Lecture 4: Standards, Certification, Accreditation and Regulation
James Backhouse, LSE
Developing Security
Three Key Terms
Evaluation: assessment of a product or
service against defined security evaluation
criteria/standards
Certification: the issue of a formal
statement (certificate) confirming the results
of the security evaluation
Accreditation: the procedure for accepting
a product, a service, a system for use within
a particular environment
Standards by types
Compatibility standards
- allowing products to work together
Minimum quality standards
- set a certain level of quality
Standards by objects
Product standards
- X.509, ISO/IEC 9796-2
Management standards
- ISO 17799, ISO 9000
Professional standards
- ACCA/ACA/CIMA/CIPFA
Standards by the origin
de facto standards
- developed through competitive market
process
de jure (institutional) standards
- the force of the law, through formal
standard-setting bodies
Voluntary standards
- developed in the public forum
Impacts of standards
Enhance compatibility or interoperability
Reduced uncertainty
Reduced consumer lock-in
Competition for the market vs. competition in the market
Competition on price vs. features
(Shapiro and Varian, 1999)
Standards adoption matrix (source: Lacey 2003):
                 Proprietary    Open
Established      Accept         Prefer
Emerging         Discourage     Wait
Security Product Evaluation and Certification
TCSEC
Security Evaluation criteria first
developed in 1983 in USA
Trusted Computer System Evaluation
Criteria known as the Orange Book
Hierarchy of security levels ranges from
D (poorly secured) to
A1 (all aspects of design, development and
implementation covered)
Europeans play catch-up
Germany (GISA) published ZSIEC
France (Service Central de la Sécurité des Systèmes d'Information) produced the Blue-White Book
UK (DTI) 1991 produced the Green Book
EEC 1990 produced the harmonised White Book
ITSEC: Information Technology Security Evaluation Criteria - June 1991
ITSEM: Information Technology Security Evaluation
Manual - September 1993
UK ITSEC Scheme
- 1990
“The objectives of the (ITSEC) scheme are to meet
the needs of Industry and Government for cost
effective and efficient security evaluation and
certification of IT products and systems. The Scheme
also aims to provide a framework for the
international mutual recognition of certificates”
Common Criteria
Common Criteria - harmonisation of
ITSEC and US and Canadian criteria
Common Criteria: EAL1 EAL2 EAL3 EAL4 EAL5 EAL6 EAL7
ITSEC: E1 E2 E3 E4 E5 E6
To lead to an international standard
(ISO)
Harmonised Criteria
“Users of systems need confidence in the security of
the system they are using. They also need a
yardstick to compare the security capabilities of IT
products they are thinking of purchasing…”
Information Technology Security Criteria
Introduction (ITSEC) Dept of Trade and
Industry, June 1991
CLEF - Commercial Evaluation Facilities
CLEFs provide evaluation services which
lead to certification for a range of
services or products:
access control and authentication systems
real-time and fault-tolerant systems
secure workstations
communications etc
What is a CLEF?
CLEFs perform evaluation under the UK
ITSEC Scheme
Provisional or Full
CLEFs subject to requirements and conditions (UKSP02)
BT; EDS; IBM Global Services;
LogicaCMG; SiVenture
ITSEC certification for Products (product - vendor)
- Sun Solaris 8 (02/02) - Sun Microsystems
- Open INGRES/Enhanced Security 1.2/01 - Computer Associates
- Datacryptor 2000 Application Software Version - Thales eSecurity
ITSEC certification for FIREWALLS (product - vendor)
- 3Com® Embedded Firewall - 3Com Business Connectivity Company
- Sidewinder Firewall Version 5.2.1 - Secure Computing Corporation
- VCS Firewall Version 3.0 - The Knowledge Group
IS Security Management
Certification
ISO 27001/BS7799
Certification
ISO/IEC 27001:2005 was published on
the 15th Oct 2005.
ISO ISMS standard replaced BS 7799
Part 2:2002
Business decision, not mandatory
Recognised in many countries.
ISO 27001/BS7799 adopted
in many parts of the world as a “common
language” for information security
management: to ensure business continuity,
minimise business damage by preventing and
minimising the impact of security incidents
and to maximise business investments and
opportunities
(source: ISMS 2003)
Accrediting the accreditors
UKAS is root accrediting agency for UK
Organisations awarding accreditation
must be impartial, competent,
effectively managed
Surveillance annually
Reassessment every four years
(source: ISMS 2003)
International Register of ISMS Certificates Jan 2007
Number of Certificates per Country Jan 2006
Japan 1190*
UK 219
India 146
Taiwan 74
Germany 52
Italy 41
Korea 35
USA 31
Hungary 24
Netherlands 22
China 21
Hong Kong 20
Australia 18
Finland 15
Norway 13
Switzerland 13
Ireland 11
Singapore 11
Austria 9
Poland 7
Sweden 7
Czech Republic 6
Brazil 5
Greece 5
Spain 5
Turkey 5
Croatia 4
Iceland 4
Philippines 4
Saudi Arabia 4
Argentina 3
Kuwait 3
Mexico 3
UAE 3
Belgium 2
Canada 2
Colombia 2
Denmark 2
France 2
Isle of Man 2
Malaysia 2
Slovak Republic 2
South Africa 2
Bahrain 1
Chile 1
Egypt 1
Lebanon 1
Lithuania 1
Luxemburg 1
Macau 1
Macedonia 1
Morocco 1
New Zealand 1
Qatar 1
Romania 1
Russian Federation 1
Serbia and Montenegro 1
Slovenia 1
Thailand 1
Relative Total 2082
Absolute Total 2068*
Number of Certificates per Country Jan 2004
Japan 225
UK 118
Korea 20
Germany 17
India 16
Hong Kong 15
Italy 12
Singapore 10
Finland 8
Norway 8
Australia 7
Ireland 7
Taiwan 7
Hungary 6
China 5
USA 5
Sweden 4
Austria 3
Iceland 3
Brazil 2
Denmark 2
Greece 2
Mexico 2
Switzerland 2
UAE 2
Argentina 1
Egypt 1
Macau 1
Malaysia 1
Netherlands 1
Poland 1
Slovenia 1
South Africa 1
Spain 1
Relative Total 517
Absolute Total 513
The Absolute Total represents the actual number of certificates. The Relative Total reflects 4 certificates that represent multi-nation registrations. This table is © ISMS International User Group 2002-2004
IS Security Professional Certification
Professional Certification
Objectives:
to evaluate individual competence
to provide mechanism for maintaining the
desired level of competence
to provide management objective criteria for
personnel selection and promotion
Professional Certification
Requirements
passing a series of examinations
providing proof of at least a few years of
practical auditing experience
Certified Information Systems Auditor
(CISA)
- sponsored by Information Systems Audit and
Control Association (ISACA)
- more than 26,000 members in over 100 countries
Certified Information Systems Auditor
(CISA)
Requirement:
- passed the CISA exam
- acquired the relevant information systems auditing,
control or security experience
- abide by the Code of Professional Ethics
- continued to undertake the Continuing Education
Program
Source: ISACA, 2003
Certified Information Systems
Security Professional (CISSP)
- sponsored by International Information
Systems Security Certification Consortium,
Inc. (ISC²)
- well-recognised in the industry worldwide
Certified Information Systems Security
Professional (CISSP)
Requirement:
- passed the CISSP exam (up to 6 hours)
- three years of direct experience with a
college degree from an accredited university
or college
Certified Information Systems Security
Professional (CISSP)
Examination structure:
- Access Control Systems & Methodology
- Applications & Systems Development
- Business Continuity Planning
- Cryptography
- Law, Investigation & Ethics
- Operations Security
- Physical Security
- Security Architecture & Models
- Security Management Practices
- Telecommunications, Network & Internet Security
The Institute of Information Security Professionals (IISP)… SKILL SET
- Information Security Concepts and Principles
- Information Risk Management
- Audit, Review and Monitoring
- Information Security Governance
- Information Security Strategy
- Legal and Regulatory Environment
- Security Architecture
- Security Technology
- Security Engineering
- Secure Development
- Information Security Management
- Operations and Service Delivery
- Incident Management
- Business Continuity Management
- Awareness Education and Training
- Third Party Management
Mandatory Core Skills (IISP)
Information Security Concepts and Principles
Interpreting, explaining and communicating
the concepts, definitions, principles of, and
the need for, and benefits of, information
security to specialists and business clients
within their community or organisation. (Z1)
Mandatory Core Skills (IISP)
Information Risk Management
Recognising the different forms of threat to,
and vulnerabilities of, information systems
and assets. (B01)
Assessing and managing the risks relating to
information systems and assets. (B02)
Mandatory Core Skills (IISP)
Audit, Review and Monitoring
Leading (or contributing to) the execution of
quality assurance or otherwise
accreditation processes and techniques
used in verifying compliance against the
requirements of legislation, industry
standards and local (community or
organisational) policy regulations. (I0)
Optional Core Skills (IISP)
Information Security Governance
Determining, establishing and maintaining
appropriate corporate governance
(including processes, roles and
responsibilities) for information security for
which the professional has formal
responsibility within their community or
organisation. (A1)
Specific Skills (IISP)
Information Security Governance
Establishing frameworks to develop and maintain
appropriate expertise within an organisation (A2)
Maintaining the balance of cost against security risk
for the business. (A3)
Gaining management commitment and resources to
support the governance structure (A4)
Incorporating physical and environmental issues into
the overall security governance process. (A5)
Optional Core Skills (IISP)
Policy and Standards
Persuading others of the need for, and selecting,
appropriate methods of delivery for security
policies, standards and guidelines, including
reference to common legislation, public standards
and local (community or organisational) policy
guidelines (G0)
Security Architecture
Recommending generally how security architecture
relates to business needs and how information
security can be realised. (E0)
Optional Core Skills (IISP)
Security Technology
Identifying the generic types of security controls
available to prevent, detect and recover from
security incidents and thus mitigate risk. (Y0)
Security Engineering
Recommending, or selecting, generic or specific
security tools, products, standards and protocols
that can be included effectively in security
architectures. (F0)
Optional Core Skills (IISP)
Secure Development
Recommending, or selecting, the appropriate formal measures
for technical assurance, approval and other accountable
corroborative mechanisms that confirm systems adequately
address their assessed risk profiles. (J0)
Information Security Management
Directing, or materially contributing to, project management
and other relevant issues involved in all aspects of
developing and maintaining a security programme, including
reacting appropriately to new threats and vulnerabilities as
they are identified. (C0)
Optional Core Skills (IISP)
Incident Management
Applying security measures, in consultation with
appropriate subject experts, that comply with
principles and common practices, including the
requirements of legislation, industry standards and
local (community or organisational) policy
regulations
Optional Core Skills (IISP)
Business Continuity Management
Establishing with others the need for, and directing
(or contributing substantially to) the processes for
establishing business continuity for information
assets. (D0)
Legal and Regulatory Environment
Understanding of the general principles of law, legal
jurisdiction and associated topics that may affect
information security governance and execution.
(V0)
Optional Core Skills (IISP)
Third Party Management
Providing guidance on, or participating in effective
agreements for, addressing security requirements
for information assets managed wholly or partially
by third parties - including managed services,
development or procurement projects and
information assets shared with, or managed by,
business partners, clients and contractors. (W0)
Specific Skills (IISP)
Policy and Standards
Interpreting external requirements and standards in terms of
an organisation (G1)
Developing appropriate organisational security policies,
standards and procedures (G2)
Providing advice on the interpretation of policy (G3)
Managing implementation of security programmes, and
coordinating security activities across the organisation (G4)
ET CETERA
(Mercuri, 2003)
Regulations and legislation towards
trust services provision for ecommerce
Three legal approaches
UNCITRAL Model Law on Electronic Commerce
Legislation approaches towards authentication
technologies
Technology prescriptive
Technology neutral
Two-tier
Jurisdiction - Name of Legislation
- Argentina - Digital Signature Law 2001
- Australia - Electronic Transaction Act 1999
- Austria - Electronic Signature Ordinance 2000
- Belgium - Bill on Certification Authorities and Qualified Certificates
- Brazil - Provisional Executive Act 2200
- Canada - Personal Information Protection and Electronic Documents Act 2000
- Chile - (no entry)
- China - Electronic Signature Act 2005
- Czech Republic - Electronic Signature Act 2000
- Denmark - Electronic Signature Act 2000
- EU - Directive 1999/93/EC
- Finland - Draft
- France - Electronic Signature Act 2000
- Germany - Digital Signature Law 1997
- Greece - Presidential Act 2001
- Hong Kong - Electronic Transactions Ordinance 2000
- Hungary - Digital Signature Act 2001
- India - Information Technology Act 2000
- Ireland - Electronic Commerce Act 2000
- Israel - Electronic Signature Act 2001
- Italy - Digital Document Regulations 1997
- Japan - Law Concerning Electronic Signatures and Certification Services 2001
- Korea - Electronic Signature Act 1999
- Luxembourg - Electronic Commerce Act 2000
- Malaysia - Digital Signature 1997
- New Zealand - Electronic Transaction Bill 2001
- Norway - Electronic Signature Act 2001
- Poland - Drafting
- Singapore - Electronic Transaction Act 1998; Electronic Transaction (CA) Regulations 1999
- South Korea - Electronic Signature Act 2001
- Spain - Royal Decree on Digital Signatures 1999
- Sweden - Act on Qualified Electronic Signature 2000
- Switzerland - Electronic Signature Act 2001
- Taiwan - Electronic Transaction and Electronic Signature Bill 2000
- Thailand - Electronic Signature Act (draft) 2001
- The Netherlands - (no entry)
- U.K. - Electronic Communication Act 2000
- United States - Uniform Electronic Transaction Act