Transcript ISO 17799 - Information Systems and Internet Security

ISO 17799
InfoSec: Can you dig it?
Agenda
1.
2.
3.
4.
5.
6.
7.
8.
9.
Introduction and Purpose
Risk Assessment, Controls and Guiding Principles
Success Factors
Examples of it in terms of InfoSec Policy and Organizational
Security
Implementing an Information Security Management Systems
Environment
Gaining ISO17799 Certification: A Blue Print
Using the SANS auditing template
A risk assessment with ISO17799 Pitfalls
Conclusion and Questions
Is it ISO or just BS?



International Standard ISO/IEC 17799 was
prepared by the British Standards Institution (as
BS 7799) and was adopted, under a special
“fast-track procedure”, by Joint Technical
Committee ISO/IEC JTC 1, Information
technology, in parallel with its approval by
national bodies of ISO and IEC.
Provides common approaches to manage risks
Not applicable to every system and not always
practical in smaller organizations
ISO17799   BS17799

ISO 17799:2000



Code of Practice For
Information Security
Management
Best practices framework
From 7.2.1, Equipment
siting and protection:
Equipment should be sited
or protected to reduce the
risks from environmental
threats….

BS 7799-2:2002




Information Security
Management Systems
Specification With
Guidance For Use
Auditing specification
From 7.2.1, Equipment
shall be sited or
protected….
ISO has begun the study
period of BS 7799-2:2002
towards adoption
10 Areas: To have and to hold





Security policy: Adopting a security process that outlines an organization's
expectations for security, which can then demonstrate management's
support and commitment to security.
Security organization: Having a management structure for security,
including appointing security coordinators, delegating security management
responsibilities and establishing a security incident response process.
Asset classification and control: Conducting a detailed assessment and
inventory of an organization's information infrastructure and information
assets to determine an appropriate level of security.
Personnel security: Making security a key component of the human
resources and business operations. This includes writing security
expectations in job responsibilities (IT admins and end users), screening
new personnel for criminal histories, using confidentiality agreements when
dealing with sensitive information and having a reporting process for
security incidents.
Physical and environmental security: Establishing a policy that protects
the IT infrastructure, physical plant and employees. This includes controlling
building access, having backup power supplies, performing routine
equipment maintenance and securing off-site equipment.
10 Areas: To have and to hold





Communications and operations management: Preventing security
incidents by implementing preventive measures, such as using antivirus
protection, maintaining and monitoring logs, securing remote connections
and having incident response procedures.
Access control: Protecting against internal abuses and external intrusions
by controlling access to network and application resources through such
measures as password management, authentication and event logging.
Systems development and maintenance: Ensuring that security is an
integral part of any network deployment or expansion, and that existing
systems are properly maintained.
Business continuity management: Planning for disasters--natural and
man-made--and recovering from them.
Compliance: Complying with any applicable regulatory and legal
requirements, such as the Health Insurance Portability and Accountability
Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and cryptography export
controls.
Need for Security

Establishing Security Requirements
 Three
main sources
Risk Assessment – identified, evaluated and
estimated
 Legal, Statutory, Regulatory – contractual
requirements the organization must fill
 Principle and Objectives – requirements to support
operations

Assessing Risks

Risk Assessment

Considered on a systematic basis



Business impact to CIA
Likelihood of impact – threat vs controls
Guides and determines actions and priorities


Process of selecting controls is iterative per business unit and
system
Reviews based on




Changing business requirements
New threats and vulnerabilities
Confirmation that current controls are effective
Assessments performed at a high level and then more
specifically for detailed risk.
Selecting Controls

Should be selected based on a cost
benefit analysis.
 Ex.

$1000.00 fence around a $50.00 asset.
Reputation should also be a factor in that
decision.
InfoSec Guiding Principles

Two Points of View

Legislative
 InfoSec Best Practice

Legislative
Data protection and privacy of personal
information
b) Safeguarding of organizational records
c) Intellectual property rights
a)
InfoSec Guiding Principles

InfoSec Best Practices
a)
b)
c)
d)
e)
Information security policy document
Allocation of information security
responsibilities
Information security education and training
Reporting security incidents
Business continuity management
*Note: These are suggestions and should only be implemented based upon the risk
assessment.
Code of Practice
71 Pages of Security Management
Goodness
 Similar to CISSP and derived partially from
TCSEC, Common Criteria. Its apparent in
the requirements
 Some of it is infeasible and is a utopian
organization, politics acceptance changing
culture.

Critical Success Factors

The following is a list of factors which are found to be essential to
the implementation of InfoSec at an organization
Security policy, objectives and activities that reflect business objectives
An approach to implementing security that is consistent with the
organizational culture*
3. Visible support and commitment from management*
4. A good understanding of the security requirements, risk assessment
and risk management
5. Effective marketing of security to all managers and employees
6. Distribution of guidance on information security policy and standards to
all employees and contractors
7. Providing appropriate training and education*
8. A comprehensive and balanced system of measurement which is used
to evaluate performance in information security management and
feedback suggestions for improvement.
*Most important factors.
1.
2.
A brief peek inside
Information Security Policy
 Organizational Security

Information Security Policy



To provide management direction and support
for information security.
A policy document should be approved by
management, published and communicated, as
appropriate, to all employees. It should state
management commitment and set out the
organization’s approach to managing information
security.
Policy owner should periodically review the
policy; on effectiveness, efficiency and controls.
Information Security Policy

Essential Requirements:
 Definition
of InfoSec, objectives and scope.
 Management statement of support.
 Definition of responsibilities of management in
InfoSec.
 Brief explanation of policies, principles
standards and compliance.
 References to documents that support the
policy with details for specific systems.
Organizational Security
A management framework should be
established to initiate and control the
implementation of information security
within the organization.
 Details

 Management
Information Security Forum
Requires a Champion to lead it.
 Reviews, Monitors and Approves


Responsibilities, incidents, threats enhancements
Organizational Security

Information security co-ordination
 Cross
functional forum of management reps
(geared at large company)
Assigns roles and responsibilities
 Agrees on methodology and process
 Supports awareness programs
 Assures security a place in the SDLC and planning
 Evaluates implementations of controls
 Review incidents
 Give infoSec high visibility

Organizational Security

Allocation of information security
responsibilities
 Assign

responsibilities
Ex. Appoint an owner for each information asset and its dayto-day operations. It can then be further delegated, but owner
takes responsibility.
 Responsibility



Clearly identify and define security processes for each
system
Responsibility should be documented and agreed in some
kind of SLA
Clearly define authorization levels.
Organizational Security

Authorization process for information
processing facilities
 A management
authorization process for new
information processing facilities should be
established.
 Controls to be considered


User management, hardware and software compatibility,
personal information processing facilities
Specialist information security advice
 Consultation
by internal or external security
specialists at the onset of an incident. He/she will
coordinate in-house knowledge and experience to
ensure consistency.
Organizational Security

Co-operation between organizations




Appropriate contacts with law enforcement authorities, regulatory
bodies, information service providers and telecommunications
operators should be maintained
Membership of security groups and industry forums should be
considered.
Exchanges of security information should be restricted to ensure
that confidential information of the organization is not passed to
unauthorized persons.
Independent review of information security

The Information Security Policy should receive independent
reviews from a third party. (Internal auditor, manager or
specializing third party)
Organizational Security

Security of third party access


To maintain the security of organizational
information processing facilities and information
assets accessed by third parties.
Identification of risks from third party access

Two Types
1.
2.

Physical access, e.g. to offices, computer rooms, filing
cabinets;
Logical access, e.g. to an organization’s databases,
information systems.
Reasons for access

Provide services to an organization and are not located onsite but may be given physical and logical access
Organizational Security

Security requirements in third party
contracts
 General
InfoSec policy, Procedures and
controls for asset protection, Integrity and
Availability, NDA, liability etc.

Outsourcing
 To
maintain the security of information when
the responsibility for information processing
has been outsourced to another organization.
Organizational Security

Asset classification and control
 Accountability for assets
 To maintain appropriate protection of organizational assets.
 All major information assets should be accounted for and
have a nominated owner.
 Accountability ensures appropriate protection is maintained.
 Owners should be identified for all major assets and the
responsibility for the maintenance of appropriate controls
should be assigned.
 Responsibility for implementing controls may be delegated.
 Accountability should remain with the nominated owner of the
asset.
Information Security Management
System (ISMS)

Manage and maintain secure information system
environment


A framework to facilitate a relationship between processes and
products.
Implementation and maintenance or process and procedures; and
must address the following,





ID InfoSec needs
Strategy to meet those needs
Measurement of results
Improving strategies over time
Approach must be Hollistic
 Human
 Technology
 Process
PDCA Model Applied to ISMS

Plan (establish the ISMS)


Do (implement and operate the ISMS)


Implement and operate the security policy, controls, processes and
procedures.
Check (monitor and review the ISMS)


Establish security policy, objectives, targets, processes and procedures
relevant to managing risk and improving information security to deliver
results in accordance with an organization’s overall policies and
objectives.
Assess and, where applicable, measure process performance against
security policy, objectives and practical experience and report the
results to management for review.
Act (maintain and improve the ISMS)

Take corrective and preventive actions, based on the results of the
management review, to achieve continual improvement of the ISMS.
PDCA Model Applied to ISMS
ISMS
Defining Scope and Relationships
Identifying Intangible Assets
ISMS

Process ISMS – security policy forms the basis of the process

Two phase approach


Planning
Implementation – the controls or guidelines as provided by ISO17799.



First step: pick a process



Assess whether the guidelines apply
Third party audit
Implement process ex. New employee screening
Then check to see if all new employees are screened
Second step: check for compliance



Plan-Do-Check-Act
Iterative process that requires feedback
Must be tailored to fit
ISMS

Product ISMS
 Evaluation
of software products
Third party eval
 Software is subject to detailed series of tests
 Ex. TCSEC B2

For example, Class B2: ‘Structured Protection’
 Trusted Oracle8i was evaluated EAL4 under the
Common Criteria (CC 2002)

ISMS

Certified product categories – protection class/control area
ISMS – Protection Classes

Implementation of the controls in each one of the ten
sections of ISO17799.



You can define 4 classes of protection
Class 1: Inadequate protection
Sections of a code-of-practice will be classified in this class if no effort was made
by the organization to implement any of the recommended controls for their
specific requirements. This is the lowest class. Certified products Do not have
any influence on the classification of sections on this level.
Class 2: Minimal protection
If minimal effort was put into implementing some of the recommended controls, it
will be possible to classify some sections in this class. The same requirement as
for Class 1 is applicable for the code-of-practice controls in some of the sections.
Certified products do not have any influence on the classification of sections on
this level either.
ISMS


Class 3: Reasonable protection
The same requirement as for Class 2 is applicable for the code-of-practice
controls in some of the sections. The majority of the sections must satisfy
additional requirements based on implemented processes and procedures to
prove that the recommended controls from the code-of-practice are implemented
on a reasonable level. Some sections have an additional requirement for certified
products to be used.
Class 4: Adequate protection
For a section to be classified as adequately protected, it must be verifiable that
considerable effort was made to implement the complete set of recommended
controls for the section. This implies full compliance to a code-of practice for that
specific section. Furthermore, the majority of sections have an additional
requirement that certified products, in all the product categories, must be
implemented to illustrate adequate protection. If there are no related product
categories for an ISO17799 section, it is possible for that section to advance to
this class in the absence of certified products.
ISMS

Illustration of protection classes
ISO17799 A Blue Print
1.
2.
3.
4.
5.
6.
7.
Client board decides to implement
Senior Management must visually
commit to adopting the standard
Decide InfoSec Policy
InfoSec policy once adopted must
be furnished to all trained
employees
Senior Mngmt then decides which
business units will be offered up
for certification
The orgs scope fo rthis project
produces an SMS Scope Doc
The Risk Assessment (RA) is
carried out for the Scope Doc(ID
asset , threat , vuln.).= RA doc
8.
9.
10.
11.
12.
13.
Org decides risk approach and
determines acceptable degree of
risk
Org must decide to how to
manage the id’d risk so that
residual deg. of risk is within
acceptable limits.
Once action, accountability and
ownership are established, it is
documented
Controls to required to reduce risk
to acceptable levels are identified.
Controls selected from ISO17799
and documented
Selected controls must be
traceable to the risk they address.
This is documented in the
Statement of Acceptibality (SoA)
Achieving ISO Compliance
ISO17799 A Blue Print
Sans Auditing Template

10 Areas of Audit
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.


Security Policy
Organizational Security
Asset Classification and Control
Personnel Security
Physical and Environmental Security
Communications and Operations Management
Access Control
System Development and Maintenance
Business Continuity Planning
Compliance
36 Control Objectives
127 Controls
Sans Auditing Template
ISO17799: The world is not enough

The standard's flexibility, however, is also its Achilles' heel. Critics
say ISO 17799 is too vague and too loosely structured to have any
real value. In some cases, they charge, the standard could
inadvertently give an organization a false sense of security.
 Lawrence Walsh, Information Security Magazine

Mile Wide and an Inch Deep




BSI says 7799 was never intended to be a technical standard. Unlike
other security standards--such as the Commonly Accepted Security
Practices and Regulations (CASPR) or ISO 15408/Common Criteria-ISO 17799 provides a broad, nontechnical framework for protecting
information in any form.
No certification portion as in PII of BS17799
Meant for any organization: rarely is that possible
Rarely attempts to provide guidance in evaluating or understanding
existing security measures.



Doesn’t discuss pro’s and con’s of different controls
No common sense advice (don’t enable all defaults)
Expensive and short on methodology
Future of ISO17799

Most U.S. public companies will need to
seriously manage the security of their
information assets
 Tangible
and intangible
 People, process, technology


ISO 17799 compliance will be necessary to
play in many markets for U.S. informationintensive businesses
ISO 17799 certification will be a discriminator
Questions