ISO/IEC 17799
The New International Standard for Information Security Management

Caroline Hamilton
RiskWatch, Inc.
With assistance from:
Mike Nash, Gamma Secure Systems Ltd
Camberley, United Kingdom

IMPORTANCE OF STANDARDS

Examples from America's past include:
  Railroad tracks
  Shoe sizing

FOUNDING OF NIST - 1901

At that time, the United States had few, if any, authoritative national standards for any quantities or products. What it had was a patchwork of locally and regionally applied standards, often arbitrary, that were a source of confusion in commerce. It was difficult for Americans to conduct fair transactions or get parts to fit together properly. Construction materials were of uneven quality, and household products were unreliable. Few Americans worked as scientists, because most scientific work was based overseas.

The Baltimore Fire of 1904

The need for standards was dramatized in 1904, when more than 1,500 buildings burned down in Baltimore, Md., because of a lack of standard fire-hose couplings. When firefighters from Washington and as far away as New York arrived to help douse the fire, few of their hoses fit the hydrants. NIST had collected more than 600 sizes and variations in fire-hose couplings in a previous investigation and, after the Baltimore fire, participated in the selection of a national standard.

Competing Standards

US Government: NIST standards
International: BS 7799 / ISO/IEC 17799 standard

International Standards

International Standards in Information Security are developed by the Security Techniques Committee, ISO/IEC JTC 1 SC 27.
Three working groups:
  WG 1 - Security Management
  WG 2 - Security Algorithms/Techniques
  WG 3 - Security Assessment/Evaluation
SC 27's responsibilities include ISO/IEC 17799 (BS 7799), the main topic for today.

History

SC 27 formed in 1990
Replaced a previous ISO/IEC security committee which was failing to make progress
Scope excluded standardisation of algorithms (now relaxed)

Membership

Members of SC 27 are National Standards Bodies, participating or observing
Also liaisons from other standards-making bodies or committees
Working Groups are composed of experts nominated by National Bodies
Up to 200 participating experts

Participating Members

SAI Australia
IBN Belgium
ABNT Brazil
SCC Canada
CSBTS/CESI China
CSNI Czech Rep
DS Denmark
SFS Finland
AFNOR France
DIN Germany
MSZT Hungary
BIS India
UNINFO Italy
JISC Japan
KATS Korea, Rep of
DSM Malaysia
NEN Netherlands
NTS/IT Norway
PKN Poland
GOST R Russian Fed
SABS South Africa
AENOR Spain
SIS Sweden
SNV Switzerland
BSI UK
DSTU Ukraine
ANSI USA

Adoption of New Standard

Australia/New Zealand: AS/NZS ISO/IEC 17799:2000
The primary information security standard in Australia was AS 4444, and in New Zealand NZS 4444. These have been replaced with the new international standard, 17799. See Standards Australia OnLine at http://www.standards.com.au.

Observers

ASRO Romania
DSN Indonesia
EVS Estonia
IPQ Portugal
IRAM Argentina
NSAI Ireland
ON Austria
PSB Singapore
SII Israel
SNZ New Zealand
SUTN Slovakia
SZS Yugoslavia

WG 2 Security Techniques

There are International Standards (IS) or Working Drafts (WD) for:
  Encryption (WD 18033)
  Modes of Operation (IS 8372)
  Message Authentication Codes (IS 9797)
  Entity Authentication (IS 9798)
  Non-repudiation Techniques (IS 13888)
  Digital Signatures (IS 9796, IS 14888)
  Hash Functions (IS 10118)
  Key Management (IS 11770)
  Elliptic Curve Cryptography (WD 15946)
  Time Stamping Services (WD 18014)

Other Standards

US Government Standards
  Data Encryption Standard (DES) (FIPS 46)
  Advanced Encryption Standard (AES) (FIPS 197)
  (FIPS - Federal Information Processing Standard)

Proprietary Standards
  e.g. RSA (the Rivest-Shamir-Adleman algorithm)

WG 3 Security Evaluation

Third Party Evaluation
Criteria for an independent body to form an impartial and repeatable assessment of the presence, correctness and effectiveness of security functionality
Common Criteria (CC) (IS 15408)

Common Criteria

Produced by a consortium of Government bodies in North America / European Union, mainly National Security Agencies
Influenced by the International Standardisation committee
Adopted as International Standard 15408
Adopted and recognised by other major Governments: all EU, Australia, Japan, Russia
Replaces Orange Book (US) and ITSEC (EU)

Content of CC

Part 1 Introduction and General Model
Part 2 Functional Components
Part 3 Assurance Components
Related standards:
  Protection Profile Registration Procedures (IS 15292)
  Framework for Assurance (WD 15443)
  Guide on Production of Protection Profiles (WD 15446)
  Security Evaluation Methodology (WD 18045)

Relevance of CC

The Common Criteria and its predecessors (Orange Book, ITSEC) raised the level and reliability of security functionality found in standard products: Operating Systems, Databases, Firewalls
Important for major product vendors
Important for high-risk Government systems
Important for Smart Cards
Irrelevant to everyone else

Why?

Common Criteria is complex
Evaluation is complex and time consuming
Limited number of approved Evaluation Facilities
Expensive
Inflexible
Money is usually better spent improving security

WG 1 Security Management

Two key standards:
  Guidelines for Information Security Management (GMITS) (TR 13335)
  Code of Practice for Information Security Management (IS 17799)

Other standards:
  Guidelines on the use and management of trusted third parties (TR 14516)
  Guidelines for implementation, operation and management of Intrusion Detection Systems (WD 18043)
  Guidelines for security incident management (WD 18044)

GMITS and 17799

GMITS developed by ISO/IEC JTC 1 SC 27 (standards committee)
IS 17799 is (almost) identical to BS 7799-1
BS 7799-1 was the most widely purchased security standard worldwide
Officially, no overlap
This is rubbish
GMITS is dying:
  Scope is IT security, not Information Security
  Only a TR (Technical Report)
  Editors of GMITS are moving to work on 17799

ISO/IEC 17799 and BS 7799-2

IS 17799 is a catalogue of good things to do
BS 7799 Part 2 is a specification for an ISMS (Information Security Management System)
ISMS compliance can be independently assessed

What is an ISMS?

ISO/IEC 17799 Layout

10 Major Headings
36 Objectives
127 Major Controls
Several Thousand Pieces of Guidance

The 10 Major Headings

Security Policy
Security Organisation
Asset Classification and Control
Personnel Security
Physical and Environmental Security
Comms and Operational Management
Access Control
Systems Development and Maintenance
Business Continuity Management
Compliance

Security Objectives

(Diagram: each of the 10 major headings is broken down into objectives. Example shown: Physical and Environmental Security has three objectives.)
  Secure Areas
  Equipment Security
  General Controls

Security Controls

(Diagram: each objective is broken down into controls. Example shown: the Equipment Security objective has six controls.)
  Siting
  Power Supplies
  Cabling
  Maintenance
  Off-premises
  Disposal/reuse

ISO/IEC 17799

A standard for Information Security Management
Very wide acceptance
Based on British Standard BS 7799:
  Replaced Part 1 of BS 7799
  Part 2 of BS 7799 still exists and is current
  Part 2 describes how to build and assess a security management system
  National equivalents to BS 7799-2 exist in most developed countries, except North America

BS 7799-2

ISMS Requirements:
  Scope
  Security Policy
  Risk Assessment
  Statement of Applicability
  Develop/maintain ISMS
  Documentation
ISO/IEC 17799 Controls (in imperative format)

Complying with BS 7799-2

Security Policy
Risk Assessment
Statement of Applicability
Management System

Security Policy

Scope
Confidentiality
Integrity
Availability
Accountability
Assets
Risk Assessment
Regulatory/Legal

Risk Assessment

(Diagram: Asset, Threat and Vulnerability combine to give RISK.)

Statement of Applicability

Identifies the actual security controls in place
Must consider all controls listed in 7799-2: include or exclude each one, with justification
Select applicable controls by business and risk analysis
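The two preceding slides describe a procedure but show no instance of it: a risk assessment combines asset, threat and vulnerability into a risk, and the Statement of Applicability then records, for every control in the catalogue, either that it is included to treat a risk or that it is excluded with a justification. The block below is an added example, not code from the slides or from RiskWatch or Gamma, that carries that procedure through in Python. The 1..3 scoring scale, the multiplicative risk score, the treatment threshold of 8, the "EQ-n" control identifiers and the exclusion wording are all assumptions; the control names are the six Equipment Security controls named on the Security Controls slide, and the scenarios are constructed sample input.

```python
from dataclasses import dataclass

# Added example, not from the slides: a minimal model of the slides' risk
# assessment (asset, threat, vulnerability -> risk) feeding a Statement of
# Applicability (SoA) in which every catalogued control is either included
# because it treats a risk or excluded with a written justification.
# Assumptions: the 1..3 scoring scale, the multiplicative score, the
# treatment threshold and the "EQ-n" control identifiers are illustrative.


@dataclass(frozen=True)
class Control:
    cid: str
    name: str


# Catalogue built from the Equipment Security controls named on the slides;
# the identifiers are illustrative, not the standard's own numbering.
CATALOGUE = (
    Control("EQ-1", "Siting"),
    Control("EQ-2", "Power supplies"),
    Control("EQ-3", "Cabling"),
    Control("EQ-4", "Maintenance"),
    Control("EQ-5", "Off-premises"),
    Control("EQ-6", "Disposal/reuse"),
)


@dataclass(frozen=True)
class Scenario:
    """One asset/threat/vulnerability triple from the risk assessment."""
    asset: str
    asset_value: int          # 1 = low .. 3 = high (assumed scale)
    threat: str
    likelihood: int           # 1..3
    vulnerability: str
    exposure: int             # 1..3
    mitigated_by: tuple       # control ids that would treat this scenario

    def risk(self) -> int:
        """Risk score in 1..27; rejects scores outside the assumed 1..3 scale."""
        for score in (self.asset_value, self.likelihood, self.exposure):
            if not 1 <= score <= 3:
                raise ValueError(f"score {score} outside 1..3 for {self.asset}")
        return self.asset_value * self.likelihood * self.exposure


# Constructed sample input.
SCENARIOS = (
    Scenario("Server room", 3, "Power failure", 2, "Single mains feed, no UPS", 3, ("EQ-2",)),
    Scenario("Server room", 3, "Tampering", 1, "Patch panel in public corridor", 2, ("EQ-1", "EQ-3")),
    Scenario("Field laptops", 2, "Theft", 3, "Unencrypted disks", 3, ("EQ-5",)),
    Scenario("Retired disks", 2, "Data leakage", 2, "No wiping before resale", 2, ("EQ-6",)),
)

# Justifications for controls the risk assessment does not select (assumed text).
EXCLUSIONS = {
    "EQ-1": "Only scenario scored below treatment threshold; revisit at next review",
    "EQ-3": "Only scenario scored below treatment threshold; revisit at next review",
    "EQ-4": "Equipment maintenance outsourced; obligations carried in supplier contract",
}

THRESHOLD = 8  # assumed: risks scoring 8 or more must be treated by a control


def build_soa(catalogue, scenarios, threshold, exclusions):
    """Return {cid: (included, justification)} covering every control in the catalogue.

    A control is included when it mitigates any scenario whose risk meets the
    threshold; its justification records which scenarios selected it.  A control
    not selected by risk must carry a non-empty justification in `exclusions`,
    otherwise the SoA is incomplete and a ValueError is raised.
    """
    known = {c.cid for c in catalogue}
    selected = {}
    for s in scenarios:
        if s.risk() >= threshold:
            for cid in s.mitigated_by:
                if cid not in known:
                    raise ValueError(f"scenario {s.asset}/{s.threat} names unknown control {cid}")
                selected.setdefault(cid, []).append(f"{s.asset}/{s.threat} (risk {s.risk()})")
    soa = {}
    for c in catalogue:
        if c.cid in selected:
            soa[c.cid] = (True, "; ".join(selected[c.cid]))
        elif exclusions.get(c.cid, "").strip():
            soa[c.cid] = (False, exclusions[c.cid].strip())
        else:
            raise ValueError(f"{c.cid} {c.name}: not selected by risk and no exclusion justification")
    return soa


def included_controls(soa):
    """Sorted ids of the controls the SoA includes."""
    return sorted(cid for cid, (inc, _) in soa.items() if inc)


if __name__ == "__main__":
    for cid, (inc, why) in build_soa(CATALOGUE, SCENARIOS, THRESHOLD, EXCLUSIONS).items():
        print(f"{cid}: {'INCLUDE' if inc else 'EXCLUDE'} - {why}")
```

With the sample scenarios, three controls (EQ-2, EQ-5, EQ-6) are selected by risk and the other three must be justified out; dropping one justification makes build_soa refuse to produce the statement, which is the check an assessor would apply to a real SoA. Lowering the threshold pulls in the controls that treat the lower-scored tampering scenario, showing how the risk appetite, not the catalogue, drives selection.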


Security Management

The means by which Management monitors and controls security
Requires regular checks that:
  Controls are still in place and effective
  Residual risks are still acceptable
  Assumptions about threats etc. remain valid

Revision of IS 17799

ISO/IEC 17799 was identical in technical content to BS 7799-1:1999
Part of the negotiations for adoption was the initiation of an immediate major revision process
Revision started April 2002
First meeting in Berlin failed to finish its agenda
  Lot of fuss over philosophy and definitions, e.g. What is security?
  Editors sent away to finish the job
  Having difficulties finding enough changes to justify a major revision

Revision of BS 7799-2

BS 7799-2:2002 issued as draft for comment in March 2002
Aligned with other continuous review standards (Plan-Do-Check-Act)
Comment period now closed
Final text agreed 10th June 2002
Publication as a British Standard in July 2002

In closing

Information Security Standards matter
Many standards are for a specialist audience
ISO/IEC 17799 is relevant to every security professional

For more info about ISO 17799

Gamma Secure Systems Ltd
http://www.gammassl.co.uk/
Caroline Hamilton
RiskWatch, Inc.
Chamilton@riskwatch.com