Title: ISO 17799 A Minimum Standard for Maximum Security BCHIMPS Spring Education Session March 15, 2002 Ros
ISO 17799: A Minimum Standard for Maximum Security
BCHIMPS Spring Education Session, March 15, 2002
Ross Fraser, Sextant Software
Agenda
- Information Security Mgmt
  - Goals
  - Context
  - Threats, Vulnerabilities, Risks
- ISO 17799
  - Rationale
  - History
  - Current Use
- Structure of 17799
- Steps to Implementation
- Limitations
- NHS ISO Toolkit
- Questions
Goals of Info Security Mgmt
Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation.
[Diagram: Information]
Context for Info Security Management
[Diagram: Confidentiality, Integrity and Availability, with Risk]
Threats, Risks & Vulnerabilities
[Diagram: Threats, Vulnerabilities and Risks against Integrity, Confidentiality and Availability]
Threats, Risks & Vulnerabilities
[Diagram: relationships among Threats, Vulnerabilities, Assets, Asset Values, Risk, Controls, Security Requirements and Impact on Organisation; edge labels: exploit, protect against, increase, expose, reduce, decrease, indicate, met by, have]
Security Controls
[Diagram: Threat, Attack, Vulnerability and Impact, with Deterrent, Preventative, Detective and Corrective Controls; edge labels: creates, reduces likelihood of, exploits, discovers, can trigger, results in, decreases, protects, reduces]
ISO 17799: What is it?
- A comprehensive set of controls comprising best practices in information security
- Basically an internationally recognised generic information security standard
- Purpose
  - It is intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used in industry and commerce
  - Facilitation of information flow in a trusted environment
ISO 17799-1 identifies 10 control objectives essential as a basis for an Information Security Management System, and includes 127 controls.
ISO 17799 History
- British Standards Institute (BSI)
  - formed in 1901
  - responsible for development of British industry policies and standards
  - supports over 3,000 technical committees
  - supports 16,000 standards projects
  - member of ISO and the European standards organisation (CEN)
- In the early 1990s, recognised the need for a practical guide for information security management
- A group of leading companies (BOC, BT, Marks & Spencer, Midland Bank, Nationwide Building Society, Shell, Unilever) combined to develop the Code of Practice for Information Security Management (now BS 7799 Part 1, Code of Practice)
  - published as BS 7799 version 1 in Feb 1995
- BS 7799 Part 2, Specification for Information Security Management Systems
  - commissioned by the UK government Dept. of Trade and Industry
  - published in Feb 1998
ISO 17799 History
- Early days (mid 1990s)
  - Other countries started to publish it as a national standard
    - Netherlands (SPE20003)
    - Australia/New Zealand (AS/NZS 4444)
    - Denmark and Sweden (SS627799)
  - Initially NOT widely embraced by industry, for various reasons
    - not flexible enough
    - simplistic key control approach
    - other more pressing issues (e.g. Y2K)
- Major revision of BS 7799
  - version 2 published in May 1999
  - formal certification and accreditation schemes launched the same year
  - support tools started to appear
  - fast-tracked as an ISO standard
  - published as an ISO standard, Dec 2000
ISO 17799 Current Status
- Today
  - Sudden uptake
    - many organizations quote intent
    - some well en route to certification
    - some organizations already certified through BS 7799
    - significant international take-up
    - massive increase in interest in the issue of security
- Why the change?
  - Companies doing e-business seek security assurance
  - Major consultancies have invested very heavily in training of certified auditors (potential major income generator)
    - consultants therefore act indirectly as sales agents
  - Improved quality of the standard
  - Y2K and other competing issues have been completed or scaled down
ISO 17799 Current Status
In a recent UK survey by Gamma Secure Systems, of the 673 organisations responding, 581 are pursuing BS 7799 certification. The survey results indicate an immediate need. Scope will encompass confidentiality, integrity and availability. Only 270 respondents already had an information security management system in place.
Structure of ISO 17799
[Diagram: ISO 17799 = ISO 17799-1, A Code of Best Practice, and BS 7799-2, Assessment Process for Certification]
Structure of ISO 17799
ISO 17799-1:1999 identifies 10 control objectives essential as a basis for an Information Security Management System, and includes 127 controls.
BS 7799-2:1999 contains 36 control objectives and 127 controls.
Not all the controls described will be relevant to every situation, nor can they take account of local environmental or technological constraints, or be present in a form that suits every potential user in an organisation.
Structure of ISO 17799
- ISO 17799 is based on assuring the integrity, availability and confidentiality of information assets.
- Assurance is attained through controls that management creates and maintains within the organisation.
- The ten key controls identified by BS 7799 for the implementation of a successful information security program are
  - a documented information security policy
  - allocation of information security responsibilities within the organization
  - information security education and training
  - security incident reporting and response
  - virus detection and prevention controls
  - business continuity planning
  - control of proprietary software copying
  - critical record management processes
  - protection of personal data (privacy)
  - periodic compliance reviews
Ten Key Controls of ISO 17799
[Diagram: the ten control areas arranged around Information (Integrity, Confidentiality, Availability)]
- Information Security Policy
- Security Organisation
- Asset Classification & Controls
- Personnel Security
- Physical Security
- Communications & Operations Mgmt
- Access Controls
- System Development & Maint.
- Bus. Continuity Planning
- Compliance
1. Security Policy
- Objective
  - To provide management direction and support for information security.
- Policy should cover
  - definition of information security
  - statement of management intent
  - allocation of responsibilities
  - scope
  - an explanation of specific applicable principles, standards and compliance requirements
  - an explanation of the process for reporting suspected security incidents
  - a defined review process for maintaining the policy
  - means for assessing the effectiveness of the policy, embracing cost and technological changes
  - nomination of the policy owner
2. Security Organisation
- Objective
  - To manage information security within the organisation
  - To maintain the security of organisational information processing facilities and information assets accessed by third parties
  - To maintain the security of information when the responsibility for information processing has been outsourced to another organisation.
- Subjects covered
  - setting up of a management forum (committee)
  - roles of the forum
  - allocation of security responsibilities
  - establishment of an authorisation process for new hardware and software purchases
  - 3rd party access to organisational data
  - steps needed to prevent and detect unauthorised access via 3rd party access
  - security requirements in outsourcing contracts
3. Asset Classification & Controls
- Objective
  - To maintain appropriate protection of corporate assets and to ensure that information assets receive an appropriate level of protection.
- Subjects covered
  - establishing an asset register for hardware, software and information
  - advice on classifying and labelling assets
  - NB: classifying and labelling assets is a prerequisite for a Threat/Risk Assessment
4. Personnel Security
- Objective
  - To reduce risks of human error, theft, fraud or misuse of facilities
  - To ensure that users are aware of information security threats and concerns and are equipped to support the corporate security policy in the course of their normal work
  - To minimise the damage from security incidents and malfunctions and learn from such incidents.
- Subjects covered
  - risks to data and systems from deliberate and accidental human action
    - user error
    - fraud
    - theft
  - making security responsibilities part of a formal job description
  - screening potential staff
  - training of staff in basic security awareness
  - establishing a security incident handling framework
5. Physical Policy
- Objective
  - To prevent unauthorised access, damage and interference to business premises and information
  - To prevent loss, damage or compromise of assets and interruption to business activities
  - To prevent compromise or theft of information and information processing facilities.
- Subjects covered
  - need to establish secure areas with physical entry controls
  - need to physically protect hardware equipment to prevent theft
  - need to protect network cabling from tampering
  - security of equipment taken off site or sent for disposal
6. Communications & Operations Mgmt
- Objective
  - To ensure the correct and secure operation of information processing facilities
  - To minimise the risk of systems failures
  - To protect the integrity of software and information
  - To maintain the integrity and availability of information processing and communication
  - To ensure the safeguarding of information in networks and the protection of the supporting infrastructure
  - To prevent damage to assets and interruptions to business activities
  - To prevent loss, modification or misuse of information exchanged between organisations.
6. Communications (cont.)
- Large section that deals with security for computer systems
- Explains main areas of risk, but stops short of explaining the technical measures necessary
- Subjects covered
  - viruses
  - malicious software
  - change control
  - backup
  - the keeping of accurate access logs
  - security of system documentation
  - disposal of media
  - protection and authentication of data during transfers and in transit
  - security of email
7. Access Controls
- Objective
  - To control access to information
  - To prevent unauthorised access to information systems
  - To ensure the protection of networked services
  - To prevent unauthorised computer access
  - To detect unauthorised activities
  - To ensure information security when using mobile computing and teleworking facilities.
- Subjects covered
  - access control and how it can be applied to different types of system
  - issue and usage of passwords
  - duress alarms
  - automatic terminal time-outs
  - physical access to terminals
  - software metering/monitoring
8. System Development & Maintenance
- Objective
  - To ensure security is built into operational systems
  - To prevent loss, modification or misuse of user data in application systems
  - To protect the confidentiality, authenticity and integrity of information
  - To ensure IT projects and support activities are conducted in a secure manner
  - To maintain the security of application system software and data.
- Subjects covered
  - acquisition of new systems and modification of existing ones
  - input data validation
  - data encryption
  - security of data files
  - protection of test data
  - procedures for software development and maintenance
  - configuration management
  - change control
  - protection of data
9. Business Continuity Planning
- Objective
  - To counteract interruptions to business activities and to critical business processes from the effects of major failures or disasters.
- Subjects covered
  - an overview of the case for a comprehensive business continuity plan, which should be designed, implemented, tested and maintained.
10. Compliance
- Objective
  - To avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations, and of any security requirements
  - To ensure compliance of systems with organisational security policies and standards
  - To maximise the effectiveness of, and to minimise interference to/from, the system audit process.
- Subjects covered
  - areas where an organisation needs to ensure that it complies with its legal and contractual obligations
    - contractual commitments (e.g. software licences)
    - intellectual property rights
Steps to Implementation
[Diagram]
Steps to Implementation (cont.)
[Diagram: BS 7799 Accreditation]
Output
[Diagram: ISO 17799]
Limitations
- Several countries objected to BS 7799 becoming an ISO standard
  - cultural insensitivity
  - competing ISO work: ISO TR 13335
    - technical report on IT security management, also known as GMITS (General Mgmt of IT Security)
  - some important areas of security currently missing
    - digital signatures and non-repudiation
  - no integration yet with ISO 15408 Common Criteria
- ISO/IEC JTC 1/SC 27 is actively reviewing objections and revising 17799 (revised edition expected shortly)
  - Canadian experts on SC 27 are actively participating in the review
Limitations
- Additional/supplementary standards
  - Canadian Handbook on Information Technology Security
    - developed by the Communications Security Establishment (CSE)
  - ISO TR 13335 General Mgmt of IT Security (GMITS)
  - ISO 15408 Common Criteria
    - document for evaluating and rating security products
  - ISO (D)TS 17090 Health Informatics Public Key Infrastructure
ISO 17799 NHS Toolkit for Healthcare Organisations
- Application that takes users through structured Q&A sessions
- Produces pre-formatted reports
  - ISO 17799 compliant security policy
  - inventory of information assets
  - selection of controls applied
  - gap analysis
Further Reading
- BSI documents (www.bsi.org.uk/index.xhtml)
  - Information Security Management: An Introduction (PD3000)
    - provides an overview of the scheme for accredited certification and forms a useful preface to the other guidance documents in the scheme
  - Guide to BS7799 Risk Assessment and Risk Management (PD3002)
    - describes the underlying concepts behind BS7799 risk assessment and risk management, including terminology and the process of assessing and managing risks
    - based on the ISO/IEC Guidelines for the Management of IT Security (GMITS)
  - Selecting BS7799 Controls (PD3005)
    - describes the process of selecting appropriate controls
Bug Me
Email: rossfraser_at_sextantsoftware.com
Phone: (416) 960-5872