IS Security Standards
Gurpreet Dhillon, Virginia Commonwealth University

Importance of IS Security Standards
- IS security plays a vital role.
- IS security is as strong as its weakest link.
- Confusing: a plethora of standards.
- How do we make sense of these standards? Which standard should be adopted?
© Dr. Gurpreet Dhillon. Do not reproduce without permission.

Classification of IS Security Standards
- Security development
- Security management
- Security evaluation
- Risk management

IS Security Life Cycle
[Diagram: life-cycle stages Security Evaluation, Security Development, Implementation, Security Management, Risk Management and Changes.]

Classification of IS Security Standards (definitions)
- Security development: improvement and assessment of IS security-engineering capability.
- Security management: objectives or controls necessary for managing IS security.
- Security evaluation: examination and testing of the security features of an information system.
- Risk management: identification, analysis, control, and communication of the IS security risks to which an organization is exposed.

Security Development
- CMM
- SE-CMM (Systems Engineering CMM)
- SSE-CMM (ISO/IEC DIS 21827): Systems Security Engineering Capability Maturity Model
- CMM and SE-CMM do not deal with IS security.

SSE-CMM
- Describes the essential characteristics of security engineering processes.
- Addresses the continuity, repeatability, efficiency, and assurance qualities required in the production and operation of secure systems and products.
- Scope: the entire secure system or product life cycle, the whole organization, and concurrent interactions with other organizations.
- Two dimensions:
  - Domain: "base practices" that collectively define security engineering.
  - Capability: "generic practices" that indicate process management and institutionalization capability.

Security Management
[Diagram: lineage of management standards: OECD Guidelines (1992), Code of Practice UK DTI (1993), GASSP (1995), BS 7799 (1995), ISO/IEC TR 13335 (1996), ISO/IEC 17799 (2000), GAISP (2003).]

ISO/IEC 17799: Code of Practice for Information Security Management
- A set of controls that are important to achieve the security objectives of an organization.
- The standard is organized into ten major sections. Each section addresses an area important for IS security and lists best practices in the form of controls for that area.
- 36 objectives and 127 controls.
- Guiding areas for implementing IS security: security policy, organizational security, personnel security, business continuity management, compliance.
- Other areas: asset classification and control, physical and environmental security, communications and operations management, access control, systems development and maintenance.

ISO/IEC TR 13335: Guidelines for the Management of IT Security (GMITS)
- A technical report that provides suggestions rather than prescribing practice.
- Scope: IT security, not information security.
- It comprises five parts:
  - Part 1: basic concepts and models for IT security.
  - Part 2: managing and planning IT security.
  - Part 3: techniques for the management of IT security.
  - Part 4: guidance on the selection of safeguards for the management of risk.
  - Part 5: management guidance on network security.

OECD Guidelines (Organization for Economic Cooperation and Development)
- Recognizes the commonality of security requirements across various organizations.
- Developed an integrated approach outlined in the form of nine principles: accountability, awareness, ethics, multidisciplinary, proportionality, integration, timeliness, reassessment, equity.

GAISP: Generally Accepted Information Security Principles
- Documents information security principles that have been proven in practice and accepted by practitioners.
- GAISP is organized into three major sections that form a hierarchy:
  - Pervasive Principles: target organizational governance and executive management; outline the principles advocated in the OECD guidelines.
  - Broad Functional Principles: target management; describe the specific building blocks (what to do) that comprise the Pervasive Principles.
  - Detailed Principles: target the IS security professional; provide specific (how-to) guidance for implementing optimal IS security practices.

Security Evaluation
[Diagram: lineage of evaluation criteria: Green Book, TCSEC, ITSEC, MSFR, CTCPEC, Federal Criteria, Common Criteria, ISO/IEC 15408.]

TCSEC: Trusted Computer System Evaluation Criteria
- Addresses military security needs and policies.
- Focus: mainframe systems; protection of confidentiality.
- Four major sets of criteria: security policy, accountability, assurance, and documentation.
- TCSEC was "interpreted" for both networks and databases.

Green Book and CTCPEC
- German Green Book: divides security requirements into functionality requirements and assurance requirements.
- Canadian Trusted Computer Evaluation Criteria (CTCPEC): addresses complex systems.
- CTCPEC classifies the functionality and assurance requirements separately:
  - Functional criteria comprise confidentiality, integrity, availability, and accountability.
  - Assurance criteria are applied across the entire system.

Security Evaluation: MSFR and Federal Criteria
- Minimum Security Functional Requirements (MSFR)
  - Follows ITSEC: separates the functionality and assurance criteria.
  - Takes the Security Target approach.
- Federal Criteria (FC)
  - Focus: IT security.
  - Introduces the Protection Profile: an implementation-independent set of functionality and assurance requirements for a category of products.
  - Follows ITSEC's Security Target approach.

ITSEC: Information Technology Security Evaluation Criteria
- ITSEC identifies the Target of Evaluation (TOE) as either a system or a product.
- Evaluation factors of a TOE: correctness and effectiveness.
  - Evaluation of correctness: examines the correct implementation of security functions and mechanisms.
  - Evaluation of effectiveness: examines the compatibility of the security mechanisms with the stated security objectives.
- The TOE's functionality suitability and integration, the consequences of vulnerabilities, and ease of use are also evaluated.

Common Criteria (CC)
- CC v2.1 was published in 1999 and adopted as ISO/IEC IS 15408.
- Follows ITSEC: separates the functionality and assurance requirements.
- CC is organized into three parts:
  - Introduction and General Model: introduces the general model and concepts of IT security evaluation. Three types of security requirement constructs are defined: Package, Protection Profile, and Security Target.
  - Security Functional Requirements: addresses the functional requirements of security.
  - Standardized Security Assurance Requirements: defines the criteria for evaluating Protection Profiles, Security Targets, and TOEs (targets of evaluation).

ISO/IEC IS 15408: Evaluation Criteria for IT Security (ECITS)
- ECITS is organized into three parts: model, functionality classes, and assurance.
- Influenced by:
  - ITSEC: separates the functionality and assurance criteria.
  - CTCPEC: functionality classes.
- ECITS also addresses privacy protection: it identifies four functional privacy families: anonymity, pseudonymity, unlinkability, and unobservability.

Risk Management
[Diagram: NIST Special Publication 800-30 Risk Management, ISO/IEC TR 13335 Part 3, ISO/IEC TR 13335 Part 4.]

Risk Management
- ISO/IEC TR 13335
  - Part 3: outlines and provides an interpretation of the risk assessment principles.
  - Part 4: provides the guidelines for the selection of safeguards for risk management.
- NIST Special Publication 800-30: Risk Management Guide for IT Systems
  - A national-level standard for the US.
  - Provides an outline of risk management and risk assessment.
  - The risk mitigation process is associated with the selection of cost-effective security controls.
  - Stresses continuing risk evaluation and assessment.

IS Security Standards Framework

Category | Definition | Issues | Standard | Approach/Need
Security Development | Improvement and assessment of IS security-engineering capability | Continuity, Repeatability, Efficiency, Assurance | ISO/IEC DIS 21827 | Security engineering process, Assurance process, Risk process
Security Management | Objectives or controls necessary for managing IS security | Confidentiality, Integrity, Availability, Responsibility, Integrity, Trust, Ethicality | ISO/IEC 17799 | Security policy, organizational security, personnel security, business continuity management, compliance
Security Evaluation | Examination and testing of the security features of an information system | Effectiveness, Correctness | ISO/IEC IS 15408 | Functionality requirements, Assurance requirements, Privacy protection
Risk Management | Identification, analysis, control, and communication of the IS security risks to which an organization is exposed | Threat, Vulnerability, Impact | ISO/IEC TR 13335 Part 3 and Part 4 | Need: Risk assessment, Risk analysis, and Risk mitigation in terms of IS security

Integrated Model
[Diagram: Risk Management, Security Management, Security Development and Security Evaluation linked in one integrated model.]
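The NIST SP 800-30 risk assessment and risk mitigation steps described above, worked as an added example that is not part of the slides: risk determination uses SP 800-30's qualitative likelihood/impact matrix, and mitigation picks the cheapest candidate control that brings each threat/vulnerability pair down to an acceptable risk level. The threat register, control costs and residual ratings are constructed, and the function names are assumptions of this example.

```python
from dataclasses import dataclass

# SP 800-30 (2002) qualitative scale: likelihood weights, impact magnitudes, level order.
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}
RANK = {"low": 0, "medium": 1, "high": 2}

def risk_level(likelihood, impact):
    """Risk determination (SP 800-30 matrix): High > 50, Medium > 10 to 50, Low <= 10."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    return score, ("high" if score > 50 else "medium" if score > 10 else "low")

@dataclass
class Control:
    name: str
    cost: int              # constructed annual cost, arbitrary units
    likelihood_after: str  # likelihood once the control is in place
    impact_after: str      # impact once the control is in place

@dataclass
class RiskItem:
    pair: str              # threat/vulnerability pair being assessed
    likelihood: str
    impact: str
    candidates: list       # candidate Controls for this pair

def cheapest_adequate(item, acceptable):
    """Risk mitigation: cheapest candidate that brings residual risk to the acceptable level."""
    adequate = [c for c in item.candidates
                if RANK[risk_level(c.likelihood_after, c.impact_after)[1]] <= RANK[acceptable]]
    return min(adequate, key=lambda c: c.cost) if adequate else None

def plan_mitigation(register, acceptable="low"):
    """Per pair: 'accept' if already acceptable, else the chosen control name, else 'escalate'."""
    plan = {}
    for item in register:
        if RANK[risk_level(item.likelihood, item.impact)[1]] <= RANK[acceptable]:
            plan[item.pair] = "accept"
        else:
            chosen = cheapest_adequate(item, acceptable)
            plan[item.pair] = chosen.name if chosen else "escalate"
    return plan

# Constructed sample register (not from the slides or from SP 800-30).
SAMPLE_REGISTER = [
    RiskItem("unpatched web server / remote exploit", "high", "high",
             [Control("patch management", 20, "low", "high"),
              Control("web application firewall", 35, "medium", "high")]),
    RiskItem("lost laptop / data disclosure", "medium", "high",
             [Control("full-disk encryption", 15, "medium", "low"),
              Control("awareness training", 8, "medium", "high")]),
    RiskItem("insider misuse of admin rights", "low", "medium", []),
]
```

Raising `acceptable` to "medium" shows the continuing-assessment point of SP 800-30: the same register then yields a different plan, since the laptop pair no longer needs a control.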