1. Security Standards
& Methodologies
Vicente Aceituno
FIST November/Madrid 2003 @ UPSAM
www.sia.es
Developing the infrastructures that enable e-business ®

2. What are standards good for?
Most standards are the result of agreements on the
behaviour of a component or the connection between
components.
 Using standards a company can create products and
services that work well with others, without any previous
agreement between the product makers.
Standards enable “teamwork” without permanent
coordination, becoming a “coordination by default”.

3. Who makes standards?
International Organization for Standardization.
International Electrotechnical Commission.
British Standards Institute.
Internet Engineering Task Force.
ISACA.
International Information Security Foundation.
National Institute of Standards and Technology (USA)
AENOR (Spain)
AICPA.
BSI.
Software Engineering Institute.
ISECOM
W3C
IETF
Private companies.
ISSA...and so on.

4. What is covered by standards?
Benchmarks.
Algorithms.
Products.
Operations.
Management.
Organization.
Auditing.

5. Why there are so many standards?
Andrew Tanenbaum famously quipped that “The good
thing about standards is that there are so many to choose
from”.
The reasons are manifold. Politics, Economics and
other interests...

6. What is a perfect standard?
Clear concepts framework.
Provides guidance to move from theory to
practice.
Compliance can be tested.
 It scales: It can be used both for small and
large organizations, enterprises and
government.
It considers the environment where the
organization operates.

7. Some Security Standards
 ISO 17799 based on BS 7799 of the British Standards Institute.
 ISO/IEC TR 13335-4 by ISO/IEC Joint Technical Committee 1.
 RFC2196 by Internet Engineering Task Force.
 Cobit by ISACA.
 800-14 GAASP by National Institute of Standards and Technology.
 ISO15408 - Common Criteria from National Institute of Standards and Technology.
 Standard of Good Practice for Information Security from ISF.
 SysTrust by AICPA.
 IT Baseline Protection Manual from BSI.
 OCTAVE by Software Engineering Institute.
 CSEAT Review Criteria from National Institute of Standards and Technology.
 OSSTMM from ISECOM.
 RFC2078 GSS API by Internet Engineering Task Force.
 RFC3365 by Internet Engineering Task Force.
 RSA PKCS.
GAISP by ISSA.

8. Information Security Management
ISO 17799 based on BS 7799 of the British Standards Institute.
ISO/IEC TR 13335-4 by ISO/IEC Joint Technical Committee 1.
Cobit by ISACA.
800-14 GAASP by National Institute of Standards and
Technology.
Standard of Good Practice for Information Security from ISF.
SysTrust by AICPA.

9. Testing and Auditing
 IT Baseline Protection Manual from BSI
 OCTAVE by Software Engineering Institute.
 CSEAT Review Criteria.
 OSSTMM from ISECOM.

10. Technology
 Products: ISO15408 - Common Criteria.
 API: RFC2078 - Generic Security Service Application Program
Interface.
 Protocols: RFC3365 - Strong Security Requirements for
Internet Engineering Task Force Standard Protocols.
 PKI: PKCS, X.509
 Encryption: Advanced Encryption Standard (FIPS 197)
 XML:
XML encryption (Xenc)
XML signatures (XML-SIG)
XML key management specification (XKMS)
Security assertion markup language (SAML)
eXtensible access control markup language (XACML)
...just too many to tell them all.

11. ISO 17799:2000
It is based on BS 7799-1.
BS 77991-1 is a Code of Practice provides 127
security controls; It contains requirements of a general
nature.
BS 77991-2 is a information security management
system. It provides a formal methodology for setting up
an Information Security Management System.
•http://www.bsi-global.com/Training/Infosec/index.xalter

12. ISO/IEC Technical Report 13335 - Guidelines for the
management of IT Security
 1996 -- Part 1: Concepts and models for IT Security.
 1997 -- Part 2: Managing and planning IT Security .
 1998 -- Part 3: Techniques for the management of IT Security.
 2000 -- Part 4: Selection of safeguards.
 2001 -- Part 5: Management guidance on network Security.
•http://www.iso.org/iso/en/ISOOnline.frontpage

13. COBIT
The purpose of COBIT is to provide an Information
Technology (IT) governance model that helps managing the
risks associated with IT.
COBIT aims to make a clear and distinct link between
information technology and business goals
 The COBIT framework identifies 318 detailed control
objectives contained within this classification.
Quality Control Components: Quality, Cost and Delivery
Fiduciary Control Components: Effectiveness, Efficiency,
Reliability of information, Compliance.
Security Control Components: Confidentiality, Integrity and
Availability
•http://www.isaca.org/

14. GAISP & 800-14
It’s just a series of principles.
It doesn’t provide a way to test if the
principles are being followed.
It’s been used a information source
for other standards.
•http://www.issa.org/gaisp.html
•http://web.mit.edu/security/www/gassp1.html
•http://csrc.nist.gov/publications/nistpubs/

15. Standard of Good Practice
This standard is being pushed as “the
standard” by the proponents, with scarce
results.
•http://www.isfsecuritystandard.com/index_ns.htm

16. SysTrust/WebTrust
 Focused on systems reliability for
e-commerce activities.
•http://www.cica.ca/index.cfm/ci_id/635/la_id/1.htm

17. IT Baseline protection
 Describes organizational, personnel, infraestructure
and technical standards.
 Globally assumed threat scenario.
 Detailed descriptions of safeguards.
 Description of the process involved in maintaining
an appropriate level of IT security.
 Procedure for ascertaining the level of IT security.
•http://www.bsi.bund.de/gshb/english/menue.htm

18. OCTAVE
 Involves internal personnel, providing security
awareness and understanding of the business
continuity needs.
 Introduces extensible project management
techniques.
 It’s supposed to facilitate adaption to security
requirements evolution.
•http://www.cert.org/octave/

19. CSEAT Review Criteria
Big list of things to do.
Provides no conceptual framework.
•http://csrc.nist.gov/cseat/

20. Open Source Security Testing Methodology Manual
Methodology for Penetration Testing.
GNU-FDL Licenced.
•http://www.isecom.org/projects/osstmm.shtml

21. FIST November/Madrid 2003
Security Standards & Methodologies
Vicente Aceituno
Developing the infrastructures that enable e-business ®