Safeguards Frameworks and Controls
Richard Baskerville
Theory of Secure Information Systems
Features: Safeguards and Controls
[Diagram: three columns labelled T (T1, T2, T3, T4 … Tn), F (F1, F2, F3 … Fl) and O (O1, O2, O3 … Om).]
Security Functions
• Loss avoidance
• Deterrence
• Loss prevention
• Loss detection
• Recovery
• Vulnerability correction
Parker, D. B. (1984). The Many Faces of Data Vulnerability. IEEE Spectrum, 21(5), 46-49.
Basic Attributes of Security
Baskerville, R., & Sainsbury, R. (2005, 11-12 July). Securing Against the Possibility of an Improbable Event: Concepts for Managing Predictable Threats and Normal Compromises. Paper presented at the European Conference on Information Warfare and Security, Glamorgan University, UK.
PREVENTATIVE: eliminate serious threats, prevent attacks and limit the scope of intrusions, e.g. anti-virus, encryption, firewalls, passwords and biometric ID systems.
RESTORATIVE: respond quickly or actively to security problems that were not prevented, and restore the system after an attack, e.g. data backups, drive images, mirrored servers, extra staff.
Information Security Standards
• ISO/IEC 27001
• ISO/IEC 27002 (17799)
• COBIT
• ITIL
• PCI
• NIST
• Common Criteria
[Figure: the ISO/IEC 27000 library of standards.]
Guidance and Standards: Examples
• Quality Standards
– ISO/IEC 27001
• Technical Standards
– ISO/IEC 27002
• Professional Standards
– COBIT (Control Objectives for Information and Related Technologies), a generally applicable and accepted standard for good information technology security and control practices in organizations.
• Industry Practices and Standards
– ITIL (IT Infrastructure Library)
– Payment Card Industry (PCI) Standard
– NIST 800-12 Computer Security Handbook
• Qualification Criteria
– ITSEC, TCSEC, Common Criteria
Quality Standards
Example: ISO/IEC 27001
This standard has evolved toward the development of management systems for information security and provides a stronger basis for third-party audit and certification. It offers a managerially-oriented complement to the technologically-oriented ISO/IEC 27002.
Structure of the Information Security Management System (ISMS), ISO/IEC 27001
• Leadership - top management must demonstrate leadership and commitment to
the ISMS, mandate policy, and assign information security roles, responsibilities
and authorities.
• Planning - outlines the process to identify, analyze and plan to treat information
security risks, and clarify the objectives of information security.
• Support - adequate, competent resources must be assigned, awareness raised,
documentation prepared and controlled.
• Operation - assess and treat information security risks, manage changes, and document what was done (partly so that the certification auditors can verify it).
• Performance evaluation - monitor, measure, analyze and evaluate/audit/review
the information security controls, processes and management system in order to
make systematic improvements where appropriate.
• Improvement - address the findings of audits and reviews (e.g. nonconformities and corrective actions) and make continual refinements to the ISMS.
Technical Standards
Example: ISO/IEC 27002
ISO/IEC 27002:2013 control clauses (the 2005 edition, formerly ISO/IEC 17799, grouped its controls into 11 clauses; the 14 listed below are those of the 2013 edition)
• Security Policy
• Organization of Information Security
• Human Resources Security
• Asset Management
• Access Control
• Cryptography
• Physical And Environmental Security
• Operations security
• Communications Security
• Information Systems Acquisition, Development, Maintenance
• Supplier Relationships
• Information Security Incident management
• Information Security Aspects of Business Continuity
• Compliance
Overview of Controls
Specimen control objective from ISO/IEC 27002:2013, Information Security Policies: provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
ISO 27002: Organization of Information Security
• Establishes a management framework to initiate and control the implementation and operation of information security within the organization
• Ensure the security of teleworking and use of mobile devices.
ISO 27002: Human Resource Security
• Ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
• Ensure that employees and contractors are aware of and fulfil their information security responsibilities.
• Protect the organization’s interests as part of the process of changing or terminating employment.
ISO 27002: Asset Management
• Identify organizational assets and define appropriate protection responsibilities.
• Ensure that information receives an appropriate level of protection in accordance with its importance to the organization.
• Prevent unauthorized disclosure, modification, removal or destruction of information stored on media.
ISO 27002: Access Control
• Limit access to information and information processing facilities.
• Ensure authorized user access and prevent unauthorized access to systems and services.
• Make users accountable for safeguarding their authentication information.
• Prevent unauthorized access to systems and applications.
ISO 27002: Cryptography
• Ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
ISO 27002: Physical and Environmental Security
• Prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.
• Prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations.
ISO 27002: Operations Security
• Ensure correct and secure operations of information processing facilities.
• Ensure that information and information processing facilities are protected against malware.
• Protect against loss of data.
• Record events and generate evidence.
• Ensure the integrity of operational systems.
• Prevent exploitation of technical vulnerabilities.
• Minimise the impact of audit activities on operational systems.
ISO 27002: Communications Security
• Ensure the protection of information in networks and its supporting information processing facilities.
• Maintain the security of information transferred within an organization and with any external entity.
ISO 27002: System Acquisition, Development and Maintenance
• Ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.
• Ensure that information security is designed and implemented within the development lifecycle of information systems.
• Ensure the protection of data used for testing.
ISO 27002: Supplier Relationships
• Ensure protection of the organization’s assets that are accessible by suppliers.
• Maintain an agreed level of information security and service delivery in line with supplier agreements.
ISO 27002: Information Security Incident Management
• Ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
ISO 27002: Information Security Aspects of Business Continuity Management
• Information security continuity should be embedded in the organization’s business continuity management systems.
• Ensure availability of information processing facilities.
ISO 27002: Compliance
• Avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
• Ensure that information security is implemented and operated in accordance with the organizational policies and procedures.
ISO 27002: Essential Safeguards
[Figure.]
Industry Practices & Standards
Examples: ITIL, PCI, NIST 800 series
ITIL (IT Infrastructure Library)
• Best practices and guidelines for managing information technology services
• Integrated, process-based approach
• Originated in a 1980s UK government initiative
• Focus on quality, efficient, cost-effective delivery of IT services
Major ITIL Volumes
• Software asset management
• Service support
• Service delivery
• Planning to implement service management
• ICT infrastructure management
• Application management
• Security management
• The business perspective
ITIL Structure
[Figure.]
ITIL Security
[Diagram of the ITIL security management process, adapted from Weil, Steven (2004), "How ITIL Can Improve Information Security", SecurityFocus (http://www.securityfocus.com/infocus/1815):]
Initial security effort: risk analysis → security requirements → minimum security baseline → requirements feasibility analysis → negotiate & define SLA (with the customer) → negotiate & define OLA (with the IT service organization) → implement → monitor → report → modify
Security management products: policies, processes, procedures, work instructions
Payment Card Industry Data Security Standard
• Build and Maintain a Secure Network
– Install and maintain a firewall configuration to protect data
– Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
– Protect stored data
– Encrypt transmission of cardholder data and sensitive information across public networks
• Maintain a Vulnerability Management Program
– Use and regularly update anti-virus software
– Develop and maintain secure systems and applications
• Implement Strong Access Control Measures
– Restrict access to data by business need-to-know
– Assign a unique ID to each person with computer access
– Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
– Track and monitor all access to network resources and cardholder data
– Regularly test security systems and processes
• Maintain an Information Security Policy
– Maintain a policy that addresses information security
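The PCI DSS requirements above are stated as control objectives; in practice an assessor wants to know which of them can be verified mechanically against an inventory. The Python below is an added example, not code from the slides or from the PCI Security Standards Council: it runs four checks, corresponding to requirements 2 (no vendor defaults), 4 (encrypt transmission across public networks), 8 (unique ID per person) and 10 (track and monitor access), over a constructed asset inventory. The Asset record, the VENDOR_DEFAULTS set and the three sample systems are all hypothetical.

```python
"""Added example: automated checks for the machine-checkable PCI DSS
requirements listed above (2, 4, 8 and 10).  Every structure and value here
is constructed for illustration; none of it is taken from the standard."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Finding = (requirement number, asset name, detail)
Finding = Tuple[int, str, str]

# Constructed list of vendor-supplied default credentials (illustrative only;
# a real check would consult a maintained default-credential database).
VENDOR_DEFAULTS: Set[Tuple[str, str]] = {
    ("admin", "admin"), ("admin", "password"), ("root", "toor"), ("sa", ""),
}
# Protocols that carry data in the clear; requirement 4 applies when the
# service is reachable across a public network.
PLAINTEXT_PROTOCOLS = {"http", "ftp", "telnet"}


@dataclass
class Asset:
    """One system in PCI scope (hypothetical inventory record)."""
    name: str
    public_facing: bool                      # reachable across a public network?
    protocols: Set[str]                      # protocols the service exposes
    credentials: List[Tuple[str, str]]       # (username, password) pairs in use
    account_holders: Dict[str, List[str]]    # account -> people who use it
    audit_logging: bool                      # is access to cardholder data logged?


def check_vendor_defaults(a: Asset) -> List[Finding]:
    """Req. 2: do not use vendor-supplied defaults for passwords."""
    return [(2, a.name, f"default credential in use: {u!r}")
            for u, p in a.credentials if (u, p) in VENDOR_DEFAULTS]


def check_encrypted_transport(a: Asset) -> List[Finding]:
    """Req. 4: encrypt cardholder data in transit across public networks."""
    if not a.public_facing:
        return []
    return [(4, a.name, f"plaintext protocol exposed publicly: {proto}")
            for proto in sorted(a.protocols & PLAINTEXT_PROTOCOLS)]


def check_unique_ids(a: Asset) -> List[Finding]:
    """Req. 8: one unique ID per person; shared accounts defeat accountability."""
    return [(8, a.name, f"account {acct!r} shared by {', '.join(people)}")
            for acct, people in a.account_holders.items() if len(people) > 1]


def check_audit_logging(a: Asset) -> List[Finding]:
    """Req. 10: track and monitor all access to cardholder data."""
    return [] if a.audit_logging else [(10, a.name, "audit logging disabled")]


CHECKS = (check_vendor_defaults, check_encrypted_transport,
          check_unique_ids, check_audit_logging)


def assess(assets: List[Asset]) -> List[Finding]:
    """Run every check over every asset; findings keep asset order, then check order."""
    return [f for a in assets for check in CHECKS for f in check(a)]


def unmet_requirements(findings: List[Finding]) -> Set[int]:
    """Requirement numbers that have at least one failing asset."""
    return {req for req, _, _ in findings}


# Constructed sample inventory: one compliant system and two with gaps.
SAMPLE_ASSETS = [
    Asset("pos-gateway", True, {"https"}, [("svc_pos", "Zq7!vEw2pL")],
          {"svc_pos": ["pos-service"]}, True),
    Asset("legacy-db", False, {"tds"}, [("sa", "")],
          {"sa": ["alice", "bob"]}, False),
    Asset("web-admin", True, {"http", "https"}, [("admin", "admin")],
          {"admin": ["carol"]}, True),
]

if __name__ == "__main__":
    for req, asset, detail in assess(SAMPLE_ASSETS):
        print(f"PCI DSS req {req:>2}  {asset:<12} {detail}")
```

Each check returns findings rather than printing them, so the same functions can feed a report, a ticketing system or a test suite; the requirements that are not in the list (firewall configuration, physical access, policy maintenance) need evidence that this kind of inventory check cannot supply.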
NIST Computer Security Handbook, Special Publication 800-12
NIST Computer Security Division
• SP 800-12 An Introduction to Computer Security: The NIST Handbook, October 1995
• SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996
• SP 800-18 Guide for Developing Security Plans for Information Technology Systems, December 1998
• SP 800-26 Security Self-Assessment Guide for Information Technology Systems, November 2001
• SP 800-30 Risk Management Guide for Information Technology Systems, July 2002
• SP 800-33 Underlying Technical Models for Information Technology Security, December 2001
• SP 800-34 Contingency Planning Guide for Information Technology Systems, June 2002
• SP 800-55 Security Metrics Guide for Information Technology Systems, July 2003
• SP 800-65 Integrating Security into the Capital Planning and Investment Control Process, January 2005
http://csrc.nist.gov/publications/nistpubs/
NIST SP 800-14 Reference Model
(The principles below are the OECD Guidelines for the Security of Information Systems, on which the generally accepted principles of SP 800-14 are based.)
• Accountability - The responsibilities and accountability of owners, providers and users of information systems and other parties...should be explicit.
• Awareness - Owners, providers, users and other parties should readily be able, consistent with maintaining security, to gain appropriate knowledge of and be informed about the existence and general extent of measures...for the security of information systems.
• Ethics - Information systems and the security of information systems should be provided and used in such a manner that the rights and legitimate interests of others are respected.
• Multidisciplinary - Measures, practices and procedures for the security of information systems should take account of and address all relevant considerations and viewpoints....
• Proportionality - Security levels, costs, measures, practices and procedures should be appropriate and proportionate to the value of and degree of reliance on the information systems and to the severity, probability and extent of potential harm....
• Integration - Measures, practices and procedures for the security of information systems should be coordinated and integrated with each other and other measures, practices and procedures of the organization so as to create a coherent system of security.
• Timeliness - Public and private parties, at both national and international levels, should act in a timely coordinated manner to prevent and to respond to breaches of security of information systems.
• Reassessment - The security of information systems should be reassessed periodically, as information systems and the requirements for their security vary over time.
• Democracy - The security of information systems should be compatible with the legitimate use and flow of data and information in a democratic society.
Qualification Criteria
Example: Common Criteria (ISO/IEC 15408)
The CC philosophy is to provide assurance based upon an evaluation (active investigation) of the IT product or system that is to be trusted. Evaluation has been the traditional means of providing assurance and is the basis for prior evaluation criteria documents. In aligning the existing approaches, the CC adopts the same philosophy. The CC proposes measuring the validity of the documentation and of the resulting IT product or system by expert evaluators with increasing emphasis on scope, depth, and rigor.
(Common Criteria v 2.1, Part 3, p. 2)
Participants
• Canada: Communications Security Establishment
• France: Service Central de la Sécurité des Systèmes d'Information
• Germany: Bundesamt für Sicherheit in der Informationstechnik
• Netherlands: Netherlands National Communications Security Agency
• United Kingdom: Communications-Electronics Security Group
• United States: National Institute of Standards and Technology
• United States: National Security Agency
[Figures: Common Criteria context model; Common Criteria goal model; Common Criteria structure.]