
ISO 17799 Security Standard
How Will It Fit with Other Standards

Don Holden, CISSP-ISSMP


dholden@concordantinc.com
Concordant, Inc

January 2006
Agenda

- Do We Need a Security Standard?
- History of ISO 17799
- New and Improved 17799
- A Certification Standard – 27001
- Benefits of Certification
- Other Security Standards
- Is There a Map for this Maze?
- A New Framework
- Other Sources

Concordant, Inc. | www.concordantinc.com


Why Standardization
Security Visibility among Business Partners

Source: NIST Presentation
Desired End State

Source: NIST Presentation



History of ISO 17799

- Began in 1989 as “User Code of Practice” (UK’s DTI)
- Became BSI 7799 “Code of Practice for Information Security Management” in 1995
- Submitted to ISO but defeated
- Part 2 was added in 1998
- Revised in 1999 and Part 1 submitted to ISO for fast track approval
- Opposed by other large countries but passed in 2000 as ISO 17799:2000
ISO 17799:2005
New and Improved

- Additions
  - 17 new controls
  - 8 new control objectives
- Deletions – 9 controls deleted
- Improvements
  - Rewording for clarity
  - Reformatting
  - Relocating controls and text


ISO 17799
Reformatted Clauses

ISO 17799:2000 clause                 ISO 17799:2005 clause
Security Policy                       Security Policy
Security Organization                 Organizing Information Security
Asset Classification & Control        Asset Management
Personnel Security                    Human Resource Security
Physical & Environmental Security     Physical & Environmental Security
Communications & Operations Mgt       Communications & Operations Mgt
Access Control                        Access Control
Systems Development & Maintenance     IS Acquisitions, Development & Maintenance
(new in 2005)                         IS Incident Management
Business Continuity Management        Business Continuity Management
Compliance                            Compliance


ISO 17799 Improvements



IS Management Systems Certification

- There have been no “ISO 17799 certifications”.
  - ISO 17799 is a code of practice, with recommended controls, not a requirements specification.
  - Certifications have been done for Information Security Management Systems using BS 7799 Part 2.


ISO 27001:2005 ISMS - Requirements

- The Certification Standard
  - Based on BS 7799 Part 2 (2002)
  - Aligned with ISO 9001 and ISO 14001 (EMS)
- Concepts in 27001
  - All activities must follow a process (PDCA)
  - Must specify security goals
  - Controls based on risk analysis
  - Choice of offered controls
  - Continuous verification process
  - Continuous improvement process


ISO 27001
ISMS Process Model

Source: ISO 27001:2005



Components of 27001
4 Information security management system
  - 4.1 General requirements
  - 4.2 Establishing and managing the ISMS
    - 4.2.1 Establish the ISMS
    - 4.2.2 Implement and operate the ISMS
    - 4.2.3 Monitor and review the ISMS
    - 4.2.4 Maintain and improve the ISMS
  - 4.3 Documentation requirements
    - 4.3.1 General
    - 4.3.2 Control of documents
    - 4.3.3 Control of records
5 Management responsibility
  - 5.1 Management commitment
  - 5.2 Resource management
    - 5.2.1 Provision of resources
    - 5.2.2 Training, awareness and competence
6 Internal ISMS audits
7 Management review of the ISMS
  - 7.1 General
  - 7.2 Review input
  - 7.3 Review output
8 ISMS improvement
  - 8.1 Continual improvement


Why Certify to 27001

- Some Reasons for Certifying:
  - Meeting U.S. legislative requirements directly and indirectly
  - As part of a supplier management program
  - As a measure and independent evidence that industry best practices are being followed
  - To reduce insurance premiums
  - As part of a corporate governance program
  - May offer competitive advantage


ISO 27000 Series
What’s Next

- Provide guidance (not mandatory requirements) for 27001 processes (PDCA)
- Defining scopes for information security management systems
- Risk assessment
- Identification of assets
- Effectiveness of information security


Planned 27000 Series
ISMS Framework

- 27000 (P) Fundamentals and Vocabulary
- 27001:2005 Requirements – (PDCA)
- 27002 (P) Code of Practice (17799:2005)
- 27003 (P) Implementation Guidance – (PDCA)
- 27004 (D) IS Metrics and Measurements
- 27005 (D) Risk Management
  - Supports 27001 Certifications
  - Based upon BS 7799-3 ISMS Guidelines for Information Security Risk Management


ISMS Framework – 2700x

- Potential Standards
  - Monitoring and Review
  - Internal Auditing
  - Continual Improvement


ISO Subcommittee on Security
ISO/IEC JTC SC27



SC27 Working Group 1
- Management of ICT security (MICTS) Risk – ISO/IEC 13335
- Code of practice for information security management – ISO/IEC 17799
- IT Network security – ISO/IEC 18028
- Selection, deployment and operations of intrusion detection systems – ISO/IEC 18043
- Information security incident management – ISO/IEC 18044
- ISMS Requirements specification – ISO 27001
- ISMS Metrics and measurements – draft ISO 27004
  - Proposed inclusion of NIST 800-55
  - CISWG Best Practices and Metrics


SC27 Working Group 2
- Digital signature schemes giving message recovery – ISO/IEC 9796
- Message authentication codes – ISO/IEC 9797
- Entity authentication – ISO/IEC 9798
- Modes of operation for an n-bit block cipher algorithm – ISO/IEC 10116
- Hash-functions – ISO/IEC 10118
- Key management – ISO/IEC 11770
- Digital signatures with appendix – ISO/IEC 14888


SC27 Working Group 3
- Cryptographic techniques based on elliptic curves – ISO/IEC 15946
- Time stamping services – ISO/IEC 18014
- Random bit generation – ISO/IEC 18031
- Prime number generation – ISO/IEC 18032
- Encryption algorithms – ISO/IEC 18033
- Data encapsulation mechanisms – ISO/IEC 19772
- Biometric template protection – ISO/IEC 24745


Mapping the Maze

- Standards and guidelines that support ISO 17799


Mapping to 17799

Source: SC27 N4476, SC27/WG1 “WG1 Road Map”

Security Standards Framework

Source: SC27 Business Plan

Other ISO Security
TC 68 SC2 Banking Security

Source: ISO/IEC SC27

- Some Security Standards:
  - Message authentication
  - Digital Signatures
  - Encryption Techniques
  - Protection Profiles
  - Security guidelines
  - Biometrics


How does the U.S. Participate?

- InterNational Committee for Information Technology Standards (INCITS)
  - ANSI Technical Advisory Group for ISO/IEC JTC1
  - INCITS is sponsored by the Information Technology Industry Council (ITI)
  - Originally founded as Accredited Standards Committee X3
  - INCITS Cyber Security 1 (CS1) formed in April 2005 for security standards
  - CS1 working on a draft standard, “Implementation of Role-Based Access Controls”


Other Sources of Guidance

- NIST 800 Series Publications
- CISWG Best Practices and Metrics – Report to Congress
- PCI Data Security
- Technical Benchmarks
  - Center for Internet Security
  - NSA
  - NIST
  - Vendor Security Recommendations


What Concordant Does

- IT infrastructure services for regulated industries
- Security services
  - Secure & Compliant Assessment
  - Implementation/Remediation
  - Maintenance and Support


References

- “Frequently Asked Questions”, ATSEC. http://www.atsec.com/01/index.php?id=06-0101-01
- CISWG, Report of the Best Practices and Metrics Team. http://www.cisecurity.org/Documents/BPMetricsTeamReportFinal111704Rev11005.pdf
- INCITS CS1. www.ncits.org/tc_home/cs1.htm
- ISO/IEC 13335-1:2004, Management of information and communications technology security — Part 1: Concepts and models for managing and planning ICT security.
- ISO/IEC TR 13335-3:1998, Guidelines for the Management of IT Security — Part 3: Techniques for the management of IT security.
- ISO/IEC TR 13335-4:2000, Guidelines for the Management of IT Security — Part 4: Selection of Safeguards.
- ISO/IEC TR 18044:2004, Security techniques — Information Security Incident Management.
- NIST SP 800-30, Risk Management Guide for Information Technology Systems.
- Gamma Secure Systems Ltd. http://www.gammassl.co.uk/index.html
- NIST Presentation “New FISMA Standards & Guidelines”, Ross, Don; Katzke, S.
- OECD Guidelines for the Security of Information Systems and Networks — Towards a Culture of Security. Paris: OECD, July 2002. www.oecd.org