IS Security Standards
Gurpreet Dhillon, Virginia Commonwealth University
Importance of IS Security Standards
IS security plays a vital role.
IS security is only as strong as the weakest link.
Confusing: a plethora of standards.
How do we make sense of these standards? Which standard should be adopted?
© Dr. Gurpreet Dhillon. Do not reproduce without permission.
Classification of IS Security Standards
Security development
Security management
Security evaluation
Risk management
IS Security Life Cycle (figure)
Classification of IS Security Standards
Security development: improvement and assessment of IS security-engineering capability.
Security management: objectives or controls necessary for managing IS security.
Security evaluation: examination and testing of the security features of an information system.
Risk management: identification, analysis, control, and communication of the IS security risks to which an organization is exposed.
Security Development
CMM
SE-CMM
SSE-CMM (ISO/IEC DIS 21827): Systems Security Engineering Capability Maturity Model
CMM and SE-CMM do not deal with IS security.
SSE-CMM
Describes the essential characteristics of security engineering processes.
Addresses the continuity, repeatability, efficiency, and assurance qualities required in the production and operation of secure systems and products.
Scope: the entire secure system or product life cycle, the whole organization, and concurrent interactions with other organizations.
Two dimensions:
  Domain: "base practices" that collectively define security engineering.
  Capability: "generic practices" that indicate process management and institutionalization capability.
Security Management
GASSP (1995)
GAISP (2003)
OECD Guidelines (1992)
Code of Practice, UK DTI (1993)
BS 7799 (1995)
ISO/IEC 17799 (2000)
ISO/IEC TR 13335 (1996)
ISO/IEC 17799: Code of Practice for Information Security Management
A set of controls that are important for achieving the security objectives of an organization.
The standard is organized into ten major sections. Each section addresses an area important for IS security and lists best practices, in the form of controls, for that area.
36 objectives and 127 controls.
Guiding areas for implementing IS security: security policy, organizational security, personnel security, business continuity management, compliance.
Other areas: asset classification and control, physical and environmental security, communications and operations management, access control, systems development and maintenance.
ISO/IEC TR 13335: Guidelines for the Management of IT Security (GMITS)
A technical report that provides suggestions rather than prescribing practice.
Scope: IT security, not information security.
It comprises five parts:
  Part 1: basic concepts and models for IT security.
  Part 2: managing and planning IT security.
  Part 3: techniques for the management of IT security.
  Part 4: guidance on the selection of safeguards for the management of risk.
  Part 5: management guidance on network security.
OECD Guidelines (Organization for Economic Cooperation and Development)
Recognize the commonality of security requirements across various organizations.
Developed an integrated approach outlined in the form of nine principles: accountability, awareness, ethics, multidisciplinary, proportionality, integration, timeliness, reassessment, equity.
GAISP: Generally Accepted Information Security Principles
Documents information security principles that have been proven in practice and accepted by practitioners.
GAISP is organized into three major sections that form a hierarchy:
  Pervasive Principles: target organizational governance and executive management; outline the principles advocated in the OECD guidelines.
  Broad Functional Principles: target management; describe the specific building blocks (what to do) that make up the Pervasive Principles.
  Detailed Principles: target IS security professionals; provide specific (how to) guidance for implementing optimal IS security practices.
Security Evaluation
Green Book
ITSEC
ISO/IEC 15408
Federal Criteria
TCSEC
MSFR
Common Criteria
CTCPEC
TCSEC: Trusted Computer System Evaluation Criteria
Addresses military security needs and policies.
Focus: mainframe systems; protection of confidentiality.
Four major sets of criteria: security policy, accountability, assurance, and documentation.
TCSEC was "interpreted" for both networks and databases.
Green Book and CTCPEC
German Green Book: divides security requirements into functionality and assurance requirements.
Canadian Trusted Computer Evaluation Criteria (CTCPEC): addresses complex systems.
CTCPEC classifies the functionality and assurance requirements separately:
  Functional criteria comprise confidentiality, integrity, availability, and accountability.
  Assurance criteria are applied across the entire system.
Security Evaluation: MSFR and Federal Criteria
Minimum Security Functional Requirements (MSFR)
  Follows ITSEC: separates the functionality and assurance criteria.
  Takes the Security Target approach.
Federal Criteria (FC)
  Focus: IT security.
  Introduces the Protection Profile: an implementation-independent set of functionality and assurance requirements for a category of products.
  Follows ITSEC's Security Target approach.
ITSEC: Information Technology Security Evaluation Criteria
ITSEC identifies the Target of Evaluation (TOE) as either a system or a product.
Evaluation factors of a TOE: correctness and effectiveness.
  Evaluation of correctness: examines the correct implementation of security functions and mechanisms.
  Evaluation of effectiveness: examines the compatibility of the security mechanisms with the stated security objectives.
The TOE's functionality suitability and integration, the consequences of vulnerabilities, and ease of use are also evaluated.
Common Criteria (CC)
CC v2.1 was published in 1999 and adopted as ISO/IEC IS.
CC is organized into three parts:
  Introduction and General Model: introduces the general model and concepts of IT security evaluation. Three types of security requirement constructs are defined: Package, Protection Profile, and Security Target. Follows ITSEC: separates the functionality and assurance requirements.
  Security Functional Requirements: addresses the functional requirements of security.
  Standardized Security Assurance Requirements: defines the criteria for evaluating Protection Profiles, Security Targets, and TOEs (targets of evaluation).
ISO/IEC IS 15408: Evaluation Criteria for IT Security (ECITS)
ECITS is organized into three parts: model, functionality classes, and assurance.
Influenced by:
  ITSEC: separates the functionality and assurance criteria.
  CTCPEC: functionality classes.
ECITS also addresses privacy protection. It identifies four functional privacy families: anonymity, pseudonymity, unlinkability, and unobservability.
Risk Management
NIST Special Publication: Risk Management
ISO/IEC TR Part 3
ISO/IEC TR Part 4
Risk Management
ISO/IEC TR 13335
  Part 4: provides the guidelines for the selection of safeguards for risk management.
  Part 3: outlines and provides an interpretation of the risk assessment principles.
NIST Special Publication: Risk Management Guide for IT Systems
  A national-level standard for the US.
  Provides an outline of risk management and risk assessment.
  The risk mitigation process is associated with the selection of cost-effective security controls.
  Stresses continuing risk evaluation and assessment.
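The risk category of this framework (threat, vulnerability, impact) and the NIST guide's point that risk mitigation means selecting cost-effective controls can be made concrete with a small risk register. The code below is an added illustration, not part of the deck or of any of the standards it describes; the 1..3 likelihood/impact scale, the "reduction per unit cost" ranking and the sample risks and controls are constructed assumptions.

```python
"""Added example: a toy risk register. Scales and sample data are constructed
assumptions, not values taken from NIST or ISO/IEC TR 13335."""
from dataclasses import dataclass, field, replace

# Assumed ordinal scale for likelihood and impact (not the standards' own).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    name: str
    threat: str          # threat source that could exercise the weakness
    vulnerability: str   # weakness the threat acts on
    likelihood: str      # low / medium / high
    impact: str          # low / medium / high

    def rating(self) -> int:
        # Risk rating = likelihood x impact on the assumed scale (1..9).
        return LEVELS[self.likelihood] * LEVELS[self.impact]


@dataclass
class Control:
    name: str
    cost: float          # annual cost in constructed units
    # risk name -> likelihood that remains once the control is in place
    mitigates: dict = field(default_factory=dict)


def risk_reduction(control: Control, risks: list) -> int:
    """Total rating points the control removes across the register."""
    total = 0
    for r in risks:
        if r.name in control.mitigates:
            after = replace(r, likelihood=control.mitigates[r.name])
            total += r.rating() - after.rating()
    return total


def rank_controls(controls: list, risks: list) -> list:
    """Order controls by risk reduction per unit cost, most cost-effective first."""
    scored = [(risk_reduction(c, risks) / c.cost, c.name) for c in controls]
    return [name for _, name in sorted(scored, reverse=True)]


# Constructed sample register and candidate controls.
RISKS = [
    Risk("unpatched web server", "external attacker", "missing patches", "high", "high"),
    Risk("shared admin password", "insider", "no individual accountability", "medium", "high"),
    Risk("lost laptop", "theft", "unencrypted disk", "medium", "medium"),
]
CONTROLS = [
    Control("patch management", 20.0, {"unpatched web server": "low"}),
    Control("individual admin accounts", 5.0, {"shared admin password": "low"}),
    Control("full-disk encryption", 8.0, {"lost laptop": "low"}),
]
```

Ranking by reduction per cost, rather than by raw rating, is what makes the mitigation step "cost-effective" in the sense the guide uses; the register should be re-scored as likelihoods change, which is the continuing assessment the slide stresses.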
IS Security Standards Framework
Security Development
  Definition: improvement and assessment of IS security-engineering capability.
  Issues: continuity, repeatability, efficiency, assurance.
  Standard: ISO/IEC DIS 21827.
  Approach/Need: security engineering process, assurance process, risk process.
Management
  Definition: objectives or controls necessary for managing IS security.
  Issues: confidentiality, integrity, availability, responsibility, trust, ethicality.
  Standard: ISO/IEC 17799.
  Approach/Need: security policy, organizational security, personnel security, business continuity management, compliance.
Evaluation
  Definition: examination and testing of the security features of an information system.
  Issues: effectiveness, correctness.
  Standard: ISO/IEC IS 15408.
  Approach/Need: functionality requirements, assurance requirements, privacy protection.
Risk
  Definition: identification, analysis, control, and communication of the IS security risks to which an organization is exposed.
  Issues: threat, vulnerability, impact.
  Standard: ISO/IEC TR Part 3 and Part 4.
  Approach/Need: risk assessment, risk analysis, and risk mitigation in terms of IS security.
Integrated Model (figure): Risk Management, Security Management, Security Development, Security Evaluation.