PRESENTATIONS IN NETWORK SECURITY
ISO Information Security Management
Saad Haj Bakry, PhD, CEng, FIEE
Objectives / Contents
- Past development
- Contents of ISO 17799
- Refinement of contents (12 sections)
- Suggested work
- References
Past Development

ISO: International Organization for Standardization
- International organization, founded in 1947.
- Membership: over 90 countries, each represented by its national standards body, e.g. ANSI (USA), BSI (UK), SASO (Saudi Arabia).
- Technical committees: over 200 TCs prepare the technical recommendations.
- ISO 9000 family: quality management.
- ISO 14000 family: environmental management.
- ISO 17799: information security management.
BS 7799 / ISO 17799
- BS 7799: started in 1995 by the British Standards Institution (BSI).
  - Part 1: Code of Practice for Information Security Management.
  - Part 2: Specification for Information Security Management Systems.
- ISO/IEC 17799 (2000): adopted BS 7799 Part 1 as an international standard.
- BS 7799 Part 2 remains in use for auditing and certifying "Information Security Management Systems" (ISMS).
Contents of ISO 17799
1. Scope
2. Terms & Definitions
3. Security Policy
4. Organizational Security
5. Asset Classification & Control
6. Personnel Security
7. Physical & Environmental Security
8. Communications & Operations Management
9. Access Control
10. Systems Development & Maintenance
11. Business Continuity Management
12. Compliance
1. Scope of ISO 17799
Objective: to provide recommendations for "information security management".
For whom: those responsible for initiating, implementing and maintaining security in their organizations.
Output:
- a common "base" for developing "organizational security standards";
- effective security management "practice";
- "confidence" in inter-organizational dealings.
Use: select the controls that apply, and use them in accordance with applicable laws and regulations.
2. Terms and Definitions
Information security (IS): preserving the confidentiality, integrity and availability (CIA) of "information".
- Confidentiality: information is accessible only to those authorized to access it.
- Integrity: the accuracy and completeness of information and of processing methods are safeguarded.
- Availability: authorized users have access to information and associated assets when required.
Risk assessment: assessment of the threats to, impacts on and vulnerabilities of information and information processing facilities (I&IPF), and of the likelihood of their occurrence.
Risk management: "management of security risks" by identifying, controlling and minimizing or eliminating them, for an "acceptable cost".
3. Security Policy
Target: "information security" (IS).
Objectives: clear policy "directions" and visible management "support".
Policy and authority:
- the policy applies "across the organization";
- management "issues" and "approves" the policy;
- the policy is "maintained" (reviewed and updated) over time.
3. Security Policy (continued)
Policy document contents:
- definitions and scope;
- management statement;
- requirements: legal / contractual;
- security education;
- virus / malicious software issues;
- business continuity;
- security violation issues;
- responsibilities and reporting;
- appendices (details) and references.
Periodic reviews and evaluations of the policy consider:
- policy effectiveness: "recorded security incidents" (nature / number / impact);
- business efficiency: "cost and impact" of security controls;
- effects of "technology changes".
4. Organizational Security
Section: IS infrastructure
  Objective: to manage "IS" within the organization.
  Approach: establish a "management framework" to initiate and implement IS.
Section: Third-party access
  Objective: to maintain the security of "I&IPF" accessed by third parties.
  Approach: apply "control" to access by third parties.
Section: Outsourcing
  Objective: to maintain "IS" when some responsibilities are outsourced.
  Approach: outsourcing contracts should address IS issues.
5. Asset Classification & Control
Section: Accountability for assets
  Objective: to maintain appropriate protection of "organizational assets".
  Approach: all major information assets should be accounted for and have a "nominated owner".
Section: Information classification
  Objective: to ensure that "information assets" receive an appropriate level of protection.
  Approach: classify information to indicate the "need, priorities and degree of protection".
6. Personnel Security
Section: Security in job definition and resourcing
  Objective: to reduce the risks of "human error, theft, fraud or misuse" of facilities.
  Approach: security responsibilities are addressed at recruitment and monitored during employment.
Section: User training
  Objective: to ensure that users are "aware" of IS threats and concerns, and are equipped to support the "organizational security policy".
  Approach: users should be trained in "security procedures" and in the correct use of "facilities" to "minimize risk".
Section: Responding to incidents and malfunctions
  Objective: to minimize the "damage" from incidents and malfunctions, and to "monitor and learn from them".
  Approach: incidents affecting security should be reported promptly, through the appropriate channels.
7. Physical & Environmental Security
Section: Secure areas
  Objective: to prevent "unauthorized access, damage and interference" to "business premises and information".
  Approach: house critical "I&IPF" in secure areas with a defined "security perimeter", "barriers" and "entry controls".
Section: Equipment security
  Objective: to prevent "loss, damage or compromise" of "assets" and "interruption" to "business activities".
  Approach: equipment should be "physically" protected from "threats and environmental hazards".
Section: General controls
  Objective: to prevent "compromise" or "theft" of "I&IPF".
  Approach: protect "I&IPF" from "disclosure, modification or theft"; minimize "loss or damage".
8. Communications & Operations Management
Section: Operational procedures and responsibilities
  Objective: to ensure the correct and secure operation of "IPF".
  Approach: assignment of responsibilities and development of procedures, including operating instructions and incident response procedures.
Section: System planning and acceptance
  Objective: to minimize the risk of system failures.
  Approach: advance system planning; projection of capacity to avoid overloading; testing of new systems before acceptance.
8. Communications & Operations Management (continued)
Section: Protection from malicious software
  Objective: to protect the "integrity of software and information".
  Approach: detect and prevent "malicious software" (e.g. viruses).
Section: Housekeeping
  Objective: to maintain the "availability" of "information processing and communication" services.
  Approach: back-up strategy and back-up copies; storage environment; logging of faults; testing.
Section: Network management
  Objective: to protect information in networks and the supporting infrastructure.
  Approach: network protection must extend beyond organizational boundaries (e.g. data flowing over public networks).
8. Communications & Operations Management (continued)
Section: Media handling and security
  Objective: to prevent damage to assets and interruption of business through media control and physical protection.
  Approach: operating procedures to protect computer media and data from damage, theft and unauthorized access.
Section: Exchanges of information and software
  Objective: to prevent loss, modification or misuse of information exchanged between organizations.
  Approach: control of information exchange in accordance with relevant legislation. Examples: EDI and e-commerce applications.
9. Access Control
Section: Business requirements for access control
  Objective: to "control access to information".
  Approach: access according to "business security requirements" and the "policies for information dissemination and authorization".
Section: User access management
  Objective: to "prevent unauthorized access to information" systems.
  Approach: formal procedures for "access rights" from user registration through to de-registration, with special attention to "privileged access".
9. Access Control (continued)
Section: User responsibilities
  Objective: to "prevent unauthorized user access".
  Approach: user awareness and responsibilities; password rules; cooperation of users.
Section: Network access control
  Objective: to "protect network services".
  Approach: control of interfaces with other networks; authentication of users and equipment; control of user access to services.
Section: Operating system access control
  Objective: to "prevent unauthorized access to computers".
  Approach: verify user identity and, where appropriate, location; record successful and failed accesses; quality passwords; limiting connection time (where appropriate).
9. Access Control (continued)
Section: Application access control
  Objective: to "prevent unauthorized access to information held in information systems".
  Approach: user access control within applications; attention to access to critical software; security of related (shared) systems; restriction of access.
Section: Monitoring system access and use
  Objective: to detect unauthorized activities.
  Approach: monitor deviations from the access policy; review control effectiveness.
Section: Mobile computing and teleworking
  Objective: to "ensure IS in mobile computing and teleworking".
  Approach: important issues are the operating environment, its special risks, and the teleworking sites themselves.
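The access-control points above (registration to de-registration, special attention to privileged access, recording successes and failures, monitoring deviations from the access policy) are management controls; the following added Python example, which is not part of the presentation or of the standard, shows how they become a concrete check over authentication records. The access register, the admin network 10.0.9.0/24, the failure threshold and the sshd-style log lines are all constructed for illustration.

```python
"""Audit constructed authentication records against an access register.

Combines three ISO 17799 access-control ideas in one check:
  - registration to de-registration: an account withdrawn from the
    register must not be able to log in;
  - special attention to privileged access: privileged logins are held to
    a stricter rule (trusted admin network only);
  - recording success/failure and monitoring deviations: repeated failures
    for one account are reported as a possible password-guessing attempt.
"""
import ipaddress
import re
from collections import Counter

# Constructed access register (hypothetical data, not from the standard):
# each account carries its privilege level and its lifecycle state.
ACCESS_REGISTER = {
    "alice": {"privileged": False, "status": "active"},
    "bob":   {"privileged": False, "status": "deregistered"},
    "root":  {"privileged": True,  "status": "active"},
    "dba":   {"privileged": True,  "status": "active"},
}

# Policy (assumed): privileged accounts authenticate only from the admin network.
ADMIN_NETWORK = ipaddress.ip_network("10.0.9.0/24")
FAILURE_THRESHOLD = 3  # failures per account before a finding is raised

# Constructed log lines in an sshd-like format (hypothetical sample input).
SAMPLE_LOG = """\
2024-03-01T08:02:11 host1 sshd: Accepted password for alice from 10.0.20.5
2024-03-01T08:05:40 host1 sshd: Accepted password for bob from 10.0.20.7
2024-03-01T08:10:02 host1 sshd: Accepted password for root from 10.0.9.12
2024-03-01T08:12:45 host1 sshd: Accepted password for dba from 203.0.113.9
2024-03-01T08:14:01 host1 sshd: Failed password for root from 198.51.100.4
2024-03-01T08:14:03 host1 sshd: Failed password for root from 198.51.100.4
2024-03-01T08:14:06 host1 sshd: Failed password for root from 198.51.100.4
2024-03-01T08:15:00 host1 sshd: Failed password for ghost from 10.0.20.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for one auth record, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["success"] = rec["result"] == "Accepted"
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def audit(log_text, register=ACCESS_REGISTER):
    """Check every record against the register and policy; return findings.

    Each finding is (rule, user, detail). Rules:
      unregistered  - successful login for an account not in the register
      deregistered  - successful login for an account whose access was withdrawn
      priv_source   - privileged login from outside the admin network
      repeated_fail - FAILURE_THRESHOLD or more failures for one account
    """
    findings = []
    failures = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not an authentication event; ignore
        user, src = rec["user"], rec["src"]
        if not rec["success"]:
            failures[user] += 1
            continue
        entry = register.get(user)
        if entry is None:
            findings.append(("unregistered", user, f"success from {src}"))
        elif entry["status"] != "active":
            findings.append(("deregistered", user, f"success from {src}"))
        elif entry["privileged"] and src not in ADMIN_NETWORK:
            findings.append(("priv_source", user, f"success from {src}"))
    for user, n in sorted(failures.items()):
        if n >= FAILURE_THRESHOLD:
            findings.append(("repeated_fail", user, f"{n} failures"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in audit(SAMPLE_LOG):
        print(f"{rule:14} {user:8} {detail}")
```

Run against the sample, the audit reports bob (de-registered but still logging in), dba (privileged login from a non-admin address) and root (three failed attempts); alice and the root login from the admin network pass. In practice the register would be exported from the identity system and the log pulled from a central collector, so that the same check runs across all hosts rather than one.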
10. System Development & Maintenance
Section: Security requirements of systems
  Objective: to "ensure that security is built into information systems": infrastructure, business applications and user-developed applications.
  Approach: security requirements are identified and agreed early, before development starts.
Section: Security in application systems
  Objective: to "prevent loss, modification or misuse of user data in application systems".
  Approach: application design includes controls and audit trails; validation of input data, internal processing and output results.
10. System Development & Maintenance (continued)
Section: Cryptographic controls
  Objective: to "protect the confidentiality, authenticity and integrity of information".
  Approach: use of cryptographic techniques.
Section: Security of system files
  Objective: to "ensure that IT projects and support activities are conducted in a secure manner".
  Approach: control access to system files; responsibility rests with the application owner.
Section: Security in development and support processes
  Objective: to "maintain the security of application system software and information".
  Approach: strict control over project development; reviewing, testing and checking of changes.
11. Business Continuity Management
Section: Aspects of business continuity management
  Objective: to "counteract interruptions to business activities" and to "protect critical business processes from the effects of major failures or disasters".
  Approach: implement a "business continuity management process" using "prevention and recovery" controls. Problems addressed: disasters; security failures.
12. Compliance
Section: Compliance with legal requirements
  Objective: to "avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and of any security requirements".
Section: Security policy and technical compliance
  Objective: to "ensure compliance with organizational security policies and standards".
  Approach: regular review of compliance with the security policy, its standards and the technical platforms.
Section: System audit considerations
  Objective: to "maximize the effectiveness of, and minimize interference to/from, the system audit process".
  Approach: no misuse of audit tools; control of operations during the audit.
Suggested Work
Detailed review considering:
- strategy / technology / organization / people / environment;
- challenges / protection techniques / security measures;
- main levels / system levels;
- BS 7799 Part 2.
Derivation of procedures:
- investigation of the current state;
- diagnosing problems;
- proposing solutions;
- ISO compatibility / accreditation.
References
1. ISO/IEC 17799:2000(E), Information Technology: Code of Practice for Information Security Management.
2. S. H. Bakry, "Development of a security policy for private networks", International Journal of Network Management, Vol. 12, 2002.