1 Information Security Standards Gary Gaskell © 2001.

Presentation transcript:

1 Information Security Standards Gary Gaskell © 2001

Gary Gaskell, 3 May

Contents
- Overview of security standards
- Types of standards
- List of standards
- Quick insight into each standard
- Conclusions

Types of Standards
- Risk based
- Management
- Technical
- Lightweight
- Thorough
- System-wide focus
- Product focus
- Assurance based
- Prescriptive controls
- Checklists

Security Standards - Pick One!
- AS/NZS 4444 (BS 7799, ISO 17799)
- US TCSEC (Rainbow series)
- ITSEC (Europe)
- Common Criteria (ISO 15408)
- IETF Site Security Handbook (RFC 2196)
- Vendor handbooks and checklists, B.S.I., SANS
- Website certification services
- SAS-70

AS/NZS 4444
- Information Security Management Standard
- Part
- Part
- JANZAS
- Based on BS7799
- BS7799 based on industry practice - Shell Oil etc.

AS 4444
- Good internal security management
- Information Security Management System
- Explicit target - trusted interconnection
- Catalogue of controls
- Recommended baselines
- Risk based assessments

AS4444 Controls
- Security policy
- Asset classification and control
- Physical and environmental security
- Access control
- Business continuity management
- Security organisation
- Personnel security
- Communications and operations management
- Systems development and maintenance
- Compliance

TCSEC
- Trusted Computer Security Evaluation Criteria
- US Government specification
- "Orange Book" and "Rainbow series"
- Origin of C2, B1, B3 etc.
- Functionality and assurance tightly coupled
- Superseded but still in use

ITSEC
- Information Technology Security Evaluation Criteria
- UK, France, Germany and The Netherlands
- Used by Australia
- System and product use
- prod.html
- Superseded but still in use

Common Criteria
- Common Criteria for Information Technology Security Evaluation
- ISO (CC v2.1)
- Merge of TCSEC and ITSEC
- Emerging standard
- Assurance level separate from functionality level
- Mutual recognition agreement - 13 countries

RFC 2196
- IETF Site Security Handbook
- Developed by CERT/CC of the CMU
- Response oriented
- Good practical advice
- Explicit about system hardening and patch installation

Vendor Checklists
- SGI
- Compaq/Digital
- Sun Microsystems (Blueprints)
- AIX (Redbooks)
- Microsoft
- Apache
- Oracle

Vendor Checklists - Continued
- Explicit and specific
- Good for specification in designs or outsourcing
- "How to" oriented
- Sometimes too light

Third Party Vendor Checklists
- AusCERT/CERT Unix security checklist
- Windows NT 4 NSA/Trusted Systems checklist (
- Windows 2000 security checklist (
- Books - e.g. Practical Unix and Internet Security - Spafford and Garfinkel

BSI
- Bundesamt fuer Sicherheit in der Informationstechnik
- IT Baseline Protection Manual
- More practical than other government attempts

SANS
- System and Network Security
- Advice on policy and controls
- Training (and certification?)
- Checklists
- Vulnerability service

Website Certification Programs
- TruSecure (ICSA/TruSecure)
- WebTrust
- beTRUSTed (PwC)
- SysTrust (AICPA)
- Others?

SAS-70
- Statement on Auditing Standards
- American Institute of Certified Public Accountants
- Formal audit standard - background of financial audits
- Two levels:
  - Type I - inspection of key areas
  - Type II - testing of the effectiveness of controls

Miscellaneous
- IS 18 - Qld Government
- VISA - security for merchant sites
- NIST - FIPS 102
- US - HIPAA
- OECD - Guidelines for the Security of Information Systems
- ISO Guidelines for the Management of IT Security

Miscellaneous - continued
- System Security Engineering Capability Maturity Model (SSE-CMM) - International Systems Security Engineering Association (ISSEA)
- CoBIT - "IT Governance" - AICPA

Conclusions
- Great choice of standards
- None is a full solution