Presentation on theme: "Security Frameworks Robert M. Slade, MSc, CISSP"— Presentation transcript:
1Security Frameworks Robert M. Slade, MSc, CISSP The phrase "security framework" has been used in a variety of ways inthe security literature over the years, but in 2006 it came to be usedas an aggregate term for the various documents (and some pieces ofsoftware), from a variety of sources, that give advice on topicsrelated to information systems security, in particular regard to theplanning, managing, or auditing of overall information securitypractices for a given institution.
2Security frameworks Guidelines Principles Standards Frameworks/breakdowns/structuresChecklistsSoftware“Best Practice”Audit guidelines/outlinesLegislationReporting standardsProduct evaluationSome of these texts are guidelines specifically addressed towardsinformation security, such as British Standard 7799 and itsdescendants, particularly the ISO family of standards. In thiscategory are also items such as the (free, both of charge and ofaccess) "Self-Assessment Questionnaire" prepared by the United StatesNational Institute of Standards and Technology (NIST) (identifiedamong their publications as ). There have been a number ofprojects that attempted to produce similar sets of standards orpractice lists, such as the now moribund CASPR (Commonly AcceptedSecurity Practices and Recommendations), two versions of GASSP(Generally Accepted System Security Principles): these listedundertakings have been amalgamated into GAISP (Generally AcceptedInformation Security Principles).Other frameworks are peripherally related, but have come to be seen ashaving a bearing on system security. Probably the most widely knownare the auditing standards and outlines such as COBIT, and the varietyof supporting documents and processes that have grown up around theUnited States' Federal Information Systems Management Act (FISMA).Others are more distantly associated, such as the Common Criteria onspecifications and evaluation.
3Security frameworks Financial reporting instructions Sarbanes-Oxley/Sarbox/SOX, COSO, Turnbull, Basel IIReliability of reported financesInformation systems source of reportsInternal controlsInformation system controlsInsider attack, fraud?Still others are even more tenuouslyconnected, such as the advice on fraudulent financial reporting fromCOSO. (The various financial instructions are generally concernedwith the accuracy and reliability of reported earnings and thefinancial health of a company: this is felt to have implications forthe management and controls on information systems, which are theprimary source of all corporate data, including that related tofinance.)
4Security framework types GovernanceBreakdowns/frameworksChecklistsControls listsRisk managementInfosec, business, and bankingProcess orientedAudit and assuranceThere is frequent confusion in regard to the term governance and whatdifferentiates it from management. Some note that management might besaid to increase direct performance, while governance may, throughanalysis, redirect activities to greater effect. (In a sense thisonly moves the question back one level: this simply seems to be thedistinction between strategic and operational management.) Some textsalso note that five basic classes of decisions must be made in IT:over principles, architecture, infrastructure, business applicationneeds, and the priorizing of investment, and that these constitute theareas of governance.A number of the governance related security frameworks are primarilysets of divisions of activities and functions. These types ofsecurity frameworks are, in fact, the most likely to use the word"framework" in the title or description of the process. The entitiesprovide structures that provide for the breaking down of the overallorganization and operations of an institution into smaller areas thatmay aid in the analysis of specific risks, security requirements, andweaknesses.A significant number of security frameworks are presented in checklistform. This preference for the checklist format is hardly surprising:security is not a single function, but a compilation of a number offunctions. Indeed, it is frequently pointed out that tremendousexpenditures on security may be entirely obviated by the lack of asingle control, and therefore a checklist of functions to be coveredmakes a great deal of sense.The finer grading and codifying of controls that we can do, the betterour analysis of our total security posture, and the twoclassifications are orthogonal. Therefore the two divisions can beused as the basis for a matrix of controls, which can be used toassess the completeness of protection for a given system. Details ofthe process may be found in volume 3 of the 5th edition of the"Information Security Management Handbook, pages
5Weaknesses Content limitations Define “Secure” “Best Practice” One weakness that is very common across all the security frameworks isthe narrow focus to a particular area, topic, or approach. Securityshould be a holistic practice, with input from a variety of fields anda wide-ranging overview of the problem, as well as details suitable tothe situation or environment.As Eugene Spafford has famously said, a secure system is one that doeswhat it is supposed to. Therefore, it is impossible to define a stateof security that is applicable to all computers, since not allcomputers are, in the minds of the users, supposed to do the samething.Does the best practice mean something that will work for everyone inall situations? We have already determined that there is very little(possibly nothing) that will be "secure" in any and every environment.Does best practice mean a minimum level of security required by all?Does it mean an optimal balance? We don't know. There is no agreedupon definition of "best practice."
6BS 7799/ISO 27000 family BS 7799 Part 1 BS 7799 Part 2 ISO 27000 ISO 17799, ISO 27002code of practice133 controls, 500+ detailed controlsBS 7799 Part 2ISO 27001Information Security Management System (ISMS)ISO 27000ISMS fundamentals and vocabulary, umbrella27003 ISMS implementation guide, ISM metrics, infosec risk management, certification agencies, auditBritish Standard 7799, Part 1, is one of the earliest frameworksspecifically addressing information security, and is currentlyprobably the most important and widely used. Subsequent to itsadoption as BS it became of significant interest to theinformation security community world-wide. The InternationalOrganization for Standards used BS as a model for developingmultiple versions of ISO 17799: the current standard is ISO17799: In order to promote consistency of numbering in the 27000family of security standards, ISO is being redeveloped as ISO27002.BS 7799 seems to have promoted the use of the phrase "InformationSecurity Management System" and the use of the acronym "ISMS" is anindicator of a BS 7799 influence. BS 7799 Part 2 deals with ISMSrequirements, and is used within companies to create securityrequirements and objectives.As noted, the ISO standards related to security are being renumbered(as they are updated) and new standards are being added in the 27000range. ISO itself will be about ISMS fundamentals andvocabulary, and will essentially be the introduction to (and umbrellafor) the whole group of standards. ISO will be ISMSimplementation guidance, talks about infosec managementmeasurements and metrics, is infosec risk management, isfor accreditation of certification agencies, and will deal withaudit guidelines.
7COBITISACA (formerly Information Systems Audit and Control Association)Four phases/domains:Planning and OrganizationAcquisition and ImplementationDelivery and SupportMonitoringWidely used and, until the rise of BS , probably the mostrecognized of the security frameworks, COBIT (Control OBjectives forInformation and related Technology) is directed at informationsecurity. However, it should be noted that COBIT was created by aspecific group and intended for a specific purpose.COBIT was created by ISACA (which used to be known as the InformationSystems Audit and Control Association). Auditability is key to theCOBIT, and the accounting and management background definitely showsin the choice of items in the COBIT list. Much of the activitysuggested relates to measurement, performance, and reporting. Thus,in a sense, most of COBIT concentrates on what can be counted anddemonstrated, sometimes disregarding what might actually be effective.
8Common Criteria (CC)Common Criteria for Information Technology Security EvaluationISO 15408not a security frameworknot even evaluation standardFramework for specification of evaluationProtection Profile (PP)Evaluation Assurance Level (EAL 1-7)Contrary to much mistaken opinion, the Common Criteria (more properlythe Common Criteria for Information Technology Security Evaluation,and also ISO 15408) is not a security framework or standard ofpractice. It isn't even a standard for evaluating security productsor systems. The Common Criteria (or CC) is a structure for specifyingproduct and product evaluation standards.Sources of information about the CC have tended to bounce around. Fora while you could go to commoncriteria.org, then that disappeared andthe best place to get an idea of how it worked was at the NISTWebsite. At the moment the siteseems to be working.There are generally three parts, or documents, related to the CCoverall. Part One is a general introduction, outlining the basicideas and major terminology used. The Part One document isn't hard toread, and probably every security professional should have readthrough it at least once.
9FISMA Federal Information Systems Management Act – US National Information Assurance Certification and Accreditation Process (NIACAP)National Institute of Standards and Technology outline,Defense Information Technology Systems Certification and Accreditation Process (DITSCAP)Director of Central Intelligence Directive 6/3The United States' Federal Information Systems Management Act mandatescertain standards of information security and controls for US federalagencies.Thelegislation states that standards must be applied, but the standardsare different for different agencies and applications. Detailedinstructions can be found in directives for the military (DefenseInformation Technology Systems Certification and Accreditation Processor DITSCAP), the intelligence community (Director of CentralIntelligence Directive 6/3 or DCID 6/3), and more generally theNational Information Assurance Certification and Accreditation Process(NIACAP). The National Institute of Standards and Technology also hasoutlines.
10Information Security Forum (ISF) Standard of Good Practice for Information Security5 "aspects"Security ManagementCritical Business ApplicationsComputer InstallationsNetworksSystems Developmentbroken out into 30 "areas," and 135 "sections"The Information Security Forum (ISF) Standard of Good Practice forInformation Security is a guideline forming a checklist of policies(or even attitudes) that the company or employees should have. It isstructured in five "aspects" of Security Management, Critical BusinessApplications, Computer Installations, Networks, Systems andDevelopment. These aspects are broken out into 30 "areas," and theareas into 135 "sections."The ISF standard is, however, one of the few frameworks availablewithout charge. The 247 page document (currently the 2005 version)does provide useful advice in a number of areas (although the earlymaterial is primarily promotional in nature). It can be downloadedfrom the ISF Website at or
11ITIL Information Technology Infrastructure Library management guidelinesIncident responseProblem managementChange managementRelease managementConfiguration managementService desk managementService level managementAvailabilityCapacity managementService continuityIT financialsIT workforce/HR managementsecurity removed in recent revisioninfluenced BS 15000, ISO 20000The Information Technology Infrastructure Library is a massive (andexpensive) set of documentation aimed at improving informationtechnology service management. Proper management generallyleads to better security, so it fairly naturally follows that thislibrary of practices would be of interest to information security.Security itself was originally part of ITIL, then was removed to be addressed separately, and has now been returned.
12Management frameworks Zachman FrameworkCalder-Moir FrameworkBalanced ScorecardThe Zachman Framework is a two-dimensional model used to analyze anorganization or process by breaking it down into smallercharacteristics or considerations. Instead of trying to look at theentire enterprise at once, you break it down into a grid ofperspectives and viewpoints.Supposedly in order to help you get the various security frameworks towork together harmoniously, the Calder-Moir IT Governance Framework isreally only a graphical classification of the various frameworks interms of whether they address the topics of business strategy,business and risk environment, IT strategy, operations, capabilities,and change management.The "balanced" part of Balanced Scorecard is a reminder to viewbusiness processes from multiple perspectives, and not to neglect any.Specifically, the process recommends setting objectives, and measuringperformance, for the learning and growth (employee training),(internal) business processes, customer (satisfaction), and financialperspectives. It is very concerned with metrics and measurement-basedmanagement.
13NIST library of freely available resources Information Security Handbook: A Guide for ManagersRecommended Security Controls for Federal Info SystemsGuide to Information Technology Security ServicesRisk Management Guide for Information Technology SystemsEngineering Principles for Information Technology SecurityGuide for Developing Security Plans for Federal Info SystemsGenerally Accepted Principles and Practices for Securing Information Technology SystemsAn Introduction to Computer Security: The NIST HandbookSecurity Self-Assessment Guide for Information Technology SystemsIt really isn't fair to compare the Computer Security Resource Center(CSRC) of the United States' National Institute of Standards andTechnology, with the security frameworks we have been discussing. Thecentre (which, even though it is only one office of the institute, isgenerally known simply as NIST in the security community) provides awealth of security information and resources, which are freelyavailable at the Website at The publicationssection is particularly useful, with a constantly updated stream ofguidelines and aids, particularly the 800 series documents.
14OCTAVE Carnegie Mellon University risk management Operationally Critical Threat, Asset, and Vulnerability EvaluationCarnegie Mellon Universityrisk managementThe OCTAVE (Operationally Critical Threat, Asset, and VulnerabilityEvaluation) process is a risk management method from Carnegie MellonUniversity. It is a formal and detailed set of processes, and willassist in ensuring that risks are identified and properly analyzed,following the standard techniques used in most risk analysisprocedures. However, due to the level of activity and overheadinvolved in OCTAVE, it is probably best suited to large organizationsor projects.
15Securities and Financial Basel IIbank solvency“operational risk”COSOCommittee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management Integrated Frameworkinternal controlsSOXAs should be clear to everyone in both fields, the financialsecurities industry has very little to do with computer or informationsecurity, despite a heavy reliance on the technology. However, recentconcerns in that community have concentrated on the area of internalcontrols, which have application in reviewing controls and safeguards,particularly in regard to insider attacks.This reference is shorthand for the second report from the BaselCommittee on Banking Supervision, Risk Management Principles forElectronic Banking. Basel II Accord also looks atoperational risk, which is more in line with the risk management thatinfosec people know and love.Shorthand for the Committee of Sponsoring Organizations of theTreadway Commission, Enterprise Risk Management Integrated Framework. Shorthand for the Committee of Sponsoring Organizations of theTreadway Commission, Enterprise Risk Management Integrated Framework. COSO outlines a three dimensional framework for examining controls.The United States' Sarbanes-Oxley law (frequently referred to asSarbox or SOX) emphasizes that corporate management is responsible forthe reliability of financial reports about publicly traded companies.Section 404 (and also 302, ina marvelous confusion with Web result codes) notes that the integrityof information systems supporting these financial reports must also bemanaged.
16Security Governance part of “CISO Toolkit” (Fred Cohen) structured according to business concepts, rather than security topicseasier for businesspeople to understandchecklist in book form900 checksMany of the security frameworks available are in the form of achecklist, so why shouldn't the "Security Governance" list-in-book-form for Fred Cohen's CISO Toolkit be included?In fact, Cohen's version may be considerably easier to understand anduse, particularly for those with a business, rather than a security,background. While most security frameworks are structured accordingto a taxonomy of security concepts, the checklist in "SecurityGovernance" is based on business models and concepts. The businessperson working through the points will start with the familiar, and only later have to faceitems directly discussing security. (Even then, the security issuesare those regarding the position and management of security within theorganization.)
17SSE-CMM Systems Security Engineering Capability Maturity Model Basic (chaotic/informal)Planned and verifiedWell defined and coordinatedMeasurable and quantitatively controlledConstantly improving (optimizing)The Systems Engineering Capability Maturity Model, more generallyknown as the Capability Maturity Model or CMM, is an attempt to applystandards of engineering rigour to information systems technologydevelopment. Researchers at Carnegie Mellon University noted thatmany technology products and applications succeed based primarily uponbeing the first to address a need, even if it is addressed verypoorly. (Many more programmes and systems fail along the way.) Themodel identified different levels of maturity of organizations, interms of processes, documentation, and discipline in an approach todevelopment and change. The original model identified levels startingat informal or chaotic, through repeatable, documented, managed, andfinally ending at continually improving. These structures andobservations have been modified and applied to more specializedfields.The Systems Security Engineering Capability Maturity Model (SSE-CMM)addresses the planning, development, and management of security, andsecurity architecture for an enterprise.
18Which one? no framework best for all no one-size-fits-all in securityno framework sole source for any enterprisemultiple frameworks, multiple perspectivesWhich one addresses a viewpoint you haven't used?While this article can only be the merest introduction to the securityframeworks themselves, it should provide a general idea of the typesof frameworks that are available, and the relative areas of relevanceand application for specific frameworks. Hopefully the reader willalso have noted that just as no one security framework is suitable forall situations and applications, so no single framework should berelied upon as the sole guide for any enterprise. Multipleperspectives are necessary to provide for realistic security, andmultiple documents have additional viewpoints to add to theconstruction of a security architecture. Each folio should beconsidered to see if it has something to add to your security program.
19Security Frameworks Robert M. Slade, MSc, CISSP This presentation, and the notes supporting it, are the work of Robert M. Slade, who holds the copyright to it. Permission is granted for anyone to use this material in any event for which no charge is made, as long as the material is not modified, and is made freely available to those who request it.Copyright Robert M. Slade, 2007