Information Security Standards
Gary Gaskell © 2001
Contents
Gary Gaskell, 3 May 2001
- Overview of security standards
- Types of standards
- List of standards
- Quick insight into each standard
- Conclusions
Types of Standards
- Risk based
- Management
- Technical
- Lightweight
- Thorough
- System-wide focus
- Product focus
- Assurance based
- Prescriptive controls
- Checklists
Security Standards - Pick One!
- AS/NZS 4444 (BS 7799, ISO 17799)
- US TCSEC (Rainbow series)
- ITSEC (Europe)
- Common Criteria (ISO 15408)
- IETF Site Security Handbook (RFC 2196)
- Vendor handbooks and checklists, B.S.I., SANS
- Website certification services
- SAS-70
AS/NZS 4444
- Information Security Management Standard
- Part 1 - 1999
- Part 2 - 2000
- JANZAS
- Based on BS7799
- BS7799 based on industry practice - Shell Oil etc.
AS 4444
- Good internal security management
- Information Security Management System
- Explicit target - trusted interconnection
- Catalogue of controls
- Recommended baselines
- Risk based assessments
AS4444 Controls
- Security policy
- Asset classification and control
- Physical and environmental security
- Access control
- Business continuity management
- Security organisation
- Personnel security
- Communications and operations management
- Systems development and maintenance
- Compliance
TCSEC
- Trusted Computer Security Evaluation Criteria - 1983
- US Government specification
- “Orange Book” and “Rainbow series”
- Origin of C2, B1, B3 etc.
- Functionality & assurance tightly coupled
- Superseded but still in use
ITSEC
- Information Technology Security Evaluation Criteria - 1991
- UK, France, Germany & The Netherlands
- Used by Australia
- System and product use
- http://www.dsd.gov.au/infosec/aisep/EPL/prod.html
- Superseded but still in use
Common Criteria
- Common Criteria for Information Technology Security Evaluation - 1999
- ISO 15408 (CC v2.1)
- Merge of TCSEC & ITSEC
- Emerging standard
- Assurance level separate from functionality level
- Mutual recognition agreement - 13 countries
RFC 2196
- IETF Site Security Handbook
- Developed by the CERT/CC at CMU
- Response oriented
- Good practical advice
- Explicit about system hardening and patch installation
Vendor Checklists
- SGI
- Compaq/Digital
- Sun Microsystems (Blueprints)
- AIX (Redbooks)
- Microsoft
- Apache
- Oracle
Vendor Checklists - Continued
- Explicit and specific
- Good for specification in designs or outsourcing
- “How-to” oriented
- Sometimes too light
Third Party Vendor Checklists
- AusCERT/CERT Unix security checklist
- Windows NT 4 NSA/Trusted Systems checklist (http://www.trustedsystems.com)
- Windows 2000 security checklist (http://www.systemexperts.com)
- Books - e.g. Practical Unix and Internet Security - Spafford & Garfinkel
BSI
- Bundesamt für Sicherheit in der Informationstechnik
- http://www.bsi.de/gshb/english/etc/inhalt.htm
- IT Baseline Protection Manual
- More practical than other government attempts
SANS
- System and Network Security
- http://www.sans.org
- Advice on policy and controls
- Training (& certification?)
- Checklists
- Vulnerability service
Website Certification Programs
- TruSecure (ICSA/TruSecure)
- WebTrust
- beTRUSTed (PwC)
- SysTrust (AICPA)
- Others?
SAS-70
- Statement on Auditing Standards
- American Institute of Certified Public Accountants
- Formal audit standard - background of financial audits
- Two levels
  - Type I - inspection of key areas
  - Type II - testing of effectiveness of controls
Miscellaneous
- IS 18 - Qld Government
- VISA - security for merchant sites
- NIST - FIPS 102
- US - HIPAA
- OECD - Guidelines for the Security of Information Systems
- ISO 13335 - Guidelines for the Management of IT Security
Miscellaneous - continued
- System Security Engineering Capability Maturity Model (SSE-CMM) - International Systems Security Engineering Association (ISSEA)
- CoBIT - “IT Governance” - AICPA
Conclusions
- Great choice of standards
- None are a full solution