Information Security Standards
Gary Gaskell © 2001
Gary Gaskell, 3 May 2001

Contents
- Overview of security standards
- Types of standards
- List of standards
- Quick insight into each standard
- Conclusions

Types of Standards
- Risk based
- Management
- Technical
- Lightweight
- Thorough
- System-wide focus
- Product focus
- Assurance based
- Prescriptive controls
- Checklists

Security Standards - Pick One!
- AS/NZS 4444 (BS 7799, ISO 17799)
- US TCSEC (Rainbow series)
- ITSEC (Europe)
- Common Criteria (ISO 15408)
- IETF Site Security Handbook (RFC 2196)
- Vendor handbooks and checklists, B.S.I., SANS
- Website certification services
- SAS-70

AS/NZS 4444
- Information Security Management Standard
- Part 1 - 1999
- Part 2 - 2000
- JANZAS based
- BS7799
- BS7799 based on industry - Shell Oil etc.

AS 4444
- Good internal security management
- Information Security Management System
- Explicit target - trusted interconnection
- Catalogue of controls
- Recommended baselines
- Risk based assessments

AS 4444 Controls
- Security policy
- Asset classification and control
- Physical and environmental security
- Access control
- Business continuity management
- Security organisation
- Personnel security
- Communications and operations management
- Systems development and maintenance
- Compliance

TCSEC
- Trusted Computer Security Evaluation Criteria - 1983
- US Government specification
- "Orange Book" and "Rainbow series"
- Origin of C2, B1, B3 etc.
- Functionality and assurance tightly coupled
- Superseded but still in use

ITSEC
- Information Technology Security Evaluation Criteria - 1991
- UK, France, Germany and The Netherlands
- Used by Australia
- System and product use
- http://www.dsd.gov.au/infosec/aisep/EPL/prod.html
- Superseded but still in use

Common Criteria
- Common Criteria for Information Technology Security Evaluation - 1999
- ISO 15408 (CC v2.1)
- Merge of TCSEC and ITSEC
- Emerging standard
- Assurance level separate from functionality level
- Mutual recognition agreement - 13 countries

RFC 2196
- IETF Site Security Handbook
- Developed by CERT/CC of the CMU
- Response oriented
- Good practical advice
- Explicit about system hardening and patch installation

Vendor Checklists
- SGI
- Compaq/Digital
- Sun Microsystems (Blueprints)
- AIX (Redbooks)
- Microsoft
- Apache
- Oracle

Vendor Checklists - continued
- Explicit and specific
- Good for specification in designs or outsourcing
- "How to" oriented
- Sometimes too light

Third Party Vendor Checklists
- AusCERT/CERT Unix security checklist
- Windows NT 4 NSA/Trusted Systems checklist (http://www.trustedsystems.com)
- Windows 2000 security checklist (http://www.systemexperts.com)
- Books - e.g. Practical Unix and Internet Security - Spafford and Garfinkel

BSI
- Bundesamt für Sicherheit in der Informationstechnik
- http://www.bsi.de/gshb/english/etc/inhalt.htm
- IT Baseline Protection Manual
- More practical than other government attempts

SANS
- System and Network Security
- http://www.sans.org
- Advice on policy and controls
- Training (and certification?)
- Checklists
- Vulnerability service

Website Certification Programs
- TruSecure (ICSA/TruSecure)
- WebTrust
- beTRUSTed (PwC)
- SysTrust (AICPA)
- Others?

SAS-70
- Statement on Auditing Standards
- American Institute of Certified Public Accountants
- Formal audit standard - background of financial audits
- Two levels
- Type I - inspection of key areas
- Type II - testing of the effectiveness of controls

Miscellaneous
- IS 18 - Qld Government
- VISA - security for merchant sites
- NIST - FIPS 102
- US - HIPAA
- OECD - Guidelines for the Security of Information Systems
- ISO 13335 - Guidelines for the Management of IT Security

Miscellaneous - continued
- System Security Engineering Capability Maturity Model (SSE-CMM) - International Systems Security Engineering Association (ISSEA)
- CoBIT - "IT Governance" - AICPA

Conclusions
- Great choice of standards
- None are a full solution