participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, measures, and practices.

International standards

• ISO/IEC 27002 Information technology - Security techniques - Code of practice for information security management – lists security control objectives and recommends a range of specific security controls

• ISO/IEC 27001 Information technology - Security techniques - Information security management systems - Requirements – covers all types of organizations (e.g. commercial enterprises, government agencies, not-for-profit organizations)

– specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System

– designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties

– adopting the "Plan-Do-Check-Act" (PDCA) model

Computer Emergency Response Team

• Almost everything in both the public and private sectors depends on Internet access today.

• The number of vulnerabilities in these sectors has therefore increased considerably in recent years.

• Well-organised ICT attacks intended to disable, damage or exploit computerised functions in society may harm a country's vital infrastructure.

• CERT (Computer Emergency Response Team)

• 187 CERT-groups from 37 countries

• One Norwegian group: NorCERT (Norwegian CERT), a department of the Norwegian National Security Authority

Norwegian National Security Authority

• Established 1 Jan 2003 as a directorate (NSM)

• Reports to the Minister of Defence (military sector) and the Minister of Justice (civil sector)

– Cross-sectoral professional and supervisory authority within the protective security services in Norway

– Security Act, Defence Secrets Act, Defence Inventions Act, Protective Security Services Act

• The purpose of protective security is to counter threats to the independence and security of the realm and other vital national security interests, primarily espionage, sabotage or acts of terrorism.

• Protective security measures shall not be more intrusive than strictly necessary, and shall serve to promote a robust and safe society.

NorCERT

• Norwegian Computer Emergency Response Team

– Formally established 1 January 2006

• NorCERT is an operational department in NSM consisting of two integrated sections:

– VDI: The Norwegian Alert and Early Warning System for Digital Infrastructure – identifying, classifying and issuing warnings about IT attacks against Norway.

– Incident Handling: Norway's national centre coordinating the handling of attacks against vital Norwegian ICT security.

• Together both sections operate the Operation Centre, where they maintain an up-to-date view of the ICT threat assessment.

– Available 24/7

– Approximately 20 IT-security specialists

NorCERT’s tasks

• Coordinating responses to serious IT security breaches against vital infrastructure and information

• Gathering information related to serious incidents that threaten IT security

• Coordinating early patching of serious vulnerabilities in vital computer systems in our society

• Sharing information with other response teams regarding new threats

• Having an up-to-date view of IT related threats

• Assisting other response teams and aiding national readiness measures

• Being Norway’s point of contact for similar organizations abroad

SERTIT

• The public Certification Authority for IT Security in Norway

• Primary tasks:

– Issue Certificates and Certification Reports

– Formulation of the framework, and making sure that the rules are followed by all the parties involved

– Representing Norway as a member of the international Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security (CCRA)

• Companies that want to join the Certification Scheme as an IT Security Evaluation Facility (ITSEF) have to be approved by SERTIT

• The purpose of the Certification Scheme is to meet the need of the authorities and of industry for a cost-effective and efficient security evaluation and certification of IT-products and systems.

• Responsible for approving IT Security Evaluation Facilities (ITSEF) who carry out evaluations in accordance with more detailed Scheme criteria

• The Norwegian Certification Scheme Sd001E

International Organisations - cooperation

• European Government CERT Group (EGC)

• Forum of Incident Response and Security Teams (FIRST)

• International Watch and Warning Network (IWWN)

• NATO Computer Incident Response Capability (NATO CIRC)

• European Network and Information Security Agency (ENISA)