113505 6969-ijecs-ijens


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

113505 6969-ijecs-ijens

  1. 1. International Journal of Electrical & Computer Sciences IJECS-IJENS Vol: 11 No: 05 23 Information Security Management System Standards: A Comparative Study of the Big Five Heru Susanto12, Mohammad Nabil Almunawar1 and Yong Chee Tuan1 1 2 FBEPS, University of Brunei The Indonesian Institute of Sciences Information System Group Information Security & IT Governance Research Group susanto.net@gmail.com & 10h0103@ubd.edu.bn heru.susanto@lipi.go.idAbstract. -- It cannot be denied that nowadays information is avery important asset for any modern organization. Thereforeprotecting its security is very important and becoming a toppriority for many organizations. Unfortunately there is nosingle formula that can guarantee 100% of information security.Therefore there is a need for a set of benchmarks or standardsto ensure the best security practices are adopted and anadequate level of security is attained. In this paper, authorsintroduce various information security standards briefly andthen provide a comparative study for major informationsecurity standards, namely ISO27001, BS 7799, PCIDSS, ITILand COBIT. The study will provide a picture of theposition and specialization of each standard, adoption bycountries and their usability levels.Keywords– ISO27001, BS7799, PCIDSS, ITIL, COBIT, ISMS, Figure 1. Activities of unidentified user as potential attack and threat to Information Security, PDCA organization I. INTRODUCTION Since information security has a very important role in supporting the activities of the organization, we need a standard Information is the lifeblood of organizations, a vital or benchmark which regulates governance over informationbusiness asset in today’s Information Technology (IT) -enabled security. Several private and government organizationsworld. Access to high-quality, complete, accurate and up-to- developed standards bodies whose function is to setupdate information is vital in supporting managerial decision- benchmarks, standards and in some cases, legal regulations onmaking process that leads to sound decisions. Thus, securing information security to ensure that an adequate level of securityinformation system resources is extremely important to ensure is preserved, to ensure resources used in the right way, and tothat the resources are well protected. Information security is not ensure the best security practices adopted in an organization.just a simple matter of having usernames and passwords [5]. There are several standards for IT Governance which leads toRegulations and various privacy / data protection policy impose information security such as PRINCE2, OPM3, CMMI,a raft of obligations to organizations [6]. Meanwhile viruses, P-CMM, PMMM, ISO27001, BS7799, PCIDSS, COSO, SOA,worms, hackers, phishers and social engineers threaten ITIL and COBIT.organizations on all sides. Hackers or sometimes we call edit by However, some of these standards are not well adopted byunidentified user is likely to cause huge losses for an the organizations, with a variety of reasons. In this paper weorganization [figure 1], such as by theft of customer data, spy will discuss the big five of ISMS standards, widely usedon business strategy, for the benefit of competitors [7]. It is standards for information security. The big five are ISO27001,imperative for organizations to use an information security BS 7799, PCIDSS, ITIL and COBIT. This comparative studymanagement system (ISMS) to effectively manage their conducted to determine their respective strengths, focus, maininformation assets. ISMS is basically consist of sets of policies components and their adoption based on ISMS.put place by an organization to define, construct, develop andmaintain security of their computer based on hardware and II. ISMS STANDARDSsoftware resources. These policies dictate the way in whichcomputer resources can be used. This section we give an overview of the big five ISMS standards; ISO27001, BS7799, PCIDSS, ITIL and COBIT. The overview includes profile and methodology used in each 113505-6969 IJECS-IJENS © October 2011 IJENS IJENS
  2. 2. International Journal of Electrical & Computer Sciences IJECS-IJENS Vol: 11 No: 05 24standard in implementing ISMS for organizations. These security management." The second part of BS7799 was firstoverviews will help readers easily understand functions, published by BSI in 1999, known as BS 7799 Part 2, titledbehaviors and position of each on the big figure and whole "Information Security Management Systems - Specification withISMS’s strategies. guidance for use", BS 7799-2 focused on how to implement ISMS, referring to the information security management structure and controls identified in BS 7799-2, which laterII.1. ISO27001 became ISO 27001. The 2002 version of BS 7799-2 introduced the Plan-Do-Check-Act (PDCA) (Deming quality assurance ISO, founded on February 23, 1947, promulgates worldwide model) [figure 3], aligning it with quality standards such as ISOproprietary industrial and commercial standards, has 9000. BS 7799 Part 2 was adopted by ISO as ISO 27001 inheadquarters in Geneva, Switzerland [8]. It has 163 national November 2005 [16].members out of the 203 total countries in the world [figure 2].The international standard of ISO 27001 specifies therequirements for establishing, implementing, operating,monitoring, reviewing, maintaining and improving adocumented ISMS within an organization [25]. Figure 3. PDCA Model on BS 7799 II.3. PCIDSS The Payment Card Industry Data Security Standard (PCIDSS) is a worldwide information security standard defined by the Payment Card Industry Security Standards Council. The standard was created to help industry organizations processes card payments and to prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations that hold, process, or Figure 2. Map of members of ISO (by IchwanPalongengi) exchange cardholder information from any card branded with the logo of one of the card brands [20], [figure 4]. It designed to ensure the selection of adequate andproportionate security controls to protect information assets.This standard is usually applicable to all types of organizations,either private or public organizations. The standard introducesa cyclic model known as the “Plan-Do-Check-Act” (PDCA)model [1], aims to establish, implement, monitor andimprove the effectiveness of an organization’s ISMS [2].II.2. BS 7799 BS 7799 was a standard originally published by BritishStandard Institution (BSI) Group in 1995. It was written by theUnited Kingdom Governments Department of Trade and Figure 4. Transaction security models of PCIDSSIndustry (DTI), and consisted of several parts [13], [16]. Thefirst part, containing the best practices for ISMS, was revised in Validation of compliance can be performed either internally1998, which was eventually adopted by ISO as ISO17799, or externally, depending on the volume of card transactions, but"Information Technology - Code of practice for information regardless of the size of the organization, compliance must be 113505-6969 IJECS-IJENS © October 2011 IJENS IJENS
  3. 3. International Journal of Electrical & Computer Sciences IJECS-IJENS Vol: 11 No: 05 25assessed annually. Organizations handling large volumes of the IT Governance Institute (ITGI) in 1996 [9]. They believetransactions must have their compliance assessed by an that it is a set of practices (framework) for IT management.independent assessor called by Qualified Security Assessor COBIT is an IT governance framework and supporting toolset(QSA) [21], while companies handling smaller volumes have that allows managers to bridge the gap between controlthe option of demonstrating compliance via a Self-Assessment requirements, technical issues, business risks, and securityQuestionnaire (SAQ). issues. COBIT has five IT Governance areas of concentration [12], [23]:II.4. ITIL • Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating The Information Technology Infrastructure Library (ITIL) the IT value proposition; and aligning IT operations withconcept emerged in the 1980s, when the British government enterprise operations.determined that the level of IT service quality provided to themwas not sufficient [19]. ITIL is a set of concepts and practices • Value delivery is about executing the value propositionfor Information Technology Services Management (ITSM), throughout the delivery cycle, ensuring that IT delivers theInformation Technology (IT) development and IT operations, promised benefits against the strategy, concentrating onwhich has parts focus on security. optimizing costs and proving the intrinsic value of IT. • Resource management is about the optimal investment and the proper management of critical IT resources: applications, information, infrastructure and people. • Risk managementis a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, and transparency into the organization. • Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting. III. FEATURES Figure 5. The ITIL components Alfantookh2009 [2], defined 11 essential control, called by 11EC, that should be implemented by an organization, as The ITIL originated as a collection of books, each covering requirements and compliance of the information securitya specific practice within IT Service Management, was built criteria by the standard body of ISMS [2], [6] due to thesearound a process-model based view of controlling and features as basis of parameters and benchmarks for fulfillmentmanaging operations often credited to W. Edwards Deming and of information security which is most comprehensively coverhis plan-do-check-act (PDCA) cycle [4], as IT Services all aspects must be owned, these 11EC are [8], [24]:Management Standards and Best Practices [18] contains of 8main components[figure 5], they are: Service Support, Service 1. Information Security Policy: how an institution expressesDelivery, ICT Infrastructure Management, Security its intent with emphasized to information security, meansManagement, Application Management, Software Asset by which an institutions governing body expresses itsManagement, Planning to Implement Service Management, intent to secure information, gives direction toSmall-Scale Implementation. management and staff and informs the other stakeholders of the primacy of efforts.II.5. COBIT 2. Communications and Operations Management: defined The Control Objectives for Information and related policy on security in the organization, in reducing securityTechnology (COBIT) is a certification created by ISACA and 113505-6969 IJECS-IJENS © October 2011 IJENS IJENS
  4. 4. International Journal of Electrical & Computer Sciences IJECS-IJENS Vol: 11 No: 05 26 risk and ensuring correct computing, including operational procedures, controls, and well-defined responsibilities. 11. Compliance: these issues necessarily are divided into two areas; the first area involves compliance with the myriad3. Access Control: is a system which enables an authority to laws, regulations or even contractual requirements which control access to areas and resources in a given physical are part of the fabric ofevery institution. The second area is facility or computer-based information system. compliance with information security policies, standards and processes.4. Information System Acquisition, Development and Maintenance: an integrated process that defines Table 1 below we showed up head to head comparisons on boundaries and technical information systems, beginning the big five ISMS standards deal with 11EC of information with the acquisition, and development and the last is the security. maintenance of information systems.5. Organization of Information Security: is a structure ISO BS PCIDSS ITIL COBIT owned by an organization in implementing information 27001 7799 V2.0 V4.0 V4.1 1. Information security, consists of; management commitment to Security Policy √ √ √ √ √ information security, information security co-ordination, authorization process for information processing facilities. Communications Two major directions: internal organization, and external 2. and Operations √ √ √ ● √ parties. Management 3. Access Control √ √ √ √ √6. Asset Management: is based on the idea that it is important to identify, track, classify, and assign ownership Information for the most important assets to ensure they are adequately Systems protected. 4. Acquisition, √ √ √ ● √ Development and7. Information Security Incident Management: is a program Maintenance that prepares for incidents. From a management perspective, it involves identification of resources needed Organization of 5. Information √ √ √ √ √ for incident handling. Good incident management will also help with the prevention of future incidents. Security 6. Asset8. Business Continuity Management: to ensure continuity of Management √ √ √ √ √ operations under abnormal conditions. Plans promote the Information readiness of institutions for rapid recovery in the face of 7. Security Incident √ ● √ √ √ adverse events or conditions, minimize the impact of such Management circumstances, and provide means to facilitate functioning during and after emergencies. Business 8. Continuity √ √ √ √ √ Management9. Human Resources Security: to ensure that all employees (including contractors and user of sensitive data) are Human 9. Resources √ √ √ ● √ qualified for and understand their roles and responsibilities of their job duties and that access is removed once Security employment is terminated. Physical and 10. Environmental √ √ √ ● √10. Physical and Environmental Security: to measures taken Security to protect systems, buildings, and related supporting 11. Compliance √ √ √ √ √ infrastructure against threats associated with their physical environment, buildings and rooms that house information and information technology systems must be afforded Tabel 1. Features of Big Five of ISMS Standard appropriate protection to avoid damage or unauthorized access to information and systems. 113505-6969 IJECS-IJENS © October 2011 IJENS IJENS
  5. 5. International Journal of Electrical & Computer Sciences IJECS-IJENS Vol: 11 No: 05 27 IV. COMPARISONSOF THEBIG FIVEProfile of each standard is presented here to provide a general overview and summaryof the relevant standard on their respectivepositions which is currently most widely used worldwide [table 2]. ISO 27001 BS 7799 PCIDSS ITIL COBIT ISO is a non- is an IT governance ITIL is the abbreviation for governmental framework and supporting the guideline IT organization that forms a is a worldwide information toolset that allows BS Standards is the UKs Infrastructure Library, bridge between the public security standard defined managers to bridge the National Standards Body developed by CCTA, now and private sectors. On the by the Payment Card gap between control (NSB) and was the worlds the OGC (Office one hand, many of its Industry Security requirements, technical first. BS Standards works of Governance Commerce) member institutes are part Standards Council. The issues and business risks. with manufacturing and in Norwich (England) of the governmental standard was created to COBIT enables clear Profile of service industries, developed on behalf of the structure of their countries, help industry organizations policy development and Standards businesses, governments British government. The or are mandated by their that process card payments good practice for IT and consumers to facilitate main focus of government; also other prevent credit card fraud control throughout the production of British, the development was on members have their roots through increased controls organizations. COBIT European and mutual best practices for uniquely in the private around data and its emphasizes regulatory international standards all British government sector, having been set up exposure to compromise compliance, helps [13] data centers to ensure by national partnerships of [20] organizations to increase comparable services industry associations the value attained from IT [19] [8] [9] VisaCard, MasterCard, The Central Computer and United Kingdom American Express, Telecommunications Information Systems Audit delegates from 25 Governments Department Discover Information and Agency (CCTA), now and Control AssociationInitiated by countries of Trade and Industry Compliance, and the called the Office of (ISACA) and the IT [8] (DTI) JCBData Security Government Commerce Governance Institute [13] Program (OGC)– UK (ITGI)–USA [20] [19] [9],[14] Launched February 23, 1947 1995 15 December 2004 1980s 1996 on 18,500 International 6 main components on 8 main components + 6 main components onStandards & 27,000 active standards Standards standard 5 components version 3 standardComponents [13],[16] [8],[15],[17] [20],[21] [10],[18], [19] [10],[22],[23] Certified Information Systems Auditor™ (CISA®) Certified Information Security Manager®Certificate Certificate of Certificate of Certificate of PCI-DSS Certificate of ITIL (CISM®) Name ISO 27000 Series BS 7799: 1-2 Compliance Compliance Certified in the Governance of Enterprise IT® (CGEIT® ) Certified in Risk and Information Systems Control TM (CRISCTM) Information and Data Transaction Security on Scope Information Security Information Security Service Management IT Governance debit, credit, prepaid, e-purse, ATM, and POS 163 national members out 110 national members out 125 countries out of the Usability of the 203 total countries of the 203 total countries 203 total countries in the 50 international chapters 160 countries in the world in the world world Tabel 2. Profile of Big Five of ISMS Standards 113505-6969 IJECS-IJENS © October 2011 IJENS IJENS
  6. 6. International Journal of Electrical & Computer Sciences IJECS-IJENS Vol: 11 No: 05 28 Substantively numbers of active standard on BS is 50% more than the standard that is owned by ISO, and also more than PCIDSS, ITIL and COBIT, but other reason that leads organization not implemented BS, tend to preferred ISO, PCIDSS, COBIT is due in some part BS using benchmarks Europe or commonly known as BSEN (British Standard Europe Norm) [13], inauspiciously it would confuse stakeholders, which one is better, BS or BSEN, local or regional, such as pouring the same water in two glasses of different shapes. Stakeholders prefer a more flexible standard, more focus and have not two different terms for the same issues; thus, ISO, PCIDSS, COBIT become more consideration as best choice. Figure 6. Country as initiator of standardNowadays, it is very important for a standard, accepted andrecognized as global benchmarking tools, marked by number ofcounty which initiated for establishment of an organization dealwith [figure 6]. ISO (25 countries) BS (1 country) PCIDSS(1 country), ITIL (1 country), and COBIT (1 country).[Figure7] ISOs most widely used in globally by163 countries,compared with BS (110), PCIDSS (125), ITIL (50) and COBIT(160). Indication descript us that ISO is more easilyimplemented, stakeholders (clients, suppliers, customers andmanagement) is easier to recognize, also it has appropriateplatform in an organization deal with, than four others securitystandards. Figure 8. Position of each standard The main focus on information security, ISO27001 and BS7799 have similar characteristics, since ISO27001 adopted from BS7799, with improvements and additions emphasized on the strength of ISMS from various aspects, while the three others also focus on IT governance and Project Management [figure 8]. Figure 7. Usability level of standards 113505-6969 IJECS-IJENS © October 2011 IJENS IJENS
  7. 7. International Journal of Electrical & Computer Sciences IJECS-IJENS Vol: 11 No: 05 29 V. CONCLUSION REMARKS [6] Heru Susanto & Fahad bin Muhaya. Multimedia Information Security Architecture. @ IEEE. 2010.Each standard playing its own role and position in [7] Heru Susanto, Mohammad Nabil Almunawar & Yong Chee Tuan. I-SolFramework View on ISO 27001. Information Security Managementimplementing ISMS, several standards such as ISO 27001 and System: Refinement Integrated Solution’s Six Domains. Journal ofBS 7799 focusing on information security management system Computer, Asian Transaction. July 2011.as main domain and their focus on, while PCIDSS focus on [8] ISO History and Definition. www.iso.orginformation security relating to business transactions and smart [9] IT Governance Institute. COBIT 4.1 Excerpts. 2007. Rolling Meadows, IL 60008 USAcard, then ITIL and COBIT focuses on information security and [10] IT Governance Institute. Mapping of ITIL v3 with COBIT 4.1. 2008.its relation with the Project management and IT Governance Rolling Meadows, IL 60008 USA[figure 8]. Refers to the usability of standards in global, [11] The Government of the Hong Kong. An Overview of Informationindicated that ISO (27001) leading than four other standards Security Standards. 2008. Hongkong. [12] Overview on COBIT.especially on ISMS, therefore it described us the standard is http://www.benchmarklearning.com/COMMUNITIES/ITIL/cobit.aspxmore easily implemented and well recognized by stakeholders [13] Overview on British Standard. http://www.bsigroup.com/en/Standards-(top management, staff, suppliers, customers/clients, and-Publications/About-BSI-British-Standards/regulators). We can analogous ISO (27001) is like a global [14] http://www.isaca.org/KnowledgeCenter/COBIT/Pages/Overview.aspx [15] http://www.iso.org/iso/about/discover-iso_isos-name.htmlanguage in standards and benchmarking on ISMS, such as [16] http://www.isms-guide.blogspot.com/2007/11/key-components-of-English as an international language, with level of usability and standard-bs-7799-iso.htmltrust reach more than 80% of the world [figure 2]. [17] http://www.iso.org/iso/about.htm [18] http://www.itil.org/en/vomkennen/itil/ueberblick/index.php [19] http://www.itil- officialsite.com/faq.aspx?category=General+FAQs&btnSubmit=Open VI. RECOMMENDATION AND FUTURE RESEARCH [20] https://www.pcisecuritystandards.org/security_standards/index.php [21] http://www.retrievernpc.com/cms/pci-compliance/certificate-of-pci-dss-As the international language of standards and recognized compliance/globally, authors recommend further research in refinement of [22] http://technet.microsoft.com/en-us/library/ff758651.aspxISO (27001). Purposed of refinement is to make more easily [23] http://searchsecurity.techtarget.com/feature/Introduction-to-COBIT-for-understood, implemented, and easily measured in an SOX-compliance [24] https://wiki.internet2.edu/confluence/display/itsg2/organization by stakeholders. Refinement expected translating Human+Resources+Security+(ISO+8)and interpreting high level language of terms, technical nature [25] http:// wikipedia.org/wiki/ISOand details on the subject of ISMS assessments to Heru Susanto is a researcher at The Indonesian Institute of Sciences,understandable human being parlance. Information Security & IT Governance Research Group, also was working at Prince Muqrin Chair for Information Security Technologies, Information Security Research Group, King Saud University. He received BSc in Computer Science from Bogor Agriculture University, in 1999 and MSc in Computer Science VII. ACKNOWLEDGMENT from King Saud University, nowadays he as PhD Candidate in Information System from the University of Brunei Darussalam. Heru has published manyThis paper is one part of the big research which topic of papers in refereed journals as well as international conferences.framework for refinement information security management Mohammad Nabil Almunawar is a senior lecturer at Faculty of Business,system as tools of integrated solutions. This research is Economics and Policy Studies, University of Brunei Darussalam. He received master Degree (MSc Computer Science) from the Department of Computersupported by FBEPS University of Brunei Darussalam (UBD), Science, University of Western Ontario, Canada in 1991 and PhD from theThe Indonesian Institute of Sciences and Prince Muqrin Chair University of New South Wales (School of Computer Science and Engineering,(PMC) for IT Security, King Saud University (KSU). UNSW) in 1997. Dr Nabil has published many papers in refereed journals as well as international conferences. He has many years teaching experiences in the area computer and information systems. He was a respected consultant in VIII. REFERENCES developing information systems for United Nations (WHO) projects, Central Bank of Indonesia and some private companies. His overall research interest is[1] Alan Calder and Setve Watkins. IT Governance – A Manager’s Guide to application of IT in Management and Electronic Commerce. He is also Data Security and ISO 27001 and ISO 27002 interested in object-oriented technology, databases and multimedia retrieval.[2] Abdulkader Alfantookh. An Approach for the Assessment of The Yong Chee Tuan is a senior lecturer at Faculty of Business, Economics and Application of ISO 27001 Essential Information Security Controls. Policy Studies, University of Brunei Darussalam, has more than 20 years of Computer Sciences, King Saud University. 2009 experience in IT, HRD, e-gov, environmental management and project[3] Basie von Solms. 2005. Information Security Governance: COBIT or management. He received PhD in Computer Science from University of Leeds, ISO 17799 or both? Computer&Security Journal. Elsevier.Science Direct UK, in 1994. He was involved in the drafting of the two APEC SME Business[4] Basie von Solms. 2005. Information Security Governance – Compliance Forums Recommendations held in Brunei and Shanghai. He sat in the E-gov Management vs Operational Management. Computer & Security Journal. Strategic, Policy and Coordinating Group from 2003-2007. He is the vice-chair Elsevier, Science Direct of the Asia Oceanic Software Park Alliance. He has been appointed as the[5] Basie von Solms & Rossouw von Solms. 2004. The 10 deadly sins of regular judge of the APICTA since 2001. He is the country representative in the Information Security Management. Computer & Security 23(2004) 371- UNDP Digital Review Publications. 376. Elsevier Science Ltd. 113505-6969 IJECS-IJENS © October 2011 IJENS IJENS