ISO 17799 Security Standard: How Will It Fit with Other Standards?
Don Holden, CISSP-ISSMP
[email protected]
Concordant, Inc.
January 2006
Agenda
- Do We Need a Security Standard?
- History of ISO 17799
- New and Improved 17799
- A Certification Standard – 27001
- Benefits of Certification
- Other Security Standards
- Is There a Map for this Maize?
- A New Framework
- Other Sources
Concordant, Inc. | www.concordantinc.com
Why Standardization? Security Visibility among Business Partners
Source: NIST Presentation
Desired End State
Source: NIST Presentation
History of ISO 17799
- Began in 1989 as “User Code of Practice” (UK’s DTI)
- Became BS 7799 “Code of Practice for Information Security Management” in 1995
- Submitted to ISO but defeated
- Part 2 was added in 1998
- Revised in 1999 and Part 1 submitted to ISO for fast-track approval
- Opposed by other large countries but passed in 2000 as ISO 17799:2000
ISO 17799:2005 New and Improved
- Additions: 17 new controls, 8 new control objectives
- Deletions: 9 controls deleted
- Improvements: rewording for clarity, reformatting, relocating controls and text
ISO 17799 Reformatted Clauses (2000 clause -> 2005 clause)
Security Policy                    -> Security Policy
Security Organization              -> Organizing Information Security
Asset Classification & Control     -> Asset Management
Personnel Security                 -> Human Resource Security
Physical & Environmental Security  -> Physical & Environmental Security
Communications & Operations Mgt    -> Communications & Operations Mgt
Access Control                     -> Access Control
Systems Development & Maintenance  -> IS Acquisitions, Development & Maintenance
(no 2000 clause)                   -> IS Incident Management
Business Continuity Management     -> Business Continuity Management
Compliance                         -> Compliance
ISO 17799 Improvements
IS Management Systems Certification
- There have been no “ISO 17799 certifications”. ISO 17799 is a code of practice, with recommended controls, not a requirements specification.
- Certifications have been done for Information Security Management Systems using BS 7799 Part 2.
ISO 27001:2005 ISMS - Requirements
- The certification standard
  - Based on BS 7799-2002 Part 2
  - Aligned with ISO 9001 and ISO 14001 (EMS)
- Concepts in 27001
  - All activities must follow a process (PDCA)
  - Must specify security goals
  - Controls based on risk analysis
  - Choice of offered controls
  - Continuous verification process
  - Continuous improvement process
ISO 27001 ISMS Process Model
Source: ISO 27001:2005
Components of 27001
4 Information security management system
  4.1 General requirements
  4.2 Establishing and managing the ISMS
    4.2.1 Establish the ISMS
    4.2.2 Implement and operate the ISMS
    4.2.3 Monitor and review the ISMS
    4.2.4 Maintain and improve the ISMS
  4.3 Documentation requirements
    4.3.1 General
    4.3.2 Control of documents
    4.3.3 Control of records
5 Management responsibility
  5.1 Management commitment
  5.2 Resource management
    5.2.1 Provision of resources
    5.2.2 Training, awareness and competence
6 Internal ISMS audits
7 Management review of the ISMS
  7.1 General
  7.2 Review input
  7.3 Review output
8 ISMS improvement
  8.1 Continual improvement
Why Certify to 27001?
Some reasons for certifying:
- Meeting U.S. legislative requirements, directly and indirectly
- As part of a supplier management program
- As a measure of, and independent evidence that, industry best practices are being followed
- To reduce insurance premiums
- As part of a corporate governance program
- May offer competitive advantage
ISO 27000 Series: What’s Next
Provide guidance (not mandatory requirements) for 27001 processes (PDCA):
- Defining scopes for information security management systems
- Risk assessment
- Identification of assets
- Effectiveness of information security
Planned 27000 Series ISMS Framework
- 27000 (P) Fundamentals and Vocabulary
- 27001:2005 Requirements (PDCA)
- 27002 (P) Code of Practice (17799:2005)
- 27003 (P) Implementation Guidance (PDCA)
- 27004 (D) IS Metrics and Measurements
- 27005 (D) Risk Management
  - Supports 27001 certifications
  - Based upon BS 7799-3, ISMS Guidelines for Information Security Risk Management
ISMS Framework – 2700x
Potential standards:
- Monitoring and Review
- Internal Auditing
- Continual Improvement
ISO Subcommittee on Security: ISO/IEC JTC SC27
SC27 Working Group 1
- Management of ICT security (MICTS) risk - ISO/IEC 13335
- Code of practice for information security management - ISO/IEC 17799
- IT network security - ISO/IEC 18028
- Selection, deployment and operations of intrusion detection systems - ISO/IEC 18043
- Information security incident management - ISO/IEC 18044
- ISMS requirements specification - ISO 27001
- ISMS metrics and measurements - draft ISO 27004
  - Proposed inclusion of NIST 800-55 and CISWG Best Practices and Metrics
SC27 Working Group 2
- Digital signature schemes giving message recovery - ISO/IEC 9796
- Message authentication codes - ISO/IEC 9797
- Entity authentication - ISO/IEC 9798
- Modes of operation for an n-bit block cipher algorithm - ISO/IEC 10116
- Hash-functions - ISO/IEC 10118
- Key management - ISO/IEC 11770
- Digital signatures with appendix - ISO/IEC 14888
SC27 Working Group 3
- Cryptographic techniques based on elliptic curves - ISO/IEC 15946
- Time stamping services - ISO/IEC 18014
- Random bit generation - ISO/IEC 18031
- Prime number generation - ISO/IEC 18032
- Encryption algorithms - ISO/IEC 18033
- Data encapsulation mechanisms - ISO/IEC 19772
- Biometric template protection - ISO/IEC 24745
Mapping the Maize
Standards and guidelines that support ISO 17799
Mapping to 17799
Source: SC27/WG1 “WG1 Road Map” (SC27 N4476)
Security Standards Framework
Source: ISO/IEC SC27, SC27 Business Plan
Other ISO Security: TC 68 SC2 Banking Security
Some security standards:
- Message authentication
- Digital signatures
- Encryption techniques
- Protection profiles
- Security guidelines
- Biometrics
How Does the U.S. Participate?
- InterNational Committee for Information Technology Standards (INCITS): ANSI Technical Advisory Group for ISO/IEC JTC1
- INCITS is sponsored by the Information Technology Industry Council (ITI)
- Originally founded as Accredited Standards Committee X3
- INCITS Cyber Security 1 (CS1) formed in April 2005 for security standards
- CS1 working on a draft standard, “Implementation of Role-Based Access Controls”
Other Sources of Guidance
- NIST 800 Series Publications
- CISWG Best Practices and Metrics – Report to Congress
- PCI Data Security
- Technical Benchmarks: Center for Internet Security, NSA, NIST
- Vendor Security Recommendations
What Concordant Does
- IT infrastructure services for regulated industries
- Security services: Secure & Compliant
  - Assessment
  - Implementation/Remediation
  - Maintenance and Support
References
1. “Frequently Asked Questions”, ATSEC, http://www.atsec.com/01/index.php?id=06-0101-01
2. CISWG Report of the Best Practices and Metrics Team, http://www.cisecurity.org/Documents/BPMetricsTeamReportFinal111704Rev11005.pdf
3. INCITS CS1, www.ncits.org/tc_home/cs1.htm
4. ISO/IEC 13335-1:2004, Management of information and communications technology security — Part 1: Concepts and models for managing and planning ICT security.
5. ISO/IEC TR 13335-3:1998, Guidelines for the Management of IT Security — Part 3: Techniques for the management of IT security.
6. ISO/IEC TR 13335-4:2000, Guidelines for the Management of IT Security — Part 4: Selection of Safeguards.
7. ISO/IEC TR 18044:2004, Security techniques — Information Security Incident Management.
8. NIST SP 800-30, Risk Management Guide for Information Technology Systems.
9. Gamma Secure Systems Ltd, http://www.gammassl.co.uk/index.html
10. NIST Presentation “New FISMA Standards & Guidelines”, Ross, Don; Katzke, S.
11. OECD Guidelines for the Security of Information Systems and Networks — Towards a Culture of Security. Paris: OECD, July 2002. www.oecd.org