En algunas ocasiones no existe un acuerdo, sino que la fuerza del mercado hace de ciertos productos un estándar. Con frecuencia surgen problemas por distintas implementaciones del estándar por distintas compañías. Esto suele deberse a que existen varios estándares alternativos, que compiten por el mismo espacio, otras veces a que el estándar no está definido más allá de cualquier diferencia de interpretación, y deja ciertas partes a discreción del implementador, y por último hay fabricantes que deciden no seguir el estándar al pié de la letra.
CC It’s the succesor of ITSEC. CC It’s a very complex specification for security products. It’s lengthy and expensive process for certification leads to very few products being certified.
You can be certified on BS 7799-2, but not on ISO 7799 = BS 7799-1
Impopular No auditable Se centra mucho en la gestión de IT
Metholodogies and Security Standards
Security Standards & Methodologies Vicente Aceituno FIST November/Madrid 2003 @ UPSAMwww.sia.esDeveloping the infrastructures that enable e-business ®
What are standards good for?Most standards are the result of agreements on thebehaviour of a component or the connection betweencomponents. Using standards a company can create products andservices that work well with others, without any previousagreement between the product makers.Standards enable “teamwork” without permanentcoordination, becoming a “coordination by default”.
Who makes standards?International Organization for Standardization.International Electrotechnical Commission.British Standards Institute.Internet Engineering Task Force.ISACA.International Information Security Foundation.National Institute of Standards and Technology (USA)AENOR (Spain)AICPA.BSI.Software Engineering Institute.ISECOMW3CIETFPrivate companies.ISSA...and so on.
What is covered by standards?Benchmarks.Algorithms.Products.Operations.Management.Organization.Auditing.
Why there are so many standards?Andrew Tanenbaum famously quipped that “The goodthing about standards is that there are so many to choosefrom”.The reasons are manifold. Politics, Economics andother interests...
What is a perfect standard?Clear concepts framework.Provides guidance to move from theory topractice.Compliance can be tested. It scales: It can be used both for small andlarge organizations, enterprises andgovernment.It considers the environment where theorganization operates.
Some Security Standards ISO 17799 based on BS 7799 of the British Standards Institute. ISO/IEC TR 13335-4 by ISO/IEC Joint Technical Committee 1. RFC2196 by Internet Engineering Task Force. Cobit by ISACA. 800-14 GAASP by National Institute of Standards and Technology. ISO15408 - Common Criteria from National Institute of Standards and Technology. Standard of Good Practice for Information Security from ISF. SysTrust by AICPA. IT Baseline Protection Manual from BSI. OCTAVE by Software Engineering Institute. CSEAT Review Criteria from National Institute of Standards and Technology. OSSTMM from ISECOM. RFC2078 GSS API by Internet Engineering Task Force. RFC3365 by Internet Engineering Task Force. RSA PKCS.GAISP by ISSA.
Information Security ManagementISO 17799 based on BS 7799 of the British Standards Institute.ISO/IEC TR 13335-4 by ISO/IEC Joint Technical Committee 1.Cobit by ISACA.800-14 GAASP by National Institute of Standards andTechnology.Standard of Good Practice for Information Security from ISF.SysTrust by AICPA.
Testing and Auditing IT Baseline Protection Manual from BSI OCTAVE by Software Engineering Institute. CSEAT Review Criteria. OSSTMM from ISECOM.
Technology Products: ISO15408 - Common Criteria. API: RFC2078 - Generic Security Service Application ProgramInterface. Protocols: RFC3365 - Strong Security Requirements forInternet Engineering Task Force Standard Protocols. PKI: PKCS, X.509 Encryption: Advanced Encryption Standard (FIPS 197) XML: XML encryption (Xenc) XML signatures (XML-SIG) XML key management specification (XKMS) Security assertion markup language (SAML) eXtensible access control markup language (XACML)...just too many to tell them all.
ISO 17799:2000 It is based on BS 7799-1. BS 77991-1 is a Code of Practice provides 127 security controls; It contains requirements of a general nature. BS 77991-2 is a information security management system. It provides a formal methodology for setting up an Information Security Management System.•http://www.bsi-global.com/Training/Infosec/index.xalter
ISO/IEC Technical Report 13335 - Guidelines for the management of IT Security 1996 -- Part 1: Concepts and models for IT Security. 1997 -- Part 2: Managing and planning IT Security . 1998 -- Part 3: Techniques for the management of IT Security. 2000 -- Part 4: Selection of safeguards. 2001 -- Part 5: Management guidance on network Security.•http://www.iso.org/iso/en/ISOOnline.frontpage
COBITThe purpose of COBIT is to provide an InformationTechnology (IT) governance model that helps managing therisks associated with IT.COBIT aims to make a clear and distinct link betweeninformation technology and business goals The COBIT framework identifies 318 detailed controlobjectives contained within this classification. Quality Control Components: Quality, Cost and Delivery Fiduciary Control Components: Effectiveness, Efficiency, Reliability of information, Compliance. Security Control Components: Confidentiality, Integrity and Availability •http://www.isaca.org/
GAISP & 800-14It’s just a series of principles.It doesn’t provide a way to test if theprinciples are being followed.It’s been used a information sourcefor other standards. •http://www.issa.org/gaisp.html •http://web.mit.edu/security/www/gassp1.html •http://csrc.nist.gov/publications/nistpubs/
Standard of Good Practice This standard is being pushed as “the standard” by the proponents, with scarce results.•http://www.isfsecuritystandard.com/index_ns.htm
SysTrust/WebTrust Focused on systems reliability for e-commerce activities.•http://www.cica.ca/index.cfm/ci_id/635/la_id/1.htm
IT Baseline protection Describes organizational, personnel, infraestructure and technical standards. Globally assumed threat scenario. Detailed descriptions of safeguards. Description of the process involved in maintaining an appropriate level of IT security. Procedure for ascertaining the level of IT security.•http://www.bsi.bund.de/gshb/english/menue.htm
OCTAVE Involves internal personnel, providing security awareness and understanding of the business continuity needs. Introduces extensible project management techniques. It’s supposed to facilitate adaption to security requirements evolution.•http://www.cert.org/octave/
CSEAT Review Criteria Big list of things to do. Provides no conceptual framework.•http://csrc.nist.gov/cseat/
Open Source Security Testing Methodology Manual Methodology for Penetration Testing. GNU-FDL Licenced.•http://www.isecom.org/projects/osstmm.shtml
FIST November/Madrid 2003 Security Standards & Methodologies Vicente AceitunoDeveloping the infrastructures that enable e-business ®