Information Security Standards
Gary Gaskell
© 2001
1
Contents
- Overview of security standards
- Type of standards
- List of standards
- Quick insight to each standard
- Conclusions

Gary Gaskell, 3 May 2001
2
Types of Standards
- Risk based
- Management
- Technical
- Lightweight
- Thorough
- System-wide focus
- Product focus
- Assurance based
- Prescriptive controls
- Checklists
3
Security Standards - Pick One!
- AS/NZS 4444 (BS 7799, ISO 17799)
- US TCSEC (Rainbow series)
- ITSEC (Europe)
- Common Criteria (ISO 15408)
- IETF Site Security Handbook (RFC 2196)
- Vendor handbooks and checklists, B.S.I., SANS
- Website certification services
- SAS-70
4
AS/NZS 4444
Information Security Management Standard
- Part 1 - 1999
- Part 2 - 2000
- JANZAS
- Based on BS7799
- BS7799 based on industry - Shell Oil etc
5
AS 4444
Good internal security management
- Information Security Management System
- Explicit Target - trusted interconnection
- Catalogue of controls
- Recommended baselines
- Risk based assessments
6
AS4444 Controls
- Security policy
- Security organisation
- Asset classification and control
- Personnel security
- Physical and environmental security
- Communications and operations management
- Access control
- Systems development and maintenance
- Business continuity management
- Compliance
7
TCSEC
Trusted Computer Security Evaluation Criteria - 1983
- US Government specification
- “Orange book” and “Rainbow series”
- Origin of C2, B1, B3 etc
- Functionality & Assurance tightly coupled
- Superseded but still in use
8
ITSEC
Information Technology Security Evaluation Criteria - 1991
- UK, France, Germany & The Netherlands
- Used by Australia
- System and product use
- http://www.dsd.gov.au/infosec/aisep/EPL/prod.html
- Superseded but still in use
9
Common Criteria
Common Criteria for Information Technology Security Evaluation - 1999
- ISO 15408 (CC v 2.1)
- Merge of TCSEC & ITSEC
- Emerging standard
- Assurance level separate from functionality level
- Mutual recognition agreement - 13 countries
10
RFC 2196
IETF Site Security Handbook
- Developed by CERT/CC of the CMU
- Response oriented
- Good practical advice
- Explicit about system hardening and patch installation
11
Vendor Checklists
- SGI
- Compaq/Digital
- Sun Microsystems (Blue prints)
- AIX (redbooks)
- Microsoft
- Apache
- Oracle
12
Vendor Checklists Continued
- Explicit and specific
- Good for specification in designs or outsourcing
- “how to” oriented
- Sometimes too light
13
Third Party Vendor Checklists
- AusCERT/CERT Unix security checklist
- Windows NT 4 NSA/Trusted Systems checklist (http://www.trustedsystems.com)
- Windows 2000 security checklist (http://www.systemexperts.com)
- Books - e.g. Practical Unix and Internet Security - Spafford & Garfinkel
14
BSI
Bundesamt fuer Sicherheit in der Informationstechnik
- http://www.bsi.de/gshb/english/etc/inhalt.htm
- IT Baseline Protection Manual
- More practical than other government attempts
15
SANS
System and Network Security
- http://www.sans.org
- Advice on policy and controls
- Training (& certification ?)
- Checklists
- Vulnerability service
16
Website Certification Programs
- TruSecure (ICSA/TruSecure)
- Web trust
- beTRUSTed (PwC)
- SysTrust (AICPA)
- Others?
17
SAS-70
Statement on Auditing Standards
- American Institute of Certified Public Accountants
- Formal Audit Standard - background of financial audits
- Two levels
  - Type I - inspections of key areas
  - Type II - testing of effectiveness of controls
18
Miscellaneous
- IS 18 - Qld Government
- VISA - security for merchant sites
- NIST - FIPS 102
- US - HIPAA
- OECD - Guidelines for the Security of Information Systems
- ISO 13335 - Guidelines for the Management of IT Security
19
Miscellaneous - continued
- System Security Engineering Capability Maturity Model (SSE-CMM) - International Systems Security Engineering Association (ISSEA)
- CoBIT - “IT Governance” - AICPA
20
Conclusions
- Great choice of standards
- None are a full solution
21