Methodologies and Security Standards
1. Security Standards & Methodologies
Vicente Aceituno
FIST November/Madrid 2003 @ UPSAM
www.sia.es
Developing the infrastructures that enable e-business ®
2. What are standards good for?
Most standards are the result of agreements on the
behaviour of a component or the connection between
components.
Using standards a company can create products and
services that work well with others, without any previous
agreement between the product makers.
Standards enable “teamwork” without permanent
coordination, becoming a “coordination by default”.
3. Who makes standards?
International Organization for Standardization.
International Electrotechnical Commission.
British Standards Institute.
Internet Engineering Task Force.
ISACA.
International Information Security Foundation.
National Institute of Standards and Technology (USA)
AENOR (Spain)
AICPA.
BSI.
Software Engineering Institute.
ISECOM
W3C
IETF
Private companies.
ISSA...and so on.
4. What is covered by standards?
Benchmarks.
Algorithms.
Products.
Operations.
Management.
Organization.
Auditing.
5. Why are there so many standards?
Andrew Tanenbaum famously quipped that “The good
thing about standards is that there are so many to choose
from”.
The reasons are manifold. Politics, Economics and
other interests...
6. What is a perfect standard?
A clear conceptual framework.
Provides guidance to move from theory to
practice.
Compliance can be tested.
It scales: It can be used both for small and
large organizations, enterprises and
government.
It considers the environment where the
organization operates.
7. Some Security Standards
ISO 17799 based on BS 7799 of the British Standards Institute.
ISO/IEC TR 13335-4 by ISO/IEC Joint Technical Committee 1.
RFC2196 by Internet Engineering Task Force.
Cobit by ISACA.
800-14 GAASP by National Institute of Standards and Technology.
ISO15408 - Common Criteria from National Institute of Standards and Technology.
Standard of Good Practice for Information Security from ISF.
SysTrust by AICPA.
IT Baseline Protection Manual from BSI.
OCTAVE by Software Engineering Institute.
CSEAT Review Criteria from National Institute of Standards and Technology.
OSSTMM from ISECOM.
RFC2078 GSS API by Internet Engineering Task Force.
RFC3365 by Internet Engineering Task Force.
RSA PKCS.
GAISP by ISSA.
8. Information Security Management
ISO 17799 based on BS 7799 of the British Standards Institute.
ISO/IEC TR 13335-4 by ISO/IEC Joint Technical Committee 1.
Cobit by ISACA.
800-14 GAASP by National Institute of Standards and Technology.
Standard of Good Practice for Information Security from ISF.
SysTrust by AICPA.
9. Testing and Auditing
IT Baseline Protection Manual from BSI
OCTAVE by Software Engineering Institute.
CSEAT Review Criteria.
OSSTMM from ISECOM.
10. Technology
Products: ISO15408 - Common Criteria.
API: RFC2078 - Generic Security Service Application Program
Interface.
Protocols: RFC3365 - Strong Security Requirements for
Internet Engineering Task Force Standard Protocols.
PKI: PKCS, X.509
Encryption: Advanced Encryption Standard (FIPS 197)
XML:
XML encryption (Xenc)
XML signatures (XML-SIG)
XML key management specification (XKMS)
Security assertion markup language (SAML)
eXtensible access control markup language (XACML)
...just too many to tell them all.
11. ISO 17799:2000
It is based on BS 7799-1.
BS 7799-1 is a Code of Practice that provides 127
security controls; it contains requirements of a general
nature.
BS 7799-2 is an information security management
system standard. It provides a formal methodology for setting up
an Information Security Management System.
•http://www.bsi-global.com/Training/Infosec/index.xalter
12. ISO/IEC Technical Report 13335 - Guidelines for the
management of IT Security
1996 -- Part 1: Concepts and models for IT Security.
1997 -- Part 2: Managing and planning IT Security .
1998 -- Part 3: Techniques for the management of IT Security.
2000 -- Part 4: Selection of safeguards.
2001 -- Part 5: Management guidance on network Security.
•http://www.iso.org/iso/en/ISOOnline.frontpage
13. COBIT
The purpose of COBIT is to provide an Information
Technology (IT) governance model that helps manage the
risks associated with IT.
COBIT aims to make a clear and distinct link between
information technology and business goals.
The COBIT framework identifies 318 detailed control
objectives contained within this classification.
Quality Control Components: Quality, Cost and Delivery
Fiduciary Control Components: Effectiveness, Efficiency,
Reliability of information, Compliance.
Security Control Components: Confidentiality, Integrity and
Availability
•http://www.isaca.org/
14. GAISP & 800-14
It’s just a series of principles.
It doesn’t provide a way to test whether the
principles are being followed.
It has been used as an information source
for other standards.
•http://www.issa.org/gaisp.html
•http://web.mit.edu/security/www/gassp1.html
•http://csrc.nist.gov/publications/nistpubs/
15. Standard of Good Practice
This standard is being pushed as “the
standard” by the proponents, with scarce
results.
•http://www.isfsecuritystandard.com/index_ns.htm
16. SysTrust/WebTrust
Focused on systems reliability for
e-commerce activities.
•http://www.cica.ca/index.cfm/ci_id/635/la_id/1.htm
17. IT Baseline protection
Describes organizational, personnel, infrastructure
and technical standards.
Globally assumed threat scenario.
Detailed descriptions of safeguards.
Description of the process involved in maintaining
an appropriate level of IT security.
Procedure for ascertaining the level of IT security.
•http://www.bsi.bund.de/gshb/english/menue.htm
18. OCTAVE
Involves internal personnel, providing security
awareness and understanding of the business
continuity needs.
Introduces extensible project management
techniques.
It’s supposed to facilitate adaptation to evolving security
requirements.
•http://www.cert.org/octave/
19. CSEAT Review Criteria
Big list of things to do.
Provides no conceptual framework.
•http://csrc.nist.gov/cseat/
20. Open Source Security Testing Methodology Manual
Methodology for Penetration Testing.
GNU-FDL licensed.
•http://www.isecom.org/projects/osstmm.shtml
Editor's notes
In some cases there is no agreement; instead, market forces turn certain products into a standard. Problems frequently arise from different implementations of the standard by different companies. This is usually because several alternative standards exist and compete for the same space; at other times because the standard is not defined precisely enough to rule out differences of interpretation and leaves certain parts to the implementer's discretion; and finally because some vendors decide not to follow the standard to the letter.
CC is the successor of ITSEC. CC is a very complex specification for security products. Its lengthy and expensive certification process leads to very few products being certified.
You can be certified on BS 7799-2, but not on ISO 17799 = BS 7799-1.
Unpopular. Not auditable. It focuses heavily on IT management.