Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Information Security Standards Gary Gaskell © 2001.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Information Security Standards Gary Gaskell © 2001."— Presentation transcript:

1 1 Information Security Standards Gary Gaskell © 2001

2 Gary Gaskell, 3 May 20012 Contents u Overview of security standards u Type of standards u List of standards u Quick insight to each standard u Conclusions

3 Gary Gaskell, 3 May 20013 Types of Standards u Risk based u Management u Technical u Lightweight u Thorough u System-wide focus u Product focus u Assurance based u Prescriptive controls u Checklists

4 Gary Gaskell, 3 May 20014 Security Standards - Pick One! u AS/NZS 4444 (BS 7799, ISO 17799) u US TCSEC (Rainbow series) u ITSEC (Europe) u Common Criteria (ISO 15408) u IETF Site Security Handbook (RFC 2196) u Vendor handbooks and checklists, B.S.I., SANS u Website certification services u SAS-70

5 Gary Gaskell, 3 May 20015 AS/NZS 4444 u Information Security Management Standard u Part 1 - 1999 u Part 2 - 2000 u JANZAS u Based BS7799 u BS7799 based on industry - Shell Oil etc

6 Gary Gaskell, 3 May 20016 AS 4444 u Good internal security management u Information Security Management System u Explicit Target - trusted interconnection u Catalogue of controls u Recommended baselines u Risk based assessments

7 Gary Gaskell, 3 May 20017 AS4444 Controls u Security policy u Asset classification and control u Physical and environmental security u Access control u Business continuity management u Security organisation u Personnel security u Communications and operations management u Systems development and maintenance u Compliance

8 Gary Gaskell, 3 May 20018 TCSEC u Trusted Computer Security Evaluation Criteria - 1983 u US Government specification u “Orange book” and “Raindbow series” u Origin of C2, B1, B3 etc u Functionality & Assurance tightly coupled u Superceded by still in use

9 Gary Gaskell, 3 May 20019 ITSEC u Information Technology Security Evaluation Criteria - 1991 u UK, France, Germany & The Netherlands u Used by Australia u System and product use u http://www.dsd.gov.au/infosec/aisep/EPL/ prod.html u Superceded but still in use

10 Gary Gaskell, 3 May 200110 Common Criteria u Common Criteria for Information Technology Security Evaluation - 1999 u ISO 15408 (CC v 2.1) u Merge of TCSEC & ITSEC u Emerging standard u Assurance level separate from functionality level u Mutual recognition agreement - 13 countries

11 Gary Gaskell, 3 May 200111 RFC 2196 u IETF Site Security Handbook u Developed by CERT/CC of the CMU u Response oriented u Good practical advice u Explicit about system hardening and patch installation

12 Gary Gaskell, 3 May 200112 Vendor Checklists u SGI u Compaq/Digital u Sun Microsystems (Blue prints) u AIX (redbooks) u Microsoft u Apache u Oracle

13 Gary Gaskell, 3 May 200113 Vendor Checklists - Continued u Explicit and specific u Good for specification in designs or outsourcing u “how to” oriented u Sometimes too light

14 Gary Gaskell, 3 May 200114 Third Party Vendor Checklists u AusCERT/CERT Unix security checklist u Windows NT 4 NSA/Trusted Systems checklist (http://www.trustedsystems.com) u Windows 2000 security checklist (http://www.systemexperts.com) u Books - e.g. Practical Unix and Internet Security - Spafford & Garfinkel

15 Gary Gaskell, 3 May 200115 BSI u Bundesamt fuer Sicherheit in der Informationstechnik u http://www.bsi.de/gshb/english/etc/inhalt.htm u IT Baseline Protection Manual u More practical than other government attempts

16 Gary Gaskell, 3 May 200116 SANS u System and Network Security u http://www.sans.org u Advice on policy and controls u training (& certification ?) u Checklists u Vulnerability service

17 Gary Gaskell, 3 May 200117 Website Certification Programs u TruSecure (ICSA/TruSecure) u Web trust u beTRUSTed (PwC) u SysTrust (AICPA) u Others?

18 Gary Gaskell, 3 May 200118 SAS-70 u Statement on Auditing Standards u American Institute of Certified Public Accountants u Formal Audit Standard - background of financial audits u Two levels 8Type I - inspections of key area 8Type II - testing of effective of controls

19 Gary Gaskell, 3 May 200119 Miscellaneous u IS 18 - Qld Government u VISA - security for merchants sites u NIST - FIPS 102 u US - HIPAA u OECD - Guidelines for the Security of Information Systems u ISO 13335 - Guidelines for the Management of IT Security

20 Gary Gaskell, 3 May 200120 Miscellaneous - continued u System Security Engineering Capability Maturity Model (SSE-CMM) - International Systems Security Engineering Association (ISSEA) u CoBIT - “IT Governance” - AICPA

21 Gary Gaskell, 3 May 200121 Conclusions u Great choice of standards u None are a full solution

Download ppt "1 Information Security Standards Gary Gaskell © 2001."

Similar presentations

Presentation by Rachel Su’a

Presentation by Rachel Su’a
The International Security Standard

The International Security Standard
Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server 2008. Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),

Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),
Chapter 16: Standardization and Security Criteria: Security Evaluation of Computer Products Guide to Computer Network Security.

Chapter 16: Standardization and Security Criteria: Security Evaluation of Computer Products Guide to Computer Network Security.
Dr. Mohamed A. Hamada Lecturer of Accounting Information Systems Advanced Auditing Lecture 1 Assurance and Attestation Services.

Dr. Mohamed A. Hamada Lecturer of Accounting Information Systems Advanced Auditing Lecture 1 Assurance and Attestation Services.
Auditing Corporate Information Security John R. Robles Tuesday, November 1, 2005 Tel: 787-647-396.

Auditing Corporate Information Security John R. Robles Tuesday, November 1, Tel:
IT Security Evaluation By Sandeep Joshi

IT Security Evaluation By Sandeep Joshi
Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.

Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Blended Threats and Layered Defenses Security Protection in Today’s Environment Marshall Taylor

Blended Threats and Layered Defenses Security Protection in Today’s Environment Marshall Taylor
Security Controls – What Works

Security Controls – What Works
Network System Architects, Inc. (NSAi) Capabilities Briefing

Network System Architects, Inc. (NSAi) Capabilities Briefing
COEN 351: E-Commerce Security Public Key Infrastructure Assessment and Accreditation.

COEN 351: E-Commerce Security Public Key Infrastructure Assessment and Accreditation.
Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.

Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.
1 Copyright © 2010 M. E. Kabay. All rights reserved. Security Audits, Standards, & Inspections CSH5 Chapter 54 “Security Audits, Standards and Inspections”

1 Copyright © 2010 M. E. Kabay. All rights reserved. Security Audits, Standards, & Inspections CSH5 Chapter 54 “Security Audits, Standards and Inspections”
1 K P M G L L P A D V I S O R Y Information Security: Policy, Awareness and Training, and Compliance Graham J. Hill IT Advisory Services November 21, 2007.

1 K P M G L L P A D V I S O R Y Information Security: Policy, Awareness and Training, and Compliance Graham J. Hill IT Advisory Services November 21, 2007.
Stephen S. Yau CSE 465-591, Fall 2006 1 Evaluating Systems for Functionality and Assurance.

Stephen S. Yau CSE , Fall Evaluating Systems for Functionality and Assurance.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
OSR/Aug 02 Data Security E2002, Lecture 1 August 30, 2002 000-015 History Background - Batch - Remote access, DB, RACF - Orange Book - ITSec, Common Criteria.

OSR/Aug 02 Data Security E2002, Lecture 1 August 30, History Background - Batch - Remote access, DB, RACF - Orange Book - ITSec, Common Criteria.
Copyright Security-Assessment.com 2004 Security Governance and Regulatory Controls by Peter Benson.

Copyright Security-Assessment.com 2004 Security Governance and Regulatory Controls by Peter Benson.

Similar presentations

Ads by Google