Page 1

Information Security Management, Standards and best practices

Σ. Κοκολάκης, with contributions from Μ. Καρύδα and Α. Τσώχου

Page 2

Standards & Standardization Process

• De facto – de jure standards
• Standardization bodies
  – ISO (International Organization for Standardization): national bodies – technical committees
  – ΕΛΟΤ (Hellenic Organization for Standardization)
  – CEN, ANSI, NIST, BSI
• Processes
  – Certification
  – Accreditation

Page 3

Why?

• Threat of legal liability
  – Organizations and software vendors are being held to a higher degree of accountability for security, if not in the courtroom, then by their customers.
• Business partners and stakeholders demanding security
  – Organizations are challenged to prove they are managing security to a level that will satisfy their business partners and stakeholders.
• Proliferation of standards, regulations and legislation
  – Organizations face complex requirements to comply with a myriad of regulations.

Page 4

Comprehensive IS Management – Principles Based

• OECD Guidelines for the Security of Information Systems and Networks (2002): 9 pervasive principles for information security
• NIST (National Institute of Standards and Technology)
  – SP 800-14, Generally Accepted Principles and Practices for Securing IT Systems, 1996
  – SP 800-18, Guide for Developing Security Plans for Federal Information Systems, 1998 (revised 2006)
  – SP 800-30, Risk Management Guide for IT Systems, 2002
• IFAC International Guidelines on Information Technology Management – Managing Information Technology Planning for Business Impact: International Federation of Accountants, New York, 1999.

Page 5

Comprehensive IS Management - Controls Based

• BS 7799 – Parts 1, 2 & 3: Code of Practice for Information Security Management (British Standards Institute)
• ISO 27001: Information Technology – Information Security Management Systems – Requirements
• ISO 27002: Information Technology – Code of Practice for Information Security Management (former ISO 17799)
• ISO 27003: Information Technology – Information security management system implementation guidance
• ISO 27004: Information Technology – Information security management – Measurement
• ISO 27005: Information Technology – Information security risk management
• IT Baseline Protection Manual – BSI (Bundesamt für Sicherheit in der Informationstechnik)
• NIST 800-53 – Recommended Security Controls for Federal Information Systems
  – Several specific standards (e.g. Secure Web Services, PDA security, Implementing HIPAA, Contingency planning, etc.)

Page 6

Other categories

• Capability Maturity Model
  – ISO 21827 System Security Engineering – Capability Maturity Model (SSE-CMM)
• Product Security Models
  – ISO 15408 Common Criteria
  – TCSEC, ITSEC
• Business Continuity Management
  – ISO 24762: Information Technology – Guidelines for information and communication technology disaster recovery services
  – ISO 27031: Information Technology – Security Techniques – Guidelines for ICT readiness for Business Continuity
  – BS 25999: Business Continuity Management
  – ISO 18044: Information technology – Information security incident management
• Governance Guides
  – ISO 38500: Corporate governance of IT
• COBIT – Control Objectives for Information and Related Technologies (ISACA)
  – IT Governance Implementation Guide (ISACA)

Page 7

OECD Guidelines -1- “towards a culture of security”

1. Awareness
   – Participants should be aware of the need for security of information systems and networks and what they can do to enhance security.
2. Responsibility
   – All participants are responsible for the security of information systems and networks.
3. Response
   – Participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents.
4. Ethics
   – Participants should respect the legitimate interests of others.
5. Democracy
   – The security of information systems and networks should be compatible with essential values of a democratic society.

Page 8

OECD Guidelines -2-

6. Risk assessment
   – Participants should conduct risk assessments.
7. Security design and implementation
   – Participants should incorporate security as an essential element of information systems and networks.
8. Security management
   – Participants should adopt a comprehensive approach to security management.
9. Reassessment
   – Participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, practices, measures and procedures.

Page 9

Information Security Standards

• TCSEC (Orange Book)

• ITSEC

• Common Criteria

Page 10

Standards’ history -1-

• 1983: Trusted Computer System Evaluation Criteria (TCSEC) developed in the United States.

• 1991: Information Technology Security Evaluation Criteria (ITSEC) version 1.2 published by the European Commission (joint development by France, Germany, the Netherlands, and the UK).

• 1993: Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) version 3.0, published as a combination of the ITSEC and TCSEC approaches.

Page 11

Standards’ history -2-

• 1990: the International Organization for Standardization (ISO) starts to develop international standard evaluation criteria for general use.

• June 1993: the sponsoring organisations of the CTCPEC, FC, TCSEC and ITSEC began a joint activity to align their separate criteria into a single set of IT security criteria that could be widely used. This activity was named the CC Project.

Page 12

Common Criteria -1-

• Meant to be used as the basis for evaluation of security properties of IT products and systems.
• Permits comparability between the results of independent security evaluations.
• Guide for the development of products or systems with IT security functions and for the procurement of commercial products and systems with such functions.
• Addresses protection of information from unauthorised disclosure, modification, or loss of use (confidentiality, integrity, availability).
• It is applicable to IT security measures implemented in hardware, firmware or software.

Page 13

Common Criteria -2-

• Does not contain security evaluation criteria pertaining to administrative security measures not related directly to the IT security measures.

• De facto standard in the US since 1998.
• Accepted as ISO 15408.
• Includes
  – CC documents
  – CC Evaluation Methodology (CEM)
  – CC National Scheme
• 7 Evaluation Assurance Levels [EAL1 to EAL7]
• 11 Functionality Requirements Classes
• 10 Assurance Requirements Classes

Page 14

Evaluation Context

Page 15

Common Criteria Target Group

• Consumers
  They can use the results of evaluations to help decide whether an evaluated product or system fulfils their security needs. They can also use the evaluation results to compare different products or systems.
• Developers
  The CC can support developers in preparing for and assisting in the evaluation of their products or systems and in identifying security requirements to be satisfied by each of their products or systems.
• Evaluators
  The CC contains criteria to be used by evaluators when forming judgments about the conformance of TOEs to their security requirements.
• Others
  Auditors, Security Officers

Page 16

Common Criteria: Basic concepts

• Protection Profile (PP)
  – An implementation-independent set of security requirements for a category of TOEs that meet specific consumer needs.
• Target of Evaluation (TOE)
  – An IT product or system and its associated administrator and user guidance documentation that is the subject of an evaluation.
• Security Target (ST)
  – A set of security requirements and specifications to be used as the basis for evaluation of an identified TOE.

Page 17

TOE Development Method

• Protection Profile (PP)

• Target of Evaluation (TOE)

• Security Target (ST)

Page 18

ISO 27002 (former 17799)

• First edition: 2000. Current edition: 2005.
• Prepared by the British Standards Institution (as BS 7799) and adopted by Joint Technical Committee ISO/IEC JTC 1, Information Technology, in parallel with its approval by national bodies of ISO and IEC.
• “Information technology — Code of practice for information security management”

Page 19

ISO 27002 as a code of practice

• May be regarded as a starting point for developing organization specific guidance.

• Not all of the guidance and controls in this code of practice may be applicable.

• Furthermore, additional controls not included in this document may be required.

Page 20

ISO 27002

• Gives recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security in their organization.

• It is intended to provide a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings.

• Recommendations from this standard should be selected and used in accordance with applicable laws and regulations.

Page 21

ISO 27002: Information Security Policy

• Information security policy document

• Review and evaluation

Page 22

ISO 27002: Organizational Security

• “Information security is a business responsibility shared by all members of the management team.”

• Information security infrastructure
  – management framework: management fora with management leadership should be established to approve the information security policy, assign security roles and co-ordinate the implementation of security across the organization
  – multi-disciplinary approach to information security: involving the co-operation and collaboration of managers, users, administrators, application designers, auditors and security staff, and specialist skills in areas such as insurance and

Page 23

ISO 27002: Asset classification and control

• Asset accountability
  – Accountability should remain with the owner of the asset. Responsibility for implementing controls may be delegated.
• Information classification
  – Information should be classified to indicate the need, priorities and degree of protection, depending on varying degrees of sensitivity and criticality.

Page 24

ISO 27002: Personnel security

• Security in job definition and resourcing
• User training
  – Users should be trained in security procedures and the correct use of information processing facilities to minimize possible security risks.
• Responding to security incidents and malfunctions
  – Weaknesses, malfunctions
  – Learning from incidents
  – Disciplinary process

Page 25

ISO 27002: Physical and environmental security

• Secure areas
  – Security perimeter, entry controls
  – Protection provided should be commensurate with the identified risks.
• Equipment security
  – Safety

Page 26

ISO 27002: Communications and operations management

• Operational procedures and responsibilities
  – Incident management procedures
  – Segregation of duties
  – Separation of development and operational facilities
• System planning and acceptance
  – Capacity planning, performance requirements, system acceptance
• Protection against malicious software
• Back-ups, logging
• Network management
• Media handling
  – tapes, disks, cassettes
• Information exchange between organizations
  – Policy on Email
  – Electronic commerce security

Page 27

ISO 27002: Access control

• Access control policy
• User access management
  – Access rights, passwords
• User responsibilities
• Network access control
  – Network segregation
• Operating system access control
• Application access control
• Monitoring system access and use
• Mobile computing and teleworking

Page 28

ISO 27002: Systems development and maintenance

• Security requirements of systems
  – “built-in” security
• Security in application systems
  – Message authentication, hash algorithms, cryptography
• Cryptographic controls
  – To protect the confidentiality, authenticity or integrity of information (encryption, digital signatures, key management)

Page 29

ISO 27002: Business continuity management -1-

• “To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.”

• A business continuity management process should be implemented to reduce the disruption caused by disasters and security failures (which may be the result of, for example, natural disasters, accidents, equipment failures, and deliberate actions) to an acceptable level through a combination of preventative and recovery controls.

Page 30

ISO 27002: Business continuity management -2-

• The consequences of disasters, security failures and loss of service should be analyzed. Contingency plans should be developed and implemented to ensure that business processes can be restored within the required time-scales. Such plans should be maintained and practiced to become an integral part of all other management processes.

• Business continuity management should include controls to identify and reduce risks, limit the consequences of damaging incidents, and ensure the timely resumption of essential operations.

Page 31

ISO 27002: Compliance

• Compliance with legal requirements
  – Data protection and privacy of personal information
  – Intellectual property rights (IPR)
  – Regulation of cryptographic controls
• Compliance with security policy

Page 32

ISO/IEC 27001: 2005

• Specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS) within the context of the organization’s overall business risks.

• May serve as a suitable basis for ISMS certification.

Page 33

ISO/IEC 27001: 2005

• Contains requirements for the implementation of security controls customized to the needs of individual organizations or parts of them.

• Contains requirements in a structure of:
  – 11 control clauses that include
  – 39 control objectives
  – 133 controls

Page 34

The PDCA model of ISO/IEC 27001

Page 35

PLAN: Establish the ISMS

Page 36

Define the scope of ISMS (a.)

Definition of the boundaries of the ISMS in terms of the characteristics of:

• the business,
• the organization,
• its location,
• assets,
• technology,
• justified details of any exclusions from the scope.

Page 37

Define an ISMS policy (b.)

Definition of an ISMS policy that:

1. includes a framework for setting objectives and establishes an overall sense of direction and principles for action with regard to information security;

2. takes into account business and legal or regulatory requirements, and contractual security obligations;

3. aligns with the organization’s strategic risk management context in which the establishment and maintenance of the ISMS will take place;

4. establishes criteria against which risk will be evaluated, and

5. has been approved by management.

Page 38

Risk assessment (c.-d.-e.)

Risk assessment is the process of combining risk identification, risk analysis and risk evaluation. (ISO/IEC 13335-1:2004)

The results of the risk assessment will help to guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against these risks. (ISO/IEC 27002:2005)

Page 39

Risk assessment (c.-d.-e.)

The three stages (c., d. and e.) of risk assessment execution are:

• Identify a risk assessment methodology that is suited to the ISMS, and the identified business information security, legal and regulatory requirements.

• Develop criteria for accepting risks and identify the acceptable levels of risk.

• Identify the risks (assets, threats, vulnerabilities, impacts)

• Analyze and evaluate the risks (estimation of level of risks and evaluation whether they are acceptable or require treatment).

Page 40

Risk Assessment activities

Risk assessment consists of the following activities:

• Risk analysis, which comprises:
  – Risk identification
  – Risk estimation

• Risk evaluation

Page 41

Prepare Statement of Applicability (j.)

The Statement of Applicability shall include the following:

• the control objectives and controls selected and the reasons for their selection

• the control objectives and controls currently implemented, and

• the exclusion of any control objectives and controls in Annex A and the justification for their exclusion.

Page 42

DO: Implement and Operate the ISMS (1)

• Formulate a risk treatment plan, which shall contain:
  – The method selected for treating the risk
  – What controls are in place
  – What additional controls are proposed
  – Time frame for controls’ implementation
  – Identified acceptable level of risk (and residual risk)
• Implement the risk treatment plan in order to achieve the identified control objectives.
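The PLAN and DO steps above (risk estimation, evaluation against the acceptance criteria, the risk treatment plan with residual risk, and the Statement of Applicability) carried through in code, as an added example that is not part of the lecture or of any standard's own material. It assumes a 1 to 5 likelihood and impact scale, risk level = likelihood × impact, an acceptance threshold of 6 and constructed sample assets and threats; the Annex A numbers are the ones quoted on the slides, except A.9.1.1, which is assumed only to show an excluded control.

```python
from dataclasses import dataclass, field

ACCEPTANCE_THRESHOLD = 6  # assumed management-approved risk acceptance criterion


@dataclass
class Risk:
    """One identified risk: asset, threat, vulnerability and estimated impact."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                    # 1 (negligible) .. 5 (severe), assumed scale
    proposed_controls: list = field(default_factory=list)  # Annex A references
    residual_likelihood: int = 0   # expected likelihood once controls are in place

    def level(self) -> int:
        """Risk estimation: qualitative likelihood x impact."""
        return self.likelihood * self.impact

    def residual_level(self) -> int:
        return (self.residual_likelihood or self.likelihood) * self.impact


def evaluate(risks, threshold=ACCEPTANCE_THRESHOLD):
    """Risk evaluation: split risks into acceptable and requiring treatment."""
    acceptable = [r for r in risks if r.level() <= threshold]
    to_treat = [r for r in risks if r.level() > threshold]
    return acceptable, to_treat


def treatment_plan(risks, threshold=ACCEPTANCE_THRESHOLD):
    """Risk treatment plan: method, controls and residual risk for each risk."""
    plan = []
    for r in evaluate(risks, threshold)[1]:
        if r.proposed_controls:
            method, residual = "apply controls", r.residual_level()
        else:
            # Nothing proposed: the risk stays as is and needs explicit management sign-off.
            method, residual = "accept (management decision required)", r.level()
        plan.append({
            "asset": r.asset, "threat": r.threat, "method": method,
            "controls": list(r.proposed_controls),
            "initial_level": r.level(), "residual_level": residual,
            "residual_acceptable": residual <= threshold,
        })
    return plan


def statement_of_applicability(annex_a, plan, implemented):
    """SoA: selected controls with reasons, what is implemented, justified exclusions."""
    reasons = {}
    for entry in plan:
        for ctrl in entry["controls"]:
            reasons.setdefault(ctrl, []).append(
                f"treats '{entry['threat']}' on {entry['asset']}")
    soa = {}
    for ctrl, title in annex_a.items():
        if ctrl in reasons:
            soa[ctrl] = {"title": title, "applicable": True, "reasons": reasons[ctrl],
                         "implemented": ctrl in implemented}
        else:
            soa[ctrl] = {"title": title, "applicable": False,
                         "justification": "no identified risk requires this control"}
    return soa


# Constructed sample data. A.5.1, A.11.2.3 and A.11.2.1 are numbered as on the
# slides; A.9.1.1 is assumed here only to show an excluded control.
ANNEX_A = {
    "A.5.1": "Information security policy document",
    "A.11.2.3": "User password management",
    "A.11.2.1": "Password use",
    "A.9.1.1": "Physical security perimeter",
}
SAMPLE_RISKS = [
    Risk("customer database", "credential guessing", "shared admin passwords", 4, 5,
         ["A.11.2.3", "A.11.2.1"], residual_likelihood=1),
    Risk("public website", "defacement", "no approved security policy", 3, 3,
         ["A.5.1"], residual_likelihood=2),
    Risk("backup tapes", "loss in transit", "unencrypted media", 2, 4),
    Risk("printed brochures", "theft", "stored in open reception", 2, 1),
]

if __name__ == "__main__":
    for entry in treatment_plan(SAMPLE_RISKS):
        print(entry)
```

The third sample risk shows the case the plan must surface rather than hide: no control proposed, so the residual level stays above the threshold and the entry is marked not acceptable until management decides.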

Page 43

DO: Implement and Operate the ISMS (2)

• Implement controls selected to meet the control objectives.

• Define how to measure the effectiveness of the selected controls.

• Implement training and awareness programs.
• Manage operation of the ISMS.
• Manage resources for the ISMS.
• Implement procedures and other controls capable of enabling prompt detection of security events and response to security incidents.

Page 44

CHECK: Monitor and review (1)

Execute monitoring and reviewing procedures and other controls to:

• promptly detect errors
• promptly identify attempted and successful security breaches and incidents
• enable management to determine whether the security activities delegated to people or implemented by information technology are performing as expected,
• help detect security events by the use of indicators, and
• determine whether the actions taken to resolve a breach of security were effective.

Page 45

CHECK: Monitor and review (2)

• Undertake regular reviews of the effectiveness of the ISMS.
• Measure the effectiveness of controls to verify that security requirements have been met.
• Review risk assessments at planned intervals and review the residual risks and the identified acceptable levels of risks, taking into account potential changes.

• Conduct internal ISMS audits at planned intervals.

• Update security plans to take into account the findings of monitoring and reviewing activities.

• Record actions and events that could have an impact on the effectiveness or performance of the ISMS.
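Two of the CHECK activities above, detecting security events through an indicator and measuring whether a control was effective, worked through on constructed log lines; this is an added example, not material from the lecture or from any standard. It assumes a made-up "timestamp user outcome" authentication log format, a five-failures-in-five-minutes indicator for attempted breaches, and a go-live date of 2024-03-15 for the password management control, all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log ("<ISO timestamp> <user> <FAIL|OK>"). The
# control under review (formal password management) is assumed to go live 2024-03-15.
LOG_LINES = [
    "2024-03-01T09:00:05 alice FAIL",
    "2024-03-01T09:00:20 alice FAIL",
    "2024-03-01T09:00:41 alice FAIL",
    "2024-03-01T09:01:02 alice FAIL",
    "2024-03-01T09:01:30 alice FAIL",
    "2024-03-01T09:02:11 alice OK",      # success right after a burst of failures
    "2024-03-01T10:15:00 bob FAIL",
    "2024-03-01T10:16:00 bob OK",
    "not a log line",                     # malformed input the parser must survive
    "2024-03-20T08:00:00 alice FAIL",
    "2024-03-20T08:00:30 alice FAIL",
    "2024-03-20T08:01:00 alice OK",
    "2024-03-20T11:00:00 carol FAIL",
    "2024-03-20T11:00:10 carol FAIL",
    "2024-03-20T11:00:20 carol FAIL",
    "2024-03-20T11:00:30 carol FAIL",
    "2024-03-20T11:40:00 carol FAIL",    # fifth failure falls outside the window
]
CONTROL_LIVE = datetime(2024, 3, 15)
LINE_RE = re.compile(r"^(\S+) (\S+) (FAIL|OK)$")


def parse(lines):
    """Parse lines into (timestamp, user, outcome); malformed lines are counted, not raised."""
    events, bad = [], 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            bad += 1
            continue
        ts, user, outcome = m.groups()
        events.append((datetime.fromisoformat(ts), user, outcome))
    return events, bad


def failed_login_indicator(events, window=timedelta(minutes=5), threshold=5):
    """Indicator for attempted breaches: accounts with >= threshold failures in any window.

    Returns {user: time the indicator first fired}, the record that goes into
    the log of actions and events the CHECK phase asks for.
    """
    failures = defaultdict(list)
    for ts, user, outcome in events:
        if outcome == "FAIL":
            failures[user].append(ts)
    fired = {}
    for user, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted failures
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                fired[user] = stamps[start]
                break
    return fired


def control_effectiveness(events, control_live=CONTROL_LIVE):
    """Measure the control: compare indicator firings before and after go-live."""
    before = failed_login_indicator([e for e in events if e[0] < control_live])
    after = failed_login_indicator([e for e in events if e[0] >= control_live])
    return {"flagged_before": sorted(before), "flagged_after": sorted(after),
            "effective": len(after) < len(before)}


if __name__ == "__main__":
    events, bad = parse(LOG_LINES)
    print(f"{len(events)} events parsed, {bad} malformed")
    print(control_effectiveness(events))
```

The "effective" verdict here rests on one indicator over one sample; in practice the measurement is repeated at the planned review intervals before the residual risk is revised.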

Page 46

ACT: Maintain and Improve the ISMS

The organization shall regularly:

• Implement the identified improvements in the ISMS.

• Take appropriate corrective and preventive actions

• Apply the lessons learnt from the security experiences of other organizations and those of the organization itself.

• Communicate the actions and improvements to all interested parties

• Ensure that the improvements achieve their intended objectives.

Page 47

Required documentation (1)

• Documented statements of the ISMS policy and objectives

• The scope of the ISMS
• Procedures and controls in support of the ISMS
• A description of the risk assessment methodology
• The risk assessment report
• The risk treatment plan

Page 48

Required documentation (2)

• Documented procedures needed by the organization to ensure the effective planning, operation and control of its information security processes and describe how to measure the effectiveness of controls

• Records required by the ISO/IEC 27001:2005, and

• The Statement of Applicability (SOA).

Page 49

Annex A - Control objectives and controls

1. Security Policy
2. Organizing Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance

Page 50

Annex A - Control objectives and controls: Examples (1)

A5: Security Policy

Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations

A5.1: Information security policy document

Control: An information security policy document shall be approved by management, and published and communicated to all employees and relevant external parties.

Page 51

Annex A - Control objectives and controls: Examples (2)

A.11 Access control

A.11.2 User access management

Objective: To ensure authorized user access and to prevent unauthorized access to information systems

A11.2 User responsibilities

Objective: To prevent unauthorized user access, and compromise or theft of information and information processing facilities

A11.2.3: User password management

Control: The allocation of passwords shall be controlled through a formal management process

A11.2.1: Password use

Control: Users shall be required to follow good security practices in the selection and use of passwords

Page 52

Trends

• More regulatory and legislative oversight.
• Executive and board oversight of information security.
• ISO 27001/ISO 27002 have become the de facto standard for information security programs.
• ISO 27000 series
  – ISO 27000: Glossary
  – ISO 27003: Implementation of ISMS
  – ISO 27004: Measurement and metrics
  – ISO 27005: Risk management
  – ISO 27006: Accreditation guidelines
  – ISO 27k …to be continued…
