ACSAC Conference
December, 2010
ISO Cyber Security and ICT SCRM Standards
Agenda
Cyber Security Standards and ICT SCRM Standards Landscape
ISO Cyber Security Standards Portfolio
ICT SCRM and Software Supply Chain Standards
The Landscape
Within the ISO structure, ISO/IEC JTC1 SC27 focuses on cyber security
ISO/IEC Joint Technical Committee 1 (Information Technology)
  Subcommittee 27 (SC27) (IT Security Techniques)
    Working Group 1: Information Security Management Systems
    Working Group 2: Cryptography and Security Mechanisms
    Working Group 3: Security Evaluation Criteria
    Working Group 4: Security Controls and Services
    Working Group 5: Identity Management and Privacy Technologies
Within the US, CS1 focuses on cyber security, while the SC7 TAG works in systems and software engineering
ISO/IEC Information Security Management System (ISMS) Family of Standards (WG1)
Governance (WG1)
  Terminology:
    ISO/IEC 27000 Overview and Vocabulary
  Requirements:
    ISO/IEC 27001 ISMS Requirements
    ISO/IEC 27006 Audit & Certification Requirements
  Guidelines:
    ISO/IEC 27002 Code of Practice
    ISO/IEC 27003 ISMS Guidelines
    ISO/IEC 27004 Measurement
    ISO/IEC 27005 Risk Management
    ISO/IEC 27007 Audit Guidelines
    ISO/IEC 27008 Guidance for auditors on ISMS controls
    ISO/IEC 2700X (concept) Sector-Specific Guidelines
Implementation (WG4)
  ISO/IEC 27034 Application Security
  ISO/IEC 27036 Supplier Relationships
  ISO/IEC 27033 Network Security
Security Engineering (WG3)
  ISO/IEC 15408 Common Criteria
  ISO/IEC 21913 Secure System Engineering Principles and Techniques
  Tamper Protection Study Period
  ISO/IEC 20004 Secure software development and evaluation under ISO/IEC 15408 and ISO/IEC 18405
ISO/IEC JTC1 SC7, Systems and Software Engineering: Relationship of Key Life Cycle Process Standards
  24748: Guide to Life Cycle Management
  Revised 15288: Life cycle processes for systems
  Revised 12207: Life cycle processes for software
  Common vocabulary, process architecture, and process description conventions; interoperation between the system and software processes
  15026: Additional practices for higher assurance systems (Assurance Case)
  Other standards providing details of selected system processes
  Other standards providing details of selected software processes
  Revised 15939: Measurement
  Revised 16085: Risk Management
  Revised 16326: Project Management
  Revised 15289: Documentation
Source: J. Moore, SC7 Liaison Report, IEEE Software and Systems Engineering Standards Committee, Executive Committee Winter Plenary Meeting, February 2007.
SC22 Programming Languages: ISO/IEC TR 24772, Programming Language Vulnerabilities
  Targets building software that is inherently less vulnerable by improving the programming languages or, at least, by improving how they are used in coding
  A catalog of 60+ issues that arise in coding when using any language, and how those issues may lead to security and safety vulnerabilities
  Cross-referenced to CWE
  Each discussion includes:
    Description of the mechanism of failure
    Recommendations for programmers: how to avoid or mitigate the problem
    Recommendations for standardizers: how to improve programming language specifications
  First edition will be published in 2010
  Second edition will add annexes specific to particular programming languages
Courtesy of Jim Moore, MITRE
Over the past 2 years, one of the focus areas for the US has been ICT SCRM standards
  ICT SCRM Ad Hoc Group was established in February 2009
    Joint group between CS1 and SC7 TAG
    Substantial industry and government participation
  Contributed ICT SCRM-related content to several new and under-revision standards (ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27036)
  Developed a consensus-based USNB proposal for an ICT Supply Chain Assurance Standard and presented it at the SC27 meeting in November 2009
  Based on the US proposal, a Study Period was established to explore the need to develop an ICT Supply Chain Security Standard
The following slides tell the story of what happened at the conclusion of the study period
The Study Period was active for a year, with the report briefed out in October 2010 at the SC27 meeting in Berlin
Inputs
  ICT Supply Chain Study Period Report
  National Body contributions from Japan and the UK
  ISF proposal for a joint standard to address information security in third-party relationships
US Goals
  The US had a strong going-in position that a standard is needed
When we arrived
Four sets of meetings were scheduled to discuss:
  ISF proposal
  ICT Supply Chain Security Study Period results
  ISO/IEC 27036, Guidelines for Security of Outsourcing, 3rd WD review
  Cloud Computing Security proposal
We worked with SC27 leadership and delegates to sequence these meetings to ensure a logical flow and to allow for attendance by all interested parties
Meeting schedule:
  Tuesday afternoon: ICT SCRM Study Period
  Wednesday: ICT SCRM Study Period
  Thursday: ISO/IEC 27036; ICT SCRM Study Period
Attendance of these meetings and discussion by delegates exceeded expectations
Heads of Delegation / Experts from the following National Bodies:
Belgium
Canada
France
Japan
Korea
Luxembourg
Malaysia
Russia
Singapore
South Africa
Sweden
Switzerland
United Kingdom
United States of America
Liaison Officers
ISF
ISACA
Results exceeded expectations too; the group decided that:
  Current ISO/IEC 27036 was too narrow, and a broader standard was needed to address all concerns related to ensuring information security in supplier relationships
  The ISF proposal and the results of the ICT Supply Chain Security Study Period provided good material for restructuring and expanding ISO/IEC 27036
  The ICT SCRM Study Period should be closed
  ISO/IEC 27036 should be restructured into a 4-part standard with the following new title: Information technology - Security techniques - Information Security for Supplier Relationships
    Part 1: Overview and Concepts (ISF proposal, 27036), to introduce the topic
    Part 2: Common Requirements (ISF proposal, 27036), to provide requirements that acquirers can use in contracts
    Part 3: Guidelines for ICT Supply Chain (study period outcomes), to address ICT SCRM specifically
    Part 4: Guidelines for Outsourcing (placeholder for the current text; remains at WD3 to determine the future course of action)
Expanded ISO/IEC 27036 scope
This International Standard covers information security in relationships between acquirers and suppliers to provide appropriate information security management for all parties. In particular, it also includes management of information security risks related to these relationships.
This International Standard applies to all types of organisations (e.g., commercial enterprises, public sector organisations, not-for-profit organisations, and partnerships). It specifies the information security requirements and guidance associated with managing a supplier relationship (e.g., identifying and categorizing suppliers; agreeing, monitoring, validating, and changing supplier arrangements; and exiting).
This International Standard covers all types of supplier relationships, including outsourcing, product and service acquisition, and cloud computing. The intent of this standard is that supplier relationships cover ICT and other types of supplier relationships (e.g., power supply, human resources, facilities management) that have information security implications.
The expanded standard will make many connections with existing standards to ensure that they are referenced appropriately
Relevant standards to be considered
  Management Systems: ISO/IEC 27000 family; ISO 28000, Supply Chain Resiliency; ISO/IEC 20000, IT Service Management
  Risk Management: ISO 31000, ISO/IEC 27005, and ISO/IEC 16085
  Lifecycle Processes and Practices, software acquisition, and software assurance: ISO/IEC/IEEE 15288 (systems), ISO/IEC/IEEE 12207 (software), IEEE 1062 (software acquisition), ISO/IEC 15026 (software assurance)
  ISO TMB NWIP on Outsourcing
Proposed liaisons with other standards bodies
  Information Security Forum (ISF)
  ISO/IEC JTC1 SC7 Systems and Software Engineering
  ISO PC246 Anti-Counterfeiting Tools
  ISO TC247 Fraud Countermeasures and Controls
  ISO TC8 Ships and Marine Technology (home of ISO 28000)
  ISO TC223 Societal Security (home of resiliency standards)
What's next?
  Preliminary drafts of ISO/IEC 27036 Parts 1, 2, and 3 are due to the SC27 Secretariat no later than December 18
    ISO/IEC 27036 editors will restructure the existing text into new Parts 1 and 2
    The ISO/IEC 27036 Part 3 editor will create an outline and preliminary draft based on the ICT SCRM Study Period outputs
  Preliminary drafts will be distributed to the National Bodies for comment, then reviewed and revised at the Spring 2010 meeting
  CS1 will review all drafts and comment back to SC27
  And then we will go to the next meeting, review, revise, and repeat until we are done within the required timeframe of 3-5 years
Nadya Bartol, Senior Associate
Booz Allen Hamilton Inc.
One Preserve Parkway
Rockville, MD 20852
Tel (301) 922-9537