Information Security Standards
Gary Gaskell © 2001
Gary Gaskell, 3 May 2001
Contents
- Overview of security standards
- Types of standards
- List of standards
- Quick insight into each standard
- Conclusions
Types of Standards
- Risk based
- Management
- Technical
- Lightweight
- Thorough
- System-wide focus
- Product focus
- Assurance based
- Prescriptive controls
- Checklists
Security Standards - Pick One!
- AS/NZS 4444 (BS 7799, ISO 17799)
- US TCSEC (Rainbow series)
- ITSEC (Europe)
- Common Criteria (ISO 15408)
- IETF Site Security Handbook (RFC 2196)
- Vendor handbooks and checklists
- B.S.I.
- SANS
- Website certification services
- SAS-70
AS/NZS 4444
Information Security Management Standard
- Part 1 - 1999
- Part 2 - 2000
- JANZAS based
- Based on BS 7799
- BS 7799 itself based on industry practice (Shell Oil etc.)
AS 4444
- Good internal security management
- Information Security Management System
- Explicit target - trusted interconnection
- Catalogue of controls
- Recommended baselines
- Risk based assessments
AS4444 Controls
- Security policy
- Security organisation
- Asset classification and control
- Personnel security
- Physical and environmental security
- Communications and operations management
- Access control
- Systems development and maintenance
- Business continuity management
- Compliance
TCSEC
Trusted Computer System Evaluation Criteria - 1983
- US Government specification
- "Orange Book" and "Rainbow Series"
- Origin of C2, B1, B3 etc.
- Functionality and assurance tightly coupled
- Superseded but still in use
ITSEC
Information Technology Security Evaluation Criteria - 1991
- UK, France, Germany and the Netherlands
- Used by Australia
- System and product use: http://www.dsd.gov.au/infosec/aisep/EPL/prod.html
- Superseded but still in use
Common Criteria
Common Criteria for Information Technology Security Evaluation - 1999
- ISO 15408 (CC v2.1)
- Merge of TCSEC and ITSEC
- Emerging standard
- Assurance level separate from functionality level
- Mutual recognition arrangement - 13 countries
RFC 2196
- IETF Site Security Handbook
- Developed by CERT/CC at CMU
- Response oriented
- Good practical advice
- Explicit about system hardening and patch installation
Vendor Checklists
- SGI
- Compaq/Digital
- Sun Microsystems (Blueprints)
- AIX (Redbooks)
- Microsoft
- Apache
- Oracle
Vendor Checklists - Continued
- Explicit and specific
- Good for specification in designs or outsourcing
- "How to" oriented
- Sometimes too light
Third Party Vendor Checklists
- AusCERT/CERT Unix security checklist
- Windows NT 4 NSA/Trusted Systems checklist (http://www.trustedsystems.com)
- Windows 2000 security checklist (http://www.systemexperts.com)
- Books - e.g. Practical Unix and Internet Security, Garfinkel and Spafford
BSI
Bundesamt für Sicherheit in der Informationstechnik
http://www.bsi.de/gshb/english/etc/inhalt.htm
- IT Baseline Protection Manual
- More practical than other government attempts
SANS
SysAdmin, Audit, Network, Security
http://www.sans.org
- Advice on policy and controls
- Training (and certification?)
- Checklists
- Vulnerability service
Website Certification Programs
- TruSecure (ICSA/TruSecure)
- WebTrust
- beTRUSTed (PwC)
- SysTrust (AICPA)
- Others?
SAS-70
- Statement on Auditing Standards No. 70
- American Institute of Certified Public Accountants (AICPA)
- Formal audit standard with a background in financial audits
- Two levels:
  Type I - inspection of key areas (controls as described and designed)
  Type II - testing of the operating effectiveness of controls
Miscellaneous
- IS 18 - Queensland Government
- VISA - security for merchant sites
- NIST - FIPS 102
- US - HIPAA
- OECD - Guidelines for the Security of Information Systems
- ISO 13335 - Guidelines for the Management of IT Security
Miscellaneous - continued
- System Security Engineering Capability Maturity Model (SSE-CMM) - International Systems Security Engineering Association (ISSEA)
- CoBIT - "IT Governance" - ISACA
Conclusions
- Great choice of standards
- None is a full solution