IS Security Standards

Gurpreet Dhillon

Virginia Commonwealth University

© Dr. Gurpreet Dhillon. Do not reproduce without permission.

Importance of IS Security Standards

- IS security plays a vital role.
- IS security is only as strong as the weakest link.
- Confusing: a plethora of standards.
- How do we make sense of these standards?
- Which standard to adopt?


Classification of IS Security Standards

- Security development
- Security management
- Security evaluation
- Risk management


IS Security Life Cycle

Diagram (connections not recoverable from the transcript); nodes: Security Development, Security Management, Risk Management, Security Evaluation, Implementation, Changes.


Classification of IS Security Standards

- Security development: improvement and assessment of IS security-engineering capability.
- Security management: objectives or controls necessary for managing IS security.
- Security evaluation: examination and testing of the security features of an information system.
- Risk management: identification, analysis, control, and communication of the IS security risks to which an organization is exposed.


Security Development

Diagram; nodes: CMM, SE-CMM, SSE-CMM (ISO/IEC DIS 21827).

- Systems Security Engineering Capability Maturity Model (SSE-CMM).
- CMM and SE-CMM do not deal with IS security.


SSE-CMM

- Describes the essential characteristics of security engineering processes.
- Addresses the continuity, repeatability, efficiency, and assurance qualities required in the production and operation of secure systems and products.
- Scope: the entire secure system or product life cycle, the whole organization, and concurrent interactions with other organizations.
- Two dimensions:
  - Domain: "base practices" that collectively define security engineering.
  - Capability: "generic practices" that indicate process management and institutionalization capability.


Security Management

Diagram (timeline of security management standards): OECD Guidelines (1992); Code of Practice, UK DTI (1993); BS 7799 (1995); GASSP (1995); ISO/IEC TR 13335 (1996); ISO/IEC 17799 (2000); GAISP (2003).


ISO/IEC 17799: Code of Practice for Information Security Management

- A set of controls that are important for achieving the security objectives of an organization.
- The standard is organized into ten major sections. Each section addresses an area important for IS security and lists best practices, in the form of controls, for that particular area.
- 36 objectives and 127 controls.
- Guiding areas for implementing IS security: security policy, organizational security, personnel security, business continuity management, compliance.
- Other areas: asset classification & control, physical & environmental security, communications & operations management, access control, systems development & maintenance.


ISO/IEC TR 13335: Guidelines for the Management of IT Security (GMITS)

- A technical report that provides suggestions rather than prescribing practice.
- Scope: IT security, not information security.
- It comprises five parts:
  - Part 1: basic concepts and models for IT security.
  - Part 2: managing and planning IT security.
  - Part 3: techniques for the management of IT security.
  - Part 4: guidance on the selection of safeguards for the management of risk.
  - Part 5: management guidance on network security.


OECD Guidelines: Organization for Economic Cooperation and Development

- Recognizes the commonality of security requirements across various organizations.
- Developed an integrated approach outlined in the form of nine principles: accountability, awareness, ethics, multidisciplinary, proportionality, integration, timeliness, reassessment, equity.


GAISP: Generally Accepted Information Security Principles

- Documents information security principles that have been proven in practice and accepted by practitioners.
- GAISP is organized into three major sections that form a hierarchy:
  - Pervasive Principles: target organizational governance and executive management; outline the principles advocated in the OECD guidelines.
  - Broad Functional Principles: target management; describe the specific building blocks (what to do) that comprise the Pervasive Principles.
  - Detailed Principles: target the IS security professional; provide specific (how-to) guidance for implementing optimal IS security practices.


Security Evaluation

Diagram (lineage of evaluation criteria; arrows not recoverable from the transcript); nodes: TCSEC, Green Book, CTCPEC, ITSEC, MSFR, Federal Criteria, Common Criteria, ISO/IEC 15408.


TCSEC: Trusted Computer System Evaluation Criteria

- Addresses military security needs and policies.
- Focus: mainframe systems; protection of confidentiality.
- Four major sets of criteria: security policy, accountability, assurance, and documentation.
- TCSEC was "interpreted" for both networks and databases.


Green Book & CTCPEC

German Green Book
- Divides security requirements into functionality and assurance requirements.

Canadian Trusted Computer Product Evaluation Criteria (CTCPEC)
- Addresses complex systems.
- CTCPEC classifies the functionality and assurance requirements separately.
- Functional criteria comprise confidentiality, integrity, availability, and accountability.
- Assurance criteria are applied across the entire system.


Security Evaluation

Minimum Security Functional Requirements (MSFR)
- Follows ITSEC: separates the functionality and assurance criteria.
- Takes the Security Target approach.

Federal Criteria (FC)
- Focus: IT security.
- Introduces the Protection Profile: an implementation-independent set of functionality and assurance requirements for a category of products.
- Follows ITSEC's Security Target approach.


ITSEC: Information Technology Security Evaluation Criteria

- ITSEC identifies the Target of Evaluation (TOE) as either a system or a product.
- Evaluation factors of a TOE: correctness and effectiveness.
- Evaluation of correctness: examines the correct implementation of security functions and mechanisms.
- Evaluation of effectiveness: examines the compatibility of the security mechanisms with the stated security objectives.
- The TOE's functionality suitability and integration, the consequences of vulnerabilities, and ease of use are also evaluated.


Common Criteria (CC)

- CC v2.1 was published in 1999 and adopted as ISO/IEC IS 15408.
- CC is organized into three parts:
  - Introduction and General Model: introduces the general model and concepts of IT security evaluation. Three types of security requirement constructs are defined: Package, Protection Profile, and Security Target. Follows ITSEC: separates the functionality and assurance requirements.
  - Security Functional Requirements: addresses the functional requirements of security.
  - Standardized Security Assurance Requirements: defines the criteria for evaluating Protection Profiles, Security Targets, and TOEs (targets of evaluation).


ISO/IEC IS 15408: Evaluation Criteria for IT Security (ECITS)

- ECITS is organized into three parts: model, functionality classes, and assurance.
- Influenced by:
  - ITSEC: separates the functionality and assurance criteria.
  - CTCPEC: functionality classes.
- ECITS also addresses privacy protection; it identifies four functional privacy families: anonymity, pseudonymity, unlinkability, and unobservability.


Risk Management

Diagram; nodes: ISO/IEC TR 13335 Part 3, ISO/IEC TR 13335 Part 4, NIST Special Publication 800-30, Risk Management.


Risk Management

ISO/IEC TR 13335
- Part 4: provides the guidelines for the selection of safeguards for risk management.
- Part 3: outlines and provides an interpretation of the risk assessment principles.

NIST Special Publication 800-30: Risk Management Guide for IT Systems
- A national-level standard for the US.
- Provides an outline of risk management and risk assessment.
- The risk mitigation process is associated with the selection of cost-effective security controls.
- Stresses continuing risk evaluation and assessment.
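The slide names the three issues of risk management (threat, vulnerability, impact) and the two activities the NIST guide stresses: selecting cost-effective controls, then reassessing. The following Python is an added example, not part of Dhillon's slides or of any standard's text: it scores a constructed risk register as likelihood x impact, picks controls greedily by risk reduction per unit cost within a budget, and recomputes the residual risk afterwards. The numeric weights for the likelihood and impact scales are an assumption modelled on the qualitative 3x3 matrix in NIST SP 800-30; the risks, controls and costs are constructed sample data.

```python
"""Worked risk assessment and cost-effective control selection (added example)."""
from dataclasses import dataclass

# Qualitative scales. The numeric weights are an ASSUMPTION modelled on the
# 3x3 likelihood/impact matrix in NIST SP 800-30; tune them for your own
# organization rather than treating them as authoritative.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


@dataclass(frozen=True)
class Risk:
    threat: str         # threat source/action, e.g. "phishing"
    vulnerability: str  # weakness the threat exploits
    asset: str
    likelihood: str     # key into LIKELIHOOD
    impact: str         # key into IMPACT

    def score(self) -> float:
        """Risk = likelihood x impact (the risk determination step)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self) -> str:
        """Map the numeric score back onto the qualitative risk scale."""
        s = self.score()
        return "high" if s > 50 else "medium" if s > 10 else "low"


@dataclass(frozen=True)
class Control:
    name: str
    cost: float          # annualised cost in constructed units
    mitigates: str       # threat whose likelihood this control reduces
    new_likelihood: str  # likelihood once the control is in place


def risk_reduction(risk: Risk, control: Control) -> float:
    """How much one control lowers one risk's score (0 if unrelated)."""
    if control.mitigates != risk.threat:
        return 0.0
    after = LIKELIHOOD[control.new_likelihood] * IMPACT[risk.impact]
    return max(0.0, risk.score() - after)


def select_controls(risks, controls, budget):
    """Risk mitigation: greedy pick of controls by risk reduction per unit cost,
    skipping controls that buy no reduction, until the budget is exhausted."""
    ranked = []
    for c in controls:
        reduction = sum(risk_reduction(r, c) for r in risks)
        if reduction > 0:
            ranked.append((reduction / c.cost, c))
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    chosen, spent = [], 0.0
    for _, c in ranked:
        if spent + c.cost <= budget:
            chosen.append(c)
            spent += c.cost
    return chosen, spent


def residual_risks(risks, chosen):
    """Re-run the assessment with the chosen controls applied: the continuing
    evaluation the guide stresses. Risk is reassessed, not closed."""
    out = []
    for r in risks:
        best = r.likelihood
        for c in chosen:
            if c.mitigates == r.threat and LIKELIHOOD[c.new_likelihood] < LIKELIHOOD[best]:
                best = c.new_likelihood
        out.append(Risk(r.threat, r.vulnerability, r.asset, best, r.impact))
    return out


# Constructed sample register and control catalogue (not from the slides).
RISKS = [
    Risk("phishing", "no MFA on webmail", "mail", "high", "high"),
    Risk("ransomware", "unpatched file server", "file server", "medium", "high"),
    Risk("laptop theft", "no disk encryption", "laptops", "medium", "medium"),
    Risk("insider data leak", "no DLP", "customer DB", "low", "high"),
]
CONTROLS = [
    Control("mfa", 20, "phishing", "low"),
    Control("patching", 30, "ransomware", "low"),
    Control("disk-encryption", 10, "laptop theft", "low"),
    Control("dlp", 60, "insider data leak", "low"),  # likelihood already low: no gain
]


def run_example(budget: float = 50):
    """Assess, mitigate within budget, reassess; returns a summary dict."""
    chosen, spent = select_controls(RISKS, CONTROLS, budget)
    after = residual_risks(RISKS, chosen)
    return {
        "chosen": [c.name for c in chosen],
        "spent": spent,
        "before": sum(r.score() for r in RISKS),
        "after": sum(r.score() for r in after),
        "levels_after": [r.level() for r in after],
    }


if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.threat:18} {r.score():6.1f} {r.level()}")
    print(run_example())
```

With a budget of 50 the greedy pass takes MFA and disk encryption (the best reduction per unit cost) and has to leave patching out, so the ransomware risk stays at medium in the residual register; the DLP control is never ranked because the risk it addresses is already at the low likelihood it would produce. That residual register is the input to the next assessment cycle.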


IS Security Standards Framework

| Category | Definition | Issues | Standard | Approach/Need |
|---|---|---|---|---|
| Security Development | Improvement and assessment of IS security-engineering capability | Continuity, repeatability, efficiency, assurance | ISO/IEC DIS 21827 | Security engineering process, assurance process, risk process |
| Security Management | Objectives or controls necessary for managing IS security | Confidentiality, integrity, availability; responsibility, integrity, trust, ethicality | ISO/IEC 17799 | Security policy, organizational security, personnel security, business continuity management, compliance |
| Security Evaluation | Examination and testing of the security features of an information system | Effectiveness, correctness | ISO/IEC IS 15408 | Functionality requirements, assurance requirements, privacy protection |
| Risk Management | Identification, analysis, control, and communication of the IS security risks to which an organization is exposed | Threat, vulnerability, impact | ISO/IEC TR 13335 Part 3 and Part 4 | Need: risk assessment, risk analysis, and risk mitigation in terms of IS security |


Integrated Model

Diagram (connections not recoverable from the transcript); nodes: Security Management, Security Evaluation, Security Development, Risk Management.