Wed 1330 Bartol

ACSAC Conference December, 2010 ISO Cyber Security and ICT SCRM Standards


Transcript of Wed 1330 Bartol

  • ACSAC Conference

    December, 2010

    ISO Cyber Security and ICT SCRM Standards

  • Slide 1: Agenda

    Cyber Security Standards and ICT SCRM Standards Landscape

    ISO Cyber Security Standards Portfolio

    ICT SCRM and Software Supply Chain Standards

  • Slide 2: The Landscape

  • Slide 3: Within the ISO structure, ISO/IEC JTC1 SC27 focuses on cyber security

    ISO/IEC Joint Technical Committee 1 (Information Technology)

    Subcommittee 27 (SC27) (IT Security Techniques)

    Working Group 1: Information Security Management Systems

    Working Group 2: Cryptography and Security Mechanisms

    Working Group 3: Security Evaluation Criteria

    Working Group 4: Security Controls and Services

    Working Group 5: Identity Management and Privacy Technologies

  • Slide 4: Within the US, CS1 (the INCITS technical committee that mirrors SC27) focuses on cyber security, while the SC7 TAG works on systems and software engineering

  • Slide 5: ISO/IEC Information Security Management System (ISMS) Family of Standards (WG1), arranged in the original diagram by Terminology, Requirements and Guidelines

    Terminology: ISO/IEC 27000 Overview and Vocabulary

    Requirements: ISO/IEC 27001 ISMS Requirements; ISO/IEC 27006 Audit & Certification Requirements

    Guidelines: ISO/IEC 27002 Code of Practice; ISO/IEC 27003 ISMS Guidelines; ISO/IEC 27004 Measurement; ISO/IEC 27005 Risk Management; ISO/IEC 27007 Audit Guidelines; ISO/IEC 27008 Guidance for auditors on ISMS controls; ISO/IEC 2700X (concept) Sector-Specific Guidelines

    Governance (WG1)

    Implementation (WG4): ISO/IEC 27033 Network Security; ISO/IEC 27034 Application Security; ISO/IEC 27036 Supplier Relationships

    Security Engineering (WG3): ISO/IEC 15408 Common Criteria; ISO/IEC 21913 Secure System Engineering Principles and Techniques; Tamper Protection Study Period; ISO/IEC 20004 Secure software development and evaluation under ISO/IEC 15408 and ISO/IEC 18045 (the Common Criteria evaluation methodology)

  • Slide 6: ISO/IEC JTC1 SC7, System and Software Engineering: Relationship of Key Life Cycle Process Standards

    Common vocabulary, process architecture, and process description conventions

    24748: Guide to Life Cycle Management

    Revised 15288: Life cycle processes for systems

    Revised 12207: Life cycle processes for software

    15026: Additional practices for higher assurance systems; Assurance Case

    Other standards providing details of selected system processes; other standards providing details of selected software processes (Interoperation)

    Revised 15939: Measurement

    Revised 16085: Risk Management

    Revised 16326: Project Management

    Revised 15289: Documentation

    Source: J. Moore, SC7 Liaison Report, IEEE Software and Systems Engineering Standards Committee, Executive Committee Winter Plenary Meeting, February 2007.

  • Slide 7: SC22 Programming Languages, ISO/IEC TR 24772, Programming Language Vulnerabilities

    Targets building software that is inherently less vulnerable by improving the programming languages or, at least, improving how they are used in coding

    A catalog of 60+ issues that arise in coding when using any language, and how those issues may lead to security and safety vulnerabilities

    Cross-referenced to CWE

    Each discussion includes:

    Description of the mechanism of failure

    Recommendations for programmers: how to avoid or mitigate the problem

    Recommendations for standardizers: how to improve programming language specifications

    First edition will be published in 2010

    Second edition will add annexes specific to particular programming languages

    Courtesy of Jim Moore, MITRE
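    As an added illustration (not from the slides and not text from TR 24772 itself) of the kind of language-independent weakness the TR catalogs, the C block below takes unchecked array indexing, whose CWE counterpart is CWE-129 (Improper Validation of Array Index), and shows the mechanism of failure the TR describes alongside the programmer-side mitigation: a lookup with no bound check, an upper-bound-only check that a negative index slips through because the index is signed, and a check against both bounds derived from the array's declared size. The lookup table, the function names and the probe indices are constructed for the demo.

```c
/* Added example, not from the slides or from ISO/IEC TR 24772: unchecked
 * array indexing (cf. CWE-129) and its mitigation. The table and the
 * indices exercised in main() are constructed for the demo. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN 8   /* plain int constant on purpose; see accepts_upper_only() */
static const uint32_t table[TABLE_LEN] = {10, 20, 30, 40, 50, 60, 70, 80};

/* Mechanism of failure 1: the index is trusted as received. Any value
 * outside 0..TABLE_LEN-1 reads beyond the array, which C leaves undefined
 * (in practice an information leak or a crash). Only call with a valid idx. */
uint32_t lookup_unchecked(int idx)
{
    return table[idx];
}

/* Mechanism of failure 2: a check that looks right but guards only the
 * upper bound. idx is signed, so -1 < 8 is true and a negative index is
 * accepted; table[-1] would then read memory in front of the array.
 * Written as a predicate so the defect is observable without the read. */
bool accepts_upper_only(int idx)
{
    return idx < TABLE_LEN;
}

/* Mitigation along the lines of the TR's programmer recommendations:
 * validate against both bounds, take the bound from the array itself rather
 * than a separate constant that can drift, and only compare in the unsigned
 * domain once the sign has been checked. */
bool accepts_bounded(long idx)
{
    return idx >= 0 && (size_t)idx < sizeof table / sizeof table[0];
}

/* Safe lookup: signals failure out of band instead of returning garbage. */
int lookup_checked(long idx, uint32_t *out)
{
    if (!accepts_bounded(idx))
        return -1;
    *out = table[idx];
    return 0;
}

int main(void)
{
    /* Constructed probes: two valid indices, one past the end, one negative. */
    const long probes[] = {0, 7, 8, -1};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint32_t v = 0;
        printf("idx %ld: upper-only check %s, bounded check %s, lookup_checked -> %s\n",
               probes[i],
               accepts_upper_only((int)probes[i]) ? "accepts" : "rejects",
               accepts_bounded(probes[i]) ? "accepts" : "rejects",
               lookup_checked(probes[i], &v) == 0 ? "value" : "error");
    }
    return 0;
}
```

    The point the TR makes for this class is visible in the second function: the bound check is present, the code compiles without warnings, and the defect is a property of the language's integer conversion rules rather than of the programmer's intent. The third function is the shape the TR's recommendations push towards, and the language-specific annexes planned for the second edition are where the C-specific rules (signedness, sizeof on arrays versus pointers) would be spelled out.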

  • Slide 8: Over the past 2 years one of the focus areas for the US has been ICT SCRM standards

    The ICT SCRM Ad Hoc Group was established in February 2009

    Joint group between CS1 and the SC7 TAG

    Substantial industry and government participation

    Contributed ICT SCRM-related content to several new and under-revision standards (ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27036)

    Developed a consensus-based US National Body (USNB) proposal for an ICT Supply Chain Assurance Standard and presented it at the SC27 meeting in November 2009

    Based on the US proposal, a Study Period was established to explore the need to develop an ICT Supply Chain Security Standard

    The following slides tell the story of what happened at the conclusion of the study period

  • Slide 9: The Study Period was active for a year, with the report briefed out in October 2010 at the SC27 meeting in Berlin

    Inputs:

    ICT Supply Chain Study Period Report

    National Body contributions from Japan and the UK

    ISF proposal for a joint standard to address information security in third-party relationships

    US goals:

    The US had a strong going-in position that a standard is needed

  • Slide 10: When we arrived

    Four sets of meetings were scheduled to discuss:

    ISF proposal

    ICT Supply Chain Security Study Period results

    ISO/IEC 27036, Guidelines for Security of Outsourcing, 3rd WD review

    Cloud Computing Security proposal

    We worked with SC27 leadership and delegates to sequence these meetings to ensure logical flow and to allow for attendance by all interested parties:

    Tuesday Afternoon: ICT SCRM Study Period

    Wednesday: ICT SCRM Study Period

    Thursday: ISO/IEC 27036; ICT SCRM Study Period

  • Slide 11: Attendance at these meetings and discussion by delegates exceeded expectations

    Heads of Delegation / Experts from the following National Bodies:

    Belgium

    Canada

    France

    Japan

    Korea

    Luxembourg

    Malaysia

    Russia

    Singapore

    South Africa

    Sweden

    Switzerland

    United Kingdom

    United States of America

    Liaison Officers

    ISF

    ISACA

  • Slide 12: Results exceeded expectations too; the group decided that:

    The current ISO/IEC 27036 was too narrow, and a broader standard was needed to address all concerns related to ensuring information security in supplier relationships

    The ISF proposal and the results of the ICT Supply Chain Security Study Period provided good material for restructuring and expanding ISO/IEC 27036

    The ICT SCRM Study Period should be closed

    ISO/IEC 27036 should be restructured into a 4-part standard with the new title: Information technology - Security techniques - Information security for supplier relationships

    Part 1: Overview and Concepts (ISF proposal, 27036), to introduce the topic

    Part 2: Common Requirements (ISF proposal, 27036), to provide requirements that acquirers can use in contracts

    Part 3: Guidelines for ICT Supply Chain (study period outcomes), to address ICT SCRM specifically

    Part 4: Guidelines for Outsourcing (placeholder for the current text; remains at WD3 to determine the future course of action)

  • Slide 13: Expanded ISO/IEC 27036 scope

    This International Standard covers information security in relationships between acquirers and suppliers to provide appropriate information security management for all parties. In particular, it also includes management of information security risks related to these relationships.

    This International Standard applies to all types of organisations (e.g., commercial enterprises, public sector organisations, not-for-profit organisations, and partnerships). It specifies the information security requirements and guidance associated with managing a supplier relationship (e.g., identifying and categorizing suppliers; agreeing, monitoring, validating, and changing supplier arrangements; and exiting).

    This International Standard covers all types of supplier relationships, including outsourcing, product and service acquisition, and cloud computing. The intent of this standard is that supplier relationships cover ICT and other types of supplier relationships (e.g., power supply, human resources, facilities management) that have information security implications.

  • Slide 14: The expanded standard will make many connections with existing standards to ensure that they are referenced appropriately

    Relevant standards to be considered:

    Management Systems: ISO/IEC 27000 family; ISO 28000, Supply Chain Security Management; ISO/IEC 20000, IT Service Management

    Risk Management: ISO 31000, ISO/IEC 27005, and ISO/IEC 16085

    Lifecycle processes and practices, software acquisition, and software assurance: ISO/IEC/IEEE 15288 (systems), ISO/IEC/IEEE 12207 (software), IEEE 1062 (software acquisition), ISO/IEC 15026 (software assurance)

    ISO TMB NWIP on Outsourcing

    Proposed liaisons with other standards bodies:

    Information Security Forum (ISF)

    ISO/IEC JTC1 SC7 Systems and Software Engineering

    ISO PC246 Anti-Counterfeiting Tools

    ISO TC247 Fraud Countermeasures and Controls

    ISO TC8 Ships and Marine Technology (home of ISO 28000)

    ISO TC223 Societal Security (home of resiliency standards)

  • Slide 15: What's next?

    Preliminary drafts of ISO/IEC 27036 Parts 1, 2, and 3 are due to the SC27 Secretariat no later than December 18

    ISO/IEC 27036 editors will restructure the existing text into new Parts 1 and 2

    The ISO/IEC 27036 Part 3 editor will create an outline and preliminary draft based on the ICT SCRM Study Period outputs

    Preliminary drafts will be distributed to the National Bodies for comment, then reviewed and revised at the Spring 2011 meeting

    CS1 will review all drafts and comment back to SC27

    Then we go to the next meeting, review, revise, and repeat until we are done within the required timeframe of 3-5 years

  • Slide 16: Nadya Bartol, Senior Associate

    Booz Allen Hamilton Inc.

    One Preserve Parkway

    Rockville, MD 20852

    Tel (301) 922-9537

    [email protected]