ISO 17799 The International Security Standard

WHAT IS IT?
• “A comprehensive set of controls comprising best
practices in information security”
• Comprises TWO parts - a code of practice (ISO
17799, later renumbered ISO 27002) and a specification
for an information security management system (ISO 27001)
• Basically… an internationally recognized
generic information security standard
Terminology
• Policy – General regulations everyone must
follow; should be short, clear
• Standard – Collection of system-specific
requirements that must be met
• Guidelines – Collection of system-specific
suggestions for best practice. They are not
required, but are strongly recommended
• Procedures – A series of steps to accomplish a
task
Data Security Example
• Policy – All university data must be
classified according to the K-State data
classification schema and protected
according to the K-State data security
standards.
• Standard – Confidential data must be
encrypted in transit and when stored on a
mobile device
• Guideline – Confidential data should not be
stored on a mobile device such as a laptop
computer, PDA, USB drive, etc.
• Procedures
– How to encrypt a file
– How to install and operate full-disk encryption
on a laptop
– How to recover encrypted data when the private
key is lost
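The procedures above name the tasks but not the mechanism behind them. What follows is an added example, not part of the original presentation and not K-State's own procedure, of a file-encryption routine that meets the standard (confidential data encrypted at rest) while making the last procedure possible: the per-file data-encryption key is wrapped both for the file's owner and for an organizational recovery key, so the data stays recoverable after the owner's private key is lost. AES-256-GCM, 2048-bit RSA-OAEP, the labels "owner" and "recovery", and the sample record are all assumptions of this example; in practice the recovery private key would be held offline or in an HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is the stored form of one file: AES-256-GCM ciphertext plus
// the file's data-encryption key (DEK) wrapped once per party allowed to open
// it. The labels ("owner", "recovery") are an assumption of this example.
type EncryptedFile struct {
	Nonce      []byte
	Ciphertext []byte            // GCM output with the 16-byte tag appended
	WrappedDEK map[string][]byte // label -> RSA-OAEP(DEK) under that label's public key
}

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt generates a fresh random DEK, seals plaintext with AES-256-GCM and
// wraps the DEK for every recipient. Listing the organisation's recovery key
// among the recipients is what makes later recovery possible (key escrow).
func Encrypt(plaintext []byte, recipients map[string]*rsa.PublicKey) (*EncryptedFile, error) {
	if len(recipients) == 0 {
		return nil, errors.New("at least one recipient key is required")
	}
	dek := make([]byte, 32) // AES-256 key
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ef := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), WrappedDEK: map[string][]byte{}}
	for label, pub := range recipients {
		// The label doubles as the OAEP label, so a blob wrapped for "recovery"
		// will not unwrap under the "owner" label even with the matching key.
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, []byte(label))
		if err != nil {
			return nil, err
		}
		ef.WrappedDEK[label] = w
	}
	for i := range dek { // the DEK survives only in wrapped form
		dek[i] = 0
	}
	return ef, nil
}

// Decrypt unwraps the DEK with the private key held under label and opens the
// ciphertext. A wrong key or a tampered file fails authentication instead of
// producing garbage plaintext.
func Decrypt(ef *EncryptedFile, label string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := ef.WrappedDEK[label]
	if !ok {
		return nil, fmt.Errorf("no DEK wrapped for %q", label)
	}
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, []byte(label))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %q: %w", label, err)
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// RecoverWithLostOwnerKey runs the procedure end to end: encrypt a constructed
// confidential record for an owner and an escrow key, then recover it with the
// escrow key alone once the owner's private key is gone.
func RecoverWithLostOwnerKey() (string, error) {
	owner, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	escrow, err := rsa.GenerateKey(rand.Reader, 2048) // kept offline or in an HSM in practice
	if err != nil {
		return "", err
	}
	record := []byte("student-id=000000000; grade=A") // constructed sample data
	ef, err := Encrypt(record, map[string]*rsa.PublicKey{"owner": &owner.PublicKey, "recovery": &escrow.PublicKey})
	if err != nil {
		return "", err
	}
	owner = nil // the owner's private key is lost; only the wrapped copies remain
	pt, err := Decrypt(ef, "recovery", escrow)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	pt, err := RecoverWithLostOwnerKey()
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", pt)
}
```

The design point for the procedure writer: recovery is only possible because the recovery key was included at encryption time. A file encrypted for the owner alone is unrecoverable by design, which is why the standard and the procedure have to be written together.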
Why ISO 17799?
• “It is intended to serve as a single reference point
for identifying a range of controls needed for most
situations where information systems are used in
industry and commerce”
• Framework for comprehensive IT security
program
• International standard
• Meshes well with EDUCAUSE/I2 direction
• Certification for institution available
ISO 17799 Copyright, License
• Copyright from the ISO standard document:
“Unless otherwise specified, no part of this
publication may be reproduced or utilized in
any form or by any means, electronic or
mechanical, including photocopying and
microfilm, without permission in writing
from either ISO at the address below or
ISO’s member body in the country of the
requester.”
• From the license agreement:
– Is licensed to “Kansas State University”
– “…grants to the organisation… a non-exclusive and
non-transferable license to use for the Licensee’s own
personal or internal business purposes…”
– Cannot “redistribute any information from or via the
software to other workstations, users or systems which
are not covered by the license;”
– “…may copy the Software for back-up and archival
purposes only…”
• E-mail from licensor:
“With respect to the standards themselves, no,
definitely not. They are single copy license.
This is made clear within the PDFs
themselves. With respect to the other items
in the toolkit (eg: policies), yes, you may
share them internally.”
History
• First published as DTI Code of Practice in
UK
• Re-badged and published as Version 1 of
BS7799 in Feb 1995
• NOT widely embraced - for various reasons
• A major revision of BS7799 undertaken... Version
2 published in May 1999
• Formal certification and accreditation schemes
proposed by BSI in the same year
• Supporting tools start to appear
• Fast track ISO initiative accelerated
• First published as an ISO standard in Dec 2000
• May 2002: BS7799-2 published. This focused
specifically upon the Information Security
Management System
• Formal certification schemes established
• June 2005: New version of ISO 17799 published
• Oct 2005: BS7799-2 published as an ISO
standard, ISO 27001
Sections (“Clauses”) in ISO 17799
• Security Policy
• Organizing Information Security
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Information Systems Acquisition, Development, and Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance
Controls in Each Clause
• Control objective stating what is to be
achieved
• One or more controls to achieve the
objective
• Each control contains:
– Control statement
– Implementation guidance (the details)
– Other information
Example
Clause 8 – “Human Resources Security”
8.1 – Prior to employment
8.1.1 – Roles and responsibilities
8.1.2 – Screening
8.1.3 – Terms and conditions of employment
8.2 – During employment
8.2.1 – Management responsibilities
8.2.2 – Information security awareness, education, and training
8.2.3 – Disciplinary process
8.3 – Termination or change of employment
8.3.1 – Termination responsibilities
8.3.2 – Return of assets
8.3.3 – Removal of access rights
Extensible…
“This code of practice may be regarded as a
starting point for developing organization specific
guidelines. Not all of the controls and guidance in
this code of practice may be applicable.
Furthermore, additional controls and guidelines
not included in this standard may be required.”
EDUCAUSE/Internet2 Security Policy
• Security Task Force developing model
security policy
• Based on SANS, NIST, ISO 17799, ISC2
• Links to existing policies
• 10 sections follow ISO 17799 closely
• https://wiki.internet2.edu/confluence/display/secguide/Security+Policies+and+Procedures
Policy Sections
• Security Policy
• Organizational Security
• Asset Classification
• Personnel Security
• Physical Security
• Communications and Operations Mgmt
• Access Control
• System Development and Maintenance
• Business Continuity Management
• Compliance
Recommendation
• Structure IT security policies based on
EDUCAUSE/I2 recommendations
• Incorporate existing security policies into it
• Base standards and guidelines on ISO 17799
• Incorporate audit recommendations into both
• Develop procedures as priorities dictate
• Consider ISO 17799 certification in future
• Questions?