IS Security Standards
Gurpreet Dhillon
Virginia Commonwealth University
© Dr. Gurpreet Dhillon. Do not reproduce without permission.
Importance of IS Security Standards
IS security plays a vital role.
IS security is only as strong as the weakest link.
Confusing: a plethora of standards. How do we make sense of these standards? Which standard should be adopted?
Classification of IS Security Standards
Security development, security management, security evaluation, risk management.
IS Security Life Cycle
Diagram elements: Security Development, Security Management, Risk Management, Security Evaluation, Implementation, Changes.
Classification of IS Security Standards
Security development: improvement and assessment of IS security-engineering capability.
Security management: objectives or controls necessary for managing IS security.
Security evaluation: examination and testing of the security features of an information system.
Risk management: identification, analysis, control, and communication of IS security risks to which an organization is exposed.
Security Development
Diagram elements: CMM, SE-CMM, SSE-CMM (ISO/IEC DIS 21827).
Systems Security Engineering Capability Maturity Model (SSE-CMM). CMM and SE-CMM do not deal with IS security.
SSE-CMM
Describes essential characteristics of security engineering processes.
Addresses the continuity, repeatability, efficiency, and assurance qualities required in the production and operation of secure systems and products.
Scope: the entire secure system or product life cycle, the whole organization, and concurrent interactions with other organizations.
Two dimensions:
Domain: "base practices" that collectively define security engineering.
Capability: "generic practices" that indicate process management and institutionalization capability.
Security Management
Timeline of standards: OECD Guidelines (1992), UK DTI Code of Practice (1993), BS 7799 (1995), GASSP (1995), ISO/IEC TR 13335 (1996), ISO/IEC 17799 (2000), GAISP (2003).
ISO/IEC 17799: Code of Practice for Information Security Management
A set of controls that are important for achieving the security objectives of an organization.
The standard is organized into ten major sections. Each section addresses an area important for IS security and lists best practices in the form of controls for that particular area.
36 objectives and 127 controls.
Guiding areas for implementing IS security: security policy, organizational security, personnel security, business continuity management, compliance.
Other areas: asset classification and control, physical and environmental security, communications and operations management, access control, systems development and maintenance.
ISO/IEC TR 13335: Guidelines for the Management of IT Security (GMITS)
A technical report that provides suggestions rather than prescribing practice.
Scope: IT security, not information security. It comprises five parts.
Part 1: basic concepts and models for IT security.
Part 2: managing and planning IT security.
Part 3: techniques for the management of IT security.
Part 4: guidance on the selection of safeguards for the management of risk.
Part 5: management guidance on network security.
OECD Guidelines: Organization for Economic Cooperation and Development
Recognizes the commonality of security requirements across various organizations.
Developed an integrated approach outlined in the form of nine principles: accountability, awareness, ethics, multidisciplinary, proportionality, integration, timeliness, reassessment, equity.
GAISP: Generally Accepted Information Security Principles
Documents information security principles that have been proven in practice and accepted by practitioners.
GAISP is organized into three major sections that form a hierarchy.
Pervasive Principles: target organizational governance and executive management; outline the principles advocated in the OECD guidelines.
Broad Functional Principles: target management; describe the specific building blocks (what to do) that comprise the Pervasive Principles.
Detailed Principles: target the IS security professional; provide specific (how to) guidance for implementing optimal IS security practices.
Security Evaluation
Diagram elements: TCSEC, Green Book, MSFR, Federal Criteria, CTCPEC, ITSEC, Common Criteria, ISO/IEC 15408.
TCSEC: Trusted Computer System Evaluation Criteria
Addresses military security needs and policies.
Focus: mainframe systems; protection of confidentiality.
Four major sets of criteria: security policy, accountability, assurance, and documentation.
TCSEC was "interpreted" for both networks and databases.
Green Book and CTCPEC
German Green Book: division of security requirements into functionality and assurance requirements.
Canadian Trusted Computer Product Evaluation Criteria (CTCPEC): addresses complex systems.
CTCPEC classifies the functionality and assurance requirements separately.
Functional criteria comprise confidentiality, integrity, availability, and accountability.
Assurance criteria are applied across the entire system.
Security Evaluation
Minimum Security Functional Requirements (MSFR): follows ITSEC; separates the functionality and assurance criteria; takes the Security Target approach.
Federal Criteria (FC): focus on IT security. Introduces the Protection Profile: an implementation-independent set of functionality and assurance requirements for a category of products. Follows ITSEC's Security Target approach.
ITSEC: Information Technology Security Evaluation Criteria
ITSEC identifies the Target of Evaluation (TOE) as either a system or a product.
Evaluation factors of the TOE: correctness and effectiveness.
Evaluation of correctness: examines the correct implementation of security functions and mechanisms.
Evaluation of effectiveness: examines the compatibility of the security mechanisms with the stated security objectives.
The TOE's functionality suitability and integration, the consequences of vulnerabilities, and ease of use are also evaluated.
Common Criteria (CC)
CC v2.1 was published in 1999 and adopted as ISO/IEC IS 15408. CC is organized into three parts.
Introduction and General Model: introduces the general model and concepts of IT security evaluation. Three types of security requirement constructs are defined: Package, Protection Profile, and Security Target. Follows ITSEC: separates the functionality and assurance requirements.
Security Functional Requirements: addresses the functional requirements of security.
Standardized Security Assurance Requirements: defines the criteria for evaluating Protection Profiles, Security Targets, and TOEs (targets of evaluation).
ISO/IEC IS 15408: Evaluation Criteria for IT Security (ECITS)
ECITS is organized into three parts: model, functionality classes, and assurance.
Influenced by ITSEC (separates the functionality and assurance criteria) and CTCPEC (functionality classes).
ECITS also addresses privacy protection; it identifies four functional privacy families: anonymity, pseudonymity, unlinkability, and unobservability.
Risk Management
Diagram elements: ISO/IEC TR 13335 Part 3, ISO/IEC TR 13335 Part 4, NIST Special Publication 800-30, Risk Management.
Risk Management
ISO/IEC TR 13335. Part 3: outlines and provides an interpretation of the risk assessment principles. Part 4: provides the guidelines for the selection of safeguards for risk management.
NIST Special Publication 800-30: Risk Management Guide for IT Systems
A national-level standard for the US. Provides an outline of risk management and risk assessment. The risk mitigation process is associated with the selection of cost-effective security controls. Stresses continuing risk evaluation and assessment.
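The slides describe risk management as identification and analysis of threat, vulnerability and impact, followed by mitigation through cost-effective controls and continuing reassessment. The script below is an added illustration of that cycle, not NIST's or ISO's own method: the likelihood and impact scales, the risks, the controls and their costs are all constructed sample data, and the greedy "most risk reduced per unit of cost within a budget" selection rule is an assumption chosen for the example.

```python
"""Toy risk assessment and cost-effective control selection (added example,
not code from the slides; scales, risks and controls are constructed)."""
from dataclasses import dataclass

# Constructed ordinal scales: likelihood is a probability weight, impact a loss score.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


@dataclass(frozen=True)
class Risk:
    name: str
    threat: str          # who or what could cause harm
    vulnerability: str   # the weakness the threat could exploit
    likelihood: str      # key into LIKELIHOOD
    impact: str          # key into IMPACT


@dataclass(frozen=True)
class Control:
    name: str
    cost: float
    # risk name -> (likelihood level, impact level) the control brings that risk down to
    reduces: dict


def risk_level(score: float) -> str:
    """Map a numeric risk score onto a three-level rating (thresholds are constructed)."""
    if score >= 50:
        return "high"
    if score >= 10:
        return "medium"
    return "low"


def residual_scores(risks, controls):
    """Risk score per risk after applying the given controls.

    For each risk dimension the strongest reduction wins, so overlapping
    controls never make a risk look worse than the best single control does."""
    current = {r.name: (r.likelihood, r.impact) for r in risks}
    for c in controls:
        for rname, (lik, imp) in c.reduces.items():
            cur_lik, cur_imp = current[rname]
            current[rname] = (min(cur_lik, lik, key=LIKELIHOOD.get),
                              min(cur_imp, imp, key=IMPACT.get))
    return {n: LIKELIHOOD[l] * IMPACT[i] for n, (l, i) in current.items()}


def total_risk(risks, controls=()):
    return sum(residual_scores(risks, controls).values())


def select_controls(risks, candidates, budget):
    """Greedy mitigation: repeatedly add the affordable control that removes the
    most risk per unit of cost, measured against the risk that is still left."""
    chosen, remaining, spent = [], list(candidates), 0.0
    while True:
        base = total_risk(risks, chosen)
        best, best_ratio = None, 0.0
        for c in remaining:
            if spent + c.cost > budget:
                continue
            reduction = base - total_risk(risks, chosen + [c])
            ratio = reduction / c.cost
            if ratio > best_ratio:
                best, best_ratio = c, ratio
        if best is None:          # nothing affordable still reduces risk
            return chosen
        chosen.append(best)
        remaining.remove(best)
        spent += best.cost


# Constructed sample register (not from the slides).
RISKS = [
    Risk("web-sqli", "external attacker", "unvalidated input in web app", "high", "high"),
    Risk("laptop-loss", "theft", "unencrypted laptop disks", "medium", "high"),
    Risk("backup-fail", "hardware failure", "untested restore procedure", "medium", "medium"),
    Risk("tailgating", "visitor", "unmanned reception", "low", "low"),
]
CONTROLS = [
    Control("Parameterised queries", 20.0, {"web-sqli": ("low", "high")}),
    Control("Full-disk encryption", 15.0, {"laptop-loss": ("medium", "low")}),
    Control("Restore drills", 10.0, {"backup-fail": ("low", "medium")}),
    Control("Badge readers", 30.0, {"tailgating": ("low", "low")}),
]

if __name__ == "__main__":
    print("initial total risk:", total_risk(RISKS))
    plan = select_controls(RISKS, CONTROLS, budget=40.0)
    print("selected:", [c.name for c in plan])
    for name, score in residual_scores(RISKS, plan).items():
        print(f"  {name:12s} {score:6.1f} {risk_level(score)}")
    print("residual total risk:", total_risk(RISKS, plan))
```

Rerunning `select_controls` after the register changes (a new threat, a control that turned out weaker than assumed) is the "continuing evaluation" step: the plan is recomputed from the current risk picture rather than fixed once. The scoring is deliberately coarse; the point is the structure of the cycle, not the particular numbers.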
IS Security Standards Framework

Category | Definition | Issues
Security Development | Improvement and assessment of IS security-engineering capability | Continuity, Repeatability, Efficiency, Assurance
Security Management | Objectives or controls necessary for managing IS security | Confidentiality, Integrity, Availability, Responsibility, Integrity, Trust, Ethicality
Security Evaluation | Examination and testing of the security features of an information system | Effectiveness, Correctness
Risk Management | Identification, analysis, control, and communication of IS security risks to which an organization is exposed | Threat, Vulnerability, Impact

Standard | Approach/Need
ISO/IEC DIS 21827 | Security engineering process, Assurance process, Risk process
ISO/IEC 17799 | Security policy, organizational security, personnel security, business continuity management, compliance
ISO/IEC IS 15408 | Functionality requirements, Assurance requirements, Privacy protection
ISO/IEC TR 13335 Part 3 and Part 4 | Need: Risk assessment, Risk analysis, and Risk mitigation in terms of IS security