Published by Justin Harper, modified over 8 years ago
1 Andrew Caswell, Projects Manager, Standards Australia
2 Agenda
Introduction
The Security Standards Space
Controls (ISO 17799)
Implementation (HB 231)
Information Security Management Systems (AS/NZS 7799.2)
Process Example
Timelines
3 Standards Australia
Standards Australia is a registered Australian corporation, limited by guarantee, whose members represent a broad cross-section of Australia's technical and commercial infrastructure, industry, unions, academia and government. There are no shareholders, no dividends are paid, and any surpluses are ploughed back into the business.
4 Mission
To excel in meeting Australia's need for contemporary, internationally aligned Standards and related services which enhance the nation's economic efficiency and international competitiveness, and fulfil the community's desire for a safe and sustainable environment.
5 Who develops the Standards?
Standards Australia facilitates the development of standards by bringing together experts from representative interest groups that work to formulate or revise Standards. Around 9,000 experts in various fields are members of Standards Australia technical committees.
6 Who develops the Standards? (continued)
Members of Standards Australia committees represent:
Governments: Federal, State & Local
Commercial & retail interests
Trade union & consumer interests
Research, academic & testing organizations
Professional bodies
Manufacturing & industry
7 Who develops the Standards? (continued)
Standards Australia is a purely neutral facilitator.
Standards Australia staff do not have any voting rights or other powers to influence committee decisions.
80% agreement is required before a Standard is finalised, and no major sectional interest can maintain a negative vote.
8 How are Standards developed?
Our Technical Committees are under an obligation to work towards consensus. This distils agreement from many different points of view and allows a broad-based agreement to emerge, resulting in a standard which best matches the needs and values of our society as a whole.
9 The Preparation of a new Australian Standard
(Process flow diagram; stages as shown on the slide:)
Request for new Standard Project
Project approved
Preliminary Draft
Committee Draft
Draft for Public Comment
Consideration of comments
Draft for Postal Ballot
The Published Standard
10 Other Related Products
All developed under the auspices of representative committees:
Technical Specification – medium transparency / medium consensus
Handbook – medium transparency / no consensus
Miscellaneous Publication – no transparency / no consensus
11 Australia & New Zealand Regional Standardization
1983 – Closer Economic Relations (CER) agreement signed between Australia and New Zealand
1984 – MoU signed between SA and SNZ
2000 – Revised Active Cooperation Agreement (ACA) signed
2003 – ACA replaced with MoU and Agreement on copyright
12 International Organization for Standardization (ISO)
146 Member bodies
13,700 Published ISO Standards
188 Technical Committees
2,175 Working Groups
320 Committees and subcommittees with Standards Australia involvement
13 International Electrotechnical Commission (IEC)
62 Member bodies
4,553 Published IEC Standards
174 Technical Committees / Subcommittees
83 Committees and subcommittees with Standards Australia involvement
14 Some of our Most Popular Standards
AS/NZS ISO 9000, Quality management systems
AS/NZS 3000, Electrical installations (wiring rules)
AS/NZS 4360, Risk management
AS 4000, General conditions of contract
AS/NZS ISO/IEC 17799, Information Technology – Code of Practice for Information Security Management
AS 1684, National timber framing code
AS 8000-4, Corporate governance
15 Information Security
Information security is more than just technology.
Challenges:
–organizing requirements
–getting the level of detail right
–prescription v options
Everyone has security in their job, but details vary widely.
16 Categories of Information Security Standards
THREE MAJOR DIVISIONS
–Controls
–Implementation Concepts and Processes
–IS Management Systems
17 The Security Standards Space
(Diagram; two columns, Concepts & Processes and Controls.)
Concepts & Processes:
Management Systems – Information Security Management Systems: AS/NZS 7799.2 Specification for information security management systems
Underlying concepts – General Risk Management Processes (any type of risk): AS/NZS 4360 Risk Management
Underlying concepts – Information Security Risk Management Processes: HB 231 Information Security Risk Management Guidelines
Underlying concepts – Information Security Management Concept Explanations: AS 13335 Guidelines for the Management of IT Security
Process requirements – Systems Security Engineering: ISO/IEC 21827 Systems Security Engineering – Capability Maturity Model
Controls:
Information Security Controls – Overview, Objectives & Requirements: AS/NZS 17799 Code of Practice for Information Security Management
Information Security Controls – Evidence Management: HB 171 Guidelines for the Management of IT Evidence
Information Security Controls – Other implementation & operation guidelines: Trusted third party services; Intrusion detection systems; Incident management (coming); Network security (coming). Contact Standards Australia for details.
18 [1] Controls – ISO 17799
The selection of APPROPRIATE controls to mitigate risk
Provide a basis for an organisation's security architecture
Facilitate detailed implementation standards – tailored to specific business needs
19 What Does It Cover?
ISO 17799 covers all dimensions of Information Security Management.
20 Controls
ISO 17799 is a Code of Practice.
21 Note
ISO 17799 aims to be a distillation of the major information security threats that could face an organisation.
HOWEVER – it cannot be totally exhaustive, and not all controls will be relevant to any specific organisation.
22 [2] Implementation – Concepts and Processes – HB 231
All players need a detailed understanding of the fundamental concepts key to effective information security risk management.
23 HB 231
Contains guidelines for implementing the controls of 17799.
It draws on two main resources:
–AS/NZS 4360 – Risk Management, and
–ISO TR 13335 – Guidelines for Management of IT Security
24 Audience
Note that it is a "Handbook" as compared to a "Standard".
Aimed at "hands on" security practitioners who face the tasks of:
–Identifying risks
–Selecting controls
–Et cetera
25 [3] IS Management Systems – AS/NZS 7799.2
Context is the "Organisation's OVERALL business risk"
Emphasis on MANAGEMENT SYSTEM
26 [3] IS Management Systems
Covers:
–Establishing
–Implementing
–Operating
–Monitoring
–Reviewing
–Maintaining
–Improving
a DOCUMENTED ISMS
27 AS/NZS 7799.2
AS/NZS 7799 Part 2 is a specification for an Information Security Management System (ISMS).
It has significant applicability as a basis for certification.
PROPOSED for ISO ADOPTION as ISO 17799 – "Fast Track" procedure
28 Too many management standards?
ISO Guide 72 ensures that new management system standards are only produced when there is an important need
–and that widely accepted models are used, such as the 'Plan-Do-Check-Act' process model
Before a new management standard is started, a justification study is required
–a business case
29 The ISMS justification study
Covers:
–What is proposed
–Affected parties
–The need being addressed
–Sector specific considerations
–The value of an ISMS
–Risk of trade barriers
–Risk of incompatibility, overlaps and conflicts with other standards
–Other risk factors
30 Intended Use
–Cost effective management of information security risks
–Design of information security management processes and process management
–Determining the status of information security risk management by managers
–Determining policy compliance by internal and external auditors
–Establishing confidence and trust with trading partners and customers
31 Affected Parties
Managers, operational staff, and auditors
–within organisations implementing the standard
–within organisations sharing information with organisations that implement the standard
Customers of organisations implementing the standard
Bodies concerned with standards conformity assessment
32 The Need
Studies in Australia, Belgium, Brazil, Ireland, Japan, Korea, Malaysia, Netherlands, New Zealand, Norway, Spain, Sweden, Switzerland, and UK have confirmed a need in business and government organisations
–one country, Canada, believed that no need existed
Where a need exists, an international standard is desired
–to facilitate international business
33 Areas of Applicability
The standard is generally applicable across a range of business and government sectors
–large and small organisations
–no sectors have been identified where it is not applicable
34 Value of an ISMS
Benefits identified include:
–managing costs downwards
–facilitating trust
–increased management, shareholder, and trading partner confidence
Costs
–expected to be lower in a standardised ISMS than in alternative ad-hoc approaches
35 What is Proposed
–Similar to (and if possible based on) BS 7799.2
–Additional standard on metrics
–More flexibility concerning choice of controls (perhaps)
–References TR 13335 for details of how to do risk management
Conformance assessment and certification is out of scope.
36 ISO 17799
37 FCD 17799
38 The Next Steps
SC27 has completed the justification study.
SC27 has approved an 'accelerated timeframe' ISMS project based on BS 7799.2
–SC 27 has agreed to do this work in close collaboration with ITU-T
–Developing telecommunications specific extensions
SC 27 has approved a parallel project covering security measurement and metrics
–covers both management systems and 'controls'
39 Infosec Management Standards so far
(Timeline figure with year axis 1986, 1990, 1996, 2000, 2004, 2008.)
Standards placed on the timeline: TR 13335, IS 13335, AS/NZS 4360, BS 7799.1 / AS/NZS 7799.1*, BS 7799.2 / AS/NZS 7799.2**, ISO/IEC 17799, ISO/IEC ISMS
Tracks: Guidance, policies; Risk management; Baseline controls
40 Timeline
Justification study – Completed
New Work Item Proposal – Approved
Final Committee Draft (stable text) – Completed
–ballot in Q1 2005
Final Draft International Standard (editorial review)
–ballot in Q2 2005
Publication – late 2005 or early 2006
41 Australian Contribution to Standards