
Upload: claire-fisher

Post on 27-Mar-2015


TRANSCRIPT

Page 1: Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global

Copyright © XiSEC, All rights reserved, 2002

Secure Computing Best Lifetime Achievement Award 2002

Ted Humphreys

Information Security Management Goes Global

Ted Humphreys

XiSEC

• Business continuity
• Corporate governance
• Compliance with legislation
• Information assets
• Policy & procedures
• Management of risk
• Incident handling
• Best practice
• Protecting on-line business
• Managing 3rd party access

Page 2:

Information Security Management

Global Business Objectives

• Ensuring business continuity
• Minimise business damage
• Maximise return on investments

These global objectives of information security management are also stated in ISO/IEC 17799

Page 3:

Information Security Management

Achieving the objectives by managing the risk

Page 4:

Assessing the Risk

• Risk is the potential that a threat will exploit a vulnerability and cause damage or loss to an asset

• The assessment includes:
– the value of the asset
– the level of corresponding vulnerabilities
– the likelihood of the relevant threats
– existing and planned controls which protect the asset

Page 5:

Managing the Risks

• Expenditure on information security needs to be balanced against and appropriate to:
– The business value of the information and other business assets at risk, and
– The business harm/impact likely to result from security failures

Page 6:

Managing the Risk

• Risk acceptance

• Ignoring the risks

• Risk avoidance

• Risk transfer

• Risk reduction

Page 7:

Managing the Risks with Controls

• Reduce the vulnerabilities
– Reduce/eliminate the weaknesses

• Reduce the likelihood of occurrence
– Reduce/eliminate the cause
– Minimise the probability by preventative measures

• Reduce the consequences of impact
– Ensuring effective monitoring
– Taking steps to prevent, minimise or contain impact.
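As an added illustration of slides 4 to 7 (not part of the original deck), the Python below scores a risk from asset value, vulnerability, threat likelihood and impact, nets off the existing and planned controls, and then chooses between the risk treatment options. The 1..5 scales, the multiplicative score, the spending limit and the acceptance threshold are assumed for illustration and are not taken from ISO/IEC 17799.

```python
from dataclasses import dataclass, field, replace

ACCEPTABLE = 12  # assumed ceiling for "risk acceptance"; the score ranges 1..125

@dataclass
class Control:
    name: str
    reduces: str      # factor it lowers (slide 7): "vulnerability", "likelihood" or "impact"
    effect: int       # points removed from that factor on the 1..5 scale (assumed model)
    annual_cost: int  # assumed currency units per year

@dataclass
class Risk:
    asset: str
    asset_value: int    # 1 negligible .. 5 critical business value of the asset
    vulnerability: int  # 1 .. 5 level of the corresponding weakness
    likelihood: int     # 1 .. 5 likelihood that the threat exploits it
    impact: int         # 1 .. 5 business harm if it does
    controls: list = field(default_factory=list)  # existing and planned controls

def residual_factors(risk):
    """Factors once the existing and planned controls are taken into account."""
    f = {"vulnerability": risk.vulnerability,
         "likelihood": risk.likelihood, "impact": risk.impact}
    for c in risk.controls:
        f[c.reduces] = max(1, min(5, f[c.reduces] - c.effect))
    return f

def risk_score(risk):
    """Residual vulnerability x likelihood x impact (slide 4), 1..125."""
    f = residual_factors(risk)
    return f["vulnerability"] * f["likelihood"] * f["impact"]

def spending_limit(risk):
    return 1000 * risk.asset_value * risk.impact  # slide 5: proportional to value and harm

def treatment(risk, candidates):
    """Pick a slide 6 option: accept, reduce (cheapest adequate control within the
    spending limit) or transfer/avoid. Ignoring the risk is never an outcome."""
    if risk_score(risk) <= ACCEPTABLE:
        return ("accept", None)
    for c in sorted(candidates, key=lambda c: c.annual_cost):
        adequate = risk_score(replace(risk, controls=risk.controls + [c])) <= ACCEPTABLE
        if adequate and c.annual_cost <= spending_limit(risk):
            return ("reduce", c.name)
    return ("transfer or avoid", None)

# Constructed example: customer database run by an external facilities management contractor (slide 14).
CUSTOMER_DB = Risk("customer database at contractor", 5, 4, 3, 4,
                   [Control("security clauses in the contract", "vulnerability", 1, 0)])
CANDIDATES = [
    Control("quarterly compliance audit of the contractor", "vulnerability", 1, 5000),
    Control("encrypt data held at the contractor's site", "impact", 3, 8000),
    Control("insurance against data loss", "impact", 3, 30000),
]
```

The cheapest candidate (the audit) is affordable but leaves the score above the threshold, so the function moves on to encryption; the insurance would also be adequate but exceeds the spending limit.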

Page 8:

Information Security Management

Targets: Preserving the Confidentiality, Integrity/authenticity & Availability of information

Means of achieving targets: Access control, user identification & authentication, encryption, digital signatures, message authentication, backups, capacity planning, regular maintenance, virus protection software, information handling procedures, physical security etc

Page 9:

What is ISO/IEC 17799?

It's a standard on best practice for information security management

A risk based approach for defining policy & procedures & selection of appropriate controls to manage risk

NOT IT Security

It's about Information Security

Page 10:

Who looks after ISO/IEC 17799?

ISO/IEC 17799 is managed and maintained by ISO/IEC JTC 1/SC 27 WG1

WG1 Convenor Ted Humphreys

Editors Angelika Plate and Oliver Weissmann

Page 11:

Some ISO/IEC 17799 History

• BS 7799 Part 1: 1995
• BS 7799 Part 1: 1999
• ISO/IEC 17799: 2000
• WG1 managing 1st revision due 200x

Page 12:

What’s in ISO/IEC 17799?

The Chapters

• Security policy
• Security organisation
• Asset classification & control
• Business continuity
• Personnel security
• Physical & environmental security
• Access control
• Compliance
• Communications & operations management
• Systems development & maintenance

Page 13:

ISO/IEC 17799 Chapter Structure

• Control Objective
• Control: satisfies the requirements of the objective
• Implementation Guidance: advice and help on implementation of the control
• Other Information: other supporting help and information

Page 14:

Control Example: External facilities management

Control

The risks of using external facilities management services should be identified in advance, and appropriate controls agreed with the contractor, and incorporated into the contract.

Implementation Guidance

Particular issues that should be addressed include:
a) Identifying sensitive or critical applications better retained in-house,
b) Obtaining the approval of business application owners,
c) Implications for business continuity plans,
d) Security standards to be specified, and the process for measuring compliance,
e) Allocation of specific responsibilities and procedures to effectively monitor all relevant security activities,
f) Responsibilities and procedures for reporting and handling security incidents

Other Information

The use of an external contractor to manage information processing facilities may introduce potential security exposures, such as the possibility of compromise, damage, or loss of data at the contractor’s site. See also 4.2.2 and 4.3 for guidance on third party contracts involving access to organizational facilities and outsourcing contracts

Page 15:

ISO/IEC 17799 Policies & Procedures

• Information security policy
• Access control
• Use of e-mail, Internet services & network connections
• Use of mobile computing

Page 16:

ISO/IEC 17799 Policies & Procedures

• Security incident handling

• Business continuity

• Operational procedures

• Change control

• Housekeeping

• Information handling

• System acceptance

Page 17:

ISO/IEC 17799 Organisational Security

• To manage information security within the organisation
– Security Forum
– Allocation of roles and responsibilities
– Co-ordination
– Security of 3rd party access

• Outsourcing, managed services etc

• Security conditions in contracts

Page 18:

ISO/IEC 17799 Asset Control

• Accountability of assets
– To maintain an asset inventory
– Information classification
– Information handling procedures
– Maintain appropriate protection of assets
– Asset ownership and security responsibilities

• Delegation & accountability

• Outsourcing, managed services etc

Page 19:

ISO/IEC 17799 Operations Management

• Procedures to ensure correct and secure operation
– Minimise the risk of system failures
– Safeguard the integrity of company information and software
– Maintain the integrity and availability of company services

Page 20:

ISO/IEC 17799 Operations Management

• Ensure the protection of supporting system and networking infrastructures
• Prevent damage to computer media
• Incident management procedures
• System and capacity planning and acceptance
• Malicious software
• Backups

Page 21:

ISO/IEC 17799 – Security Incidents

• Responding to incidents
– To minimise the damage from security incidents, system malfunctions, software weaknesses, virus attacks, denial of service attacks, breaches of law, data theft etc
– Monitoring, detecting, reporting, responding to and learning from security incidents

Page 22:

ISO/IEC 17799 Controlling Access

• To control access to the company’s information based on agreed access control policy and procedures
– User access management
– User registration
– User responsibilities, rights and privileges, review

Page 23:

ISO/IEC 17799 Controlling Access

• Access policy, procedures and technical controls
– Network services (internal and external), Web sites etc
– Computer systems
– Applications
– On-site and off-site (remote) access
– Monitoring system access and use

Page 24:

ISO/IEC 17799 Systems Dev/Maintenance

• Building security into the company’s systems and processes
– Application systems
• Input/output data validation
• Internal processing validation
• Cryptographic mechanisms
• Non-cryptographic mechanisms

Page 25:

ISO/IEC 17799 Systems Dev/Maintenance

• Building security into the company’s systems and processes
– System files
• Control of software and protection of test data
– Development and support environments
• Change control procedures
• Review of operating system changes
• Restrictions on software changes

Page 26:

ISO/IEC 17799 Business Continuity

• To protect critical company processes and assets and to counteract interruptions to business activities from the effects of system failures, serious breaches of security, disasters etc

Page 27:

ISO/IEC 17799 Business Continuity

• A managed planning process should be in place
– Procedures (for handling customers/suppliers, relocation, emergency control, fallback, resumption and recovery etc) should be developed and regularly tested
– Plans and procedures should be regularly reviewed and updated as necessary

Page 28:

ISO/IEC 17799 Compliance

• Compliance with legislation and contractual requirements
– To avoid breaches of any statutory, criminal or civil obligations and related security requirements

Page 29:

In Summary - Why use ISO/IEC 17799?

• Ensure business continuity

• Minimise business damage & protect business assets

• Maximise return on investments & business opportunities

• Good corporate governance

– “fit to manage risk”

Page 30:

Q&A

Titles of the standard in other languages:

• La sécurité informatique (Computer security)
• Riktlinjer för ledning av informationssäkerhet (Guidelines for information security management)
• Leitfaden zum Management von Informationssicherheit (Guide to the management of information security)
• Managementsystem voor informatiebeveiliging (Management system for information security)
• Gestão da Segurança da Informação (Information Security Management)