
Principles of Information System Security: Text and Cases


1 Principles of Information System Security: Text and Cases
Gurpreet Dhillon
PowerPoint prepared by Youlong Zhuang, University of Missouri-Columbia

2 Principles of Information System Security: Text and Cases
Chapter Thirteen Information System Security Standards

3 Learning Objectives
Identify the ten control areas of ISO 17799
Understand the Trusted Computer System Evaluation Criteria (TCSEC) and the Information Technology Security Evaluation Criteria (ITSEC)
Understand the Common Criteria (CC)
Become familiar with other miscellaneous standards and guidelines
Copyright 2006 John Wiley & Sons, Inc.

4 The Need for Standards
Without standards we would be living in a chaotic world:
Airline pilots trained on aircraft they would never fly
Surgeons trained without any standardized education
No licensing of automobile drivers

5 ISO 17799
The most widely adopted ISO standard for information security management
It presents a comprehensive set of controls and best practices
It originated with the British Standards Institution, the UK Department of Trade and Industry, and the Commercial Computer Security Centre

6 ISO 17799 (cont'd)
Several British organizations also participated
BS 7799:1995, information security management, code of practice for information security management systems
BS 7799-2:1998, information security management, specification for information security management systems

7 ISO 17799 (cont'd)
Revised as BS 7799-1:1999 and BS 7799-2:1999
Many countries adopted BS 7799
In December 2000 Part 1 became ISO/IEC 17799:2000, code of practice for information security management

8 ISO 17799 (cont'd)
It is intentionally structured as a vague and flexible document
Technology changes constantly, so it is unwise to cover the specifics of any particular technology
It has been criticized for this vagueness
Its real intent is to identify a set of best practices, not to prescribe implementations

9 ISO 17799 Framework
Security Policy
Sets out the expectations and obligations of management
Provides the basis for ongoing evaluation and assessment
The standard covers how policies are created and what aspects need to be understood, but does not go into details

10 ISO 17799 Framework (cont'd)
Security Organization
Congruence between the control structures and the organizational structures
Reporting structures
Clarity of roles and responsibilities
The standard emphasizes the importance of this control

11 ISO 17799 Framework (cont'd)
Asset Classification and Control
Organizational assets should be identified: assets cannot be controlled without first being identified
The level of control applied to an asset depends on its classification

12 Attributes and Information Assets, Fig 13.1

13 ISO 17799 Framework (cont'd)
Personnel Security
Security in job definition and resourcing
User awareness of information security threats and concerns
Minimizing the damage from security incidents and malfunctions

14 ISO 17799 Framework (cont'd)
Physical and Environmental Security
Perimeter defenses
Protecting boundaries
Locks and keys

15 ISO 17799 Framework (cont'd)
Communications and Operations Management
Confidentiality and integrity of data as it is transmitted
System risks
Integrity of software and availability of data

16 ISO 17799 Framework (cont'd)
Business Continuity Management
Counteracting interruptions to business activities
Protecting critical business processes from failure
Plans should be tested and reviewed regularly

17 ISO 17799 Framework (cont'd)
Compliance
Avoid breaches of any law, or of statutory, regulatory, or contractual security requirements
Compliance with organizational security policies and standards
Maximize the effectiveness of system audit processes

18 Summary of ISO 17799 Controls

19 Summary of ISO 17799 Controls (cont’d)

20 The Rainbow Series
The US Department of Defense published the Trusted Computer System Evaluation Criteria (TCSEC)
Orange Book: the TCSEC itself; mainframe and defense oriented
Red Book: Trusted Network Interpretation; limited coverage of databases
Lavender Book: Trusted Database Management System Interpretation

21 The Rainbow Series (cont'd)
Four basic divisions, ordered hierarchically from least to most secure: D, C, B, A
Minimal protection (Division D)
Reserved for systems that have been evaluated but do not meet the criteria for a higher division
No security assurance at this level

22 The Rainbow Series (cont'd)
Discretionary protection (Division C)
C1, discretionary security protection: requires identification and authentication mechanisms and discretionary (owner-controlled) access control
C2, controlled access protection: adds individual accountability, so that users are individually identified at login and their actions can be audited

23 The Rainbow Series (cont'd)
Mandatory protection (Division B)
B1, labeled security protection
B1 incorporates all security requirements of C2
B1 requires an informal statement of the security policy model, data labeling, and mandatory access control over named subjects and objects
The B1 mandatory access control policy is defined by the Bell-LaPadula model

24 The Rainbow Series (cont'd)
Mandatory protection (Division B)
B2, structured protection
B2 requires a clearly defined and documented formal security policy model
More thorough testing is possible
A descriptive top-level specification of the trusted computing base (TCB) is required
A B2 system is relatively resistant to penetration

25 The Rainbow Series (cont'd)
Mandatory protection (Division B)
B3, security domains
The reference monitor (see Chapter 3) mediates every access of a subject to an object, is tamperproof, and is small enough to be analyzed and tested
The trusted computing base is minimized by excluding modules that are not critical to security policy enforcement
Highly resistant to penetration
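Added example, not from the textbook or from the TCSEC itself: a toy reference monitor in Python that ties together the C2, B1 and B3 slides above. Every access request passes through a single check routine, which applies discretionary ACLs first (C1/C2), then the Bell-LaPadula mandatory rules over labels (B1: no read up, no write down), and records each decision in an audit log for individual accountability (C2). It goes beyond the slide's purely linear view of levels by giving each label a set of categories, so that dominance is a lattice order rather than a simple comparison. The levels, categories, subjects, objects and ACLs are all constructed for illustration.

```python
"""Toy TCSEC-style reference monitor (added example; all data below is constructed).

DAC (C1/C2 ACLs) is checked first, then Bell-LaPadula MAC (B1 labels); every
decision is written to an audit list (C2 accountability).  In a real B3 system this
class would be the whole of the access-decision logic in the TCB.
"""
from dataclasses import dataclass, field

# Total ordering of sensitivity levels (constructed; any total order works).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Security label = sensitivity level + set of categories (compartments)."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: level at least as high AND categories a superset.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class Subject:
    name: str
    clearance: Label


@dataclass
class Obj:
    name: str
    label: Label
    # DAC: owner-granted permissions, subject name -> set of modes.
    acl: dict = field(default_factory=dict)


class ReferenceMonitor:
    """Mediates all subject -> object accesses; only this class decides."""

    def __init__(self) -> None:
        self.audit: list = []   # (subject, object, mode, decision, reason)

    def _record(self, s: Subject, o: Obj, mode: str, decision: str, reason: str) -> bool:
        self.audit.append((s.name, o.name, mode, decision, reason))
        return decision == "ALLOW"

    def check(self, subject: Subject, obj: Obj, mode: str) -> bool:
        if mode not in ("read", "write"):
            raise ValueError(f"unknown access mode {mode!r}")
        # 1. Discretionary control: the ACL must grant the mode at all.
        if mode not in obj.acl.get(subject.name, set()):
            return self._record(subject, obj, mode, "DENY", "DAC: not in ACL")
        # 2. Mandatory control (Bell-LaPadula); an ACL grant can never override it.
        if mode == "read" and not subject.clearance.dominates(obj.label):
            return self._record(subject, obj, mode, "DENY",
                                "MAC: simple security property (no read up)")
        if mode == "write" and not obj.label.dominates(subject.clearance):
            return self._record(subject, obj, mode, "DENY",
                                "MAC: *-property (no write down)")
        return self._record(subject, obj, mode, "ALLOW", "DAC and MAC satisfied")


def demo():
    """Constructed scenario; returns (decisions, audit log) so both can be checked."""
    rm = ReferenceMonitor()
    alice = Subject("alice", Label("SECRET", frozenset({"NUCLEAR"})))
    bob = Subject("bob", Label("CONFIDENTIAL"))
    carol = Subject("carol", Label("SECRET"))   # SECRET, but lacks the NUCLEAR category
    plan = Obj("plan.txt", Label("SECRET", frozenset({"NUCLEAR"})),
               acl={"alice": {"read", "write"}, "bob": {"read", "write"}, "carol": {"read"}})
    memo = Obj("memo.txt", Label("CONFIDENTIAL"),
               acl={"alice": {"read", "write"}, "bob": {"read", "write"}})
    decisions = {
        "alice_read_plan": rm.check(alice, plan, "read"),    # equal labels
        "alice_read_memo": rm.check(alice, memo, "read"),    # read down is allowed
        "alice_write_memo": rm.check(alice, memo, "write"),  # write down would leak
        "bob_read_plan": rm.check(bob, plan, "read"),        # read up denied despite ACL
        "bob_write_plan": rm.check(bob, plan, "write"),      # write up (blind append) ok
        "carol_read_plan": rm.check(carol, plan, "read"),    # level ok, category missing
        "carol_write_memo": rm.check(carol, memo, "write"),  # DAC denies before MAC runs
    }
    return decisions, rm.audit


if __name__ == "__main__":
    results, log = demo()
    for name, allowed in results.items():
        print(f"{name:18s} -> {'ALLOW' if allowed else 'DENY'}")
    for entry in log:
        print(entry)
```

The ordering of the two checks matters: DAC is the cheap, owner-controlled filter, but the mandatory rules are evaluated regardless of what the ACL says, which is exactly the distinction between Division C and Division B. Note that "bob_write_plan" is allowed: Bell-LaPadula permits writing upward because it protects confidentiality only; an integrity policy would need a separate check.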

26 The Rainbow Series (cont'd)
Verified protection (Division A)
A1 is functionally equivalent to B3
Uses formal design specification and verification techniques
A formal security policy model
A mathematical proof that the model is consistent and adequate for the security policy
A formal top-level specification (FTLS)

27 The Rainbow Series (cont'd)
Verified protection (Division A)
Demonstration that the formal top-level specification corresponds to the model
Demonstration that the trusted computing base implementation is consistent with the formal top-level specification
Formal analysis of covert channels
A2 ("beyond A1") is beyond the reach of current technology

28 TCSEC Classes, Table 13.2

29 TCSEC Classes, Table 13.2 (cont’d)

30 Information Technology Security Evaluation Criteria (ITSEC)
The European counterpart of the TCSEC
It separates functionality from assurance, and splits assurance into two aspects: correctness and effectiveness
Functionality refers to the security enforcing functions stated in the security target
Correctness assesses how well those functions are implemented, i.e., whether they actually enforce what they claim
Effectiveness assesses the suitability of the target of evaluation's functionality, the binding of functionality, the consequences of known vulnerabilities, and ease of use

31 ITSEC Classes, Table 13.3

32 International Harmonization, Fig 13.2

33 Common Criteria (CC)
The CC is a framework for specifying security requirements and evaluating whether a product meets them
The CC defines eleven classes of security functional requirements: security audit, communication, cryptographic support, user data protection, identification and authentication, security management, privacy, protection of the security functions, resource utilization, TOE access, and trusted path/channels

34 Common Criteria (CC) (cont'd)
The CC is very specific to the Target of Evaluation (TOE)
The CC provides best-practice guidance for well-understood problems
The CC recommends that evaluation be carried out in parallel with development
Inputs to an evaluation:
Evaluation evidence as stated in the Security Target (ST)
The target of evaluation
The criteria to be used for evaluation, the evaluation methodology, and the evaluation scheme

35 The Evaluation Process, Fig. 13.3

36 Common Problems with CC
Identification of the product, the Target of Evaluation (TOE), and the TOE Security Functions (TSF)
Problem of TOEs spanning multiple products
Problem of multiple TOEs in a product line
Defining the TOE within a product
Defining the TSF
Product design

37 Common Problems with CC (cont'd)
Threat characterization
The CC lacks a proper definition of threats and of how to characterize them
Some progress in this regard has been made
Security policies
The CC makes it optional whether or not to specify organizational security policies

38 Common Problems with CC (cont'd)
Security requirements for the IT environment
The CC does not provide clear details on how these security requirements should be specified
There is also a lack of clarity in the auditing requirements

39 Requirements Specification as Espoused by CC

40 Other Miscellaneous Standards and Guidelines
RFC 2196, Site Security Handbook
It deals with security management issues specific to Internet-connected sites
It emphasizes the principles of security policy formulation, the trade-offs involved, and mechanisms for regular updates

41 Other Miscellaneous Standards and Guidelines (cont'd)
ISO/IEC TR 13335, Guidelines for the Management of IT Security
It is a technical report offering guidance rather than a standard
Its scope is IT security rather than the broader field of IS security

42 Other Miscellaneous Standards and Guidelines (cont'd)
Generally Accepted Information Security Principles (GAISP)
Intended to develop a common international body of knowledge on security
OECD Guidelines for the Security of Information Systems
Help in the development and implementation of coherent measures, practices, and procedures for the security of information systems

43 National Institute of Standards and Technology Security Documents, Table 13.4

44 National Institute of Standards and Technology Security Documents, Table 13.4 (cont'd)

45 Copyright 2006 John Wiley & Sons, Inc.
All rights reserved. Reproduction or translation of this work beyond that permitted in section 117 of the 1976 United States Copyright Act without express permission of the copyright owner is unlawful. Requests for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information herein.

