OWASP AppSec 2004 Presentation

ISO 17799 Project Review
OWASP
AppSec
June 2004 NYC
Stan Guzik, CISSP, MCP
Chief Technology Officer
Immediatech Corp.
ISO 17799 Project Lead
sguzik@immediatech.com
Copyright © 2004 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License.
The OWASP Foundation
http://www.owasp.org
What Will Be Covered?
- Background On The ISO 17799 Project
- What Is Information Security?
- Information Security Threats
- Developing Security Management Policies/Procedures
- What Is The ISO 17799?
- ISO 17799 OWASP Project Details
- Implementation Example
- Critical Success Factors
- OWASP Needs Your Feedback
- References
OWASP AppSec 2004
2
Background On The ISO 17799 Project
- OWASP Holistic Approach To Security
  - Top Ten
  - Guide
  - Testing
  - WebGoat
  - ISO 17799
- Challenges Of Today's Web Applications
  - Security – CIA
  - 24x7x365 uptime
  - Fast and easy to use
  - Integration with external systems
  - Fast SDLC due to market pressures
  - Bug free
  - Customers expect it at no/low cost
Background On The ISO 17799 Project
- Management Of Web Applications In Production
  - Traditional IT organizations are not familiar with web app security management
  - Auditors as head of IT (EDP)
  - Internet applications
  - 20-year-old policies/procedures do not apply
- Benefits Of Applying ISO 17799
  - Increased security
  - Increased uptime
  - ROI – Fighting Fires
  - Keep your job
What Is Information Security?
- Information Is An Asset – Value
- Information Protection – Ensure business continuity, minimize damage, meet legal requirements
- Information Forms – Electronic, paper, spoken, etc.
- Information Preservation
  - Confidentiality – Information is not disclosed to unauthorized subjects
  - Integrity – Accuracy and completeness of information; only modified by authorized subjects
  - Availability – Authorized subjects are granted access to information (SLA)
- Information Security Controls – Policies, procedures, practices, organizational structure, and HW/SW
Information Security Threats
- Viruses
- Hackers
- Espionage
- Sabotage
- Vandalism
- Fire
- Flood
- Employee With A Big Mouth (HR Info)
Information Security Threats
- Today Organizations Are More Vulnerable
  - Interconnected public and private networks
  - System complexities in achieving access controls
  - Lack of security-conscious developers – focus on functionality & performance
  - Shorter time to market
- Supplement Secure Applications With Appropriate Security Management Policies/Procedures
  - Secure applications running in an unsecured environment
  - Secure applications and a secured environment running with insecure operations
  - Etc.
Develop Security Management Policies/Procedures
- Legal, Regulatory, Contractual Requirements, Due Diligence
- Risk Assessment – Threats to Assets
  - Estimate the likelihood that a threat will occur and evaluate its impact on an asset
  - Quantitative Risk Assessment
    - Annual Loss Expectancy (ALE) – Yearly cost of all instances of a specific realized threat against a specific asset:
      ALE = ARO * SLE
    - Annual Rate of Occurrence (ARO) – Expected frequency that a specific threat or risk will occur (probability determination)
    - Single Loss Expectancy (SLE) – Cost associated with a single realized risk against a specific asset:
      SLE = Asset Value * EF
    - Exposure Factor (EF) – Loss potential of a specific asset from a realized risk
    - Example – DoS against a web application (input validation)
      Asset Value = $2,000,000
      EF = 20%
      SLE = $2,000,000 * 20% = $400,000
      ARO = 10%
      ALE = 10% * $400,000 = $40,000
Develop Security Management Policies/Procedures
- Qualitative Risk Assessment
  - Scenario/judgment based
  - Experience based …
- Risk Assessment Results
  - Determine the appropriate management actions
  - Set priorities for managing information security risk
  - Implement controls to protect against realized risk
Develop Security Management Policies/Procedures
- Select Appropriate Security Controls
  - Implement controls to ensure risks are reduced to an acceptable level.
  - Controls should be selected based on the cost of implementation in relation to the risk being reduced and the potential losses if a security breach occurs.
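The quantitative risk assessment (ALE = ARO * SLE, SLE = Asset Value * EF) and the control-selection rule above, carried through as an added worked example that is not part of the deck: it ranks a small risk register by ALE and scores a candidate control by the yearly loss it removes against its own yearly cost. The Risk class, the control_value helper, the two non-DoS register entries and the control figures (ARO cut to 2%, $5,000/year) are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    """One specific threat against one specific asset, in the deck's terms."""
    name: str
    asset_value: float  # dollars
    ef: float           # Exposure Factor: fraction of asset value lost per incident
    aro: float          # Annual Rate of Occurrence: expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy = Asset Value * EF."""
        return self.asset_value * self.ef

    def ale(self) -> float:
        """Annual Loss Expectancy = ARO * SLE."""
        return self.aro * self.sle()

def rank_by_ale(risks):
    """Set priorities: highest yearly expected loss first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)

def control_value(risk, ef_after, aro_after, annual_cost):
    """Yearly benefit of a control: ALE removed minus the control's own yearly cost.
    Positive means the control is cheaper than the risk it reduces (the deck's
    selection rule); negative means it costs more than the loss it prevents."""
    residual = Risk(risk.name, risk.asset_value, ef_after, aro_after)
    return risk.ale() - residual.ale() - annual_cost

# Constructed risk register. The first entry is the deck's own DoS example;
# the other two are made-up figures for illustration only.
SAMPLE_RISKS = [
    Risk("DoS against web application (input validation)", 2_000_000, 0.20, 0.10),
    Risk("Flood in the data center", 5_000_000, 0.50, 0.02),
    Risk("Employee discloses HR records", 800_000, 0.75, 0.05),
]

if __name__ == "__main__":
    for r in rank_by_ale(SAMPLE_RISKS):
        print(f"{r.name:<50} SLE=${r.sle():>12,.0f}  ALE=${r.ale():>10,.0f}")
    # Hypothetical input-validation control: EF unchanged, ARO cut from 10% to 2%,
    # costing $5,000 a year to operate.
    dos = SAMPLE_RISKS[0]
    print(f"Control value for '{dos.name}': ${control_value(dos, 0.20, 0.02, 5_000):,.0f}")
```

Ranking by ALE puts the flood scenario ahead of the DoS case even though its ARO is lower, which is the point of multiplying frequency by single-loss cost rather than judging either alone.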
What Is The ISO 17799 Standard?
- ISO – International Organization for Standardization
- Complete Set Of Controls To Ensure Best Practices For Information Security
- The Major Standard – Internationally Recognized Information Security Standard
- Guideline – Guiding principle providing a good starting point for implementing information security. Guidelines are either based on essential legislative requirements or considered to be common best practices for information security.
- Legislative Controls
  - 12.1.4 – Data Protection and Privacy of Personal Information
  - 12.1.3 – Safeguarding of Organizational Records
  - 12.1.2 – Intellectual Property Rights
- Best Practices
  - 3.1 – Information Security Policy Document
  - 4.1.3 – Allocation of Information Security Responsibilities
  - 6.2.1 – Information Security Education and Training
  - 6.3.1 – Reporting Security Incidents
  - 11.1 – Business Continuity Management
What Is The ISO 17799 Standard?
- 10 Sections
  - Security Policy – To provide management direction & support for information security
  - Organizational Security – Manage information security within the organization
  - Asset Classification and Control – To maintain appropriate protection of organizational assets
  - Personnel Security – To reduce the risk of human error, theft, fraud or misuse of facilities
  - Physical & Environmental Security – To prevent unauthorized access, damage and interference to business premises and information
  - Communications and Operations Management – To ensure the correct and secure operation of information processing facilities
  - Access Control – Control access to information
  - System Development and Maintenance – To ensure security is built into information systems
  - Business Continuity Management – To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
  - Compliance – To avoid breaches of any criminal and civil law, statutory, regulatory or contractual
ISO 17799 OWASP Project Details
- Documentation Project
  - Toolbox of sample templates of ISO 17799 policies & procedures
- What Exists Today
  - ISO 17799 is a standard, not a tool
  - Not many publicly available templates
  - Commercially licensed templates are poor quality
Implementation Example
- 8.1.2 Operational Change Control
  - Inadequate control may cause system or security failures
  - Formal management responsibilities and procedures should be in place
  - Operational programs subject to strict change control
- Current State Of Project
  - Many templates
  - Todo: pull all templates together into a consistent format and publish
Critical Success Factors
- Targeted Risk Assessment
- Implement Good Controls
- Use Already Proven Policies & Procedures
- Training & Awareness
- Get Some More Sleep At Night!!!
OWASP Needs Your Feedback!
- Send Us Your Templates
- Modifications To Existing Templates
- Can you get involved?
References
- ISO/IEC 17799:2000(E)
- CISSP: Certified Information Systems Security Professional Study Guide, Ed Tittel
- OWASP ISO 17799 Project