Download - Metholodogies and Security Standards
Developing the infrastructures that enable e-business ®
www.sia.es
Security Standards & Methodologies
FIST November/Madrid 2003 @ UPSAM
Vicente Aceituno
Most standards are the result of agreements on the behaviour of a component or the connection between components.
Using standards a company can create products and services that work well with others, without any previous agreement between the product makers.
Standards enable “teamwork” without permanent coordination, becoming a “coordination by default”.
What are standards good for?
International Organization for Standardization.
International Electrotechnical Commission.
British Standards Institute.
Internet Engineering Task Force.
ISACA.
International Information Security Foundation.
National Institute of Standards and Technology (USA)
AENOR (Spain)
AICPA.
BSI.
Software Engineering Institute.
ISECOM
W3C
IETF
Private companies.
ISSA...and so on.
Who makes standards?
Benchmarks.
Algorithms.
Products.
Operations.
Management.
Organization.
Auditing.
What is covered by standards?
Andrew Tanenbaum famously quipped that “The good thing about standards is that there are so many to choose from”.
The reasons are manifold. Politics, Economics and other interests...
Why there are so many standards?
Clear concepts framework.
Provides guidance to move from theory to practice.
Compliance can be tested.
It scales: It can be used both for small and large organizations, enterprises and government.
It considers the environment where the organization operates.
What is a perfect standard?
ISO 17799 based on BS 7799 of the British Standards Institute.
ISO/IEC TR 13335-4 by ISO/IEC Joint Technical Committee 1.
RFC2196 by Internet Engineering Task Force.
Cobit by ISACA.
800-14 GAASP by National Institute of Standards and Technology.
ISO15408 - Common Criteria from National Institute of Standards and Technology.
Standard of Good Practice for Information Security from ISF.
SysTrust by AICPA.
IT Baseline Protection Manual from BSI.
OCTAVE by Software Engineering Institute.
CSEAT Review Criteria from National Institute of Standards and Technology.
OSSTMM from ISECOM.
RFC2078 GSS API by Internet Engineering Task Force.
RFC3365 by Internet Engineering Task Force.
RSA PKCS.
GAISP by ISSA.
Some Security Standards
ISO 17799 based on BS 7799 of the British Standards Institute.
ISO/IEC TR 13335-4 by ISO/IEC Joint Technical Committee 1.
Cobit by ISACA.
800-14 GAASP by National Institute of Standards and Technology.
Standard of Good Practice for Information Security from ISF.
SysTrust by AICPA.
Information Security Management
IT Baseline Protection Manual from BSI
OCTAVE by Software Engineering Institute.
CSEAT Review Criteria.
OSSTMM from ISECOM.
Testing and Auditing
Products: ISO15408 - Common Criteria.
API: RFC2078 - Generic Security Service Application Program Interface.
Protocols: RFC3365 - Strong Security Requirements for Internet Engineering Task Force Standard Protocols.
PKI: PKCS, X.509
Encryption: Advanced Encryption Standard (FIPS 197)
XML:XML encryption (Xenc)
XML signatures (XML-SIG)
XML key management specification (XKMS)
Security assertion markup language (SAML)
eXtensible access control markup language (XACML)
...just too many to tell them all.
Technology
It is based on BS 7799-1.
BS 77991-1 is a Code of Practice provides 127 security controls; It contains requirements of a general nature.
BS 77991-2 is a information security management system. It provides a formal methodology for setting up an Information Security Management System.
ISO 17799:2000
•http://www.bsi-global.com/Training/Infosec/index.xalter
ISO/IEC Technical Report 13335 - Guidelines for the management of IT Security
1996 -- Part 1: Concepts and models for IT Security.
1997 -- Part 2: Managing and planning IT Security .
1998 -- Part 3: Techniques for the management of IT Security.
2000 -- Part 4: Selection of safeguards.
2001 -- Part 5: Management guidance on network Security.
•http://www.iso.org/iso/en/ISOOnline.frontpage
COBIT
The purpose of COBIT is to provide an Information Technology (IT) governance model that helps managing the risks associated with IT.
COBIT aims to make a clear and distinct link between information technology and business goals
The COBIT framework identifies 318 detailed control objectives contained within this classification.
Quality Control Components: Quality, Cost and Delivery
Fiduciary Control Components: Effectiveness, Efficiency, Reliability of information, Compliance.
Security Control Components: Confidentiality, Integrity and Availability
•http://www.isaca.org/
GAISP & 800-14
It’s just a series of principles.
It doesn’t provide a way to test if the principles are being followed.
It’s been used a information source for other standards.
•http://csrc.nist.gov/publications/nistpubs/
•http://web.mit.edu/security/www/gassp1.html
•http://www.issa.org/gaisp.html
Standard of Good Practice
This standard is being pushed as “the standard” by the proponents, with scarce results.
•http://www.isfsecuritystandard.com/index_ns.htm
SysTrust/WebTrust
Focused on systems reliability for e-commerce activities.
•http://www.cica.ca/index.cfm/ci_id/635/la_id/1.htm
Describes organizational, personnel, infraestructure and technical standards.
Globally assumed threat scenario.
Detailed descriptions of safeguards.
Description of the process involved in maintaining an appropriate level of IT security.
Procedure for ascertaining the level of IT security.
IT Baseline protection
•http://www.bsi.bund.de/gshb/english/menue.htm
OCTAVE
Involves internal personnel, providing security awareness and understanding of the business continuity needs.
Introduces extensible project management techniques.
It’s supposed to facilitate adaption to security requirements evolution.
•http://www.cert.org/octave/
CSEAT Review Criteria
Big list of things to do.
Provides no conceptual framework.
•http://csrc.nist.gov/cseat/
Methodology for Penetration Testing.
GNU-FDL Licenced.
Open Source Security Testing Methodology Manual
•http://www.isecom.org/projects/osstmm.shtml
Security Standards & Methodologies
FIST November/Madrid 2003
Vicente Aceituno
Developing the infrastructures that enable e-business ®