Notes
  • Sometimes there is no agreement at all; instead, market forces turn certain products into a de facto standard. Problems frequently arise from different implementations of the same standard by different companies. Usually this is because several alternative standards compete for the same space; sometimes it is because the standard is not specified tightly enough to rule out differences of interpretation and leaves certain parts to the implementer's discretion; and finally, some vendors decide not to follow the standard to the letter.
  • CC is the successor of ITSEC. CC is a very complex specification for security products. Its lengthy and expensive certification process leads to very few products being certified.
  • You can be certified against BS 7799-2, but not against ISO 17799 (= BS 7799-1).
  • Unpopular. Not auditable. Focuses heavily on IT management.

    1. Security Standards & Methodologies. Vicente Aceituno, FIST November/Madrid 2003 @ UPSAM. www.sia.es. Developing the infrastructures that enable e-business ®
    2. What are standards good for? Most standards are the result of agreements on the behaviour of a component or the connection between components. Using standards, a company can create products and services that work well with others, without any previous agreement between the product makers. Standards enable "teamwork" without permanent coordination, becoming a "coordination by default".
    3. Who makes standards? International Organization for Standardization. International Electrotechnical Commission. British Standards Institute. Internet Engineering Task Force. ISACA. International Information Security Foundation. National Institute of Standards and Technology (USA). AENOR (Spain). AICPA. BSI. Software Engineering Institute. ISECOM. W3C. IETF. Private companies. ISSA... and so on.
    4. What is covered by standards? Benchmarks. Algorithms. Products. Operations. Management. Organization. Auditing.
    5. Why are there so many standards? Andrew Tanenbaum famously quipped that "The good thing about standards is that there are so many to choose from". The reasons are manifold: politics, economics and other interests...
    6. What is a perfect standard? A clear conceptual framework. Provides guidance to move from theory to practice. Compliance can be tested. It scales: it can be used both for small and large organizations, enterprises and government. It considers the environment where the organization operates.
    7. Some Security Standards: ISO 17799, based on BS 7799 of the British Standards Institute. ISO/IEC TR 13335-4 by ISO/IEC Joint Technical Committee 1. RFC 2196 by the Internet Engineering Task Force. COBIT by ISACA. 800-14 GAASP by the National Institute of Standards and Technology. ISO 15408 - Common Criteria, from the National Institute of Standards and Technology. Standard of Good Practice for Information Security from ISF. SysTrust by AICPA. IT Baseline Protection Manual from BSI. OCTAVE by the Software Engineering Institute. CSEAT Review Criteria from the National Institute of Standards and Technology. OSSTMM from ISECOM. RFC 2078 GSS-API by the Internet Engineering Task Force. RFC 3365 by the Internet Engineering Task Force. RSA PKCS. GAISP by ISSA.
    8. Information Security Management: ISO 17799, based on BS 7799 of the British Standards Institute. ISO/IEC TR 13335-4 by ISO/IEC Joint Technical Committee 1. COBIT by ISACA. 800-14 GAASP by the National Institute of Standards and Technology. Standard of Good Practice for Information Security from ISF. SysTrust by AICPA.
    9. Testing and Auditing: IT Baseline Protection Manual from BSI. OCTAVE by the Software Engineering Institute. CSEAT Review Criteria. OSSTMM from ISECOM.
    10. Technology. Products: ISO 15408 - Common Criteria. API: RFC 2078 - Generic Security Service Application Program Interface. Protocols: RFC 3365 - Strong Security Requirements for Internet Engineering Task Force Standard Protocols. PKI: PKCS, X.509. Encryption: Advanced Encryption Standard (FIPS 197). XML: XML Encryption (Xenc), XML Signatures (XML-SIG), XML Key Management Specification (XKMS), Security Assertion Markup Language (SAML), eXtensible Access Control Markup Language (XACML)... just too many to list them all.
    11. ISO 17799:2000. It is based on BS 7799-1. BS 7799-1 is a Code of Practice that provides 127 security controls; it contains requirements of a general nature. BS 7799-2 is an Information Security Management System specification: it provides a formal methodology for setting up an Information Security Management System. http://www.bsi-global.com/Training/Infosec/index.xalter
    12. ISO/IEC Technical Report 13335 - Guidelines for the management of IT Security. 1996 -- Part 1: Concepts and models for IT Security. 1997 -- Part 2: Managing and planning IT Security. 1998 -- Part 3: Techniques for the management of IT Security. 2000 -- Part 4: Selection of safeguards. 2001 -- Part 5: Management guidance on network security. http://www.iso.org/iso/en/ISOOnline.frontpage
    13. COBIT. The purpose of COBIT is to provide an Information Technology (IT) governance model that helps manage the risks associated with IT. COBIT aims to make a clear and distinct link between information technology and business goals. The COBIT framework identifies 318 detailed control objectives within this classification: Quality control components: quality, cost and delivery. Fiduciary control components: effectiveness, efficiency, reliability of information, compliance. Security control components: confidentiality, integrity and availability. http://www.isaca.org/
    14. GAISP & 800-14. It's just a series of principles. It doesn't provide a way to test whether the principles are being followed. It has been used as an information source for other standards. http://www.issa.org/gaisp.html http://web.mit.edu/security/www/gassp1.html http://csrc.nist.gov/publications/nistpubs/
    15. Standard of Good Practice. This standard is being pushed as "the standard" by its proponents, with scarce results. http://www.isfsecuritystandard.com/index_ns.htm
    16. SysTrust/WebTrust. Focused on systems reliability for e-commerce activities. http://www.cica.ca/index.cfm/ci_id/635/la_id/1.htm
    17. IT Baseline Protection. Describes organizational, personnel, infrastructure and technical standards. Globally assumed threat scenario. Detailed descriptions of safeguards. Description of the process involved in maintaining an appropriate level of IT security. Procedure for ascertaining the level of IT security. http://www.bsi.bund.de/gshb/english/menue.htm
    18. OCTAVE. Involves internal personnel, providing security awareness and understanding of the business continuity needs. Introduces extensible project management techniques. It is supposed to facilitate adaptation to the evolution of security requirements. http://www.cert.org/octave/
    19. CSEAT Review Criteria. A big list of things to do. Provides no conceptual framework. http://csrc.nist.gov/cseat/
    20. Open Source Security Testing Methodology Manual. Methodology for penetration testing. GNU FDL licensed. http://www.isecom.org/projects/osstmm.shtml