1
ISO 17799: The International Security Standard
2
What is it?
“A comprehensive set of controls comprising best practices in information security”
Comprises two parts:
- a code of practice (ISO )
- a specification for an information security management system (ISO 27001)
Basically, an internationally recognized, generic information security standard.
3
Terminology
- Policy – General regulations everyone must follow; should be short and clear
- Standard – Collection of system-specific requirements that must be met
- Guidelines – Collection of system-specific suggestions for best practice. They are not required, but are strongly recommended
- Procedures – A series of steps to accomplish a task
4
Data Security Example: Policy
- All university data must be classified according to the K-State data classification schema and protected according to the K-State data security standards.
5
Data Security Example: Standard and Guideline
- Standard – Confidential data must be encrypted in transit and when stored on a mobile device
- Guideline – Confidential data should not be stored on a mobile device such as a laptop computer, PDA, USB drive, etc.
6
Data Security Example: Procedures
- How to encrypt a file
- How to install and operate full-disk encryption on a laptop
- How to recover encrypted data when the private key is lost
7
Why ISO 17799?
“It is intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used in industry and commerce”
- Framework for a comprehensive IT security program
- International standard
- Meshes well with EDUCAUSE/I2 direction
- Certification for the institution is available
8
ISO Copyright, License
Copyright notice from the ISO standard document:
“Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO’s member body in the country of the requester.”
9
ISO 17799 Copyright, License
From the license agreement:
- Is licensed to “Kansas State University”
- “…grants to the organisation… a non-exclusive and non-transferable license to use for the Licensee’s own personal or internal business purposes…”
- Cannot “redistribute any information from or via the software to other workstations, users or systems which are not covered by the license;”
- “…may copy the Software for back-up and archival purposes only…”
10
ISO 17799 Copyright, License
E-mail from the licensor:
“With respect to the standards themselves, no, definitely not. They are single copy license. This is made clear within the PDFs themselves. With respect to the other items in the toolkit (eg: policies), yes, you may share them internally.”
11
History
- First published as the DTI Code of Practice in the UK
- Re-badged and published as Version 1 of BS7799 in Feb 1995
- Not widely embraced, for various reasons
12
History
- A major revision of BS7799 undertaken; Version 2 published in May 1999
- Formal certification and accreditation schemes proposed by BSI in the same year
- Supporting tools start to appear
- Fast-track ISO initiative accelerated
- First published as an ISO standard in Dec 2000
13
History
- May 2002: BS published. This focused specifically upon the Information Security Management System
- Formal certification schemes established
- June 2005: New version of ISO published
- Oct 2005: BS published as an ISO standard, ISO 27001
14
Sections (“Clauses”) in ISO 17799
- Security Policy
- Organizing Information Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development, and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance
15
Controls in Each Clause
- A control objective stating what is to be achieved
- One or more controls to achieve the objective
- Each control contains:
  - Control statement
  - Implementation guidance (the details)
  - Other information
16
Example: Clause 8 – “Human Resources Security”
- 8.1 – Prior to employment
  - 8.1.1 – Roles and responsibilities
  - 8.1.2 – Screening
  - 8.1.3 – Terms and conditions of employment
- 8.2 – During employment
  - 8.2.1 – Management responsibilities
  - 8.2.2 – Information security awareness, education, and training
  - 8.2.3 – Disciplinary process
- 8.3 – Termination or change of employment
  - 8.3.1 – Termination responsibilities
  - 8.3.2 – Return of assets
  - 8.3.3 – Removal of access rights
17
Extensible
“This code of practice may be regarded as a starting point for developing organization specific guidelines. Not all of the controls and guidance in this code of practice may be applicable. Furthermore, additional controls and guidelines not included in this standard may be required.”
18
EDUCAUSE/Internet2 Security Policy
- Security Task Force developing a model security policy
- Based on SANS, NIST, ISO 17799, ISC2
- Links to existing policies
- 10 sections follow ISO closely
19
Policy Sections
- Security Policy
- Organizational Security
- Asset Classification
- Personnel Security
- Physical Security
- Communications and Operations Mgmt
- Access Control
- System Development and Maintenance
- Business Continuity Management
- Compliance
20
Recommendation
- Structure IT security policies based on EDUCAUSE/I2 recommendations
- Incorporate existing security policies into it
- Base standards and guidelines on ISO 17799
- Incorporate audit recommendations into both
- Develop procedures as priorities dictate
- Consider ISO certification in the future
21
Questions?