Information Security Standards


Luděk Novák, CISA, CISSP


2nd May 2007

Agenda

• Sub-commission JTC 1/SC 27 – IT Security techniques
• Information security management standards (ISO/IEC 27000 family)
• Cryptographic standards
• Security evaluation standards
• Security controls and services
• Identity management and privacy
• IT Service management

Tutorial aims

• Introduction to the activities of standardization organizations
  • ISO – International Organization for Standardization http://www.iso.org
  • ČNI – Czech standards institute http://www.cni.cz
• Compact overview of new and upcoming information security standards
  • Activities of sub-commission JTC 1/SC 27 – IT Security techniques
• It is not possible to discuss the details of the standards

Introduction of sub-commission JTC 1/SC 27

• Focus of sub-commission JTC 1/SC 27 – IT Security techniques
  • Identification of generic requirements (including requirements methodology) for IT system security services
  • Development of security techniques and mechanisms (including registration procedures and relationships of security components)
  • Development of security guidelines (e.g., interpretative documents, risk analysis)
  • Development of management support documentation and standards (e.g., terminology and security evaluation criteria)
• Sub-commission activities review
  • Over 80 projects (nearly 50 active)
  • More than 50 published information security standards
  • A lot of interesting suggestions have shown up recently

Structure of JTC 1/SC 27 – IT Security techniques

From 2006
• JTC 1/SC 27/WG 1 Information security management systems (ISMS)
• JTC 1/SC 27/WG 2 Cryptography and security mechanisms
• JTC 1/SC 27/WG 3 Security evaluation and assessment
• JTC 1/SC 27/WG 4 Security controls and services
• JTC 1/SC 27/WG 5 Identity management and privacy technologies

Till 2006
• JTC 1/SC 27/WG 1 Requirements, security services and guidelines
• JTC 1/SC 27/WG 2 Security techniques and mechanisms
• JTC 1/SC 27/WG 3 Security evaluation criteria

Working group aims

(Figure. Source: JTC 1/SC 27)

Work programme for WG1: Information Security Management System (ISMS)

Published
• ISO/IEC 27001:2005 Information security management system – Requirements
• ISO/IEC 27002:2005 Code of practice for information security management (ISO/IEC 17799)
• ISO/IEC 27006:2007 Requirements for the accreditation of bodies providing certification of ISMS
• ISO/IEC 13335 Management of information and communications technology security
• ISO/IEC TR 13335 Guidelines for the management of IT Security

Upcoming
• ISO/IEC 27005 Information security risk management
• ISO/IEC 27004 Information security management metrics and measurements
• ISO/IEC 27000 Information security management system fundamentals and vocabulary
• ISO/IEC 27003 Information security management system implementation guidance
• ISO/IEC 27007 Information security management system auditor guidelines (not approved)

ISO/IEC 27000 family

• New family accepted in the spring of 2005
  • Different numbers for BS 7799 based standards (ISO/IEC 17799 versus ISO/IEC 24743)
• Harmonization of two concepts
  • ISO/IEC 13335 – academic approach
  • BS 7799 – pragmatic approach
• ISO/IEC 27000 family criteria
  • Provide direct support or detailed guidance and interpretation for the implementation of the PDCA processes and requirements defined in ISO/IEC 27001 (e.g. risk assessment, identification of assets, ISMS effectiveness)
  • Address conformity assessments or sector-specific requirements for ISMS
  • Contribute and add value to the PDCA processes of ISO/IEC 27001
  • Specification of a relationship to ISO/IEC 27001
  • Standards excluded from this ISMS family are those that only address the implementation of controls from ISO/IEC 27002 – see WG4 activities

ISO/IEC 27000 family review

(Figure, reconstructed as a list)
• ISMS Requirements – ISO/IEC 27001:2005 (BS 7799-2:2002)
  • Annex A -> ISMS Code of practice – ISO/IEC 27002:2005 (ISO/IEC 17799)
• Risk management – BS 7799-3:2006, ISO/IEC 27005:2007? (ISO/IEC TR 13335-3:1998)
• ISMS Overview and vocabulary – ISO/IEC 27000:2008? (ISO/IEC 13335-1)
• ISMS Certification scheme – ISO/IEC 27006:2007 (EA 7/03)
• ISMS Measurement – ISO/IEC 27004:2008?
• ISMS Implementation guidelines – ISO/IEC 27003:2008?
• ISMS Auditor Guidelines – ISO/IEC 27007?
• Specific standards and guidelines

ISO/IEC 27001:2005 (formerly BS 7799-2)

• Information security management system – Requirements
  • Standard is based on BS 7799-2:2002
  • ISO/IEC 27001 published in October 2005 (BS 7799-2 validity was finished)
  • Czech version (ČSN ISO/IEC 27001:2006) published in October 2006
• ISMS certification is based on this standard !!!
  • Transformation period for BS 7799-2 is 1.5 years, i.e. till 14th April 2007
  • Audits after 14th April 2006 should follow ISO/IEC 27001
  • Accreditation bodies specify the necessary details

ISO/IEC 27001:2005 principles

• Definition of requirements on an Information Security Management System – ISMS
• Information security management process based on the PDCA Model
  • Plan – Do – Check – Act
• Ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties
• All defined requirements are mandatory and it is not possible to exclude any of them
  • But it is not necessary to implement all security controls !!!

(Figure: PDCA cycle – Plan, Do, Check, Act – with Requirements as input and Satisfaction as output)

Plan – Establish ISMS

ISMS process requirements
• ISMS Scope
• ISMS Policy
• Risk management (BS 7799-3)
  • Define a risk management approach
  • Identify and assess risks
  • Evaluate risk treatment options
  • Select security controls (ISO/IEC 27002:2005)
• Management approval
  • ISMS Operation
  • Residual risks
• Statement of applicability

Recommendations
• Assign a responsible security manager
• ISMS training
  • Project team
  • Asset owners
• Appropriate risk management
  • Adequate approach to risks
  • Identification of assets and their owners
  • Maintenance of the risk catalog
• Statement of applicability
  • Key document for any security manager

Implement and operate ISMS

• Plan – outline of activities during a year/cycle
• Manual – ISMS long term policies, rules and procedures
• Measurement – ISMS effectiveness indicators and metrics
• Awareness – people should know, understand and follow the policies
• Sources – there is no ISMS without people (and tools)
• Documentation – document life cycle rules
• !!! Records – evidence of particular ISMS activities

Monitor and review ISMS

• ISMS monitoring and checking
  • Management and responsible persons
  • Security incidents assessment
  • Results of ISMS measurements
• ISMS Internal audits
  • Internal auditors
• ISMS Reviews
  • Senior management

Maintain and improve ISMS

• Continual improvement
  • Positively based – using chances to improve ISMS
  • Negatively based – eliminate nonconformities, mistakes, failures, …
• Corrective actions
• Preventive actions

ISO/IEC 27001:2005 main changes

Slightly revised BS 7799-2:2002
• New requirement to measure the effectiveness of the ISMS
• ISMS internal linkages are more important
  • Demonstrate the relationship from selected controls back to risk assessment and treatment
• New requirements on the statement of applicability
  • Information whether a control is currently implemented
• Review of risk assessment as a part of ISMS management review (at least annually)
• Small changes in text and structure
  • ISMS Internal audit as chapter 6 – formerly 6.4
  • Annex B was removed – Guidance on use of the standard (it will be transferred to ISO/IEC 27003)
  • Use of security controls from ISO/IEC 17799:2005

ISO/IEC 27002:2005 (ISO/IEC 17799)

Code of practice for information security management
• Complex and balanced set of controls on how to protect information assets
• The code of practice is respected internationally
• Published in June 2005
• Czech edition in August 2006
• ISO/IEC 27002 should be used since spring 2007

Information security „best practice“ is described
• 11 security clauses
• 39 control objectives
• 133 controls
• Structured description
  • Control
  • Implementation guidance
  • Other information
• The verb „should“ is used

There is no management system in the standard
• There are no management techniques on how to select and enforce security controls (see ISO/IEC 27001)

Structure of ISO/IEC 27002:2005 (ISO/IEC 17799)

Security clauses
• Security policy
• Organizing information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development and maintenance
• Information security incident management
• Business continuity management
• Compliance

Source: ISO/IEC 17799:2005

Main changes in ISO/IEC 27002:2005 (ISO/IEC 17799)

Formal changes
• Structured control description
  • Control, implementation guidance, other information
• More precise terminology
  • Security forum -> Management commitment to information security

Selected changes in the control catalogue
• External subject security
  • Merge of third parties and outsourcing, customer access security
• New approach to human resource security
  • Follows the employment life cycle: prior to employment, during employment, termination or change of employment
• New clause for information security incident management
• New controls related to the progress of security needs
  • Responsibility for assets (ownership of assets and acceptable use of assets)
  • Controls against mobile code
  • On-line transactions
  • Technical vulnerability management
• Removal of some overly technical controls
  • Cryptography, data network, ...

!!! The danger of using ISO/IEC 17799:2000 !!!

Attention! There are a lot of mistakes and inaccuracies in the version from 2000 – high risk of using an inappropriate methodology (including ČSN ISO/IEC 17799:2001 or ČSN ISO/IEC 17799:2005)
• The big disadvantage of the old version is that authorizations are not taken away
  • There is no control for employment termination
  • It influences a lot of security controls
• A lot of trivialities are missing – e.g. changing passwords set by vendors, …
• ISO/IEC 27002:2005 solves the problems
  • Operating system access controls are also applicable e.g. to a DBMS

ISMS Overview and vocabulary

ISO/IEC 27000 – ISMS Overview and vocabulary
• Fundamental principles, concepts and vocabulary for ISMS
• Based on OECD principles
  • Awareness – of the need for information security
  • Responsibility – assignment of information security
  • Response – to prevent and detect information security incidents
  • Ethics – respecting legitimate interests
  • Democracy – to ensure information security is compatible with society's values
  • Risk Management – providing levels of assurance towards acceptable risks
  • Security design and implementation, Security management – ensuring a comprehensive approach
  • Continuous improvement – incorporated as an essential element of information security
• Harmonization with other management systems (QMS, EMS, ITSMS, …)
• Publishing planned at the end of 2008
  • ISO/IEC 13335-1:2004 will be withdrawn

ISMS Implementation guidance

ISO/IEC 27003 – Information Security Management System Implementation Guidance
• Recommendations on how to implement an ISMS effectively
• Critical success factors
• Deep explanation of all ISMS requirements following PDCA
  • Objectives
  • Preconditions
  • Organizing the work
  • Who to involve
  • How it is done
  • Results
  • Document and record recommendations
• To be published at the end of 2008

ISMS Measurements

ISO/IEC 27004 – Information Security Management Measurements
• A tool for the definition of ISMS metrics and indicators
• Pre-defined structure for metrics and how to deal with metrics
  • Measure name and code
  • Purpose of measure
  • Measurement calculation details
  • Value and scale – Nominal, Ordinal, Interval, Ratio
  • Data Collection Procedure
  • Stakeholders – Owner, Customer, Collector, Communicator, Reviewer
  • Life cycle – frequency of collection, periodicity of reporting, period of analysis etc.
  • Decision criteria
• Completely new standard – publishing is planned in 2008 (middle)
• Important for the future – indicator based argumentation

ISMS Measurement as a feedback

(Figure: measurement feedback loop linking Business needs, Security management, Risk management, Security measures, Security effectiveness, Decision criteria, Indicators, Define measurement priorities, Information flows and Measurement methods. Source: draft of ISO/IEC 27004)

Examples of ISMS metrics

• Percentage (%) of system users/security personnel that have received basic awareness training
• Average frequency of audit records review and analyses for inappropriate activity
• Percentage of systems using automated mechanisms to conduct analysis and reporting of inappropriate activities
• Percentage (%) of systems that are compliant with the baseline configuration
• Percentage (%) of systems successfully addressed in the testing of the contingency plan
• Percentage of accounts not associated with specific users
• Percentage (%) of system components that undergo maintenance on schedule
• Cost of information security incidents of unauthorized access to information systems, due to physical security failures
• Percentage (%) of employees who signed acknowledgement that they have read and understood rules of behavior, before being authorized access to the information system

Source: NIST SP 800-80 Guide for Developing Performance Metrics for Information Security (draft) http://csrc.nist.gov/publications/drafts/draft-sp800-80-ipd.pdf
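The following is an added worked example (not part of the slides, the draft standard or NIST SP 800-80) of one of the metrics above, "percentage of accounts not associated with specific users", written in the pre-defined measure structure the ISO/IEC 27004 slide lists: name and code, purpose, calculation, scale, stakeholder, collection frequency and decision criteria. The measure code, the thresholds, the account export and the rule that disabled accounts are left out of the population are all assumptions made for the illustration.

```python
"""Worked ISMS measure in the pre-defined structure the slides attribute to
ISO/IEC 27004: name and code, purpose, calculation, scale, stakeholder,
life cycle and decision criteria.

Added example: the measure definition, the account records and the decision
thresholds are constructed for illustration and are not taken from the
standard or from NIST SP 800-80.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Account:
    """Constructed account record, as a directory export would provide it."""
    username: str
    owner: Optional[str]   # None when no specific person is associated
    enabled: bool


@dataclass
class Measure:
    """One ISMS measure following the slide's structure."""
    code: str                                    # Measure name and code
    name: str
    purpose: str                                 # Purpose of measure
    scale: str                                   # Nominal, Ordinal, Interval or Ratio
    owner: str                                   # Stakeholders (only the owner is modelled)
    collection_frequency: str                    # Life cycle: frequency of collection
    calculate: Callable[[List[Account]], float]  # Measurement calculation details
    # Decision criteria: (exclusive upper bound, rating), checked in order
    decision_criteria: List[Tuple[float, str]] = field(default_factory=list)

    def evaluate(self, records: List[Account]) -> Tuple[float, str]:
        """Return the measured value and the rating the decision criteria give it."""
        value = round(self.calculate(records), 1)
        for bound, rating in self.decision_criteria:
            if value < bound:
                return value, rating
        return value, "unrated"


def pct_unassociated_accounts(accounts: List[Account]) -> float:
    """Calculation for 'percentage of accounts not associated with specific users'.

    Disabled accounts are excluded from the population (an assumption made here,
    so a decommissioned account kept for the audit trail does not skew the figure).
    """
    active = [a for a in accounts if a.enabled]
    if not active:
        return 0.0
    orphaned = [a for a in active if a.owner is None]
    return 100.0 * len(orphaned) / len(active)


UNASSOCIATED_ACCOUNTS = Measure(
    code="AC-01",   # assumed code
    name="Percentage of accounts not associated with specific users",
    purpose="Detect shared or orphaned accounts that defeat accountability",
    scale="Ratio",
    owner="Security manager",
    collection_frequency="monthly",
    calculate=pct_unassociated_accounts,
    decision_criteria=[(2.0, "green"), (10.0, "amber"), (float("inf"), "red")],
)

# Constructed sample export: six enabled accounts, two of them without an owner.
SAMPLE_ACCOUNTS = [
    Account("jdoe", "John Doe", True),
    Account("asmith", "Anna Smith", True),
    Account("svc_backup", None, True),
    Account("admin", None, True),
    Account("old_temp", None, False),   # disabled: excluded from the population
    Account("mnovak", "Marie Novak", True),
    Account("pkral", "Petr Kral", True),
]


def report(measure: Measure, records: List[Account]) -> str:
    """Render the measure as a reviewer would see it in the ISMS records."""
    value, rating = measure.evaluate(records)
    return (f"{measure.code} {measure.name}: {value}% "
            f"[{rating}] (owner: {measure.owner}, collected {measure.collection_frequency})")


if __name__ == "__main__":
    print(report(UNASSOCIATED_ACCOUNTS, SAMPLE_ACCOUNTS))
```

The decision criteria are what turn a number into an ISMS record that management can act on: the same 33.3 % would be meaningless without the agreed green/amber/red bands, and changing the population rule (for example counting disabled accounts) changes the value, which is why the calculation details belong in the measure definition itself.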

Risk management

ISO/IEC 27005 – Information Security Risk Management
• Based on ISO/IEC TR 13335-3
  • A lot of text, in which the essential part is a bit hidden
  • BS 7799-3 as the pragmatic approach
• The concept interprets the risk assessment and treatment requirements of ISO/IEC 27001
• Wide catalogues of threats and vulnerabilities
• Harmonization with general risk management rules (upcoming standard ISO/IEC 25700 – Risk management)
• Publishing planned at the end of 2007
  • ISO/IEC TR 13335 – parts 3 and 4 will be withdrawn

Information Security Risk Management

BS 7799-3:2006 – Guidelines for Information Security Risk Management
• Risk assessment
  • Asset identification
  • Legal, regulatory and contractual requirements
  • Asset valuation
  • Identification and assessment of threats and vulnerabilities
  • Risk calculation and evaluation
  • Risk assessor
• Risk treatment and management decision-making
  • Decision-making
  • Risk treatment (reduce/accept/avoid/transfer risks)
  • Residual risk
• Ongoing risk management activities
  • Maintenance and monitoring

http://www.bsi-global.com/ICT/Security/bs7799-3.xalter
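As an added example, not taken from BS 7799-3 or ISO/IEC 27005, the script below carries the risk assessment and treatment steps listed above through a small constructed asset register: asset valuation with a legal/contractual floor, threat likelihood and vulnerability scores, risk calculation, evaluation against a management-set acceptance level, the reduce/accept/avoid/transfer decision and the residual risk. The 1 to 5 scale, the multiplicative formula, the acceptance level of 30 and the controls are assumptions chosen for the illustration, not prescribed by either standard.

```python
"""Worked risk assessment and treatment following the BS 7799-3 steps listed
on the slide: asset valuation, threat/vulnerability assessment, risk
calculation, evaluation against an acceptance level, treatment decision and
residual risk.

Added example: the 1..5 scoring scale, the acceptance level of 30, the
controls and the asset register are constructed assumptions; none of them
comes from BS 7799-3 or ISO/IEC 27005.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

RISK_ACCEPTANCE = 30   # assumed management decision: risk <= 30 is acceptable


@dataclass(frozen=True)
class Asset:
    name: str
    value: int               # asset valuation 1..5 (business impact of loss)
    legal_requirement: bool  # legal, regulatory or contractual duty attached


@dataclass(frozen=True)
class Scenario:
    asset: Asset
    threat: str
    likelihood: int          # threat likelihood 1..5
    vulnerability: int       # ease of exploitation 1..5


@dataclass(frozen=True)
class Control:
    name: str
    less_likelihood: int = 0     # points removed from likelihood
    less_vulnerability: int = 0  # points removed from vulnerability


def risk_score(s: Scenario) -> int:
    """Risk calculation: value x likelihood x vulnerability.

    An asset under a legal duty is never valued below 3 (assumption: the
    contractual/regulatory exposure sets a floor on the impact).
    """
    value = max(s.asset.value, 3) if s.asset.legal_requirement else s.asset.value
    return value * s.likelihood * s.vulnerability


def apply_control(s: Scenario, c: Control) -> Scenario:
    """Residual scenario after the control; scores never drop below 1."""
    return Scenario(s.asset, s.threat,
                    max(1, s.likelihood - c.less_likelihood),
                    max(1, s.vulnerability - c.less_vulnerability))


def treat(s: Scenario, candidate: Optional[Control]) -> Dict[str, object]:
    """Treatment decision: accept, reduce with a control, or avoid/transfer."""
    initial = risk_score(s)
    result: Dict[str, object] = {"asset": s.asset.name, "threat": s.threat, "initial": initial}
    if initial <= RISK_ACCEPTANCE:
        result.update(treatment="accept", residual=initial)
    elif candidate is None:
        result.update(treatment="avoid or transfer (no reducing control)", residual=initial)
    else:
        residual = risk_score(apply_control(s, candidate))
        if residual <= RISK_ACCEPTANCE:
            result.update(treatment=f"reduce: {candidate.name}", residual=residual)
        else:
            result.update(treatment=f"reduce: {candidate.name}; still above acceptance, "
                                    "avoid or transfer", residual=residual)
    return result


# Constructed asset register: one threat scenario and one candidate control each.
CUSTOMER_DB = Asset("customer database", 5, True)
WEBSITE = Asset("public website", 2, False)
TAPES = Asset("backup tapes", 4, True)
MAINFRAME = Asset("legacy mainframe", 5, False)

REGISTER = [
    (Scenario(CUSTOMER_DB, "disclosure by external attacker", 3, 4),
     Control("patching and hardening", less_vulnerability=2)),
    (Scenario(WEBSITE, "defacement", 4, 3),
     Control("web application firewall", less_vulnerability=1)),
    (Scenario(TAPES, "loss in transit", 2, 5),
     Control("tape encryption", less_vulnerability=4)),
    (Scenario(MAINFRAME, "hardware failure without spares", 3, 3), None),
]


def assess_register(register=REGISTER) -> List[Dict[str, object]]:
    """Risk assessment over the whole register; the rows feed the statement of applicability."""
    return [treat(s, c) for s, c in register]


if __name__ == "__main__":
    for row in assess_register():
        print(f"{row['asset']:<18} {row['threat']:<34} {row['initial']:>3} -> "
              f"{row['residual']:>3}  {row['treatment']}")
```

Two points the table makes visible: the website risk is accepted without spending on the candidate control because it is already under the acceptance level, and the mainframe row ends in "avoid or transfer" only because no reducing control exists, which is exactly the case the management decision-making step is there to settle.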

ISMS certification rules

ISO/IEC 27006 – Requirements for the accreditation of bodies providing certification of information security management systems
• Hot issue
  • The previous rules, EA-7/03, follow BS 7799-2:1999, which was not based on the PDCA model
• Close relationship with the new compliance rules ISO/IEC 17021:2006
  • Certification body requirements
  • Certification audit requirements
  • Certification auditor requirements
• ISMS audit recommendations
• Published February 2007

Management of ICT security (ISO/IEC 13335 future)

ISO/IEC 13335 – Management of Information and Communications Technology Security (MICTS)
• Part 1: Concepts and models for information and communications technology security management (2004)
  • Merge of parts 1 and 2 of the previous ISO/IEC TR 13335
    • Part 1: Concepts and models for IT Security
    • Part 2: Managing and planning IT Security
  • It will be withdrawn by the publishing of ISO/IEC 27000

ISO/IEC TR 13335 – Guidelines for the management of IT Security (GMITS)
• Part 3: Techniques for the management of IT Security (1998)
• Part 4: Selection of safeguards (2000)
  • Previously planned as a revision of ISO/IEC 13335-2
  • As ISO/IEC 27005 a member of the ISO/IEC 27000 family
  • They will be withdrawn by the publishing of ISO/IEC 27005
• Part 5: Management guidance on network security (2001)
  • Covered by ISO/IEC 18028 – IT Network security

BSI (British Standards Institution) Guidelines

• BIP 0071 – Guidelines on requirements and preparation for ISMS certification based on ISO/IEC 27001
• BIP 0072 – Are you ready for an ISMS audit based on ISO/IEC 27001:2005?
• BIP 0073 – Guide to the implementation and auditing of ISMS controls based on ISO/IEC 27001
• BIP 0074 – Measuring the effectiveness of your ISMS implementations based on ISO/IEC 27001

http://www.bsi-global.com/ICT/Security/index.xalter

ISMS for industrial branches

• ISO TR 13569:2005 – Information Security Guidelines for Financial Services
• ISO 27799 – Security Management in Health Using ISO/IEC 17799
• ISO/IEC 27031 – Security management guidelines for telecommunications (ISMS-T X.1051)
• Considered projects
  • ISMS for lotteries
  • ISMS for transportation
  • ISMS for automotive industry
  • ISMS for small and medium business

Financial services security

ISO TR 13569:2005 – Financial Services – Information Security Guidelines
• Corporate information security policy
• Management of information security – Security programme
• Organization for information security
• Risk analysis and assessment
• Security controls implementation and selection
• IT systems controls
• Implementation of specific controls (financial cards, cheques, electronic money, ...)
• Miscellaneous
• Follow-up safeguards
• Incident handling
• Focused on financial specifics + useful examples
• Guidelines are not fully compliant with the ISO/IEC 27000 family

ISMS in health

ISO 27799 – Security Management in Health Using ISO/IEC 17799
• Specific requirements for ISMS in the health industry
  • ISO/IEC 27001 – interpretation of ISMS requirements
  • ISO/IEC 17799 – details for security controls (if necessary)
• The general ISMS is strictly followed
• It is a pity that the number of ISO/IEC 17799 is changing

Work programme for WG2: Cryptography and Security Mechanisms (1)

• ISO/IEC 7064 Data processing – Check character systems
  • Published 2003
• ISO/IEC 9796 Digital signature schemes giving message recovery
  • 3 parts published 2002 – 2006, under revision
• ISO/IEC 9797 Message authentication codes (MACs)
  • 2 parts published 1999 – 2002, under revision, 3rd part is upcoming
• ISO/IEC 9798 Entity authentication
  • 6 parts published 1997 – 2005
• ISO/IEC 10116 Modes of operation for an n-bit block cipher algorithm
  • Published 2006
• ISO/IEC 10118 Hash-functions
  • 4 parts published 1998 – 2004 (2006), under revision
• ISO/IEC 11770 Key management
  • 4 parts published 1996 – 2006, under revision

Work programme for WG2: Cryptography and Security Mechanisms (2)

• ISO/IEC 13888 Non-repudiation
  • 3 parts published 1997 – 2004, under revision
• ISO/IEC 14888 Digital signatures with appendix
  • 3 parts published 1998 – 2006, under revision
• ISO/IEC 15946 Cryptographic techniques based on elliptic curves
  • 4 parts published 2002 – 2004, under revision
• ISO/IEC 18031 Random bit generation
  • Published 2005
• ISO/IEC 18032 Prime number generation
  • Published 2005
• ISO/IEC 18033 Encryption algorithms
  • 4 parts published in 2005 – 2006
• ISO/IEC 19772 Data encapsulation mechanisms
  • Upcoming

Work programme for WG3: Security Evaluation and Assessment

Common criteria etc.
• ISO/IEC 15408:2005 Evaluation criteria for IT Security
• ISO/IEC 18045:2005 Methodology for IT security evaluation
• ISO/IEC TR 19791:2006 Security assessment of operational systems
• ISO/IEC 15292:2003 Protection profile registration procedures
• ISO/IEC TR 15446:2004 Guide on the production of protection profiles and security targets
• ISO/IEC 19790:2006 Security requirements for cryptographic modules
• ISO/IEC 24759 Test requirements for cryptographic modules
• ISO/IEC 21827:2003 Systems Security Engineering – Capability Maturity Model (SSE-CMM)
• ISO/IEC 15443 A framework for IT security assurance

Common criteria and their progress

• ISO/IEC 15408 – Evaluation criteria for IT security
  • Part 1: Introduction and general model
  • Part 2: Security functional requirements
  • Part 3: Security assurance requirements
• ISO/IEC 18045 – Methodology for IT security evaluation
• ISO/IEC 15446 – Guide for the production of protection profiles and security targets
• Common criteria are a general framework
  • Trend to simplify the work of evaluators without reduction of evaluation quality

Operational system assessment

ISO/IEC TR 19791:2006 – Security assessment of operational systems
• Enlargement of the evaluation scheme based on the „Common criteria“ (ISO/IEC 15408) with implementation and operation security aspects
• New groups of requirements
  • System protection profile (SPP)
  • System security target (SST)

Operation security requirements

Seven new classes for operation security functions
• FOD – Administration
  • Security policy, management forum, management review, personnel roles and responsibilities, risk management, incident management, service agreements
• FOS – IT Systems
  • Security requirements, change control, malicious code control, development and operational environment, network security, monitoring, records
• FOA – User Assets
  • User assets management, roles and responsibilities, privacy
• FOB – Business
  • Business impact analysis, fault isolation, business continuity plans, intellectual property
• FOP – Facility and Equipment
  • Equipment, facilities and premises within the operational system
• FOT – Third party
  • Security operational control requirements for third parties
• FOM – Management
  • Management of operational controls (security parameters, classification of assets, security responsibilities, reporting of security incidents)

Nine new classes for operation security assurance

Security CMM®

ISO/IEC 21827 – Systems Security Engineering – Capability Maturity Model (SSE-CMM®)
• Capability model for security
• Advantage: more levels to compare security enforcement
• Not fully compliant with ISMS (ISO/IEC 27001)

SSE-CMM® process structure

Security Base Practices
• PA01 Administer Security Controls
• PA02 Assess Impact
• PA03 Assess Security Risk
• PA04 Assess Threat
• PA05 Assess Vulnerability
• PA06 Build Assurance Argument
• PA07 Coordinate Security
• PA08 Monitor Security Posture
• PA09 Provide Security Input
• PA10 Specify Security Needs
• PA11 Verify and Validate Security

Project and Organizational Base Practices
• PA12 – PA22: Ensure quality, manage configurations, manage project, manage product line evolution, coordinate with suppliers, …
• Harmonized with software life cycle rules
  • ISO/IEC 15504 – Process assessment
  • ISO/IEC 15288 – System life cycle processes

Cryptographic modules security

ISO/IEC 19790:2006 – Security requirements for cryptographic modules
• International version of FIPS 140-2
• Security requirements in 4 levels
• Security testing of cryptographic modules outside the US
• Evaluation methodology defined as ISO/IEC 24759 – Test requirements for cryptographic modules
• It is expected that FIPS 140-3 will be incorporated into the next revision

Security features
• Cryptographic module specification
• Cryptographic module ports and interfaces
• Roles, services, and authentication
• Finite state model
• Physical security
• Operational environment
• Cryptographic key management
• Self-tests
• Design assurance
• Mitigation of other attacks

IT Security assurance

ISO/IEC TR 15443 – A framework for IT security assurance

Some studied methods

• ISO/IEC 12207 – Software Life Cycle Processes
• ISO/IEC 14598 – Software product evaluation
• ISO/IEC 15288 – System Life Cycle Processes
• ISO/IEC 15504 – Software Process Assessment
• ISO/IEC 13335 – Management of information and communications technology security (MICTS)
• ISO/IEC 15408 – Evaluation criteria for IT security
• ISO/IEC 17799 – Code of practice for information security management
• BS 7799-2 – Information security management systems – Specification with guidance for use
• ISO/IEC 21827 – Systems Security Engineering – Capability Maturity Model (SSE-CMM®)
• CMM – Capability Maturity Model (for Software)
• SA-CMM – Software Acquisition Capability Maturity Model
• SE-CMM – Systems Engineering Capability Maturity Model
• CMMI – Capability Maturity Model Integration
• TSDM – Trusted Software Development Methodology
• IT Baseline Protection Manual
• Penetration Testing
• Personnel Assurance – e.g. CISA, CISM, CISSP, CPP
• Rational Unified Process (RUP)
• CobiT – Control Objectives for Information and related Technology

Work programme for WG4: Security Controls and Services

• ISO/IEC 14516 Guidelines on the use and management of Trusted Third Party services
• ISO/IEC 15945 Specification of TTP services to support the application of digital signatures
• ISO/IEC 18014 Time stamping services and protocols
• ISO/IEC 24762 Guidelines for information and communications technology disaster recovery services
• ISO/IEC 18028 IT network security
• ISO/IEC 15947 IT intrusion detection framework
• ISO/IEC 18043:2006 Guidelines for the selection, deployment and operations of Intrusion Detection Systems (IDS)
• ISO/IEC TR 18044:2004 Information security incident management

ISO/IEC 18028 – IT network security

• ISO/IEC 18028-1:2006 Part 1: Network security management
• ISO/IEC 18028-2:2006 Part 2: Network security architecture
• ISO/IEC 18028-3:2005 Part 3: Securing communications between networks using security gateways
• ISO/IEC 18028-4:2004 Part 4: Securing remote access
• ISO/IEC 18028-5:2005 Part 5: Securing communications across networks using virtual private networks

Network security management

ISO/IEC 18028-1:2006 – IT network security Part 1: Network security management
• Use of the PDCA Model (Plan – Do – Check – Act)
• Harmonized with general approaches to information security management
• Security controls harmonized with ISO/IEC 27002 (ISO/IEC 17799)
• Security risks and controls for different types of networks
  • Local Area Networking
  • Wide Area Networking
  • Wireless Networks
  • Radio Networks
  • Broadband Networking
  • IP Convergence (data, voice, video)

Concept of network security management

(Figure)

Appropriate Potential Control Areas

• Network Security Architecture (ISO/IEC 18028-2)
• Secure Service Management Framework
• Network Security Management
• Technical Vulnerability Management (ISO/IEC 17799:12.6)
• Identification and Authentication (ISO/IEC 17799:11.4)
• Network Audit Logging and Monitoring (ISO/IEC 17799:10.10)
• Intrusion Detection (ISO/IEC 17799:13)
• Protection against Malicious Code (ISO/IEC 17799:10.4)
• Common Infrastructure Cryptographic Based Services (ISO/IEC 17799:12.3)
• Business Continuity Management (ISO/IEC 17799:14)

Three views on the reference architecture

ISO/IEC 18028-2:2006 – IT network security Part 2: Network security architecture
• Security Dimension
  • Grouping of security measures that are used to implement particular aspects of network security
• Security Layer
  • Hierarchy of network equipment and facility groupings
• Security Plane
  • Certain type of network activity protected by the mechanisms

Security Dimension

• Access Control
  • Authorization for the use of the network resources
• Authentication
  • Confirmation of identities or other authorizing attributes of communicating entities
• Non-repudiation
  • Technical means for preventing an individual or entity from denying having performed a particular action
• Data Confidentiality
  • Protection of data from unauthorized disclosure
• Communication Flow
  • Ensuring that information flows only between the authorized end points
• Data Integrity
  • Ensuring correctness or accuracy
• Availability
  • Ensuring that there is no denial of authorized access to network elements, stored information, information flows, services and applications due to events impacting the network
• Privacy
  • Protection of any information that might be derived from the observation of network activities

Security layers

• Application Security Layer
  • Security of the network-based applications accessed by customers (web, e-mail, ASP, ...)
• Service Security Layer
  • Security of services that Service Providers provide to their customers (from basic transport and connectivity to service enablers)
• Infrastructure Security Layer
  • Network transmission facilities as well as individual network elements (routers, switches, servers, communication links, ...)

Security plane

• End-user Security Plane
  • Security of access and use of the Service Provider's network by customers
• Control Security Plane
  • Protection of the activities that enable the efficient delivery of information, services and applications across the network
• Management Security Plane
  • Protection of Operations, Administration, Maintenance and Provisioning (OAM&P) functions of the network elements, transmission facilities, back-office systems (Operations Support Systems, Business Support Systems, Customer Care Systems, etc.) and Data Centres

Reference architecture for network security

(Figure)

Network security policy (example)

• Introduction
• Starting points
• Terms and definitions
• Security goals
• Network security areas
  • Application services security
  • Communication services security
  • Infrastructure security
  • Network security control
  • Network security management
• Applied controls
• Policy updating

Using security gateways

ISO/IEC 18028-3:2005 – Part 3: Securing communications between networks using security gateways

Techniques
• Packet filtering
• Stateful packet inspection
• Application proxy
• Network Address Translation (NAT)
• Content analyzing and filtering

Security Gateway Architectures
• Packet filter firewall
• Dual-homed gateway
• Screened host
• Screened subnet

Selection and configuration
• Selection of a security gateway architecture and appropriate components
• Hardware and software platform
• Configuration
• Security features and settings
• Administration
• Logging
• Documentation
• Audit
• Training and education
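To show the difference between the first two gateway techniques listed above, the following added example (not code from ISO/IEC 18028-3 or from the presentation) simulates a plain packet filter and a stateful packet inspector on the same constructed traffic. The policy, the internal address prefix, the connection-table design and the five sample packets are all assumptions made for the illustration; the point a gateway selection should take from it is why a stateless "looks established" rule and a tracked connection table give different answers to the same inbound segment.

```python
"""Packet filtering versus stateful packet inspection, the first two gateway
techniques listed for ISO/IEC 18028-3, simulated on constructed traffic.

Added example: the rule set, the connection tracker and the sample packets are
constructed for illustration and are not taken from the standard.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

INTERNAL_PREFIX = "10.0.0."   # assumed internal network behind the gateway


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]      # TCP flags present, e.g. {"SYN"} or {"SYN", "ACK"}

    @property
    def outbound(self) -> bool:
        return self.src.startswith(INTERNAL_PREFIX)


def stateless_filter(p: Packet) -> bool:
    """Plain packet filter: decides on the header fields of each packet alone.

    Assumed policy: internal hosts may open HTTPS to the outside; inbound
    segments are allowed when they look like part of an established
    connection (ACK flag set), because the filter has no memory of what was
    opened. Everything else is denied.
    """
    if p.outbound and p.dport == 443:
        return True
    if not p.outbound and "ACK" in p.flags:
        return True
    return False


class StatefulInspector:
    """Stateful packet inspection: inbound is allowed only as the reply to a
    connection this gateway saw an internal host open."""

    def __init__(self) -> None:
        # (internal ip, internal port, external ip, external port)
        self.connections: Set[Tuple[str, int, str, int]] = set()

    def filter(self, p: Packet) -> bool:
        if p.outbound:
            if p.dport != 443:
                return False
            if "SYN" in p.flags and "ACK" not in p.flags:   # new connection
                self.connections.add((p.src, p.sport, p.dst, p.dport))
            return (p.src, p.sport, p.dst, p.dport) in self.connections
        # Inbound: must match the reverse of a tracked connection
        return (p.dst, p.dport, p.src, p.sport) in self.connections


# Constructed traffic, in arrival order.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, frozenset({"SYN"})),         # client opens HTTPS
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, frozenset({"SYN", "ACK"})),  # legitimate reply
    Packet("198.51.100.7", 4444, "10.0.0.5", 3389, frozenset({"ACK"})),         # unsolicited, ACK set
    Packet("198.51.100.7", 1234, "10.0.0.5", 22, frozenset({"SYN"})),           # unsolicited SYN
    Packet("10.0.0.5", 51001, "203.0.113.10", 80, frozenset({"SYN"})),          # not HTTPS: denied by policy
]


def run_stateless(traffic: List[Packet] = SAMPLE_TRAFFIC) -> List[bool]:
    """Verdict per packet from the plain packet filter."""
    return [stateless_filter(p) for p in traffic]


def run_stateful(traffic: List[Packet] = SAMPLE_TRAFFIC) -> List[bool]:
    """Verdict per packet from a fresh stateful inspector."""
    inspector = StatefulInspector()        # fresh connection table per run
    return [inspector.filter(p) for p in traffic]


if __name__ == "__main__":
    for p, a, b in zip(SAMPLE_TRAFFIC, run_stateless(), run_stateful()):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)}  "
              f"stateless={'allow' if a else 'deny'}  stateful={'allow' if b else 'deny'}")
```

The third packet is the one to watch in the output: the stateless filter admits it because the ACK flag alone satisfies its "established" rule, while the stateful inspector denies it because no internal host ever opened a connection to that peer. That is the logging and audit point the selection-and-configuration list above asks for: a gateway's verdict should be explainable from state it actually holds, not from a flag the sender controls.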

Remote access security

ISO/IEC 18028-4:2004 – Part 4: Securing remote access
• Information on the various types and techniques of remote access; helps the intended audience to identify adequate measures to protect remote access against identified threats
• Includes wireless access
• Security policy example

Virtual private networks

ISO/IEC 18028-5:2005 – Part 5: Securing communications across networks using Virtual Private Networks
• VPN security objectives and requirements
• Guidelines for the selection of secure VPNs
• Guidelines for the implementation of secure VPNs
• Technologies and protocols used to implement VPNs
  • Layer 2, layer 3, upper layers
  • FR, ATM, MPLS, PPP, L2F, L2TP, IPsec, SSL, SSH (Secure Shell)

Intrusion detection systems

ISO/IEC 18043:2006 – Selection, deployment and operations of intrusion detection systems
• IDS Selection
  • Information Security Risk Assessment
  • Host or Network IDS
  • Considerations
  • Tools that complement IDS (SIM, …)
  • Scalability
  • Technical support
  • Training
• IDS Deployment
  • Advantages/disadvantages of different IDS types
• IDS Operations
  • IDS Tuning
  • IDS Vulnerabilities
  • Handling IDS Alerts
  • Response Options
  • Legal Considerations

Security incident management

ISO/IEC TR 18044:2004 – Information Security Incident Management
• Plan – ISIRT Plan and Prepare
  • Information Security Incident Management Policy, Scheme and Policies
  • Establishment of an Information Security Incident Response Team (ISIRT)
  • Awareness and Training
• Do – ISIRT Use
  • Detection and Reporting
  • Event/Incident Assessment and Decision
  • Responses
• Check – ISIRT Review
  • Further Forensic Analysis
  • Lessons Learnt
  • Identification of Security and/or Scheme Improvements
• Act – ISIRT Improve
  • Make Security Improvements
  • Security Risk Analysis and Management Improvement
  • Make Scheme Improvements

Home network security

ISO/IEC 24767 – Home Network Security

   Secure interconnection of electronic equipments in home networks • Part 1: Security Requirements and Internal Security Services: Secure Communication Middleware Protocol • Part 2: External security service Prepared by sub-commission JTC1/SC25 Published during 2007


Business continuity management (BCM)


• Complexity of BCM is similar to ISMS
• Two/three independent activities related to BCM
  • British Standards Institution is preparing a new standard BS 25999
    • Part 1: Code of practice (published 2006)
    • Part 2: Specification (in development)
  • JTC 1/SC 27 is working on a new standard ISO/IEC 24762 – Guidelines for information and communications technology disaster recovery services
    • Based on Singapore standard SS 507 for Business Continuity/Disaster Recovery (BC/DR) Service Providers
  • JTC 1/SC 27 is waiting for BCM project approval


Business continuity management (BCM)

• Code of practice – BS 25999-1:2006
  • BCM policy
  • BCM programme management
  • Understanding the organization
  • Determining business continuity strategy
  • Developing and implementing a BCM response
  • Exercising, maintaining and reviewing BCM arrangements
  • Embedding BCM in the organization’s culture
• BCM Specification will be published as BS 25999-2 during 2007
  • BS 25999 replaces PAS 56:2003


Work programme for WG5: Privacy, Identity and Biometric Security

• ISO/IEC 15816 – Security information objects for access control
• ISO/IEC 19792 – A framework for security evaluation and testing of biometric technologies
• ISO/IEC 24760 – A framework for identity management
• ISO/IEC 24745 – Biometric template protection
• ISO/IEC 29100 – A privacy framework
• ISO/IEC 29101 – A privacy reference architecture
• ISO/IEC 24761 – Authentication context for biometrics


• ISO/IEC 29115 – Authentication assurance

Summary of JTC 1/SC 27 work

• Systematic progress and standard harmonization
• Pragmatic approach to standard development using best practice
• PDCA Model as basic part for process definition
• Standardization future
  • Security management for small and medium business
  • Privacy
  • Controls for security control failure
  • PDCA Cycle feedback
    • Monitoring and checking
    • ISMS Auditing
    • Continual improvement

Source: http://isotc.iso.org/livelink/livelink?func=ll&objId=327974&objAction=browse&sort=name


Security related management systems

• Software engineering rules
  • Quality management and software life cycle
  • IT Service management
• High influence on risks in IT environment
  • Important security improvements


Quality management (QMS)

• Quality – ability of products/services to satisfy defined and expected requirements
• QMS is a well-known and generally accepted management system
  • Tool for communication with other departments and end-users
  • Basic requirements on resource, document and record management etc.
• Primary aim for information technology management
  • ISO/IEC 90003 – Guidelines for the application of ISO 9001:2000 to computer software

Figure: ISO/IEC 90003 process model – Quality management system; Management responsibility; Resource management; Product realization; Measurement, analysis and improvements

Source: ISO Focus, February 2005

Concept of software engineering

• ISO 9001:2000 – Quality management
• ISO/IEC 90003:2004 – Software quality management
• Related software engineering standards
  • ISO/IEC 15504 – Process assessment
  • ISO/IEC 9126 – Product quality
  • ISO/IEC 14143 – Functional size measurement
  • ISO/IEC 16326 – Project management
  • ISO/IEC 15846 / ISO 10007 – Configuration management
  • ISO/IEC 12207 – Software life cycle processes
  • ISO/IEC 14102 – Evaluation and selection of CASE tools
  • ISO/IEC 15026 – System and software integrity levels
  • ISO/IEC 14598 – Software product evaluation
  • ISO/IEC 15910 – Software user documentation process
  • ISO/IEC 15939 – Software measurement process
  • ISO/IEC 14764 – Software maintenance

Source: ISO Focus, February 2005


IT Service management (ITSM)

• IT Service – a described set of facilities, IT and non-IT, supported by the IT service provider, that fulfils one or more needs of the Customer and that is perceived by the Customer as a coherent whole
• ITSM definition
  • Specification – ISO/IEC 20000-1:2005 (BS 15000-1)
  • Code of practice – ISO/IEC 20000-2:2005 (BS 15000-2)
• Other resources
  • ITIL – IT Infrastructure Library (nowadays version 2) (detailed explanation of ISO/IEC 20000 processes)
  • ITIL version 3 will be released in May 2007
  • Some ITIL derivations – IBM, HP, Microsoft, Sun, …
    • Microsoft Operations Framework http://www.microsoft.com/mof
  • IT Service Management Forum Czech Republic http://www.itsmf.cz


ISO/IEC 20000 Overview

• International standard for IT service management
  • Part 1: Specification
  • Part 2: Code of practice
• ISO/IEC 20000 is based on BS 15000
  • Just small changes and improvements
  • Based on PDCA Model
  • Using ITIL best practice
• Published as ISO in December 2005
  • Czech version of part 1 published in October 2006
  • Part 2 will be published during 2007


ISO/IEC 20000 and ITIL relationship

• ISO/IEC 20000 – International standard
  • Part 1: Specification (16 pages)
  • Part 2: Code of practice (34 pages)
• BSI – Interpretations and recommendations
  • BIP 0005 – A Manager's Guide to Service Management
  • BIP 0015 – IT Service Management. Self-assessment workbook (72 pages)
  • BIP 0030 – BIP 0039 Publications
• ITIL – Detailed explanation of processes
  • Service support (~ 300 pages)
  • Service delivery (~ 350 pages)
  • Business perspective (~ 180 pages)

Figure: layering of ISO/IEC 20000, BIP 0005 / BIP 0015 and ITIL


IT service management processes

Figure: ISO/IEC 20000 service management processes

• Planning and implementing new or changed services
• Service Delivery Processes
  • Capacity Management
  • Service Level Management
  • Information Security Management
  • Service Continuity and Availability Management
  • Service Reporting
  • Budgeting and Accounting for IT services
• Control Processes
  • Configuration Management
  • Change Management
• Release Process
  • Release Management
• Resolution Processes
  • Incident Management
  • Problem Management
• Relationship Processes
  • Business Relationship Management
  • Supplier Management

Source: ISO/IEC 20000


ISO/IEC 20000 Processes (1)

Service delivery processes

• Service level management
  Objective: To define, agree, record and manage levels of service
• Service reporting
  Objective: To produce agreed, timely, reliable, accurate reports for informed decision making and effective communication
• Service continuity and availability management
  Objective: To ensure that agreed service continuity and availability commitments to customers can be met in all circumstances
• Budgeting and accounting for IT services
  Objective: To budget and account for the cost of service provision
• Capacity management
  Objective: To ensure that the service provider has, at all times, sufficient capacity to meet the current and future agreed demands of the customer’s business needs
• Information security management
  Objective: To manage information security effectively within all service activities


Source: ISO/IEC 20000

ISO/IEC 20000 Processes (2)


Relationship processes

• Business relationship management
  Objective: To establish and maintain a good relationship between the service provider and the customer based on understanding the customer and their business drivers
• Supplier management
  Objective: To manage suppliers to ensure the provision of seamless, quality services

Resolution processes

• Incident management
  Objective: To restore agreed service to the business as soon as possible or to respond to service requests
• Problem management
  Objective: To minimize disruption to the business by proactive identification and analysis of the cause of incidents and by managing problems to closure


Source: ISO/IEC 20000

ISO/IEC 20000 Processes (3)

Control processes

• Configuration management
  Objective: To define and control the components of the service and infrastructure and maintain accurate configuration information
• Change management
  Objective: To ensure all changes are assessed, approved, implemented and reviewed in a controlled manner

Release process

• Release management process
  Objective: To deliver, distribute and track one or more changes in a release into the live environment

Planning and implementing new services

• Planning and implementing new or changed services
  Objective: To ensure that new services and changes to services will be deliverable and manageable at the agreed cost and service quality


Source: ISO/IEC 20000

PDCA Model for IT service management

Figure: PDCA model for IT service management (source: ISO/IEC 20000 and Jenny Dugmore)

• Inputs: Business requirements; Customer requirements; Request for new/changed services; Other processes, e.g. business, supplier, customer; Service Desk; Other teams, e.g. security, IT operations
• Management responsibility
• PLAN – Plan service management
• DO – Implement service management
• Manage services
  • Service Delivery Processes: Capacity Management, Service Level Management, Information Security Management, Service Continuity and Availability Management, Service Reporting, Budgeting and Accounting for IT services
  • Control Processes: Configuration Management, Change Management
  • Release Process: Release Management
  • Resolution Processes: Incident Management, Problem Management
  • Relationship Processes: Business Relationship Management, Supplier Management
  • Planning and implementing new or changed services
• CHECK – Monitor, measure and review
• ACT – Continual improvement
• Outputs: Business results; Customer satisfaction; New/changed services; Other processes, e.g. business, supplier, customer; Team and people satisfaction

ISO/IEC 20000 Processes (4)

IT service management system processes

• Requirements for a management system
  Objective: To provide a management system, including policies and a framework to enable the effective management and implementation of all IT services
• Plan service management
  Objective: To plan the implementation and delivery of service management
• Implement service management and provide the services
  Objective: To implement the service management objectives and plan
• Monitoring, measuring and reviewing
  Objective: To monitor, measure and review that the service management
• Continual improvement
  Objective: To improve the effectiveness and efficiency of service delivery and management


Source: ISO/IEC 20000

BSI Publications related to ISO/IEC 20000

• BIP 0030 – Achieving ISO/IEC 20000: Management Decisions
• BIP 0031 – Achieving ISO/IEC 20000: Why People Matter
• BIP 0032 – Achieving ISO/IEC 20000: Making Metrics Work
• BIP 0033 – Achieving ISO/IEC 20000: Managing End-to-end Service
• BIP 0034 – Achieving ISO/IEC 20000: Finance for Service Managers
• BIP 0035 – Achieving ISO/IEC 20000: Enabling Change
• BIP 0036 – Achieving ISO/IEC 20000: Keeping the Service Going
• BIP 0037 – Achieving ISO/IEC 20000: Capacity Management
• BIP 0038 – Achieving ISO/IEC 20000: Integrated Service Management
• BIP 0039 – Achieving ISO/IEC 20000: The Differences Between BS 15000 and ISO/IEC 20000

Figure: layering of ISO/IEC 20000, BIP 0005 / BIP 0015 and ITIL

Source: http://www.bsi-global.com/ICT/Service/index.xalter


Conclusion

• It is always easier to copy than to start from the beginning
• ISO and ČNI standards are a good source for copying
  • A basic vision of what can be used, and how, is needed
• Copying also needs a high level of professionalism
• Thanks for your attention and good luck


[email protected]