ISO 17799 A Minimum Standard for Maximum Security BCHIMPS Spring Education Session March 15, 2002 Ros

1
ISO 17799: A Minimum Standard for Maximum Security
BCHIMPS Spring Education Session, March 15, 2002
Ross Fraser, Sextant Software
2
Agenda
  • Information Security Mgmt
  • Goals
  • Context
  • Threats, Vulnerabilities, Risks
  • ISO 17799
  • Rationale
  • History
  • Current Use
  • Structure of 17799
  • Steps to Implementation
  • Limitations
  • NHS ISO Toolkit
  • Questions

3
Goals of Info Security Mgmt

Information can exist in many forms. It can be
printed or written on paper, stored
electronically, transmitted by post or using
electronic means, shown on films, or spoken in
conversation.
4
Context for Info Security Management
[Diagram: Integrity, Confidentiality, Availability and Risk]
5
Threats, Risks & Vulnerabilities
[Diagram: Threats, Vulnerabilities and Risks set against Integrity, Confidentiality and Availability]
6
Threats, Risks & Vulnerabilities
[Diagram of the relationships among Threats, Vulnerabilities, Assets, Asset Values, Risk, Controls, Security Requirements and Impact on Organisation; arrow labels: Exploit, Protect against, Increase, Expose, Reduce, Decrease, Indicate, Met by, Have]
7
Security Controls
[Diagram: Threat, Attack, Vulnerability and Impact linked to Deterrent, Preventative, Detective and Corrective controls; arrow labels: Creates, Reduces Likelihood of, Exploits, Discovers, Can trigger, Results in, Decreases, Protects, Reduces]
9
ISO 17799 What is it?
  • A comprehensive set of controls comprising best
    practices in information security
  • Basically an internationally recognised generic
    information security standard
  • Purpose
  • It is intended to serve as a single reference
    point for identifying a range of controls needed
    for most situations where information systems are
    used in industry and commerce
  • Facilitation of information flow in a trusted
    environment

ISO 17799-1 identifies 10 control objectives
essential as a basis for an Information Security
Management System, comprising 127 controls.
10
ISO 17799 History
  • British Standards Institute (BSI)
  • formed in 1901
  • responsible for development of British industry
    policies
  • and standards
  • supports over 3,000 technical committees
  • Supports 16,000 standards projects.
  • Member of ISO and of the European standards
    organization (CEN)
  • In early 1990s, recognized need for a practical
    guide for information security management
  • Group of leading companies (BOC, BT, Marks &
    Spencer, Midland Bank, Nationwide Building
    Society, Shell, Unilever) combined to develop the
    Code of Practice for Information Security
    Management (now BS 7799 Part 1 Code of Practice)
  • Published as BS7799 version 1 in Feb 1995
  • BS 7799 Part 2 Specification for Information
    Security Management Systems
  • commissioned by UK govt Dept. of Trade and
    Industry
  • published in Feb 1998.

11
ISO 17799 History
  • Early Days (mid 1990s)
  • Other countries started to publish it as a national
    standard
  • Netherlands (SPE20003)
  • Australia/New Zealand (AS/NZS 4444)
  • Denmark and Sweden (SS627799)
  • Initially NOT widely embraced by industry, for
    various reasons
  • not flexible enough
  • simplistic key control approach
  • other more pressing issues (eg Y2K)
  • Major revision of BS7799
  • version 2 published in May 1999
  • formal certification and accreditation schemes
    launched same year
  • support tools started to appear
  • fast tracked as an ISO standard
  • published as ISO standard, Dec 2000

12
ISO 17799 Current Status
  • Today
  • Sudden uptake
  • - many organizations quote intent
  • - some well on route to certification
  • - some organizations already certified through
    BS7799
  • - significant international take-up
  • - massive increase in interest in the issue of
    security
  • Why the Change?
  • Companies doing e-business seek security
    assurance
  • Major consultancies have invested very heavily in
    training of certified auditors (potential major
    income generator)
  • - consultants therefore act indirectly as sales
    agents
  • Improved quality of the standard
  • Y2K and other competing issues have been
    completed or scaled down

13
ISO 17799 Current Status
In a recent UK survey by Gamma Secure Systems, of the
673 organisations responding, 581 are pursuing BS
7799 certification. Survey results indicate an
immediate need. Scope will encompass
confidentiality, integrity and availability.
Only 270 respondents already had an info
security management system in place.
15
Structure of ISO 17799
ISO 17799-1: A Code of Best Practice
BS 7799-2: Assessment Process for Certification
16
Structure of ISO 17799
ISO 17799-1:1999 identifies 10 control objectives
essential as a basis for an Information Security
Management System; it includes 127 controls.
BS 7799-2:1999 contains 36 control
objectives and 127 controls.
Not all the controls described will be relevant
to every situation, nor can they take account of
local environmental or technological constraints,
or be present in a form that suits every
potential user in an organisation.
17
Structure of ISO 17799
  • ISO 17799 based on assuring integrity,
    availability, and confidentiality of information
    assets.
  • Assurance is attained through controls that
    management creates and maintains within the
    organisation.
  • Ten key controls identified by BS 7799 for the
    implementation of a successful information
    security program are
  • A documented information security policy
  • Allocation of information security
    responsibilities within the organization
  • Information security education and training
  • Security incident reporting and response
  • Virus detection and prevention controls
  • Business continuity planning
  • Control of proprietary software copying
  • Critical record management processes
  • Protection of personal data (privacy)
  • Periodic compliance reviews

18
Ten Key Controls of ISO 17799
[Diagram: the ten control areas arranged around Information and its Integrity, Confidentiality and Availability]
  • Information Security Policy
  • Security Organisation
  • Asset Classification & Controls
  • Personnel Security
  • Physical Security
  • Communication & Operations Mgmt
  • Access Controls
  • System Development & Maint.
  • Bus. Continuity Planning
  • Compliance
19
1. Security Policy
  • Objective
  • To provide management direction and support for
    information security.
  • Policy should cover
  • definition of information security
  • statement of management intent
  • allocation of responsibilities
  • scope
  • an explanation of specific applicable principles,
    standards and compliance requirements
  • an explanation of the process for reporting of
    suspected security incidents
  • a defined review process for maintaining the
    policy
  • means for assessing the effectiveness of the
    policy, embracing cost and technological changes
  • nomination of the policy owner

20
2. Security Organisation
  • Objective
  • To manage information security within the
    organisation
  • To maintain the security of organisational
    information processing facilities and information
    assets accessed by third parties
  • To maintain the security of information when the
    responsibility for information processing has
    been outsourced to another organisation.
  • Subjects covered
  • setting up of a management forum (committee)
  • roles of the forum
  • allocation of security responsibilities
  • establishment of an authorisation process for new
    hardware and software purchases.
  • 3rd party access to organisational data
  • steps needed to prevent and detect unauthorised
    access via 3rd party access
  • security requirements in outsourcing contracts

21
3. Asset Classification Controls
  • Objective
  • To maintain appropriate protection of corporate
    assets and to ensure that information assets
    receive an appropriate level of protection.
  • Subjects covered
  • establishing an asset register for hardware,
    software and information
  • advice on classifying and labelling assets
  • NB Classifying and labelling assets is a
    pre-requisite for a Threat/Risk Assessment

22
4. Personnel Security
  • Objective
  • To reduce risks of human error, theft, fraud or
    misuse of facilities
  • To ensure that users are aware of information
    security threats and concerns and are equipped to
    support the corporate security policy in the
    course of their normal work
  • To minimise the damage from security incidents
    and malfunctions and learn from such incidents.
  • Subjects covered
  • risks to data and systems by deliberate or
    accidental human action
  • user error
  • fraud
  • theft
  • making security responsibilities part of a formal
    job description
  • screening potential staff
  • training of staff in basic security awareness
  • establishing security incident handling framework

23
5. Physical Policy
  • Objective
  • To prevent unauthorised access, damage and
    interference to business premises and
    information
  • To prevent loss, damage or compromise of assets
    and interruption to business activities
  • To prevent compromise or theft of information and
    information processing facilities.
  • Subjects covered
  • need to establish secure areas with physical
    entry controls
  • need to physically protect hardware equipment to
    prevent theft
  • need to protect network cabling from tampering
  • security of equipment taken off site or sent for
    disposal

24
6. Communications & Operations Mgmt
  • Objective
  • To ensure the correct and secure operation of
    information processing facilities
  • To minimise the risk of systems failures
  • To protect the integrity of software and
    information
  • To maintain the integrity and availability of
    information processing and communication
  • To ensure the safeguarding of information in
    networks and the protection of the supporting
    infrastructure
  • To prevent damage to assets and interruptions to
    business activities
  • To prevent loss, modification or misuse of
    information exchanged between organisations.

25
6. Communications (cont.)
  • Large section that deals with security for
    computer systems
  • Explains main areas of risk, but stops short of
    explaining technical measures necessary
  • Subjects covered
  • Viruses
  • Malicious software
  • Change control
  • Backup
  • The keeping of accurate access logs
  • Security of system documentation
  • Disposal of media
  • Protection and authentication of data during
    transfers and in transit
  • Security of Email

26
7. Access Controls
  • Objective
  • To control access to information
  • To prevent unauthorised access to information
    systems
  • To ensure the protection of networked services
  • To prevent unauthorised computer access
  • To detect unauthorised activities
  • To ensure information security when using mobile
    computing and tele-networking facilities.
  • Subjects covered
  • access control and how it can be applied to
    different types of system
  • issue and usage of passwords
  • duress alarms
  • automatic terminal time outs
  • physical access to terminals
  • software metering/monitoring

27
8. System Development & Maintenance
  • Objective
  • To ensure security is built into operational
    systems
  • To prevent loss, modification or misuse of user
    data in application systems
  • To protect confidentiality, authenticity and
    integrity of info
  • To ensure IT projects and support activities are
    conducted in a secure manner
  • To maintain security of application system
    software and data.
  • Subjects covered
  • acquisition of new systems and modification of
    existing ones
  • input data validation
  • data encryption
  • security of data files
  • protection of test data.
  • procedures for software development and
    maintenance
  • configuration management
  • change control
  • protection of data

28
9. Business Continuity Planning
  • Objective
  • To counteract interruptions to business
    activities and to critical business processes
    from the effects of major failures or disasters.
  • Subjects covered
  • an overview of the case for a comprehensive
    business continuity plan which should be
    designed, implemented, tested and maintained.

29
10. Compliance
  • Objective
  • To avoid breaches of any criminal or civil law,
    statutory, regulatory or contractual obligations
    and of any security requirements
  • To ensure compliance of systems with
    organisational security policies and standards
  • To maximise the effectiveness of and to minimise
    interference to/from the system audit process.
  • Subjects covered
  • areas where an organisation needs to ensure that
    it complies with its legal and contractual
    obligations
  • Contractual commitments (e.g. software licenses)
  • intellectual property rights

31
Steps to Implementation
[Diagram]
32
Steps to Implementation (cont.)
[Diagram: BS 7799 Accreditation]
33
Output
[Diagram: ISO 17799]
Agenda
  • Information Security Mgmt
  • Goals
  • Context
  • Threats, Vulnerabilities, Risks
  • ISO 17799
  • Rationale
  • History
  • Current Use
  • Structure of 17799
  • Steps to Implementation
  • Limitations
  • NHS ISO Toolkit
  • Questions

35
Limitations
  • Several countries objected to BS 7799 becoming an
    ISO standard
  • cultural insensitivity
  • competing ISO work ISO TR 13335
  • technical report on IT security management also
    known as GMITS (General Mgmt of IT Security)
  • some important areas of security currently
    missing
  • digital signatures and non-repudiation
  • no integration yet with ISO 15408 Common
    Criteria
  • ISO/IEC JTC 1 SC 27 is actively reviewing objections
    and revising 17799 (revised edition expected
    shortly)
  • Canadian experts on SC 27 are actively
    participating in review

36
Limitations
  • Additional/supplementary standards
  • Canadian Handbook on Information Technology
    Security
  • developed by the Communications Security
    Establishment (CSE)
  • ISO TR 13335 General Mgmt of IT Security (GMITS)
  • ISO 15408 Common Criteria
  • document for evaluating and rating security
    products
  • ISO (D)TS 17090 Health Informatics Public Key
    Infrastructure

37
Agenda
  • Information Security Mgmt
  • Goals
  • Context
  • Threats, Vulnerabilities, Risks
  • ISO 17799
  • Rationale
  • History
  • Current Use
  • Structure of 17799
  • Steps to Implementation
  • Limitations
  • NHS ISO Toolkit
  • Questions

38
ISO 17799 NHS Toolkit for Healthcare Organisations
  • Application that takes users through structured
    Q&A sessions
  • Produces pre-formatted reports
  • ISO 17799 compliant security policy
  • inventory of information assets
  • selection of controls applied
  • gap analysis

39
Agenda
  • Information Security Mgmt
  • Goals
  • Context
  • Threats, Vulnerabilities, Risks
  • ISO 17799
  • Rationale
  • History
  • Current Use
  • Structure of 17799
  • Steps to Implementation
  • Limitations
  • Toolkits
  • Questions

40
Further Reading
  • BSI documents (www.bsi.org.uk/index.xhtml)
  • Information Security Management An Introduction
    (PD3000)
  • provides an overview of the scheme for accredited
    certification and forms a useful preface to
    other guidance documents in the scheme
  • Guide to BS7799 Risk Assessment and Risk
    Management (PD3002)
  • describes the underlying concepts behind BS7799
    risk assessment and risk management, including
    terminology and the process of assessing and
    managing risks
  • based on the ISO/IEC Guidelines for the
    Management of IT Security (GMITS)
  • Selecting BS7799 Controls (PD3005)
  • describes the process of selecting appropriate
    controls

41
Bug Me
Email: rossfraser_at_sextantsoftware.com
Phone: (416) 960-5872