Standards and Recommendations for Information Security on Internet
  1. Standards and recommendations for information security on internet
     ELSA Conference, Strumica, 27.11.2008
     Ljubomir Trajkovski [email_address]
  2. How to protect ourselves from internet insecurity?
  3. Internet Global Village
     • By default “open & insecure”
     • Internet for ALL (good guys & bad guys)
     • Bad guys for: pleasure and/or business
     • Internet insecurity: all for one / one for all
  4. There are “bad guys” in “our Village”
     • So we have to protect ourselves, but how?
  5. Do not forget what an Information System consists of!
     • Information/Data
     • Equipment (HW)
     • Communications (Internet)
     • Applications (SW)
     • Procedures and processes
     • People (users, performers/operators)
  6. “The chain is only as strong as its weakest link!”
     • Every single member in any Information System must be “good” and secure!
     • The ONLY questions are:
       ◦ “what does good mean?” and
       ◦ “who guarantees that something is good?”
     • Here is where the standards come in!
  7. What is a Standard? Who defines it? (1/3)
     • A standard is a collection of specifications describing minimal requirements for security.
     • Security standards include as a minimum:
       ◦ Physically limit access to
         ▪ computers,
         ▪ network and
         ▪ Internet
         to only those who will not compromise security.
       ◦ Hardware mechanisms that impose rules on computer programs, thus avoiding dependence on computer programs for computer security.
       ◦ Operating system mechanisms that impose rules on programs, to avoid trusting computer programs.
       ◦ Programming strategies to make computer programs dependable and resistant to subversion.
       ◦ And …
  8. What is a Standard? Who defines it? (2/3)
     • Security provisions that organizations should/shall have
       ◦ Information system service providers (banks, health organizations, government, telecom operators, electricity providers)
       ◦ Clients
     • Competence of Information System professionals
     • Competence/awareness of end-users in client organizations
     • End users, i.e. citizens (awareness, PKI)
     • And …
  9. What is a Standard? Who defines it? (3/3)
     • And …
     • Standards are developed by professional associations, not the government!
     • Standards are voluntary (unless someone makes them compulsory)
     • “Hierarchy of standards”
       ◦ “good practice”
       ◦ “best practice”
       ◦ “worldwide best practice”
       ◦ Recommendations
       ◦ National standard
       ◦ International standard
     • There are ALSO:
       ◦ International declarations and resolutions (UN, OECD, NATO)
       ◦ International conventions (UN, international agencies, …)
  10. Certification (from Wikipedia)
     • Certification refers to the confirmation of certain characteristics of an
       ◦ object,
       ◦ product,
       ◦ person, or
       ◦ organization.
       ◦ This confirmation is often, but not always, provided by some form of external review, education, or assessment.
     • Licence: Certification does not refer to the state of legally being able to practice or work in a profession. That is licensure. Usually, licensure is administered by a governmental entity for public protection purposes and certification by a professional association. However, they are similar in that they both require the demonstration of a certain level of knowledge or ability.
     • Product certification: The other most common type of certification in modern society is product certification. This refers to processes intended to determine if a product meets minimum standards, similar to quality assurance.
     • Organizational certification, such as the ISO 9000 Quality Management System environmental and sustainability certification, is usually referred to as accreditation.
  11. Cyber security standards (from Wikipedia)
     • Cyber security standards are security standards which enable organizations to practice safe security techniques in order to minimize the number of successful cyber security attacks.
     • These guides provide general outlines as well as specific techniques for implementing cyber security.
     • For certain specific standards, cyber security certification by an accredited body can be obtained. There are many advantages to obtaining certification, including the ability to get cyber security insurance.
  12. Specific information security related standards
     • For citizens:
       ◦ PKI (Public Key Infrastructure, electronic signature)
     • For organizations / companies:
       ◦ ISO 27001 Information Security Management System
     • For information systems:
       ◦ ISO
     • For information security professionals:
       ◦ CISA, CISM, CISSP
  13. HOW TO LIVE WITH STANDARDS
  14. Process Success Factors
     • Put policy and standards in place
  15. Security Life Cycle Steps
     • Assess current security state
     • Update policies
     • Develop and document a “baseline” security standard
     • Translate standards into security guidelines
     • Implement guidelines on systems
     • Ensure compliance with standards
  16. Top-level Policy
     • Broad statement of intent
     • Sets the expectations for compliance
     • Must acknowledge individual accountability
     • Culture-dependent
     • Must cover appropriate use
     • Must be enforced
     (Hierarchy diagram: Policy, Standards, Guidelines, Procedures, Practice)
  17. Standards
     • Describe what to do, not how to do it
     • Explain the application of policy
     • Cover all elements of information security
     • Use existing models (I4 & ISF)
     • Provide the cornerstone for compliance
     (Hierarchy diagram: Policy, Standards, Guidelines, Procedures, Practice)
  18. Guidelines
     • Tell how to meet standards
     • Are platform- or technology-specific
     • Provide examples and configuration recommendations
     • Must be kept up to date
     (Hierarchy diagram: Policy, Standards, Guidelines, Procedures, Practice)
  19. What about the laws?
     • Macedonian information security related framework
     • Law on Personal Data Protection
     • Law on Classified Information
     • Law on Free Public Access
     • Criminal law (relevant articles on cyber crime)