Presentation is loading. Please wait.

Presentation is loading. Please wait.

The International Security Standard

Published byGunner Henderson Modified over 9 years ago

Similar presentations

Presentation on theme: "The International Security Standard"— Presentation transcript:

1 The International Security Standard
ISO 17799 The International Security Standard

2 WHAT IS IT? “A comprehensive set of controls comprising best practices in information security” Comprises TWO parts - a code of practice (ISO ) and a specification for an information security management system (ISO 27001) Basically… an internationally recognized generic information security standard

3 Terminology Policy – General regulations everyone must follow; should be short, clear Standard – Collection of system-specific requirements that must be met Guidelines – Collection of system-specific suggestions for best practice. They are not required, but are strongly recommended Procedures – A series of steps to accomplish a task

4 Data Security Example Policy – All university data must be classified according to the K-State data classification schema and protected according to the K-State data security standards.

5 Data Security Example Standard – Confidential data must be encrypted in transit and when stored on a mobile device Guideline – Confidential data should not be stored on a mobile device such as a laptop computer, PDA, USB drive, etc.

6 Data Security Example Procedures How to encrypt a file
How to install and operate full-disk encryption on a laptop How to recover encrypted data when the private key is lost

7 Why ISO 17799? “It is intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used in industry and commerce” Framework for comprehensive IT security program International standard Meshes well with EDUCAUSE/I2 direction Certification for institution available

8 ISO Copyright, License Copyright from the ISO standard document: “Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO’s member body in the country of the requester.”

9 ISO 17799 Copyright, License From the license agreement:
Is licensed to “Kansas State University” “…grants to the organisation… a non-exclusive and non-transferable license to use for the Licensee’s own personal or internal business purposes…” Cannot “redistribute any information from or via the software to other workstations, users or systems which are not covered by the license;” “…may copy the Software for back-up and archival purposes only…”

10 ISO 17799 Copyright, License E-mail from licensor:
“With respect to the standards themselves, no, definitely not. They are single copy license. This is made clear within the PDFs themselves. With respect to the other items in the toolkit (eg: policies), yes, you may share them internally.”

11 History First published as DTI Code of Practice in UK
Re-badged and published as Version 1 of BS7799 published in Feb 1995 NOT widely embraced - for various reasons

12 History A major revision of BS7799 undertaken... Version 2 published in May 1999 Formal certification and accreditation schemes proposed by BSI in the same year Supporting tools start to appear Fast track ISO initiative accelerated First published as an ISO standard in Dec 2000

13 History May 2002: BS published. This focused specifically upon the Information Security Management System Formal certification schemes established June 2005: New version of ISO published Oct 2005: BS published as an ISO standard, ISO 27001

14 Sections (“Clauses”) in ISO 17799
Security Policy Organizing Information Security Asset Management Human Resources Security Physical and Environmental Security Communications and Operations Management Access Control Information Systems Acquisition, Development, and Maintenance Information Security Incident Management Business Continuity Management Compliance

15 Controls in Each Clause
Control objective stating what is to be achieved One or more controls to achieve the objective Each control contains: Control statement Implementation guidance (the details) Other information

16 Example Clause 8 – “Human Resources Security”
8.1 – Prior to employment 8.1.1 – Roles and responsibilities 8.1.2 – Screening 8.1.3 – Terms and conditions of employment 8.2 – During employment 8.2.1 – Management responsibilities 8.2.2 – Information security awareness, education, and training 8.2.3 – Disciplinary process 8.3 – Termination or change of employment 8.3.1 – Termination responsibilities 8.3.2 – Return of assets 8.3.3 – Removal of access rights

17 Extensible… “This code of practice may be regarded as a starting point for developing organization specific guidelines. Not all of the controls and guidance in this code of practice may be applicable. Furthermore, additional controls and guidelines not included in this standard may be required.”

18 EDUCAUSE/Internet2 Security Policy
Security Task Force developing model security policy Based on SANS, NIST, ISO 17799, ISC2 Links to existing policies 10 sections follow ISO closely

19 Policy Sections Security Policy Organizational Security
Asset Classification Personnel Security Physical Security Communications and Operations Mgmt Access Control System Development and Maintenance Business Continuity Management Compliance

20 Recommendation Structure IT security policies based on EDUCAUSE/I2 recommendations Incorporate existing security policies into it Base standards and guidelines on ISO 17799 Incorporate audit recommendations into both Develop procedures as priorities dictate Consider ISO certification in future

21 Questions?

Download ppt "The International Security Standard"

Similar presentations

Dr Lami Kaya LamiKaya@gmail.com ISO 27001 Information Security Management System (ISMS) Certification Overview Dr Lami Kaya LamiKaya@gmail.com.

Dr Lami Kaya ISO Information Security Management System (ISMS) Certification Overview Dr Lami Kaya
PRINCIPLES OF A CALIBRATION MANAGEMENT SYSTEM

PRINCIPLES OF A CALIBRATION MANAGEMENT SYSTEM
Developing a Risk-Based Information Security Program

Developing a Risk-Based Information Security Program
Configuration Management

Configuration Management
Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.

Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.
USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
ANSI/ASQ E Overview Gary L. Johnson U.S. EPA

ANSI/ASQ E Overview Gary L. Johnson U.S. EPA
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.

Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
How ISO Standards Relates to Usability:. INTRODUCTION/ Before we can relate the ISO standards to usability, first we need to know what the meaning of.

How ISO Standards Relates to Usability:. INTRODUCTION/ Before we can relate the ISO standards to usability, first we need to know what the meaning of.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Examine Quality Assurance/Quality Control Documentation

Examine Quality Assurance/Quality Control Documentation
ISO 9000:2000 Quality system standards adopted in 1987 by International Organization for Standardization; revised in 1994 and 2000 Technical specifications.

ISO 9000:2000 Quality system standards adopted in 1987 by International Organization for Standardization; revised in 1994 and 2000 Technical specifications.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Copyright © Center for Systems Security and Information Assurance Lesson Eight Security Management.

Copyright © Center for Systems Security and Information Assurance Lesson Eight Security Management.
Risk Assessment 101 Kelley Bradder VP and CIO Simpson College.

Risk Assessment 101 Kelley Bradder VP and CIO Simpson College.
1 DOD Fleet Management Training and Certification 7/31/13.

1 DOD Fleet Management Training and Certification 7/31/13.

Similar presentations

Ads by Google