ISO-IEC 17799 The New International Standard For Information Security Management
IMPORTANCE OF STANDARDS
Competing Standards
International Standards
International Standards in Information Security are developed by the Security Techniques Committee, ISO/IEC JTC 1 SC 27
Three Areas
WG 1 - Security Management
WG 2 - Security Algorithms/Techniques
WG 3 - Security Assessment/Evaluation
History
SC 27 formed in 1990
Replaced the previous ISO/IEC security committee, which was failing to make progress
Scope excluded standardisation of algorithms (now relaxed)
Membership
Participating Members
SAI Australia
IBN Belgium
ABNT Brazil
SCC Canada
CSBTS/CESI China
CSNI Czech Rep
DS Denmark
SFS Finland
AFNOR France
DIN Germany
MSZT Hungary
BIS India
UNINFO Italy
JISC Japan
Observers
ASRO Romania
DSN Indonesia
EVS Estonia
IPQ Portugal
IRAM Argentina
NSAI Ireland
ON Austria
PSB Singapore
SII Israel
SNZ New Zealand
SUTN Slovakia
SZS Yugoslavia
WG 2 Security Techniques
Other Standards
US Government Standards
Data Encryption Standard (DES) (FIPS 46)
Advanced Encryption Standard (AES) (FIPS 197)
(FIPS - Federal Information Processing Standard)
Proprietary Standards
e.g. RSA (the Rivest Shamir Adleman algorithm)
WG 3 Security Evaluation
Common Criteria
Content of CC
Part 1 Introduction and General Model
Part 2 Functional Components
Part 3 Assurance Components
Related standards:
Relevance of CC
Why?
Common Criteria is complex
Evaluation is complex and time consuming
Limited number of approved Evaluation Facilities
Expensive
Inflexible
WG 1 Security Management
Other standards:
Guidelines on the use and management of trusted third parties (TR 14516)
Guidelines for implementation, operation and management of Intrusion Detection Systems (WD 18043)
Guidelines for security incident management (WD 18044)
Officially, there is no overlap between GMITS (Guidelines for the Management of IT Security, ISO/IEC TR 13335) and 17799
This is rubbish
GMITS is dying
Its scope is IT security, not Information Security
It is only a TR (Technical Report)
The editors of GMITS are moving to work on 17799
What is an ISMS?
Security Objectives
Security Policy
Security Organisation
Asset Classification and Control
Personnel Security
Physical and Environmental Security
    Secure Areas
    Equipment Security
    General Controls
Comms and Operational Management
Access Control
Systems Development and Maintenance
Business Continuity Management
Compliance
Security Controls
Security Policy
Security Organisation
Asset Classification and Control
Personnel Security
Physical and Environmental Security
    Secure Areas
    Equipment Security
        Siting
        Power Supplies
        Cabling
        Maintenance
        Off-premises
        Disposal/reuse
    General Controls
Comms and Operational Management
Access Control
Systems Development and Maintenance
Business Continuity Management
Compliance
ISO/IEC 17799
BS 7799-2
ISMS Requirements
Scope
Security Policy
Risk Assessment
Statement of Applicability
Develop./maintain ISMS
Documentation
Security Policy
Scope
Confidentiality
Integrity
Availability
Accountability
Assets
Risk Assessment
Regulatory/Legal
Risk Assessment
(Diagram: Asset, Threat and Vulnerability combine to give RISK)
Statement of Applicability
Identifies the actual security controls
Must consider all 7799-2 listed controls
Security Management
The means by which management monitors and controls security
Requires regular checks that:
Revision of IS 17799
ISO/IEC 17799 was identical in technical content to BS 7799-1:1999
Part of the negotiations for adoption was the initiation of an immediate major revision process
Revision started April 2002
Revision of BS 7799-2
In closing
Information Security Standards matter
Many standards are for a specialist audience
ISO/IEC 17799 is relevant to every security professional