ISO-IEC 17799 The New International Standard For Information Security Management
Caroline Hamilton
RiskWatch, Inc.
With assistance from:
Mike Nash, Gamma Secure Systems Ltd
Camberley, United Kingdom
IMPORTANCE OF STANDARDS
Examples from America’s past include
Railroad Tracks
Shoe Sizing
FOUNDING OF NIST - 1901
At that time, the United States had few, if any,
authoritative national standards for any quantities or
products. What it had was a patchwork of locally and
regionally applied standards, often arbitrary, that
were a source of confusion in commerce. It was
difficult for Americans to conduct fair transactions or
get parts to fit together properly. Construction
materials were of uneven quality, and household
products were unreliable. Few Americans worked as
scientists, because most scientific work was based
overseas.
The Baltimore Fire of 1904
The need for standards was dramatized in 1904,
when more than 1,500 buildings burned down in
Baltimore, Md., because of a lack of standard fire-
hose couplings. When firefighters from Washington
and as far away as New York arrived to help douse
the fire, few of their hoses fit the hydrants. NIST had
collected more than 600 sizes and variations in fire-
hose couplings in a previous investigation and, after
the Baltimore fire, participated in the selection of a
national standard.
Competing Standards
US Government - NIST Standards
International Standards
International Standards in Information Security are developed by the Security Techniques Committee, ISO/IEC JTC 1 SC 27
Three Areas
– WG 1 - Security Management
– WG 2 - Security Algorithms/Techniques
– WG 3 - Security Assessment/Evaluation
Includes responsibility for ISO/IEC 17799 (BS
7799), the main topic for today.
History
SC 27 formed in 1990
– Replaced previous ISO/IEC security committee
which was failing to make progress
– Scope excluded standardisation of algorithms
» (now relaxed)
Membership
Members of SC 27 are National Standards
Bodies
– Participating or Observing
– Also liaisons from other standards making
bodies or committees
Working Groups are composed of experts
nominated by National Bodies
– Up to 200 participating experts
Participating Members
– SAI (Australia)
– IBN (Belgium)
– ABNT (Brazil)
– SCC (Canada)
– CSBTS/CESI (China)
– CSNI (Czech Republic)
– DS (Denmark)
– SFS (Finland)
– AFNOR (France)
– DIN (Germany)
– MSZT (Hungary)
– BIS (India)
– UNINFO (Italy)
– JISC (Japan)
– KATS (Korea, Republic of)
– DSM (Malaysia)
– NEN (Netherlands)
– NTS/IT (Norway)
– PKN (Poland)
– GOST R (Russian Federation)
– SABS (South Africa)
– AENOR (Spain)
– SIS (Sweden)
– SNV (Switzerland)
– BSI (UK)
– DSTU (Ukraine)
– ANSI (USA)
Adoption of New Standard
Australia/New Zealand
AS/NZS ISO/IEC 17799:2000
The primary information security standard
in Australia was AS4444, and in New
Zealand was NZS4444. These have been
replaced with a new international standard,
17799. See Standards Australia OnLine at
http://www.standards.com.au.
Observers
– ASRO (Romania)
– DSN (Indonesia)
– EVS (Estonia)
– IPQ (Portugal)
– IRAM (Argentina)
– NSAI (Ireland)
– ON (Austria)
– PSB (Singapore)
– SII (Israel)
– SNZ (New Zealand)
– SUTN (Slovakia)
– SZS (Yugoslavia)
WG 2 Security Techniques
There are International Standards for:
– Encryption (WD 18033)
– Modes of Operation (IS 8372)
– Message Authentication Codes (IS 9797)
– Entity Authentication (IS 9798)
– Non-repudiation Techniques (IS 13888)
– Digital Signatures (IS 9796, IS 14888)
– Hash Functions (IS 10118)
– Key Management (IS 11770)
– Elliptic Curve Cryptography (WD 15946)
– Time Stamping Services (WD 18014)
Other Standards
US Government Standards
– Data Encryption Standard (DES) (FIPS 46)
– Advanced Encryption Standard (AES) (FIPS 197)
(FIPS - Federal Information Processing Standard)
Proprietary Standards
– e.g. RSA (the Rivest-Shamir-Adleman algorithm, specified by RSA Laboratories in PKCS #1)
WG 3 Security Evaluation
Third Party Evaluation
– Criteria for an independent body to form an
impartial and repeatable assessment of the
presence, correctness and effectiveness of
security functionality
“Common Criteria” (CC) (IS 15408)
Common Criteria
Produced by a consortium of Government
bodies in North America / European Union
– Mainly National Security Agencies
Influenced by International Standardisation
committee
– Adopted as International Standard 15408
Adopted and recognised by other major
Governments
– All EU, Australia, Japan, Russia
Replaces “Orange Book” (US) and ITSEC (EU)
Content of CC
Part 1 – Introduction and General Model
Part 2 – Functional Components
Part 3 – Assurance Components
Related standards:
– Protection Profile Registration Procedures (IS 15292)
– Framework for Assurance (WD 15443)
– Guide on Production of Protection Profiles (WD 15446)
– Security Evaluation Methodology (WD 18045)
Relevance of CC
The Common Criteria and its predecessors
(Orange Book, ITSEC) raised the level and
reliability of security functionality found in
standard products
– Operating Systems, Databases, Firewalls
Important for major product vendors
Important for high-risk Government systems
Important for Smart Cards
Irrelevant to everyone else
Why?
Common Criteria is complex
Evaluation is complex and time consuming
Limited number of approved Evaluation Facilities
– Expensive
– Inflexible
Money is usually better spent improving security
WG 1 Security Management
Two key standards:
– Guidelines for Information Security Management (GMITS) (TR 13335)
– Code of Practice for Information Security Management (IS 17799)
Other standards:
– Guidelines on the use and management of trusted third parties (TR 14516)
– Guidelines for implementation, operation and management of Intrusion Detection Systems (WD 18043)
– Guidelines for security incident management (WD 18044)
GMITS and 17799
GMITS developed by ISO/IEC JTC 1 SC 27
(standards committee)
IS 17799 is (almost) identical to BS 7799-1
– BS 7799-1 was the most widely purchased security standard
worldwide
Officially, no overlap
– This is rubbish
GMITS is dying
– Scope is IT security, not Information Security
– Only a TR (Technical Report)
– Editors of GMITS are moving to work on 17799
ISO/IEC 17799 and BS7799-2
IS 17799 is a catalogue of good things to do
BS 7799 Part 2 is a specification for an ISMS
(Information Security Management System)
ISMS compliance can be independently
assessed
What is an ISMS?
ISO/IEC 17799 Layout
10 Major Headings
36 Objectives
127 Major Controls
Several Thousand Pieces of Guidance
The 10 Major Headings
Security Policy
Security Organisation
Asset Classification and Control
Personnel Security
Physical and Environmental Security
Comms and Operational Management
Access Control
Systems Development and Maintenance
Business Continuity Management
Compliance
Security Objectives
Each of the 10 major headings breaks down into objectives. Taking Physical and Environmental Security (clause 7 of ISO/IEC 17799:2000) as the example, its three objectives are:
– Secure Areas
– Equipment Security
– General Controls
Security Controls
Each objective in turn breaks down into controls. Continuing the Physical and Environmental Security example, the Equipment Security objective contains the controls:
– Siting (equipment siting and protection)
– Power Supplies
– Cabling (cabling security)
– Maintenance (equipment maintenance)
– Off-premises (security of equipment off-premises)
– Disposal/reuse (secure disposal or re-use of equipment)
ISO/IEC 17799
A standard for Information Security Management
– Very wide acceptance
Based on British Standard BS 7799
– Replaced Part 1 of BS 7799
– Part 2 of BS 7799 still exists and is current
– Part 2 describes how to build and assess a security management system
– National equivalents to BS 7799-2 exist in most developed countries
– Except North America
BS 7799-2
ISMS Requirements
– Scope
– Security Policy
– Risk Assessment
– Statement of Applicability
– Develop/maintain ISMS
– Documentation
ISO/IEC 17799 Controls (in imperative format)
Complying with BS 7799-2
Security Policy
Risk Assessment
Statement of Applicability
Management System
Security Policy
Scope
Confidentiality
Integrity
Availability
Accountability
Assets
Risk Assessment
Regulatory/Legal
Risk Assessment
Statement of Applicability
Identifies actual security controls
Must consider all 7799-2 listed controls
– include or exclude with justification
Select applicable controls by business and risk analysis
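A worked example of the Statement of Applicability process described on this slide: every catalogue control gets an include/exclude decision, inclusions are driven by risks above the acceptance threshold, exclusions carry a justification, and an auditor-style check flags gaps. This is an added illustration, not code from the presentation, from RiskWatch or from BS 7799-2 itself. The control catalogue is a constructed subset of the Equipment Security controls of ISO/IEC 17799:2000 clause 7.2, the risk register and the 5x5 scoring scheme are constructed, and the data layout is an assumption.

```python
"""Build and check a Statement of Applicability (SoA) for a BS 7799-2 style ISMS.

Added example, not from the presentation or the standard. CATALOGUE is a
constructed subset of ISO/IEC 17799:2000 clause 7.2 (Equipment Security);
RISKS and the scoring scheme are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed subset of the control catalogue (ISO/IEC 17799:2000, clause 7.2).
CATALOGUE = {
    "7.2.1": "Equipment siting and protection",
    "7.2.2": "Power supplies",
    "7.2.3": "Cabling security",
    "7.2.4": "Equipment maintenance",
    "7.2.5": "Security of equipment off-premises",
    "7.2.6": "Secure disposal or re-use of equipment",
}

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int       # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int           # 1 (negligible) .. 5 (severe), assumed scale
    treated_by: tuple     # catalogue control ids that reduce this risk

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

# Constructed risk register for a small office-based organisation.
RISKS = [
    Risk("server room", "mains failure", 3, 4, ("7.2.2",)),
    Risk("server room", "water ingress", 2, 4, ("7.2.1",)),
    Risk("laptops", "theft off-site", 4, 3, ("7.2.5",)),
    Risk("retired disks", "data recovered after disposal", 3, 5, ("7.2.6",)),
]

ACCEPTABLE = 6  # assumed risk acceptance threshold: scores <= 6 need no treatment

def select_controls(risks, catalogue, threshold=ACCEPTABLE):
    """Return {control_id: (status, justification)} with status 'included' or
    'excluded'. Every catalogue control receives a decision, as 7799-2 requires;
    a control is included only when a risk above the threshold relies on it."""
    needed = {}
    for r in risks:
        if r.score > threshold:
            for cid in r.treated_by:
                needed.setdefault(cid, []).append(
                    f"{r.asset}: {r.threat} (score {r.score})")
    soa = {}
    for cid in catalogue:
        if cid in needed:
            soa[cid] = ("included", "treats " + "; ".join(needed[cid]))
        else:
            soa[cid] = ("excluded",
                        "no risk above the acceptance threshold relies on this control")
    return soa

def check_soa(soa, catalogue, risks, threshold=ACCEPTABLE):
    """Findings an assessor would raise against an SoA: catalogue controls with
    no decision, decisions on unknown controls, exclusions without a
    justification, and unacceptable risks left with no included control."""
    findings = []
    for cid in catalogue:
        if cid not in soa:
            findings.append(f"{cid} has no applicability decision")
    for cid, (status, why) in soa.items():
        if cid not in catalogue:
            findings.append(f"{cid} is not a catalogue control")
        if status == "excluded" and not why.strip():
            findings.append(f"{cid} excluded without justification")
    for r in risks:
        if r.score <= threshold:
            continue
        if not any(soa.get(c, ("excluded", ""))[0] == "included" for c in r.treated_by):
            findings.append(
                f"risk '{r.threat}' on {r.asset} (score {r.score}) has no included control")
    return findings

def render_soa(soa, catalogue):
    """Plain-text SoA table: id, name, decision, justification."""
    lines = []
    for cid in sorted(soa):
        status, why = soa[cid]
        lines.append(f"{cid:6} {catalogue.get(cid, '?'):40} {status:9} {why}")
    return "\n".join(lines)

if __name__ == "__main__":
    soa = select_controls(RISKS, CATALOGUE)
    print(render_soa(soa, CATALOGUE))
    for f in check_soa(soa, CATALOGUE, RISKS):
        print("FINDING:", f)
```

With the constructed register, 7.2.1, 7.2.2, 7.2.5 and 7.2.6 are included and 7.2.3 and 7.2.4 are excluded with a justification; deleting a decision or blanking an exclusion's justification makes check_soa report it, which is the completeness check an assessor performs against the control list.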
Security Management
The means by which Management monitors and controls security
Requires regular checks that:
– Controls are still in place and effective
– Residual risks are still acceptable
– Assumptions about threats etc. remain valid
Revision of IS 17799
ISO/IEC 17799 was identical in technical content to BS 7799-1:1999
Part of the negotiations for adoption was the initiation of an immediate major revision process
Revision started April 2002
– First meeting in Berlin failed to finish its agenda
– A lot of fuss over philosophy and definitions
e.g. "What is security?"
– Editors sent away to finish the job
– Having difficulties finding enough changes to justify a major revision
Revision of BS 7799-2
BS 7799-2:2002 issued as draft for comment in March 2002
– Aligned with other continuous review standards ("Plan-Do-Check-Act")
– Comment period now closed
Final text agreed 10th June 2002
Publication as a British Standard in July 2002
In closing
Information Security Standards matter
Many standards are for a specialist audience
ISO/IEC 17799 is relevant to every security professional
For more info about ISO 17799
Gamma Secure Systems Ltd
http://www.gammassl.co.uk/
Caroline Hamilton
RiskWatch, Inc.
Chamilton@riskwatch.com