Information Security Management, Standards and best practices - PowerPoint PPT Presentation

1
Information Security Management, Standards and
best practices
  • S. ?????????
  • ?e t? s??e?sf??? t?? ?. ?a??da ?a? ?. ?s????

2
Standards and Standardization Process
  • De facto and de jure standards
  • Standardization bodies
  • ISO (International Organization for
    Standardization): National bodies, Technical
    Committees
  • ELOT (Hellenic Organization for Standardization)
  • CEN, ANSI, NIST, BSI
  • Processes
  • Certification
  • Accreditation

3
Why?
  • Threat of legal liability
  • Organizations and software vendors are being held
    to a higher degree of accountability for
    security, if not in the courtroom, by their
    customers
  • Business partners and stakeholders demanding
    security
  • Organizations are challenged to prove they are
    managing security to a level that will satisfy
    their business partners and stakeholders.
  • Proliferation of standards, regulations and
    legislation
  • Organizations face complex requirements to comply
    with a myriad of regulations.

4
Comprehensive IS Management - Principles Based
  • OECD Guidelines for the Security of Information
    Systems and Networks (2002): 9 pervasive
    principles for information security
  • NIST (National Institute of Standards and
    Technology)
  • SP 800-14 Generally Accepted Principles and
    Practices for Securing IT Systems, 1996
  • SP 800-18, Guide for Developing Security Plans
    for Federal Information Systems,1998 (revised
    2006)
  • SP 800-30 Risk Management Guide for IT Systems,
    2002
  • IFAC International Guidelines on Information
    Technology Management: Managing Information
    Technology Planning for Business Impact,
    International Federation of Accountants, New
    York, 1999.

5
Comprehensive IS Management - Controls Based
  • BS 7799 Parts 1, 2 & 3 - Code of Practice for
    Information Security Management (British
    Standards Institute)
  • ISO 27001 Information Technology - Information
    Security Management Systems - Requirements
  • ISO 27002 Information Technology - Code of
    Practice for Information Security Management
    (former ISO 17799)
  • ISO 27003 Information Technology - Information
    management system implementation guidance
  • ISO 27004 Information technology - Information
    security management - Measurement
  • ISO 27005 Information Technology - Information
    security risk management
  • IT Baseline Protection Manual - BSI (Bundesamt
    für Sicherheit in der Informationstechnik)
  • NIST
  • 800-53 - Recommended Security Controls for
    Federal Information Systems
  • Several specific standards (e.g. Secure Web
    Services, PDA security, Implementing HIPAA,
    Contingency planning, etc.)

6
Other categories
  • Capability Maturity Model
  • ISO 21827 System Security Engineering -
    Capability Maturity Model (SSE-CMM)
  • Product Security Models
  • ISO 15408 Common Criteria
  • TCSEC, ITSEC
  • Business Continuity Management
  • ISO 24762 Information Technology - Guidelines for
    information and communication technology disaster
    recovery services
  • ISO 27031 Information Technology - Security
    Techniques - Guidelines for ICT readiness for
    Business Continuity
  • BS 25999 Business Continuity Management
  • ISO 18044 Information technology - Information
    security incident management
  • Governance Guides
  • ISO 38500 Corporate guidance of IT
  • COBIT Control Objectives for Information and
    Related Technologies (ISACA)
  • IT Governance Implementation Guide (ISACA)

7
OECD Guidelines -1-
  • Towards a culture of security
  • Awareness
  • Participants should be aware of the need for
    security of information systems and networks and
    what they can do to enhance security.
  • Responsibility
  • All participants are responsible for the security
    of information systems and networks.
  • Response
  • Participants should act in a timely and
    co-operative manner to prevent, detect and
    respond to security incidents.
  • Ethics
  • Participants should respect the legitimate
    interests of others.
  • Democracy
  • The security of information systems and networks
    should be compatible with essential values of a
    democratic society.

8
OECD Guidelines -2-
  • Risk assessment
  • Participants should conduct risk assessments.
  • Security design and implementation
  • Participants should incorporate security as an
    essential element of information systems and
    networks.
  • Security management
  • Participants should adopt a comprehensive
    approach to security management.
  • Reassessment
  • Participants should review and reassess the
    security of information systems and networks, and
    make appropriate modifications to security
    policies, practices, measures and procedures.

9
Information Security Standards
  • TCSEC (Orange Book)
  • ITSEC
  • Common Criteria

10
Standards history -1-
  • 1983 Trusted Computer System Evaluation Criteria
    (TCSEC) developed in the United States.
  • 1991 Information Technology Security Evaluation
    Criteria (ITSEC) version 1.2 published by the
    European Commission (joint development by France,
    Germany, the Netherlands, and the UK).
  • 1993 Canadian Trusted Computer Product
    Evaluation Criteria (CTCPEC) version 3.0,
    published as a combination of the ITSEC and TCSEC
    approaches.

11
Standards history -2-
  • 1990 the International Organization for
    Standardization (ISO) starts to develop
    international standard evaluation criteria for
    general use.
  • June 1993 the sponsoring organisations of the
    CTCPEC, FC, TCSEC and ITSEC began a joint
    activity to align their separate criteria into a
    single set of IT security criteria that could be
    widely used. This activity was named the CC
    Project.

12
Common Criteria -1-
  • Meant to be used as the basis for evaluation of
    security properties of IT products and systems.
  • Permits comparability between the results of
    independent security evaluations.
  • Guide for the development of products or systems
    with IT security functions and for the
    procurement of commercial products and systems
    with such functions.
  • Addresses protection of information from
    unauthorised disclosure, modification, or loss of
    use (confidentiality, integrity, availability).
  • It is applicable to IT security measures
    implemented in hardware, firmware or software.

13
Common Criteria -2-
  • Does not contain security evaluation criteria
    pertaining to administrative security measures
    not related directly to the IT security measures.
  • De facto standard in the US since 1998.
  • Accepted as ISO 15408
  • Includes
  • CC documents
  • CC Evaluation Methodology (CEM)
  • CC National Scheme
  • 7 Evaluation Assurance Levels
  • EAL1 to EAL7
  • 11 Functionality Requirements Classes
  • 10 Assurance Requirements Classes

14
Evaluation Context

15
Common Criteria Target Group
  • Consumers
  • They can use the results of evaluations to help
    decide whether an evaluated product or system
    fulfils their security needs. They can also use
    the evaluation results to compare different
    products or systems.
  • Developers
  • CC can support developers in preparing for and
    assisting in the evaluation of their products or
    systems and in identifying security requirements
    to be satisfied by each of their products or
    systems.
  • Evaluators
  • The CC contains criteria to be used by
    evaluators when forming judgments about the
    conformance of TOEs to their security
    requirements.
  • Others
  • Auditors, Security Officers

16
Common Criteria Basic concepts
  • Protection Profile (PP)
  • An implementation-independent set of security
    requirements for a category of TOEs that meet
    specific consumer needs.
  • Target of Evaluation (TOE)
  • An IT product or system and its associated
    administrator and user guidance documentation
    that is the subject of an evaluation.
  • Security Target (ST)
  • A set of security requirements and specifications
    to be used as the basis for evaluation of an
    identified TOE.

17
TOE Development Method
  • Protection Profile (PP)
  • Target of Evaluation (TOE)
  • Security Target (ST)

18
ISO 27002 (former 17799)
  • First edition 2000; current edition 2005.
  • Prepared by the British Standards Institution (as
    BS 7799) and adopted by Joint Technical
    Committee ISO/IEC JTC 1, Information Technology,
    in parallel with its approval by national bodies
    of ISO and IEC.
  • Information technology - Code of practice for
    information security management

19
ISO 27002 as a code of practice
  • May be regarded as a starting point for
    developing organization specific guidance.
  • Not all of the guidance and controls in this code
    of practice may be applicable.
  • Furthermore, additional controls not included in
    this document may be required.

20
ISO 27002
  • Gives recommendations for information security
    management for use by those who are responsible
    for initiating, implementing or maintaining
    security in their organization.
  • It is intended to provide a common basis for
    developing organizational security standards and
    effective security management practice and to
    provide confidence in inter-organizational
    dealings.
  • Recommendations from this standard should be
    selected and used in accordance with applicable
    laws and regulations.

21
ISO 27002 Information Security Policy
  • Information security policy document
  • Review and evaluation

22
ISO 27002 Organizational Security
  • Information security is a business
    responsibility shared by all members of the
    management team.
  • Information security infrastructure
  • Management framework: management fora with
    management leadership should be established to
    approve the information security policy, assign
    security roles and co-ordinate the implementation
    of security across the organization.
  • Multi-disciplinary approach to information
    security involving the co-operation and
    collaboration of managers, users, administrators,
    application designers, auditors and security
    staff, and specialist skills in areas such as
    insurance and

23
ISO 27002 Asset classification and control
  • Asset accountability
  • Accountability should remain with the owner of
    the asset. Responsibility for implementing
    controls may be delegated.
  • Information classification
  • Information should be classified to indicate the
    need, priorities and degree of protection,
    depending on varying degrees of sensitivity and
    criticality.

24
ISO 27002 Personnel security
  • Security in job definition and resourcing
  • User training
  • Users should be trained in security procedures
    and the correct use of information processing
    facilities to minimize possible security risks.
  • Responding to security incidents and malfunctions
  • Weaknesses, malfunctions
  • Learning from incidents
  • Disciplinary process

25
ISO 27002 Physical and environmental security
  • Secure areas
  • Security perimeter, entry controls
  • Protection provided should be commensurate with
    the identified risks.
  • Equipment security
  • Safety

26
ISO 27002 Communications and operations
management
  • Operational procedures and responsibilities
  • Incident management procedures
  • Segregation of duties
  • Separation of development and operational
    facilities
  • System planning and acceptance
  • Capacity planning, performance requirements,
    system acceptance
  • Protection against malicious software
  • Back ups, logging
  • Network management
  • Media handling
  • tapes, disks, cassettes
  • Information exchange between organizations
  • Policy on Email
  • Electronic commerce security

27
ISO 27002 Access control
  • Access control policy
  • User access management
  • Access rights, passwords
  • User responsibilities
  • Network access control
  • Network segregation
  • Operating system access control
  • Application access control
  • Monitoring system access and use
  • Mobile computing and teleworking

28
ISO 27002 Systems development and maintenance
  • Security requirements of systems
  • built-in security
  • Security in application systems
  • Message authentication, hash algorithms,
    cryptography
  • Cryptographic controls
  • To protect the confidentiality, authenticity or
    integrity of information (encryption, digital
    signatures, key management)

29
ISO 27002 Business continuity management -1-
  • To counteract interruptions to business
    activities and to protect critical business
    processes from the effects of major failures or
    disasters.
  • A business continuity management process should
    be implemented to reduce the disruption caused by
    disasters and security failures (which may be the
    result of, for example, natural disasters,
    accidents, equipment failures, and deliberate
    actions) to an acceptable level through a
    combination of preventative and recovery controls.

30
ISO 27002 Business continuity management -2-
  • The consequences of disasters, security failures
    and loss of service should be analyzed.
    Contingency plans should be developed and
    implemented to ensure that business processes can
    be restored within the required time-scales. Such
    plans should be maintained and practiced to
    become an integral part of all other management
    processes.
  • Business continuity management should include
    controls to identify and reduce risks, limit the
    consequences of damaging incidents, and ensure
    the timely resumption of essential operations.

31
ISO 27002 Compliance
  • Compliance with legal requirements
  • Data protection and privacy of personal
    information
  • Intellectual property rights (IPR)
  • Regulation of cryptographic controls
  • Compliance with security policy

32
ISO/IEC 27001:2005
  • Specifies the requirements for establishing,
    implementing, operating, monitoring, reviewing,
    maintaining and improving a documented
    Information Security Management System (ISMS)
    within the context of the organization's overall
    business risks.
  • May serve as a suitable basis for ISMS
    certification.

33
ISO/IEC 27001:2005
  • Contains requirements for the implementation of
    security controls customized to the needs of
    individual organizations or parts of them.
  • Contains requirements in a structure of
  • 11 control clauses that include
  • 39 control objectives
  • 133 controls

34
The PDCA model of ISO/IEC 27001

35
PLAN Establish the ISMS

36
Define the scope of ISMS (a.)
  • Definition of the boundaries of the ISMS in terms
    of the characteristics of:
  • the business,
  • the organization,
  • its location,
  • assets,
  • technology,
  • justified details of any exclusions from the
    scope.

37
Define an ISMS policy (b.)
  • Definition of an ISMS policy that:
  • includes a framework for setting objectives and
    establishes an overall sense of direction and
    principles for action with regard to information
    security
  • takes into account business and legal or
    regulatory requirements, and contractual security
    obligations
  • aligns with the organization's strategic risk
    management context in which the establishment and
    maintenance of the ISMS will take place
  • establishes criteria against which risk will be
    evaluated, and
  • has been approved by management.

38
Risk assessment (c.-d.-e.)
  • Risk assessment is the process of combining risk
    identification, risk analysis and risk
    evaluation.
  • ISO/IEC 13335-1:2004
  • The results of the risk assessment will help to
    guide and determine the appropriate management
    action and priorities for managing information
    security risks, and for implementing controls
    selected to protect against these risks.
  • ISO/IEC 27002:2005

39
Risk assessment (c.-d.-e.)
  • The three stages of risk assessment execution are:
  • Identify a risk assessment methodology that is
    suited to the ISMS, and the identified business
    information security, legal and regulatory
    requirements.
  • Develop criteria for accepting risks and identify
    the acceptable levels of risk.
  • Identify the risks (assets, threats,
    vulnerabilities, impacts)
  • Analyze and evaluate the risks (estimation of
    level of risks and evaluation whether they are
    acceptable or require treatment).

40
Risk Assessment activities
  • Risk assessment consists of the following
    activities:
  • Risk analysis, which comprises:
  • Risk identification
  • Risk estimation
  • Risk evaluation

41
Prepare Statement of Applicability (j.)
  • The Statement of Applicability shall include the
    following:
  • the control objectives and controls selected and
    the reasons for their selection
  • the control objectives and controls currently
    implemented, and
  • the exclusion of any control objectives and
    controls in Annex A and the justification for
    their exclusion.

42
DO Implement and Operate the ISMS (1)
  • Formulate a risk treatment plan that shall
    contain:
  • The method selected for treating the risk
  • What controls are in place
  • What additional controls are proposed
  • Time frame for controls implementation
  • Identified acceptable level of risk (and residual
    risk)
  • Implement the risk treatment plan in order to
    achieve the identified control objectives.
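The risk assessment stages of slides 38-40 (estimate, evaluate against acceptance criteria), the Statement of Applicability of slide 41 and the risk treatment plan of slide 42 are worked through below in an added Python example that is not part of the original presentation. The 1..5 impact and likelihood scales, the acceptance threshold of 6, the sample risks and the treatment decisions are constructed assumptions; the Annex A references are the ones quoted on the slides.

```python
from dataclasses import dataclass

# Constructed scales for this example: impact and likelihood are scored 1..5,
# risk level = impact x likelihood, and the (assumed) acceptance criterion is ACCEPTABLE_LEVEL.
ACCEPTABLE_LEVEL = 6


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact: int      # 1 negligible .. 5 severe
    likelihood: int  # 1 rare .. 5 almost certain

    def level(self, likelihood=None):
        """Risk estimation: impact x likelihood; pass a reduced likelihood for residual risk."""
        lk = self.likelihood if likelihood is None else likelihood
        if not (1 <= self.impact <= 5 and 1 <= lk <= 5):
            raise ValueError("impact and likelihood must be scored 1..5")
        return self.impact * lk


def evaluate(risk, acceptable=ACCEPTABLE_LEVEL):
    """Risk evaluation: True when the estimated level meets the acceptance criterion."""
    return risk.level() <= acceptable


def build_treatment_plan(risks, decisions, acceptable=ACCEPTABLE_LEVEL):
    """Risk treatment plan rows; decisions maps an unacceptable Risk to
    (method, controls_in_place, proposed_controls, time_frame, residual_likelihood).
    A residual level still above the criterion is flagged for management approval."""
    plan = []
    for r in risks:
        if evaluate(r, acceptable):
            plan.append({"risk": r, "method": "accept", "level": r.level(),
                         "residual": r.level(), "needs_approval": False})
            continue
        if r not in decisions:
            raise ValueError(f"unacceptable risk has no treatment decision: {r.asset}")
        method, in_place, proposed, when, residual_lk = decisions[r]
        residual = r.level(residual_lk)
        plan.append({"risk": r, "method": method, "level": r.level(),
                     "controls_in_place": in_place, "proposed_controls": proposed,
                     "time_frame": when, "residual": residual,
                     "needs_approval": residual > acceptable})
    return plan


def statement_of_applicability(plan):
    """Selected controls and the reason (the risk they treat) for their selection."""
    soa = {}
    for entry in plan:
        reason = f"{entry['risk'].threat} on {entry['risk'].asset}"
        for ctrl in entry.get("controls_in_place", []) + entry.get("proposed_controls", []):
            soa.setdefault(ctrl, set()).add(reason)
    return {ctrl: sorted(reasons) for ctrl, reasons in sorted(soa.items())}


# Constructed sample risks; the Annex A references are the ones quoted on the slides.
R_PASSWORD = Risk("HR database", "credential guessing", "weak user passwords", 4, 3)  # level 12
R_PRINTER = Risk("lobby printer", "paper jam", "ageing hardware", 1, 4)              # level 4
SAMPLE_RISKS = [R_PASSWORD, R_PRINTER]
SAMPLE_DECISIONS = {
    R_PASSWORD: ("mitigate", ["A.5.1 information security policy document"],
                 ["A.11.2.3 user password management", "A.11.2.1 password use"],
                 "next quarter", 1),
}
```

`build_treatment_plan(SAMPLE_RISKS, SAMPLE_DECISIONS)` yields one mitigated and one accepted row; feeding the plan to `statement_of_applicability` lists each selected control with the risk that justifies it.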

43
DO Implement and Operate the ISMS (2)
  • Implement controls selected to meet the control
    objectives.
  • Define how to measure the effectiveness of the
    selected controls.
  • Implement training and awareness programs.
  • Manage operation of the ISMS.
  • Manage resources for the ISMS.
  • Implement procedures and other controls capable
    of enabling prompt detection of security events
    and response to security incidents.

44
CHECK Monitor and review (1)
  • Execute monitoring and reviewing procedures and
    other controls to:
  • promptly detect errors
  • promptly identify attempted and successful
    security breaches and incidents
  • enable management to determine whether the
    security activities delegated to people or
    implemented by information technology are
    performing as expected,
  • help detect security events by the use of
    indicators, and
  • determine whether the actions taken to resolve a
    breach of security were effective.

45
CHECK Monitor and review (2)
  • Undertake regular reviews of the effectiveness of
    the ISMS.
  • Measure the effectiveness of controls to verify
    that security requirements have been met.
  • Review risk assessments at planned intervals and
    review the residual risks and the identified
    acceptable levels of risks, taking into account
    potential changes.
  • Conduct internal ISMS audits at planned
    intervals.
  • Update security plans to take into account the
    findings of monitoring and reviewing activities.
  • Record actions and events that could have an
    impact on the effectiveness or performance of the
    ISMS.

46
ACT Maintain and Improve the ISMS
  • The organization shall regularly:
  • Implement the identified improvements in the
    ISMS.
  • Take appropriate corrective and preventive
    actions
  • Apply the lessons learnt from the security
    experiences of other organizations and those of
    the organization itself.
  • Communicate the actions and improvements to all
    interested parties
  • Ensure that the improvements achieve their
    intended objectives.

47
Required documentation (1)
  • Documented statements of the ISMS policy and
    objectives
  • The scope of the ISMS
  • Procedures and controls in support of the ISMS
  • A description of the risk assessment methodology
  • The risk assessment report
  • The risk treatment plan

48
Required documentation (2)
  • Documented procedures needed by the organization
    to ensure the effective planning, operation and
    control of its information security processes and
    describe how to measure the effectiveness of
    controls
  • Records required by ISO/IEC 27001:2005, and
  • The Statement of Applicability (SOA).

49
Annex A - Control objectives and controls
  1. Security Policy
  2. Organizing Information Security
  3. Asset Management
  4. Human Resources Security
  5. Physical and Environmental Security
  6. Communications and Operations Management
  7. Access Control
  8. Information Systems Acquisition, Development and
    Maintenance
  9. Information Security Incident Management
  10. Business Continuity Management
  11. Compliance

50
Annex A - Control objectives and controls
Examples (1)
  • A.5 Security Policy
  • Objective: To provide management direction and
    support for information security in accordance
    with business requirements and relevant laws and
    regulations
  • A.5.1 Information security policy document
  • Control: An information security policy document
    shall be approved by management, and published
    and communicated to all employees and relevant
    external parties.

51
Annex A - Control objectives and controls
Examples (2)
  • A.11 Access control
  • A.11.2 User access management
  • Objective: To ensure authorized user access and
    to prevent unauthorized access to information
    systems
  • A.11.2 User responsibilities
  • Objective: To prevent unauthorized user access,
    and compromise or theft of information and
    information processing facilities
  • A.11.2.3 User password management
  • Control: The allocation of passwords shall be
    controlled through a formal management process
  • A.11.2.1 Password use
  • Control: Users shall be required to follow good
    security practices in the selection and use of
    passwords

52
Trends
  • More regulatory and legislative oversight.
  • Executive and board oversight of information
    security.
  • ISO27001/ISO27002 have become the de facto
    standard for information security programs.
  • ISO27000 series
  • ISO27000 Glossary
  • ISO27003 Implementation of ISMS
  • ISO27004 Measurement and metrics
  • ISO27005 Risk management
  • ISO27006 Accreditation guidelines
  • ISO27k to be continued
