Presentation is loading. Please wait.

Presentation is loading. Please wait.

ISO 17799 The International Security Standard. WHAT IS IT? “A comprehensive set of controls comprising best practices in information security” Comprises.

Similar presentations


Presentation on theme: "ISO 17799 The International Security Standard. WHAT IS IT? “A comprehensive set of controls comprising best practices in information security” Comprises."— Presentation transcript:

1 ISO The International Security Standard

2 WHAT IS IT? “A comprehensive set of controls comprising best practices in information security” Comprises TWO parts - a code of practice (ISO 17799) and a specification for an information security management system (ISO 27001) Basically… an internationally recognized generic information security standard

3 Terminology Policy – General regulations everyone must follow; should be short, clear Standard – Collection of system-specific requirements that must be met Guidelines – Collection of system-specific suggestions for best practice. They are not required, but are strongly recommended Procedures – A series of steps to accomplish a task

4 Data Security Example Policy – All university data must be classified according to the K-State data classification schema and protected according to the K-State data security standards.

5 Data Security Example Standard – Confidential data must be encrypted in transit and when stored on a mobile device Guideline – Confidential data should not be stored on a mobile device such as a laptop computer, PDA, USB drive, etc.

6 Data Security Example Procedures –How to encrypt a file –How to install and operate full-disk encryption on a laptop –How to recover encrypted data when the private key is lost

7 Why ISO 17799? “It is intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used in industry and commerce” Framework for comprehensive IT security program International standard Meshes well with EDUCAUSE/I2 direction Certification for institution available

8 ISO Copyright, License Copyright from the ISO standard document: “Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO’s member body in the country of the requester.”

9 ISO Copyright, License From the license agreement: –Is licensed to “Kansas State University” –“…grants to the organisation… a non-exclusive and non-transferable license to use for the Licensee’s own personal or internal business purposes…” –Cannot “redistribute any information from or via the software to other workstations, users or systems which are not covered by the license;” –“…may copy the Software for back-up and archival purposes only…”

10 ISO Copyright, License from licensor: “With respect to the standards themselves, no, definitely not. They are single copy license. This is made clear within the PDFs themselves. With respect to the other items in the toolkit (eg: policies), yes, you may share them internally.”

11 History First published as DTI Code of Practice in UK Re-badged and published as Version 1 of BS7799 published in Feb 1995 NOT widely embraced - for various reasons

12 History A major revision of BS7799 undertaken... Version 2 published in May 1999 Formal certification and accreditation schemes proposed by BSI in the same year Supporting tools start to appear Fast track ISO initiative accelerated First published as an ISO standard in Dec 2000

13 History May 2002: BS published. This focused specifically upon the Information Security Management System Formal certification schemes established June 2005: New version of ISO published Oct 2005: BS published as an ISO standard, ISO 27001

14 Sections (“Clauses”) in ISO Security Policy Organizing Information Security Asset Management Human Resources Security Physical and Environmental Security Communications and Operations Management Access Control Information Systems Acquisition, Development, and Maintenance Information Security Incident Management Business Continuity Management Compliance

15 Controls in Each Clause Control objective stating what is to be achieved One or more controls to achieve the objective Each control contains: –Control statement –Implementation guidance (the details) –Other information

16 Example Clause 8 – “Human Resources Security” 8.1 – Prior to employment – Roles and responsibilities – Screening – Terms and conditions of employment 8.2 – During employment – Management responsibilities – Information security awareness, education, and training – Disciplinary process 8.3 – Termination or change of employment – Termination responsibilities – Return of assets – Removal of access rights

17 Extensible… “This code of practice may be regarded as a starting point for developing organization specific guidelines. Not all of the controls and guidance in this code of practice may be applicable. Furthermore, additional controls and guidelines not included in this standard may be required.”

18 EDUCAUSE/Internet2 Security Policy Security Task Force developing model security policy Based on SANS, NIST, ISO 17799, ISC2 Links to existing policies 10 sections follow ISO closely https://wiki.internet2.edu/confluence/display/secg uide/Security+Policies+and+Procedureshttps://wiki.internet2.edu/confluence/display/secg uide/Security+Policies+and+Procedures

19 Policy Sections Security Policy Organizational Security Asset Classification Personnel Security Physical Security Communications and Operations Mgmt Access Control System Development and Maintenance Business Continuity Management Compliance

20 Recommendation Structure IT security policies based on EDUCAUSE/I2 recommendations Incorporate existing security policies into it Base standards and guidelines on ISO Incorporate audit recommendations into both Develop procedures as priorities dictate Consider ISO certification in future

21 Questions?


Download ppt "ISO 17799 The International Security Standard. WHAT IS IT? “A comprehensive set of controls comprising best practices in information security” Comprises."

Similar presentations


Ads by Google