IS Security Standards - Information Systems
Download
Report
Transcript IS Security Standards - Information Systems
IS Security Standards
Gurpreet Dhillon
Virginia Commonwealth University
Importance of IS Security
Standards
IS security plays a vital role
IS security: as strong as the weakest link
Confusing: Plethora of standards
How do we make sense of these
standards?
Which standard to adopt?
© Dr. Gurpreet Dhillon
Do not reproduce without permission
Classification of IS Security
Standards
Security development
Security management
Security evaluation
Risk management
© Dr. Gurpreet Dhillon
Do not reproduce without permission
IS Security Life Cycle
Security
Evaluation
Security
Development
Implementation
Security
Management
Risk management
Changes
© Dr. Gurpreet Dhillon
Do not reproduce without permission
Classification of IS Security
Standards
Security development
Security management
Objectives or controls necessary for managing IS
security
Security evaluation
Improvement and assessment of IS securityengineering capability
Examination and testing of the security features of
an information system
Risk management
Identification, analysis, control, and
communication of IS security risks to which an
organization is exposed
© Dr. Gurpreet Dhillon
Do not reproduce without permission
Security Development
CMM
SE-CMM
Systems
SSE-CMM
(ISO/IEC
DIS 21827)
Security Engineering Capability Maturity Model (SEE-CMM)
CMM & SE-CMM do not deal with IS security
© Dr. Gurpreet Dhillon
Do not reproduce without permission
SSE-CMM
Describes essential characteristics of security
engineering processes.
Addresses the continuity, repeatability, efficiency,
and assurance qualities required in the
production and operation of secure systems and
products
Scope: entire secure system or product life
cycle, the whole organization, and concurrent
interactions with other organizations.
Two dimensions:
Domain: “base practices” that collectively define
security engineering
Capability: “generic practices” that indicate process
management and institutionalization
capability
© Dr. Gurpreet Dhillon
Do not reproduce without permission
Security Management
GASSP
(1995)
GAISP
(2003)
OECD Guidelines
(1992)
Code of Practice
UK DTI (1993)
BS 7799
(1995)
ISO/IEC 17799
(2000)
ISO/IEC TR13335
(1996)
© Dr. Gurpreet Dhillon
Do not reproduce without permission
ISO/IEC 17799
Code of Practice for Information Security Management
Set of controls that are important to achieve the
security objectives of an organization
The standard is organized into ten major sections.
Guiding areas for implementing IS security:
Each section addresses an area important for IS security
and lists best practices in form of controls for that
particular area.
36 Objectives and 127 controls
Security policy, organizational security, personnel
security, business continuity management, compliance.
Other areas:
Asset classification & control, physical & environmental
security, communications & operations management,
access control, systems development & maintenance.
© Dr. Gurpreet Dhillon
Do not reproduce without permission
ISO/IEC TR 13335
Guidelines for the management of IT Security (GMITS)
A technical report that provides suggestions rather
than prescribe practice.
Scope: IT security and not information security.
It comprises of five parts.
Part 1: basic concepts and models for the IT
security.
Part 2: managing and planning IT security.
Part 3: techniques for the management of IT
security.
Part 4: provides guidance on the selection of
safeguards for the management of risk.
Part 5: management guidance on network
security
© Dr. Gurpreet Dhillon
Do not reproduce without permission
OECD Guidelines
Organization for Economic Cooperation and Development
It recognizes the commonality of security
requirements across various
organizations.
Developed an integrated approach
outlined in the form of nine principles:
Accountability, awareness, ethics,
multidisciplinary, proportionality, integration,
timeliness, reassessment, equity.
© Dr. Gurpreet Dhillon
Do not reproduce without permission
GAISP
Generally Accepted Information Security Principles
Documents information security principles that have
been proven in practice and accepted by practitioners.
GAISP is organized into three major sections that form a
hierarchy.
Pervasive Principles:
Broad Functional Principles:
Targets organizational governance and executive management.
outlines the principles advocated in OECD guidelines.
Targets management.
It describes specific building blocks (what to do) that comprise
the Pervasive Principles.
Detailed Principles:
Targets IS security professional.
Provides specific (how to) guidance for implementation of
© Dr. Gurpreet Dhillon
optimal IS security practices.
Do not reproduce without permission
Security evaluation
Green
book
TCSEC
ITSEC
MSFR
ISO/IEC 15408
Federal
Criteria
CTCPEC
© Dr. Gurpreet Dhillon
Do not reproduce without permission
Common Criteria
TCSEC
Trusted Computer System Evaluation Criteria
Addresses military security needs and
policies.
Focus:
mainframe systems.
protection of confidentiality
Four major sets of criteria:
security policy, accountability, assurance, and
documentation.
TCSEC was “interpreted” for both networks
and databases.
© Dr. Gurpreet Dhillon
Do not reproduce without permission
Green book & CTCPEC
German Green Book
Division of security requirements into:
Functionality and Assurance requirements
Canadian Trusted Computer Evaluation Criteria
(CTCPEC)
address complex systems
CTCPEC classifies the functionality and
assurance requirements separately.
Functional criteria comprises of confidentiality,
integrity, availability, and accountability
Assurance criteria are applied across the
entire system.
© Dr. Gurpreet Dhillon
Do not reproduce without permission
Security evaluation
Minimum Security Functional Requirements
(MSFR)
Follows ITSEC
separates the functionality and assurance criteria.
takes Security Target approach.
Federal Criteria (FC)
Focus: IT Security
Introduces Protection Profile
implementation-independent set of functionality and
assurance requirements for a category of products.
Follows ITSEC’s Security Target approach.
© Dr. Gurpreet Dhillon
Do not reproduce without permission
ITSEC
Information Technology Security Evaluation Criteria
ITSEC identifies Target of Evaluation (TOE) as
either a system or product.
Evaluation factors of TOE: correctness and
effectiveness.
Evaluation of correctness: examines correct
implementation of security functions and
mechanisms
Evaluation of effectiveness: examines
compatibility of security mechanisms and the
stated security objectives.
TOE’s functionality suitability and integration,
consequences of vulnerabilities, and ease of use
are also evaluated.
© Dr. Gurpreet Dhillon
Do not reproduce without permission
Common Criteria (CC)
CC v2.1 was published in 1999 and adopted as ISO/IEC
IS 15408.
CC is organized into three parts.
Introduction and General Model:
Security Functional Requirements:
Introduces the general model and concepts of IT security
evaluation.
Three types of security requirement constructs defined:
Package, Protection Profile, and Security Target.
Follows ITSEC: separates the functionality and assurance
requirements.
addresses the functional requirements of security.
Standardized Security Assurance Requirements:
defines the criteria for evaluating Protection Profiles, Security
Targets, and TOEs (target of evaluations).
© Dr. Gurpreet Dhillon
Do not reproduce without permission
ISO/IEC IS 15408
Evaluation Criteria for IT Security (ECITS)
ECITS is organized into three parts:
model, functionality classes, and assurance.
Influenced by:
ITSEC: separates the functionality and
assurance criteria.
CTCPEC: Functionality classes.
ECITS also addresses privacy protection.
identifies four functional privacy families:
anonymity, pseudonymity, unlinkability, and
unobservability.
© Dr. Gurpreet Dhillon
Do not reproduce without permission
Risk management
NIST Spec Pub 800-30
Risk Mgmt
ISO/IEC TR 13335 Part-3
ISO/IEC TR 13335 Part-4
© Dr. Gurpreet Dhillon
Do not reproduce without permission
Risk management
ISO/IEC TR13335
Part 4: provides the guidelines for selection of
safeguards for the risk management.
Part 3: outlines and provides interpretation of the risk
assessment principles.
NIST Special Publication 800-30 Risk Management
Guide for IT Systems
a national level standard for US.
provides an outline of risk management and risk
assessment.
The risk mitigation process is associated with selection
of cost-effective security controls.
stresses on continuing risk evaluation and assessment.
© Dr. Gurpreet Dhillon
Do not reproduce without permission
IS Security Standards Framework
Categories
Definition
Issues
Standard
Approach/Need
Security
Development
Improvement and
assessment of IS
security-engineering
capability
Continuity
Repeatability
Efficiency
Assurance
ISO/IEC
DIS 21827
Security engineering
process, Assurance
process, Risk
process.
Security
Management
Objectives or controls
necessary for
managing IS security
Confidentiality
Integrity
Availability
Responsibility
Integrity
Trust
Ethicality
ISO/IEC
17799
Security policy,
organizational
security, personnel
security, business
continuity
management,
compliance.
Security
Evaluation
Examination and
testing of the security
features of an
information system
Effectiveness
Correctness
ISO/IEC
IS 15408
Functionality
requirements,
Assurance
requirements, Privacy
protection.
Risk
Management
Identification, analysis, Threat
ISO/IEC
control, and
Vulnerability
TR 13335
communication of IS
Impact
Part 3 and
security risks to which
Part 4
Dr. Gurpreet Dhillon
an organization is Do not ©reproduce
without permission
exposed.
Need
Risk assessment,
Risk analysis, and
Risk mitigation in
terms of IS security.
Integrated model
Risk
Management
Security
Management
Security
Development
Security
Evalaution
© Dr. Gurpreet Dhillon
Do not reproduce without permission