Transcript of "Standards"

  1. Information Security Standards
     Gary Gaskell, © 2001

  2. Contents
     • Overview of security standards
     • Types of standards
     • List of standards
     • Quick insight into each standard
     • Conclusions
     Gary Gaskell, 3 May 2001

  3. Types of Standards
     • Risk based
     • System-wide focus
     • Management
     • Product focus
     • Technical
     • Assurance based
     • Lightweight
     • Prescriptive controls
     • Thorough
     • Checklists

  4. Security Standards - Pick One!
     • AS/NZS 4444 (BS 7799, ISO 17799)
     • US TCSEC (Rainbow Series)
     • ITSEC (Europe)
     • Common Criteria (ISO 15408)
     • IETF Site Security Handbook (RFC 2196)
     • Vendor handbooks and checklists, BSI, SANS
     • Website certification services
     • SAS 70

  5. AS/NZS 4444
     • Information Security Management Standard
     • Part 1 - 1999
     • Part 2 - 2000
     • JANZAS
     • Based on BS 7799
     • BS 7799 itself based on industry practice - Shell Oil etc.

  6. AS 4444
     • Good internal security management
     • Information Security Management System
     • Explicit target - trusted interconnection
     • Catalogue of controls
     • Recommended baselines
     • Risk based assessments

  7. AS 4444 Controls (the ten control areas)
     • Security policy
     • Security organisation
     • Asset classification and control
     • Personnel security
     • Physical and environmental security
     • Communications and operations management
     • Access control
     • Systems development and maintenance
     • Business continuity management
     • Compliance

  8. TCSEC
     • Trusted Computer System Evaluation Criteria - 1983
     • US Government specification
     • "Orange Book" and "Rainbow Series"
     • Origin of the C2, B1, B3 etc. ratings
     • Functionality and assurance tightly coupled
     • Superseded but still in use

  9. ITSEC
     • Information Technology Security Evaluation Criteria - 1991
     • UK, France, Germany and The Netherlands
     • Used by Australia
     • Applies to both systems and products
     • http://www.dsd.gov.au/infosec/aisep/EPL/prod.html
     • Superseded but still in use

  10. Common Criteria
     • Common Criteria for Information Technology Security Evaluation - 1999
     • ISO 15408 (CC v2.1)
     • Merge of TCSEC and ITSEC
     • Emerging standard
     • Assurance level separate from functionality level
     • Mutual recognition agreement - 13 countries

  11. RFC 2196
     • IETF Site Security Handbook
     • Developed by CERT/CC of CMU
     • Response oriented
     • Good practical advice
     • Explicit about system hardening and patch installation

  12. Vendor Checklists
     • SGI
     • Compaq/Digital
     • Sun Microsystems (Blueprints)
     • AIX (Redbooks)
     • Microsoft
     • Apache
     • Oracle

  13. Vendor Checklists - Continued
     • Explicit and specific
     • Good for specification in designs or outsourcing
     • "How to" oriented
     • Sometimes too light

  14. Third Party Vendor Checklists
     • AusCERT/CERT Unix security checklist
     • Windows NT 4 NSA/Trusted Systems checklist (http://www.trustedsystems.com)
     • Windows 2000 security checklist (http://www.systemexperts.com)
     • Books - e.g. Practical Unix and Internet Security, Spafford and Garfinkel

  15. BSI
     • Bundesamt fuer Sicherheit in der Informationstechnik (German Federal Office for Information Security)
     • http://www.bsi.de/gshb/english/etc/inhalt.htm
     • IT Baseline Protection Manual
     • More practical than other government attempts

  16. SANS
     • SysAdmin, Audit, Network, Security (SANS) Institute
     • http://www.sans.org
     • Advice on policy and controls
     • Training (and certification?)
     • Checklists
     • Vulnerability service

  17. Website Certification Programs
     • TruSecure (ICSA/TruSecure)
     • WebTrust
     • beTRUSTed (PwC)
     • SysTrust (AICPA)
     • Others?

  18. SAS 70
     • Statement on Auditing Standards No. 70
     • American Institute of Certified Public Accountants
     • Formal audit standard - background in financial audits
     • Two levels:
       Type I - inspection of key areas
       Type II - testing of the effectiveness of controls

  19. Miscellaneous
     • IS 18 - Qld Government
     • VISA - security for merchant sites
     • NIST - FIPS 102
     • US - HIPAA
     • OECD - Guidelines for the Security of Information Systems
     • ISO 13335 - Guidelines for the Management of IT Security

  20. Miscellaneous - Continued
     • System Security Engineering Capability Maturity Model (SSE-CMM) - International Systems Security Engineering Association (ISSEA)
     • CobiT - "IT Governance" - ISACA

  21. Conclusions
     • Great choice of standards
     • None are a full solution