  1. ISO 17799 Project Review
     Stan Guzik, CISSP, MCP
     Chief Technology Officer, Immediatech Corp.
     ISO 17799 Project Lead
     [email_address]

  2. What Will Be Covered?
     - Background On The ISO 17799 Project
     - What Is Information Security?
     - Information Security Threats
     - Developing Security Management Policies/Procedures
     - What Is The ISO 17799?
     - ISO 17799 OWASP Project Details
     - Implementation Example
     - Critical Success Factors
     - OWASP Needs Your Feedback
     - References

  3. Background On The ISO 17799 Project
     - OWASP Holistic Approach To Security
       - Top Ten
       - Guide
       - Testing
       - WebGoat
       - ISO 17799
     - Challenges Of Today's Web Applications
       - Security – CIA
       - 24x7x365 uptime
       - Fast and easy to use
       - Integration with external systems
       - Fast SDLC due to market pressures
       - Bug free
       - Customers expect it at no/low cost

  4. Background On The ISO 17799 Project
     - Management Of Web Applications In Production
       - Traditional IT organizations are not familiar with web application security management
       - Auditors as head of IT (EDP)
       - Internet applications
       - 20-year-old policies/procedures do not apply
     - Benefits Of Applying ISO 17799
       - Increased security
       - Increased uptime
       - ROI – Fighting fires
       - Keep your job

  5. What Is Information Security?
     - Information Is An Asset – Value
     - Information Protection – Ensure business continuity, minimize damage, meet legal requirements
     - Information Forms – Electronic, paper, spoken, etc.
     - Information Preservation
       - Confidentiality – Information is not disclosed to unauthorized subjects
       - Integrity – Accuracy and completeness of information; modified only by authorized subjects
       - Availability – Authorized subjects are granted access to information (SLA)
     - Information Security Controls – Policies, procedures, practices, organizational structure, and HW/SW

  6. Information Security Threats
     - Viruses
     - Hackers
     - Espionage
     - Sabotage
     - Vandalism
     - Fire
     - Flood
     - Employee with a big mouth (HR info)

  7. Information Security Threats
     - Today Organizations Are More Vulnerable
       - Interconnected public and private networks
       - System complexities in achieving access controls
       - Lack of security-conscious developers – focus on functionality and performance
       - Shorter time to market
     - Supplement Secure Applications With Appropriate Security Management Policies/Procedures
       - Secure applications running in an unsecured environment
       - Secure applications and a secured environment running with insecure operations
       - Etc.

  8. Develop Security Management Policies/Procedures
     - Legal, Regulatory, Contractual Requirements, Due Diligence
     - Risk Assessment – Threats to Assets
       - Estimate the likelihood that a threat will occur and evaluate its impact on an asset
         - Quantitative Risk Assessment
           - Annual Loss Expectancy (ALE) – Yearly cost of all instances of a specific realized threat against a specific asset:
             - ALE = ARO * SLE
           - Annual Rate of Occurrence (ARO) – Expected frequency that a specific threat or risk will occur (probability determination)
           - Single Loss Expectancy (SLE) – Cost associated with a single realized risk against a specific asset:
             - SLE = Asset Value * EF
           - Exposure Factor (EF) – Loss potential of a specific asset from a realized risk
           - Example – DoS against a web application (input validation)
             - Asset Value = $2,000,000
             - EF = 20%
             - SLE = $2,000,000 * 20% = $400,000
             - ARO = 10%
             - ALE = 10% * $400,000 = $40,000

  9. Develop Security Management Policies/Procedures
         - Qualitative Risk Assessment
           - Scenario/judgment based
           - Experience based …
     - Risk Assessment Results
       - Determine the appropriate management actions
       - Set priorities for managing information security risk
       - Implement controls to protect against realized risk

  10. Develop Security Management Policies/Procedures
     - Select Appropriate Security Controls
       - Implement controls to ensure risks are reduced to an acceptable level.
       - Controls should be selected based on the cost of implementation in relation to the risk being reduced and the potential losses if a security breach occurs.

  11. What Is The ISO 17799 Standard?
     - ISO – International Organization for Standardization
     - Complete set of controls to ensure best practices for information security
     - The major standard – Internationally recognized information security standard
     - Guideline – Guiding principles providing a good starting point for implementing information security. They are either based on essential legislative requirements or considered to be common best practices for information security.
       - Legislative Controls
         - 12.1.4 – Data Protection and Privacy of Personal Information
         - 12.1.3 – Safeguarding of Organizational Records
         - 12.1.2 – Intellectual Property Rights
       - Best Practices
         - 3.1 – Information Security Policy Document
         - 4.1.3 – Allocation of Information Security Responsibilities
         - 6.2.1 – Information Security Education and Training
         - 6.3.1 – Reporting Security Incidents
         - 11.1 – Business Continuity Management

  12. What Is The ISO 17799 Standard?
     - 10 Sections
       - Security Policy – To provide management direction and support for information security
       - Organizational Security – To manage information security within the organization
       - Asset Classification and Control – To maintain appropriate protection of organizational assets
       - Personnel Security – To reduce the risk of human error, theft, fraud or misuse of facilities
       - Physical and Environmental Security – To prevent unauthorized access, damage and interference to business premises and information
       - Communications and Operations Management – To ensure the correct and secure operation of information processing facilities
       - Access Control – To control access to information
       - System Development and Maintenance – To ensure security is built into information systems
       - Business Continuity Management – To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
       - Compliance – To avoid breaches of any criminal and civil law, statutory, regulatory or contractual

  13. ISO 17799 OWASP Project Details
     - Documentation Project
       - Toolbox of sample templates of ISO 17799 policies and procedures
     - What Exists Today
       - ISO 17799 is a standard, not a tool
       - Not many publicly available templates
       - Commercially licensed templates are of poor quality

  14. Implementation Example
     - 8.1.2 Operational Change Control
       - Inadequate control may cause system or security failures
       - Formal management responsibilities and procedures should be in place
       - Operational programs are subject to strict change control
     - Current State Of Project
       - Many templates
       - To do: Pull all templates together into a consistent format and publish

  15. Critical Success Factors
     - Targeted risk assessment
     - Implement good controls
     - Use already proven policies and procedures
     - Training and awareness
     - Get some more sleep at night!!!

  16. OWASP Needs Your Feedback!
     - Send us your templates
     - Modifications to existing templates
     - Can you get involved?

  17. References
     - ISO/IEC 17799:2000(E)
     - CISSP: Certified Information Systems Security Professional Study Guide, Ed Tittel
     - OWASP ISO 17799 Project
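The quantitative model from slide 8 (SLE = Asset Value * EF, ALE = ARO * SLE) and the control-selection rule from slide 10, carried through in code. This is an added example, not part of the original deck or the OWASP project; the $15,000/year control cost and the reduced ARO of 2% are constructed assumptions used only to show how a control's cost is weighed against the risk it removes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One specific threat realized against one specific asset."""
    name: str
    asset_value: float       # dollar value of the asset at risk
    exposure_factor: float   # EF: fraction of asset value lost per realized threat, 0..1
    aro: float               # ARO: expected occurrences per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = Asset Value * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = ARO * SLE."""
        return self.aro * self.sle()


def control_net_benefit(before: RiskScenario, after: RiskScenario,
                        annual_control_cost: float) -> float:
    """Annual value of a control: ALE removed minus the control's yearly cost.
    Positive means the control costs less than the risk it reduces (slide 10)."""
    return before.ale() - after.ale() - annual_control_cost


def rank_by_ale(scenarios):
    """Order scenarios highest ALE first, to set priorities for risk treatment."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


# The slide's example: DoS against a web application (input validation weakness).
dos_before = RiskScenario("DoS via input validation", 2_000_000, 0.20, 0.10)

# Constructed assumption: an input-validation control costing $15,000/year
# leaves asset value and EF unchanged but cuts the ARO from 10% to 2%.
dos_after = RiskScenario("DoS via input validation (with control)", 2_000_000, 0.20, 0.02)
CONTROL_COST = 15_000

if __name__ == "__main__":
    print(f"SLE = ${dos_before.sle():,.0f}")  # $400,000
    print(f"ALE = ${dos_before.ale():,.0f}")  # $40,000
    print(f"Net benefit = ${control_net_benefit(dos_before, dos_after, CONTROL_COST):,.0f}")
```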