ISO 17799
The International Security Standard

WHAT IS IT?
• “A comprehensive set of controls comprising best practices in information security”
• Comprises TWO parts: a code of practice (ISO 17799) and a specification for an information security management system (ISO 27001)
• Basically… an internationally recognized generic information security standard

Terminology
• Policy – General regulations everyone must follow; should be short and clear
• Standard – Collection of system-specific requirements that must be met
• Guidelines – Collection of system-specific suggestions for best practice. They are not required, but are strongly recommended
• Procedures – A series of steps to accomplish a task

Data Security Example
• Policy – All university data must be classified according to the K-State data classification schema and protected according to the K-State data security standards.

Data Security Example
• Standard – Confidential data must be encrypted in transit and when stored on a mobile device
• Guideline – Confidential data should not be stored on a mobile device such as a laptop computer, PDA, USB drive, etc.

Data Security Example
• Procedures
  – How to encrypt a file
  – How to install and operate full-disk encryption on a laptop
  – How to recover encrypted data when the private key is lost

Why ISO 17799?
• “It is intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used in industry and commerce”
• Framework for a comprehensive IT security program
• International standard
• Meshes well with EDUCAUSE/I2 direction
• Certification for the institution is available

ISO 17799 Copyright, License
• Copyright from the ISO standard document: “Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO’s member body in the country of the requester.”

ISO 17799 Copyright, License
• From the license agreement:
  – Is licensed to “Kansas State University”
  – “…grants to the organisation… a non-exclusive and non-transferable license to use for the Licensee’s own personal or internal business purposes…”
  – Cannot “redistribute any information from or via the software to other workstations, users or systems which are not covered by the license;”
  – “…may copy the Software for back-up and archival purposes only…”

ISO 17799 Copyright, License
• E-mail from licensor: “With respect to the standards themselves, no, definitely not. They are single copy license. This is made clear within the PDFs themselves. With respect to the other items in the toolkit (eg: policies), yes, you may share them internally.”

History
• First published as the DTI Code of Practice in the UK
• Re-badged and published as Version 1 of BS7799 in Feb 1995
• NOT widely embraced, for various reasons

History
• A major revision of BS7799 undertaken… Version 2 published in May 1999
• Formal certification and accreditation schemes proposed by BSI in the same year
• Supporting tools start to appear
• Fast-track ISO initiative accelerated
• First published as an ISO standard in Dec 2000

History
• May 2002: BS7799-2 published. This focused specifically upon the Information Security Management System
• Formal certification schemes established
• June 2005: New version of ISO 17799 published
• Oct 2005: BS7799-2 published as an ISO standard, ISO 27001

Sections (“Clauses”) in ISO 17799
• Security Policy
• Organizing Information Security
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Information Systems Acquisition, Development, and Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance

Controls in Each Clause
• Control objective stating what is to be achieved
• One or more controls to achieve the objective
• Each control contains:
  – Control statement
  – Implementation guidance (the details)
  – Other information

Example Clause 8 – “Human Resources Security”
8.1 – Prior to employment
  8.1.1 – Roles and responsibilities
  8.1.2 – Screening
  8.1.3 – Terms and conditions of employment
8.2 – During employment
  8.2.1 – Management responsibilities
  8.2.2 – Information security awareness, education, and training
  8.2.3 – Disciplinary process
8.3 – Termination or change of employment
  8.3.1 – Termination responsibilities
  8.3.2 – Return of assets
  8.3.3 – Removal of access rights

Extensible…
“This code of practice may be regarded as a starting point for developing organization specific guidelines. Not all of the controls and guidance in this code of practice may be applicable. Furthermore, additional controls and guidelines not included in this standard may be required.”

EDUCAUSE/Internet2 Security Policy
• Security Task Force developing a model security policy
• Based on SANS, NIST, ISO 17799, ISC2
• Links to existing policies
• 10 sections follow ISO 17799 closely
• https://wiki.internet2.edu/confluence/display/secguide/Security+Policies+and+Procedures

Policy Sections
• Security Policy
• Organizational Security
• Asset Classification
• Personnel Security
• Physical Security
• Communications and Operations Mgmt
• Access Control
• System Development and Maintenance
• Business Continuity Management
• Compliance

Recommendation
• Structure IT security policies based on EDUCAUSE/I2 recommendations
• Incorporate existing security policies into it
• Base standards and guidelines on ISO 17799
• Incorporate audit recommendations into both
• Develop procedures as priorities dictate
• Consider ISO 17799 certification in the future

Questions?