ISO 17799 Security Standard
How Will It Fit with Other Standards?
Don Holden, CISSP-ISSMP
dholden@concordantinc.com
Concordant, Inc.
January 2006
Agenda
• Do We Need a Security Standard?
• History of ISO 17799
• New and Improved 17799
• A Certification Standard – 27001
• Benefits of Certification
• Other Security Standards
• Is There a Map for this Maze?
• A New Framework
• Other Sources
Concordant, Inc. | www.concordantinc.com
Why Standardization
Security Visibility among Business Partners
Source: NIST Presentation
Desired End State
Source: NIST Presentation
History of ISO 17799
• Began in 1989 as “User Code of Practice” (UK’s DTI)
• Became BSI 7799 “Code of Practice for Information Security Management” in 1995
• Submitted to ISO but defeated
• Part 2 was added in 1998
• Revised in 1999 and Part 1 submitted to ISO for fast-track approval
• Opposed by other large countries but passed in 2000 as ISO 17799:2000
ISO 17799:2005
New and Improved
• Additions
  - 17 new controls
  - 8 new control objectives
• Deletions – 9 controls deleted
• Improvements
  - Rewording for clarity
  - Reformatting
  - Relocating controls and text
ISO 17799
Reformatted Clauses

ISO 17799:2000 clause                 | ISO 17799:2005 clause
--------------------------------------|------------------------------------------
Security Policy                       | Security Policy
Security Organization                 | Organizing Information Security
Asset Classification & Control        | Asset Management
Personnel Security                    | Human Resource Security
Physical & Environmental Security     | Physical & Environmental Security
Communications & Operations Mgt       | Communications & Operations Mgt
Access Control                        | Access Control
Systems Development & Maintenance     | IS Acquisitions, Development & Maintenance
(none)                                | IS Incident Management
Business Continuity Management        | Business Continuity Management
Compliance                            | Compliance
ISO 17799 Improvements
IS Management Systems Certification
• There have been no “ISO 17799 certifications”.
  - ISO 17799 is a code of practice, with recommended controls, not a requirements specification.
  - Certifications have been done for Information Security Management Systems using BS 7799 Part 2.
ISO 27001:2005 ISMS - Requirements
• The Certification Standard
  - Based on BS 7799-2:2002 (Part 2)
  - Aligned with ISO 9001 and ISO 14001 (EMS)
• Concepts in 27001
  - All activities must follow a process (PDCA)
  - Must specify security goals
  - Controls based on risk analysis
  - Choice of offered controls
  - Continuous verification process
  - Continuous improvement process
ISO 27001
ISMS Process Model
Source: ISO 27001:2005
Components of 27001
4 Information security management system
  4.1 General requirements
  4.2 Establishing and managing the ISMS
    4.2.1 Establish the ISMS
    4.2.2 Implement and operate the ISMS
    4.2.3 Monitor and review the ISMS
    4.2.4 Maintain and improve the ISMS
  4.3 Documentation requirements
    4.3.1 General
    4.3.2 Control of documents
    4.3.3 Control of records
5 Management responsibility
  5.1 Management commitment
  5.2 Resource management
    5.2.1 Provision of resources
    5.2.2 Training, awareness and competence
6 Internal ISMS audits
7 Management review of the ISMS
  7.1 General
  7.2 Review input
  7.3 Review output
8 ISMS improvement
  8.1 Continual improvement
Why Certify to 27001
• Some Reasons for Certifying:
  - Meeting U.S. legislative requirements directly and indirectly
  - As part of a supplier management program
  - As a measure and independent evidence that industry best practices are being followed
  - To reduce insurance premiums
  - As part of a corporate governance program
  - May offer competitive advantage
ISO 27000 Series
What’s Next
• Provide guidance (not mandatory requirements) for 27001 processes (PDCA)
• Defining scopes for information security management systems
• Risk assessment
• Identification of assets
• Effectiveness of information security
Planned 27000 Series
ISMS Framework
• 27000 (P) Fundamentals and Vocabulary
• 27001:2005 Requirements – (PDCA)
• 27002 (P) Code of Practice (17799:2005)
• 27003 (P) Implementation Guidance – (PDCA)
• 27004 (D) IS Metrics and Measurements
• 27005 (D) Risk Management
  - Supports 27001 certifications
  - Based upon BS 7799-3, ISMS Guidelines for Information Security Risk Management
ISMS Framework – 2700x
• Potential Standards
  - Monitoring and Review
  - Internal Auditing
  - Continual Improvement
ISO Subcommittee on Security
ISO/IEC JTC1 SC27
SC27 Working Group 1
• Management of ICT security (MICTS) Risk - ISO/IEC 13335
• Code of practice for information security management - ISO/IEC 17799
• IT Network security - ISO/IEC 18028
• Selection, deployment and operations of intrusion detection systems - ISO/IEC 18043
• Information security incident management - ISO/IEC 18044
• ISMS Requirements specification – ISO 27001
• ISMS Metrics and measurements – draft ISO 27004
  - Proposed inclusion of NIST 800-55
  - CISWG Best Practices and Metrics
SC27 Working Group 2
• Digital signature schemes giving message recovery - ISO/IEC 9796
• Message authentication codes - ISO/IEC 9797
• Entity authentication - ISO/IEC 9798
• Modes of operation for an n-bit block cipher algorithm - ISO/IEC 10116
• Hash-functions - ISO/IEC 10118
• Key management - ISO/IEC 11770
• Digital signatures with appendix - ISO/IEC 14888
SC27 Working Group 3
• Cryptographic techniques based on elliptic curves - ISO/IEC 15946
• Time stamping services - ISO/IEC 18014
• Random bit generation - ISO/IEC 18031
• Prime number generation - ISO/IEC 18032
• Encryption algorithms - ISO/IEC 18033
• Data encapsulation mechanisms - ISO/IEC 19772
• Biometric template protection - ISO/IEC 24745
Mapping the Maze
• Standards and guidelines that support ISO 17799
Mapping to 17799
Source: SC27 N4476, SC27/WG1 “WG1 Road Map”
Security Standards Framework
Source: ISO/IEC SC27 Business Plan
Other ISO Security
TC 68 SC2 Banking Security
• Some Security Standards:
  - Message authentication
  - Digital Signatures
  - Encryption Techniques
  - Protection Profiles
  - Security guidelines
  - Biometrics
How does the U.S. Participate?
• InterNational Committee for Information Technology Standards (INCITS)
  - ANSI Technical Advisory Group for ISO/IEC JTC1
  - INCITS is sponsored by the Information Technology Industry Council (ITI)
  - Originally founded as Accredited Standards Committee X3
  - INCITS Cyber Security 1 (CS1) formed in April 2005 for security standards
  - CS1 working on a draft standard, “Implementation of Role-Based Access Controls”
Other Sources of Guidance
• NIST 800 Series Publications
• CISWG Best Practices and Metrics – Report to Congress
• PCI Data Security
• Technical Benchmarks
  - Center for Internet Security
  - NSA
  - NIST
  - Vendor Security Recommendations
What Concordant Does
• IT infrastructure services for regulated industries
• Security services (Secure & Compliant)
  - Assessment
  - Implementation/Remediation
  - Maintenance and Support
References
• “Frequently Asked Questions”, atsec. http://www.atsec.com/01/index.php?id=06-0101-01
• CISWG Report of the Best Practices and Metrics Team. http://www.cisecurity.org/Documents/BPMetricsTeamReportFinal111704Rev11005.pdf
• INCITS CS1. www.ncits.org/tc_home/cs1.htm
• ISO/IEC 13335-1:2004, Management of information and communications technology security — Part 1: Concepts and models for managing and planning ICT security.
• ISO/IEC TR 13335-3:1998, Guidelines for the Management of IT Security — Part 3: Techniques for the management of IT security.
• ISO/IEC TR 13335-4:2000, Guidelines for the Management of IT Security — Part 4: Selection of Safeguards.
• ISO/IEC TR 18044:2004, Security techniques — Information Security Incident Management.
• NIST SP 800-30, Risk Management Guide for Information Technology Systems.
• Gamma Secure Systems Ltd. http://www.gammassl.co.uk/index.html
• NIST Presentation “New FISMA Standards & Guidelines”, Ross, Ron; Katzke, S.
• OECD Guidelines for the Security of Information Systems and Networks — Towards a Culture of Security. Paris: OECD, July 2002. www.oecd.org