Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

5 Standards And Recommendations For Information Security On Internet


Published on

  • Be the first to comment

  • Be the first to like this

5 Standards And Recommendations For Information Security On Internet

  1. 1. Standards and recommendation for information security on internet ELSA Conference Strumica, 27.11.2008 LjubomirTrajkovski [email_address]
  2. 2. How to protect ourselves from internet insecurity ?
  3. 3. Internet Global Village <ul><li>By default “open & insecure” </li></ul><ul><li>Internet for ALL ( good gays & bad gays) </li></ul><ul><li>Bad gays for : pleasure and/or business </li></ul><ul><li>Internet in-security : all for one / one for all </li></ul>
  4. 4. There are “Bad gays” in “our Village” <ul><li>So we have to protect ourselves- but how ? </li></ul>
  5. 5. Do not forget what Information System consists of ! <ul><li>Information/Data </li></ul><ul><li>Equipment ( HW) </li></ul><ul><li>Communications ( Internet) </li></ul><ul><li>Applications ( SW) </li></ul><ul><li>Procedures and processes </li></ul><ul><li>People (users, performers/operators) </li></ul>
  6. 6. “ The chain is only as strong as its weakest link!” <ul><li>Every single member in any Information System must be “good” and secure ! </li></ul><ul><li>The ONLY questions are : </li></ul><ul><ul><li>“ what means good” and </li></ul></ul><ul><ul><li>“ who guaranty that something is good”? </li></ul></ul><ul><li>Here is where the standards come ! </li></ul>
  7. 7. What is a Standard ? Who define it? (1/3) <ul><li>Standard is collection of specifications describing minimal requirements for security . </li></ul><ul><li>Security standards include as minimum : </li></ul><ul><ul><li>Physically limit access to </li></ul></ul><ul><ul><ul><li>computers, </li></ul></ul></ul><ul><ul><ul><li>network and </li></ul></ul></ul><ul><ul><ul><li>Internet </li></ul></ul></ul><ul><ul><ul><li>to only those who will not compromise security . </li></ul></ul></ul><ul><ul><li>Hardware mechanisms that impose rules on computer programs, thus avoiding depending on computer programs for computer security. </li></ul></ul><ul><ul><li>Operating system mechanisms that impose rules on programs to avoid trusting computer programs. </li></ul></ul><ul><ul><li>Programming strategies to make computer programs dependable and resist subversion </li></ul></ul><ul><ul><li>And ….. </li></ul></ul>
  8. 8. What is a Standard ? Who define it? (2/3) <ul><li>Security Provisions what Organizations should/shall have </li></ul><ul><ul><li>Information System services Service providers ( Banks, Health organizations, Government, Telecom operators, Electricity providers) </li></ul></ul><ul><ul><li>Client s </li></ul></ul><ul><li>Competence of Information System professionals </li></ul><ul><li>Competence/Awareness of End-user in Client organizations </li></ul><ul><li>End users – citizens ( Awareness, PKI ) </li></ul><ul><ul><li>And ….. </li></ul></ul>
  9. 9. What is a Standard ? Who define it? (3/3) <ul><ul><li>And ….. </li></ul></ul><ul><ul><li>Standards are developed by professional association not the Government ! </li></ul></ul><ul><ul><li>Standards are voluntary ( unless someone required them as compulsory) </li></ul></ul><ul><ul><li>“ Hierarchy of standards” </li></ul></ul><ul><ul><ul><li>“ good practice” </li></ul></ul></ul><ul><ul><ul><li>“ best practice” </li></ul></ul></ul><ul><ul><ul><li>“ world wide best practice” </li></ul></ul></ul><ul><ul><ul><li>Recommendations </li></ul></ul></ul><ul><ul><ul><li>National standard </li></ul></ul></ul><ul><ul><ul><li>International standard </li></ul></ul></ul><ul><ul><li>There are ALSO : </li></ul></ul><ul><ul><ul><li>International declarations and resolutions ( UN, OECD, NATO) </li></ul></ul></ul><ul><ul><ul><li>International Conventions ( UN , International Agencies,…) </li></ul></ul></ul>
  10. 10. Certification (From Wikipedia ) <ul><li>Certification refers to the confirmation of certain characteristics of an </li></ul><ul><ul><li>object, </li></ul></ul><ul><ul><li>Product, </li></ul></ul><ul><ul><li>person, or </li></ul></ul><ul><ul><li>organization. </li></ul></ul><ul><ul><li>This confirmation is often, but not always, provided by some form of external review, education, or assessment. </li></ul></ul><ul><li>Licence : Certification does not refer to the state of legally being able to practice or work in a profession. That is licensure . Usually, licensure is administered by a governmental entity for public protection purposes and certification by a professional association. However, they are similar in that they both require the demonstration of a certain level of knowledge or ability. </li></ul><ul><li>Product certification :The other most common type of certification in modern society is product certification . This refers to processes intended to determine if a product meets minimum standards, similar to quality assurance . </li></ul><ul><li>Organizational certification, such as the ISO 9000 Quality Management System environmental and sustainability certification, is usually referred to as accreditation . </li></ul>
  11. 11. Cyber security standards ( From Wikipedia ) <ul><li>Cyber security standards are security standards which enable organizations to practice safe security techniques in order to minimize the number of successful cyber security attacks . </li></ul><ul><li>These guides provide general outlines as well as specific techniques for implementing cyber security . </li></ul><ul><li>For certain specific standards , cyber security certification by an accredited body can be obtained. There are many advantages to obtaining certification including the ability to get cyber security insurance. </li></ul>
  12. 12. Specific Information security related standards <ul><li>For Citizens : </li></ul><ul><li>PKI (Personnel key Identifier, Electronic Signature) </li></ul><ul><li>For Organizations / Companies : </li></ul><ul><li>ISO 27001 Information Security Management System </li></ul><ul><li>For Information Systems </li></ul><ul><li>ISO </li></ul><ul><li>For Information Security professionals </li></ul><ul><li>CISA, CISM, CSSP, </li></ul>
  14. 14. Process Success Factors <ul><li>Put policy and standards in place </li></ul>
  15. 15. Security Life Cycle Steps Assess current security state Update policies Develop and document &quot;baseline&quot; security standard Translate standards into security guidelines Implement guidelines on systems Ensure compliance with standards
  16. 16. Top-level Policy <ul><li>Broad statement of intent </li></ul><ul><li>Sets the expectations for compliance </li></ul><ul><li>Must acknowledge individual accountability </li></ul><ul><li>Culture-dependent </li></ul><ul><li>Must cover appropriate use </li></ul><ul><li>Must be enforced </li></ul>Policy Standards Guidelines Procedures Practice
  17. 17. Standards <ul><li>Describe what to do, not how to do it </li></ul><ul><li>Explain the application of policy </li></ul><ul><li>Cover all elements of information security </li></ul><ul><li>Use existing models (I4 & ISF) </li></ul><ul><li>Provide the cornerstone for compliance </li></ul>Policy Standards Guidelines Procedures Practice
  18. 18. Guidelines <ul><li>Tell how to meet standards </li></ul><ul><li>Are platform- or technology-specific </li></ul><ul><li>Provide examples and configuration recommendations </li></ul><ul><li>Must be kept up to date </li></ul>Policy Standards Guidelines Procedures Practice
  19. 19. What about the Laws ? <ul><li>Macedonian Information security related Framework </li></ul><ul><li>Law for Personnel Data Protection </li></ul><ul><li>Law for Classified Information </li></ul><ul><li>Law for free public access </li></ul><ul><li>Law for crime( relevant articles for Cyber crime ) </li></ul>