Standards
Published in: Technology
Transcript

  • 1. Information Security Standards. Gary Gaskell, © 2001
  • 2. Contents: Overview of security standards; Types of standards; List of standards; Quick insight into each standard; Conclusions. Gary Gaskell, 3 May 2001
  • 3. Types of Standards: Risk based; System-wide focus; Management; Product focus; Technical; Assurance based; Lightweight; Prescriptive controls; Thorough; Checklists
  • 4. Security Standards - Pick One!: AS/NZS 4444 (BS 7799, ISO 17799); US TCSEC (Rainbow series); ITSEC (Europe); Common Criteria (ISO 15408); IETF Site Security Handbook (RFC 2196); Vendor handbooks and checklists, B.S.I., SANS; Website certification services; SAS-70
  • 5. AS/NZS 4444 - Information Security Management Standard: Part 1 - 1999; Part 2 - 2000; JANZAS; Based on BS7799; BS7799 itself based on industry practice (Shell Oil etc.)
  • 6. AS 4444: Good internal security management; Information Security Management System; Explicit target - trusted interconnection; Catalogue of controls; Recommended baselines; Risk based assessments
  • 7. AS4444 Controls: Security policy; Security organisation; Asset classification and control; Personnel security; Physical and environmental security; Communications and operations management; Access control; Systems development and maintenance; Business continuity management; Compliance
  • 8. TCSEC - Trusted Computer System Evaluation Criteria - 1983: US Government specification; "Orange Book" and "Rainbow Series"; Origin of the C2, B1, B3 etc. ratings; Functionality and assurance tightly coupled; Superseded but still in use
  • 9. ITSEC - Information Technology Security Evaluation Criteria - 1991: UK, France, Germany and The Netherlands; Used by Australia; Applies to both systems and products; http://www.dsd.gov.au/infosec/aisep/EPL/prod.html; Superseded but still in use
  • 10. Common Criteria - Common Criteria for Information Technology Security Evaluation - 1999: ISO 15408 (CC v2.1); Merge of TCSEC and ITSEC; Emerging standard; Assurance level separate from functionality level; Mutual recognition agreement - 13 countries
  • 11. RFC 2196 - IETF Site Security Handbook: Developed by CERT/CC at CMU; Response oriented; Good practical advice; Explicit about system hardening and patch installation
  • 12. Vendor Checklists: SGI; Compaq/Digital; Sun Microsystems (Blueprints); AIX (Redbooks); Microsoft; Apache; Oracle
  • 13. Vendor Checklists - continued: Explicit and specific; Good for specification in designs or outsourcing; "How to" oriented; Sometimes too light
  • 14. Third Party Vendor Checklists: AusCERT/CERT Unix security checklist; Windows NT 4 NSA/Trusted Systems checklist (http://www.trustedsystems.com); Windows 2000 security checklist (http://www.systemexperts.com); Books - e.g. Practical Unix and Internet Security, Spafford and Garfinkel
  • 15. BSI - Bundesamt für Sicherheit in der Informationstechnik: http://www.bsi.de/gshb/english/etc/inhalt.htm; IT Baseline Protection Manual; More practical than other government attempts
  • 16. SANS (SysAdmin, Audit, Network, Security Institute): http://www.sans.org; Advice on policy and controls; Training (and certification?); Checklists; Vulnerability service
  • 17. Website Certification Programs: TruSecure (ICSA/TruSecure); WebTrust; beTRUSTed (PwC); SysTrust (AICPA); Others?
  • 18. SAS-70 - Statement on Auditing Standards No. 70: American Institute of Certified Public Accountants; Formal audit standard with a background in financial audits; Two levels: Type I - inspection of the key areas (design of controls); Type II - testing of the operating effectiveness of controls
  • 19. Miscellaneous: IS 18 - Qld Government; VISA - security for merchant sites; NIST - FIPS 102; US - HIPAA; OECD - Guidelines for the Security of Information Systems; ISO 13335 - Guidelines for the Management of IT Security
  • 20. Miscellaneous - continued: System Security Engineering Capability Maturity Model (SSE-CMM) - International Systems Security Engineering Association (ISSEA); CobiT - "IT Governance" - ISACA
  • 21. Conclusions: Great choice of standards; None is a full solution on its own