Uploaded bynewbie2019
PDF, PPTX475 views

Chapter 10 security standart

This document provides summaries of several information security frameworks and standards, including: - ISO/IEC 27002:2005 which provides guidelines for information security management across 10 security domains. - ISO/IEC 27001:2005 which specifies requirements for establishing an Information Security Management System using a PDCA model. - Payment Card Industry Data Security Standard which consists of 12 requirements to enhance payment data security. - COBIT which links IT initiatives to business requirements and defines management control objectives across 34 IT processes. It also briefly outlines US regulations including Sarbanes-Oxley, COSO, HIPAA, and FISMA which aim to improve corporate disclosures, define healthcare information

Embed presentation

Download as PDF, PPTX
Chapter 10 Security Evaluation Framework & Operational Security Standards 1 Information System Security Jupriyadi, S.Kom. M.T. jupriyadi@teknokrat.ac.id 0856 91 16 15 14 Bandarlampung, Agustus 2021
Information Security Framework & Standards A brief introduction to the various Information Security standards and regulations including ISO standards, COBIT, the Sarbanes-Oxley Act, and others.
Standard Developments • A number of governments and organizations have set up benchmarks, standards and in some cases, legal regulations on information security to help ensure – an adequate level of security is maintained, – resources are used in the right way, and – the best security practices are adopted. • Some industries, such as banking, are regulated, and the guidelines or best practices put together as part of those regulations often become a de facto standard among members of these industries.
ISO/IEC 27002:2005 (Code of Practice for Information Security Management) ISO/IEC 27002:2005 is an international standard that originated from the BS7799-1, one that was originally laid down by the British Standards Institute (BSI). Refers to a code of practice for information security management, and is intended as a common basis and practical guideline for developing organizational security standards and effective management practices.
ISO/IEC 27002:2005 Cont. This standard contains guidelines and best practices recommendations for these 10 security domains: 1. security policy and compliance; 2. organization of information security; 3. asset management; 4. human resources security; 5. physical and environmental security; 6. communications and operations management; 7. access control; 8. information systems acquisition, development and maintenance; 9. information security incident management 10.business continuity management Among these 10 security domains, a total of 39 control objectives and hundreds of best-practice information security control measures are recommended for organizations to satisfy the control objectives and protect information assets against threats to confidentiality, integrity and availability.
ISO/IEC 27001:2005 Cont. • It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS) within an organization. • It is designed to ensure the selection of adequate and proportionate security controls to protect information assets. • This standard is usually applicable to all types of organizations, including business enterprises, government agencies, and so on.
ISO/IEC 27001:2005 Cont. • The standard introduces a cyclic model known as the “Plan-Do-Check-Act” (PDCA) model that aims to establish, implement, monitor and improve the effectiveness of an organization's ISMS. The PDCA cycle has these four phases: – a) “Plan” phase – establishing the ISMS – b) “Do” phase – implementing and operating the ISMS – c) “Check” phase – monitoring and reviewing the ISMS – d) “Act” phase – maintaining and improving the ISMS There is a list of accredited certification bodies that can certify an organization against the ISMS standard, which is maintained on the UK Accreditation Service website.
ISO/IEC 15408 (Evaluation Criteria for IT Security) • The international standard ISO/IEC 15408 is commonly known as the “Common Criteria” (CC). • This standard helps evaluate, validate, and certify the security assurance of a technology product against a number of factors, such as the security functional requirements specified in the standard. • Hardware and software can be evaluated against CC requirements in accredited testing laboratories to certify the exact EAL (Evaluation Assurance Level) the product or system can attain.
ISO/IEC 13335 (IT Security Management) It consists of a series of guidelines for technical security control measures: a. ISO/IEC 13335-1:2004 documents the concepts and models for information and communications technology security management. b. ISO/IEC TR 13335-3:1998 documents the techniques for the management of IT security. This is under review and may be superseded by ISO/IEC 27005. c. ISO/IEC TR 13335-4:2000 covers the selection of safeguards (i.e. technical security controls). This is under review and may be superseded by ISO/IEC 27005. d. ISO/IEC TR 13335-5:2001 covers management guidance on network security. This is also under review, and may be merged into ISO/IEC 18028-1, and ISO/IEC 27033.
PAYMENT CARD INDUSTRY DATA SECURITY STANDARD • The Payment Card Industry (PCI) Data Security Standard (DSS) was developed by a number of major credit card companies (including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) as members of the PCI Standards Council to enhance payment account data security. • The standard consists of 12 core requirements, which include security management, policies, procedures, network architecture, software design and other critical measures.
Payment Card Industry (PCI) Standards cont. • These requirements are organized into the following areas: 1. Build and Maintain a Secure Network 2. Protect Cardholder Data 3. Maintain a Vulnerability Management Program 4. Implement Strong Access Control Measures 5. Regularly Monitor and Test Networks 6. Maintain an Information Security Policy
The Control Objectives for Information and related Technology (COBIT) “a control framework that links IT initiatives to business requirements, organizes IT activities into a generally accepted process model, identifies the major IT resources to be leveraged and defines the management control objectives to be considered” COBIT 4.1 consists of 7 sections, which are: 1. Executive overview, 2. COBIT framework, 3. Plan and Organize, 4. Acquire and Implement, 5. Deliver and Support, 6. Monitor and Evaluate, and 7. Appendices, including a glossary. Its core content can be divided according to the 34 IT processes.
COBIT Cont. • COBIT is increasingly accepted internationally as a set of guidance materials for IT governance that allows managers to bridge the gap between control requirements, technical issues and business risks. • Based on COBIT 4.1, the COBIT Security Baseline focuses on the specific risks around IT security in a way that is simple to follow and implement for small and large organizations. COBIT can be found at ITGI or the Information Systems Audit and Control Association (ISACA) websites www.ISACA.org .
ITIL (OR ISO/IEC 20000 SERIES) • The Information Technology Infrastructure Library (ITIL) is a collection of best practices in IT service management (ITSM), and focuses on the service processes of IT and considers the central role of the user. It was developed by the United Kingdom's Office of Government Commerce (OGC) • An ITIL service management self-assessment can be conducted with the help of an online questionnaire maintained on the website of the IT Service Management Forum. The self-assessment questionnaire helps evaluate the following management areas: – Service Level Management – Financial Management – Capacity Management – Service Continuity Management – Availability Management – Service Desk – Incident Management – Problem Management – Configuration Management – Change Management and – Release Management.
US regulations SOX, COSO, HIPAA, and FISMA SOX Sarbanes-Oxley Act of 2002 – The purpose is to “protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes”. – This regulation affects all companies listed on stock exchanges in the US – In section 404, the SOX requires “each annual report … contain an internal control report … [that] contains an assessment of … the effectiveness of the internal control structures and procedures of the issuer for financial reporting”. As information technology plays a major role in the financial reporting process, IT controls would need to be assessed to see if they fully satisfy this SOX requirement.
The COSO (Committee Of Sponsoring Organizations of the Tread way Commission) • A framework that initiates an integrated process of internal controls. It helps improve ways of controlling enterprises by evaluating the effectiveness of internal controls. It contains five components: 1. Control Environment, including factors like integrity of people within the organization and management authority and responsibilities; 2. Risk Assessment, aiming to identify and evaluate the risks to the business; 3. Control Activities, including the policies and procedures for the organization; 4. Information and Communication, including identification of critical information to the business and communication channels for delivering control measures from management to staff; 5. Monitoring, including the process used to monitor and assess the quality of all internal control systems over time. • COSO and COBIT frameworks described above are both used to satisfy compliance with SOX.
The Health Insurance Portability And Accountability Act (HIPAA) of 1996 • The Act defines security standards for healthcare information, and it takes into account a number of factors including: – Technical capabilities of record systems used to maintain health information – Cost of security measures – Need for training personnel – Value of audit trails in computerized record systems – Needs and capabilities of small healthcare providers • A person who maintains or transmits health information is required to maintain reasonable and appropriate administrative, technical, and physical safeguards to ensure the integrity and confidentiality of that information. In addition, the information should be properly protected from threats to the security and integrity of that information, unauthorized uses, or unauthorized disclosure.
Federal Information Security Management Act (FISMA) • It requires US federal agencies to develop, document, and implement an agency-wide program to provide information security for the information (and information systems) that support the operations and assets of the agency. Some of the requirements include: 1. Periodic risk assessments of information and information systems that support the operations and assets of the organization 2. Risk-based policies and procedures designed to reduce information security risks to an acceptable level 3. Plans for providing adequate security for networks and information systems 4. Security awareness training to all personnel, including contractors 5. Periodic evaluation and testing of the effectiveness of the security policies, procedures and controls. The frequency should not be less than annually. Remedial action to address any deficiencies found to be properly managed. 6. A working and tested security incident handling procedure 7. A business continuity plan in place to support the operation of the organization.
The Federal Information Processing Standards (FIPS) Publication Series of the National Institute of Standards and Technology (NIST) • An official series of publications relating to standards and guidelines adopted and made available under the provisions of the FISMA. • FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, is the first mandatory security standard laid down under the FISMA legislation. FIPS Publication 200, entitled “Minimum Security Requirements for Federal Information and Information Systems” is the second mandatory set of security standards that specify minimum security requirements for US federal information and information systems across 17 security-related areas. US federal agencies must meet the minimum security requirements defined in this standard by selecting appropriate security controls and assurance requirements laid down in NIST Special Publication 800-53 (Recommended Security Controls for Federal Information Systems).
(FIPS) Publication Series cont. The 17 security-related areas include: 1. access control; 2. awareness and training; 3. audit and accountability; 4. certification, accreditation, and security assessments; 5. configuration management; 6. contingency planning; 7. identification and authentication; 8. incident response; 9. maintenance; 10. media protection; 11. physical and environmental protection; 12. planning; 13. personnel security; 14. risk assessment; 15. systems and services acquisition; 16. system and communications protection; and 17. system and information integrity
IMPLEMENTATION of FRAMWORK & STANDARDS • Although there are a number of standards on information security available now, these standards are often general guidelines or principles that may not all be applicable to a particular organization. • Care must be taken to ensure that standardized policies or guidelines are applicable to, and practical for, that particular organization's culture, business and operational practices. • The organization should first perform a “gap analysis” to identify the current security controls within the organization, the potential problems and issues, the costs and benefits, the operational impact, and the proposed recommendations before applying any chosen standards.
IMPLEMENTATION of FRAMWORK & STANDARDS Cont. • Management support is necessary at all levels. • User awareness programs should also be conducted to ensure that all employees understand the benefits and impacts before the deployment of new security policies and guidelines. • The successful implementation of any information security standards or controls must be a balance of security requirements, functional requirements and user requirements.
Conclusion Although there are a number of information security standards available, an organization can only benefit if those standards are implemented properly. Security is something that all parties should be involved in. Senior management, information security practitioners, IT professionals and users all have a role to play in securing the assets of an organization. The success of information security can only be achieved by full cooperation at all levels of an organization, both inside and outside.
What's Next ?
25

More Related Content

PDF
Nist.sp.800 37r2
bynewbie2019
 
PPTX
Security management concepts and principles
byDivya Tiwari
 
PPTX
CMMC Certification
byControlCase
 
PDF
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
byChristina33713
 
PDF
Assessing Risk: Developing a Client/Server Security Architecture,
byMITDaveMillaar
 
PDF
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
byTripwire
 
PDF
Five principles for improving your cyber security
byWGroup
 
PDF
Building a Product Security Practice in a DevOps World
byArun Prabhakar
 
Nist.sp.800 37r2
bynewbie2019
 
Security management concepts and principles
byDivya Tiwari
 
CMMC Certification
byControlCase
 
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
byChristina33713
 
Assessing Risk: Developing a Client/Server Security Architecture,
byMITDaveMillaar
 
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
byTripwire
 
Five principles for improving your cyber security
byWGroup
 
Building a Product Security Practice in a DevOps World
byArun Prabhakar
 

What's hot

PDF
Chapter 12 iso 27001 awareness
bynewbie2019
 
PPT
Security Management Practices
byamiable_indian
 
PDF
Lessons Learned from the NIST CSF
byDigital Bond
 
PPTX
Planning for security and security audit process
byDivya Tiwari
 
PPT
information security management
byGurpreetkaur838
 
PDF
CISA Domain 4 Information Systems Operation | Infosectrain
byInfosecTrain
 
PDF
TOGAF 9 - Security Architecture Ver1 0
byMaganathin Veeraragaloo
 
PPT
Information Security Identity and Access Management Administration 07072016
byLeon Blum
 
PDF
Information Security Management 101
byJerod Brennen
 
PPTX
It audit methodologies
bySalih Islam
 
PPT
Introduction to Information System Security
bychauhankapil
 
PPTX
Chapter 1 Security Framework
byKarthikeyan Dhayalan
 
PPTX
Information Security Management System ISO/IEC 27001:2005
byControlCase
 
PPT
Chapter 5
bysivadnolram
 
PPT
Contractor Responsibilities under the Federal Information Security Management...
bypadler01
 
PPT
Developing an Information Security Program
byShauna_Cox
 
PPTX
Information security management best practice
byparves kamal
 
PPTX
Information security management (bel g. ragad)
byRois Solihin
 
PDF
Gpc case study_eng_0221
bySALIH AHMED ISLAM
 
PPT
Network security policies
byUsman Mukhtar
 
Chapter 12 iso 27001 awareness
bynewbie2019
 
Security Management Practices
byamiable_indian
 
Lessons Learned from the NIST CSF
byDigital Bond
 
Planning for security and security audit process
byDivya Tiwari
 
information security management
byGurpreetkaur838
 
CISA Domain 4 Information Systems Operation | Infosectrain
byInfosecTrain
 
TOGAF 9 - Security Architecture Ver1 0
byMaganathin Veeraragaloo
 
Information Security Identity and Access Management Administration 07072016
byLeon Blum
 
Information Security Management 101
byJerod Brennen
 
It audit methodologies
bySalih Islam
 
Introduction to Information System Security
bychauhankapil
 
Chapter 1 Security Framework
byKarthikeyan Dhayalan
 
Information Security Management System ISO/IEC 27001:2005
byControlCase
 
Chapter 5
bysivadnolram
 
Contractor Responsibilities under the Federal Information Security Management...
bypadler01
 
Developing an Information Security Program
byShauna_Cox
 
Information security management best practice
byparves kamal
 
Information security management (bel g. ragad)
byRois Solihin
 
Gpc case study_eng_0221
bySALIH AHMED ISLAM
 
Network security policies
byUsman Mukhtar
 

Similar to Chapter 10 security standart

PDF
Standards & Framework.pdf
bykarthikvcyber
 
PPT
Standards & Framework.ppt
bykarthikvcyber
 
PPTX
Chapter 1 Best Practices, Standards, and a Plan of Action.pptx
bykevlekalakala
 
PPTX
CISSPills #3.02
byPierluigi Falcone, CISSP, CISM, CCSK, SABSA Foundation
 
PDF
Cybersecurity Frameworks for DMZCON23 230905.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PPT
ISMS Part I
bykhushboo
 
PPTX
Governance and management of IT.pptx
byPrashant Singh
 
PPTX
FCS lecture 6.pptxlknemfenj dkcnd vkf dkjvn
byGulasalButaeva
 
PPTX
Cybersecurity Framework Luncheon Presentation 1-18-18.pptx
bytrinirebel1
 
PPTX
Welingkar Presentation On Cobit And Iso 1799 And Bs 7799
byAbhinav Goyal
 
PDF
Information assurance /Information security
byjorgenajarro3
 
PPT
zSecurity_L9_Standards and Policies.ppt
byssuser45a8a6
 
PPT
Unit 4 standards.ppt
byClashWithGROUDON
 
PPT
Use of the COBIT Security Baseline
byBarry Caplin
 
PDF
Cobit 5 for Information Security
bySeto Joseles
 
PPT
S nandakumar
byIPPAI
 
PPT
S nandakumar_banglore
byIPPAI
 
PDF
CNIT 160: Ch 2b: Security Strategy Development
bySam Bowne
 
PDF
Cobit 5 for information security
byElkanouni Mohamed
 
PPTX
COBIT
byAi Lun Wu
 
Standards & Framework.pdf
bykarthikvcyber
 
Standards & Framework.ppt
bykarthikvcyber
 
Chapter 1 Best Practices, Standards, and a Plan of Action.pptx
bykevlekalakala
 
CISSPills #3.02
byPierluigi Falcone, CISSP, CISM, CCSK, SABSA Foundation
 
Cybersecurity Frameworks for DMZCON23 230905.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISMS Part I
bykhushboo
 
Governance and management of IT.pptx
byPrashant Singh
 
FCS lecture 6.pptxlknemfenj dkcnd vkf dkjvn
byGulasalButaeva
 
Cybersecurity Framework Luncheon Presentation 1-18-18.pptx
bytrinirebel1
 
Welingkar Presentation On Cobit And Iso 1799 And Bs 7799
byAbhinav Goyal
 
Information assurance /Information security
byjorgenajarro3
 
zSecurity_L9_Standards and Policies.ppt
byssuser45a8a6
 
Unit 4 standards.ppt
byClashWithGROUDON
 
Use of the COBIT Security Baseline
byBarry Caplin
 
Cobit 5 for Information Security
bySeto Joseles
 
S nandakumar
byIPPAI
 
S nandakumar_banglore
byIPPAI
 
CNIT 160: Ch 2b: Security Strategy Development
bySam Bowne
 
Cobit 5 for information security
byElkanouni Mohamed
 
COBIT
byAi Lun Wu
 

More from newbie2019

PDF
Digital forensic principles and procedure
bynewbie2019
 
PDF
Fundamental digital forensik
bynewbie2019
 
PDF
Pendahuluan it forensik
bynewbie2019
 
PDF
Chapter 15 incident handling
bynewbie2019
 
PDF
Chapter 14 sql injection
bynewbie2019
 
PDF
Chapter 13 web security
bynewbie2019
 
PDF
NIST Framework for Information System
bynewbie2019
 
PDF
Chapter 8 cryptography lanjutan
bynewbie2019
 
PDF
Pertemuan 7 cryptography
bynewbie2019
 
PDF
Chapter 6 information hiding (steganography)
bynewbie2019
 
PDF
Vulnerability threat and attack
bynewbie2019
 
PDF
Chapter 4 vulnerability threat and attack
bynewbie2019
 
PDF
C02
bynewbie2019
 
PDF
Chapter 3 security principals
bynewbie2019
 
PDF
Chapter 2 konsep dasar keamanan
bynewbie2019
 
PDF
Fundamentals of information systems security ( pdf drive ) chapter 1
bynewbie2019
 
PDF
Chapter 1 introduction
bynewbie2019
 
PDF
CCNA RSE Routing concept
bynewbie2019
 
PPT
Chapter 1 introduction
bynewbie2019
 
PPTX
Sca nv6 instructorppt_chapter2
bynewbie2019
 
Digital forensic principles and procedure
bynewbie2019
 
Fundamental digital forensik
bynewbie2019
 
Pendahuluan it forensik
bynewbie2019
 
Chapter 15 incident handling
bynewbie2019
 
Chapter 14 sql injection
bynewbie2019
 
Chapter 13 web security
bynewbie2019
 
NIST Framework for Information System
bynewbie2019
 
Chapter 8 cryptography lanjutan
bynewbie2019
 
Pertemuan 7 cryptography
bynewbie2019
 
Chapter 6 information hiding (steganography)
bynewbie2019
 
Vulnerability threat and attack
bynewbie2019
 
Chapter 4 vulnerability threat and attack
bynewbie2019
 
C02
bynewbie2019
 
Chapter 3 security principals
bynewbie2019
 
Chapter 2 konsep dasar keamanan
bynewbie2019
 
Fundamentals of information systems security ( pdf drive ) chapter 1
bynewbie2019
 
Chapter 1 introduction
bynewbie2019
 
CCNA RSE Routing concept
bynewbie2019
 
Chapter 1 introduction
bynewbie2019
 
Sca nv6 instructorppt_chapter2
bynewbie2019
 

Recently uploaded

PPTX
META-ANALYSIS INTERPRETATION, PUBLICATION BIAS AND GRADE ASSESSMENT.pptx
bySystematic Reviews Network (SRN)
 
PPTX
The Cell & Cell Cycle-detailed structure and function of organelles.pptx
byAshish Umale
 
PPTX
Growth & Development MILESTONES (ADOLESCENTS ).pptx
byAneetaSharma15
 
PDF
Types of eggs and Egg membranes (Developmental Zoology)
bySudhandraKarthi
 
PPTX
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
PPTX
Partial Correlation of Coefficient - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂
bySundar B N
 
PDF
Blood Group Incompatibility: Rh Factor and Erythroblastosis Fetalis
bySudhandraKarthi
 
PDF
Most Imp Chapters & Weightage for Boards 2025.pdf
byTamannaSagar
 
PPTX
Accounting Skills Paper-II (Registers of PACs and Credit Co-operative Societies)
byDr. Sushil Bansode
 
PPTX
How to Configure Push & Pull Rule in Odoo 18 Inventory
byCeline George
 
PPTX
Introduction-to-Anatomy-and-Physiology.pptx
byAshish Umale
 
PPTX
Overview of how to Create a Model in Odoo 18
byCeline George
 
PPTX
How to Create Lead_Opportunity From Odoo 18 Website
byCeline George
 
PPTX
Planning Assessment for Outcome-based Education
byAdri Jovin
 
PPTX
ATTENTION -PART 2.pptx Shilpa Hotakar for I semester BSc students
bySHILPA HOTAKAR
 
PPTX
Partial Correlation - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂ r₁₂, r₁₃ and r₂₃
bySundar B N
 
PDF
The voice of the rain poem class 11th.pdf
byReeta Baral
 
PDF
Micro Economics for class 12 and class 11
bysurajbajaj4116
 
PPTX
UNIT 1: COMMUNICATION SKILLS, BARRIERS TO COMMUNICATION, PERSPECTIVES IN COMM...
byPOOJA KARVANDE
 
PDF
DHA/HAAD/MOH/DOH OPTOMETRY MCQ PYQ. .pdf
byAnmol Singh
 
META-ANALYSIS INTERPRETATION, PUBLICATION BIAS AND GRADE ASSESSMENT.pptx
bySystematic Reviews Network (SRN)
 
The Cell & Cell Cycle-detailed structure and function of organelles.pptx
byAshish Umale
 
Growth & Development MILESTONES (ADOLESCENTS ).pptx
byAneetaSharma15
 
Types of eggs and Egg membranes (Developmental Zoology)
bySudhandraKarthi
 
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
Partial Correlation of Coefficient - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂
bySundar B N
 
Blood Group Incompatibility: Rh Factor and Erythroblastosis Fetalis
bySudhandraKarthi
 
Most Imp Chapters & Weightage for Boards 2025.pdf
byTamannaSagar
 
Accounting Skills Paper-II (Registers of PACs and Credit Co-operative Societies)
byDr. Sushil Bansode
 
How to Configure Push & Pull Rule in Odoo 18 Inventory
byCeline George
 
Introduction-to-Anatomy-and-Physiology.pptx
byAshish Umale
 
Overview of how to Create a Model in Odoo 18
byCeline George
 
How to Create Lead_Opportunity From Odoo 18 Website
byCeline George
 
Planning Assessment for Outcome-based Education
byAdri Jovin
 
ATTENTION -PART 2.pptx Shilpa Hotakar for I semester BSc students
bySHILPA HOTAKAR
 
Partial Correlation - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂ r₁₂, r₁₃ and r₂₃
bySundar B N
 
The voice of the rain poem class 11th.pdf
byReeta Baral
 
Micro Economics for class 12 and class 11
bysurajbajaj4116
 
UNIT 1: COMMUNICATION SKILLS, BARRIERS TO COMMUNICATION, PERSPECTIVES IN COMM...
byPOOJA KARVANDE
 
DHA/HAAD/MOH/DOH OPTOMETRY MCQ PYQ. .pdf
byAnmol Singh
 

Chapter 10 security standart

  • 1.
    Chapter 10 Security Evaluation Framework& Operational Security Standards 1 Information System Security Jupriyadi, S.Kom. M.T. jupriyadi@teknokrat.ac.id 0856 91 16 15 14 Bandarlampung, Agustus 2021
  • 2.
    Information Security Framework &Standards A brief introduction to the various Information Security standards and regulations including ISO standards, COBIT, the Sarbanes-Oxley Act, and others.
  • 3.
    Standard Developments • Anumber of governments and organizations have set up benchmarks, standards and in some cases, legal regulations on information security to help ensure – an adequate level of security is maintained, – resources are used in the right way, and – the best security practices are adopted. • Some industries, such as banking, are regulated, and the guidelines or best practices put together as part of those regulations often become a de facto standard among members of these industries.
  • 4.
    ISO/IEC 27002:2005 (Code ofPractice for Information Security Management) ISO/IEC 27002:2005 is an international standard that originated from the BS7799-1, one that was originally laid down by the British Standards Institute (BSI). Refers to a code of practice for information security management, and is intended as a common basis and practical guideline for developing organizational security standards and effective management practices.
  • 5.
    ISO/IEC 27002:2005 Cont. Thisstandard contains guidelines and best practices recommendations for these 10 security domains: 1. security policy and compliance; 2. organization of information security; 3. asset management; 4. human resources security; 5. physical and environmental security; 6. communications and operations management; 7. access control; 8. information systems acquisition, development and maintenance; 9. information security incident management 10.business continuity management Among these 10 security domains, a total of 39 control objectives and hundreds of best-practice information security control measures are recommended for organizations to satisfy the control objectives and protect information assets against threats to confidentiality, integrity and availability.
  • 6.
    ISO/IEC 27001:2005 Cont. •It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS) within an organization. • It is designed to ensure the selection of adequate and proportionate security controls to protect information assets. • This standard is usually applicable to all types of organizations, including business enterprises, government agencies, and so on.
  • 7.
    ISO/IEC 27001:2005 Cont. •The standard introduces a cyclic model known as the “Plan-Do-Check-Act” (PDCA) model that aims to establish, implement, monitor and improve the effectiveness of an organization's ISMS. The PDCA cycle has these four phases: – a) “Plan” phase – establishing the ISMS – b) “Do” phase – implementing and operating the ISMS – c) “Check” phase – monitoring and reviewing the ISMS – d) “Act” phase – maintaining and improving the ISMS There is a list of accredited certification bodies that can certify an organization against the ISMS standard, which is maintained on the UK Accreditation Service website.
  • 8.
    ISO/IEC 15408 (Evaluation Criteriafor IT Security) • The international standard ISO/IEC 15408 is commonly known as the “Common Criteria” (CC). • This standard helps evaluate, validate, and certify the security assurance of a technology product against a number of factors, such as the security functional requirements specified in the standard. • Hardware and software can be evaluated against CC requirements in accredited testing laboratories to certify the exact EAL (Evaluation Assurance Level) the product or system can attain.
  • 9.
    ISO/IEC 13335 (ITSecurity Management) It consists of a series of guidelines for technical security control measures: a. ISO/IEC 13335-1:2004 documents the concepts and models for information and communications technology security management. b. ISO/IEC TR 13335-3:1998 documents the techniques for the management of IT security. This is under review and may be superseded by ISO/IEC 27005. c. ISO/IEC TR 13335-4:2000 covers the selection of safeguards (i.e. technical security controls). This is under review and may be superseded by ISO/IEC 27005. d. ISO/IEC TR 13335-5:2001 covers management guidance on network security. This is also under review, and may be merged into ISO/IEC 18028-1, and ISO/IEC 27033.
  • 10.
    PAYMENT CARD INDUSTRYDATA SECURITY STANDARD • The Payment Card Industry (PCI) Data Security Standard (DSS) was developed by a number of major credit card companies (including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) as members of the PCI Standards Council to enhance payment account data security. • The standard consists of 12 core requirements, which include security management, policies, procedures, network architecture, software design and other critical measures.
  • 11.
    Payment Card Industry(PCI) Standards cont. • These requirements are organized into the following areas: 1. Build and Maintain a Secure Network 2. Protect Cardholder Data 3. Maintain a Vulnerability Management Program 4. Implement Strong Access Control Measures 5. Regularly Monitor and Test Networks 6. Maintain an Information Security Policy
  • 12.
    The Control Objectivesfor Information and related Technology (COBIT) “a control framework that links IT initiatives to business requirements, organizes IT activities into a generally accepted process model, identifies the major IT resources to be leveraged and defines the management control objectives to be considered” COBIT 4.1 consists of 7 sections, which are: 1. Executive overview, 2. COBIT framework, 3. Plan and Organize, 4. Acquire and Implement, 5. Deliver and Support, 6. Monitor and Evaluate, and 7. Appendices, including a glossary. Its core content can be divided according to the 34 IT processes.
  • 13.
    COBIT Cont. • COBITis increasingly accepted internationally as a set of guidance materials for IT governance that allows managers to bridge the gap between control requirements, technical issues and business risks. • Based on COBIT 4.1, the COBIT Security Baseline focuses on the specific risks around IT security in a way that is simple to follow and implement for small and large organizations. COBIT can be found at ITGI or the Information Systems Audit and Control Association (ISACA) websites www.ISACA.org .
  • 14.
    ITIL (OR ISO/IEC20000 SERIES) • The Information Technology Infrastructure Library (ITIL) is a collection of best practices in IT service management (ITSM), and focuses on the service processes of IT and considers the central role of the user. It was developed by the United Kingdom's Office of Government Commerce (OGC) • An ITIL service management self-assessment can be conducted with the help of an online questionnaire maintained on the website of the IT Service Management Forum. The self-assessment questionnaire helps evaluate the following management areas: – Service Level Management – Financial Management – Capacity Management – Service Continuity Management – Availability Management – Service Desk – Incident Management – Problem Management – Configuration Management – Change Management and – Release Management.
  • 15.
    US regulations SOX,COSO, HIPAA, and FISMA SOX Sarbanes-Oxley Act of 2002 – The purpose is to “protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes”. – This regulation affects all companies listed on stock exchanges in the US – In section 404, the SOX requires “each annual report … contain an internal control report … [that] contains an assessment of … the effectiveness of the internal control structures and procedures of the issuer for financial reporting”. As information technology plays a major role in the financial reporting process, IT controls would need to be assessed to see if they fully satisfy this SOX requirement.
  • 16.
    The COSO (CommitteeOf Sponsoring Organizations of the Tread way Commission) • A framework that initiates an integrated process of internal controls. It helps improve ways of controlling enterprises by evaluating the effectiveness of internal controls. It contains five components: 1. Control Environment, including factors like integrity of people within the organization and management authority and responsibilities; 2. Risk Assessment, aiming to identify and evaluate the risks to the business; 3. Control Activities, including the policies and procedures for the organization; 4. Information and Communication, including identification of critical information to the business and communication channels for delivering control measures from management to staff; 5. Monitoring, including the process used to monitor and assess the quality of all internal control systems over time. • COSO and COBIT frameworks described above are both used to satisfy compliance with SOX.
  • 17.
    The Health InsurancePortability And Accountability Act (HIPAA) of 1996 • The Act defines security standards for healthcare information, and it takes into account a number of factors including: – Technical capabilities of record systems used to maintain health information – Cost of security measures – Need for training personnel – Value of audit trails in computerized record systems – Needs and capabilities of small healthcare providers • A person who maintains or transmits health information is required to maintain reasonable and appropriate administrative, technical, and physical safeguards to ensure the integrity and confidentiality of that information. In addition, the information should be properly protected from threats to the security and integrity of that information, unauthorized uses, or unauthorized disclosure.
  • 18.
    Federal Information Security ManagementAct (FISMA) • It requires US federal agencies to develop, document, and implement an agency-wide program to provide information security for the information (and information systems) that support the operations and assets of the agency. Some of the requirements include: 1. Periodic risk assessments of information and information systems that support the operations and assets of the organization 2. Risk-based policies and procedures designed to reduce information security risks to an acceptable level 3. Plans for providing adequate security for networks and information systems 4. Security awareness training to all personnel, including contractors 5. Periodic evaluation and testing of the effectiveness of the security policies, procedures and controls. The frequency should not be less than annually. Remedial action to address any deficiencies found to be properly managed. 6. A working and tested security incident handling procedure 7. A business continuity plan in place to support the operation of the organization.
  • 19.
    The Federal InformationProcessing Standards (FIPS) Publication Series of the National Institute of Standards and Technology (NIST) • An official series of publications relating to standards and guidelines adopted and made available under the provisions of the FISMA. • FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, is the first mandatory security standard laid down under the FISMA legislation. FIPS Publication 200, entitled “Minimum Security Requirements for Federal Information and Information Systems” is the second mandatory set of security standards that specify minimum security requirements for US federal information and information systems across 17 security-related areas. US federal agencies must meet the minimum security requirements defined in this standard by selecting appropriate security controls and assurance requirements laid down in NIST Special Publication 800-53 (Recommended Security Controls for Federal Information Systems).
  • 20.
    (FIPS) Publication Seriescont. The 17 security-related areas include: 1. access control; 2. awareness and training; 3. audit and accountability; 4. certification, accreditation, and security assessments; 5. configuration management; 6. contingency planning; 7. identification and authentication; 8. incident response; 9. maintenance; 10. media protection; 11. physical and environmental protection; 12. planning; 13. personnel security; 14. risk assessment; 15. systems and services acquisition; 16. system and communications protection; and 17. system and information integrity
  • 21.
    IMPLEMENTATION of FRAMWORK& STANDARDS • Although there are a number of standards on information security available now, these standards are often general guidelines or principles that may not all be applicable to a particular organization. • Care must be taken to ensure that standardized policies or guidelines are applicable to, and practical for, that particular organization's culture, business and operational practices. • The organization should first perform a “gap analysis” to identify the current security controls within the organization, the potential problems and issues, the costs and benefits, the operational impact, and the proposed recommendations before applying any chosen standards.
  • 22.
    IMPLEMENTATION of FRAMWORK& STANDARDS Cont. • Management support is necessary at all levels. • User awareness programs should also be conducted to ensure that all employees understand the benefits and impacts before the deployment of new security policies and guidelines. • The successful implementation of any information security standards or controls must be a balance of security requirements, functional requirements and user requirements.
  • 23.
    Conclusion Although there area number of information security standards available, an organization can only benefit if those standards are implemented properly. Security is something that all parties should be involved in. Senior management, information security practitioners, IT professionals and users all have a role to play in securing the assets of an organization. The success of information security can only be achieved by full cooperation at all levels of an organization, both inside and outside.
  • 24.
  • 25.