Information Security Standards

Gary Gaskell© 2001

Gary Gaskell, 3 May 2001

Contents

- Overview of security standards
- Types of standards
- List of standards
- Quick insight into each standard
- Conclusions


Types of Standards

- Risk based
- Management
- Technical
- Lightweight
- Thorough
- System-wide focus
- Product focus
- Assurance based
- Prescriptive controls
- Checklists


Security Standards - Pick One!

- AS/NZS 4444 (BS 7799, ISO 17799)
- US TCSEC (Rainbow series)
- ITSEC (Europe)
- Common Criteria (ISO 15408)
- IETF Site Security Handbook (RFC 2196)
- Vendor handbooks and checklists
- B.S.I.
- SANS
- Website certification services
- SAS-70


AS/NZS 4444

Information Security Management Standard

- Part 1 - 1999
- Part 2 - 2000
- JANZAS
- Based on BS7799
- BS7799 based on industry practice - Shell Oil etc


AS 4444

- Good internal security management
- Information Security Management System
- Explicit target - trusted interconnection
- Catalogue of controls
- Recommended baselines
- Risk based assessments


AS4444 Controls

- Security policy
- Security organisation
- Asset classification and control
- Personnel security
- Physical and environmental security
- Communications and operations management
- Access control
- Systems development and maintenance
- Business continuity management
- Compliance


TCSEC

Trusted Computer Security Evaluation Criteria - 1983

- US Government specification
- “Orange book” and “Rainbow series”
- Origin of C2, B1, B3 etc
- Functionality & assurance tightly coupled
- Superseded but still in use


ITSEC

Information Technology Security Evaluation Criteria - 1991

- UK, France, Germany & The Netherlands
- Used by Australia
- System and product use
- http://www.dsd.gov.au/infosec/aisep/EPL/prod.html
- Superseded but still in use


Common Criteria

Common Criteria for Information Technology Security Evaluation - 1999

- ISO 15408 (CC v 2.1)
- Merge of TCSEC & ITSEC
- Emerging standard
- Assurance level separate from functionality level
- Mutual recognition agreement - 13 countries


RFC 2196

- IETF Site Security Handbook
- Developed by CERT/CC of the CMU
- Response oriented
- Good practical advice
- Explicit about system hardening and patch installation


Vendor Checklists

- SGI
- Compaq/Digital
- Sun Microsystems (Blue prints)
- AIX (redbooks)
- Microsoft
- Apache
- Oracle


Vendor Checklists - Continued

- Explicit and specific
- Good for specification in designs or outsourcing
- “how to” oriented
- Sometimes too light


Third Party Vendor Checklists

- AusCERT/CERT Unix security checklist
- Windows NT 4 NSA/Trusted Systems checklist (http://www.trustedsystems.com)
- Windows 2000 security checklist (http://www.systemexperts.com)
- Books - e.g. Practical Unix and Internet Security - Spafford & Garfinkel


BSI

Bundesamt fuer Sicherheit in der Informationstechnik

http://www.bsi.de/gshb/english/etc/inhalt.htm

- IT Baseline Protection Manual
- More practical than other government attempts


SANS

- System and Network Security
- http://www.sans.org
- Advice on policy and controls
- Training (& certification?)
- Checklists
- Vulnerability service


Website Certification Programs

- TruSecure (ICSA/TruSecure)
- WebTrust
- beTRUSTed (PwC)
- SysTrust (AICPA)
- Others?


SAS-70

- Statement on Auditing Standards
- American Institute of Certified Public Accountants
- Formal audit standard - background of financial audits
- Two levels:
  - Type I - inspection of key areas
  - Type II - testing of the effectiveness of controls


Miscellaneous

- IS 18 - Qld Government
- VISA - security for merchant sites
- NIST - FIPS 102
- US - HIPAA
- OECD - Guidelines for the Security of Information Systems
- ISO 13335 - Guidelines for the Management of IT Security


Miscellaneous - continued

- System Security Engineering Capability Maturity Model (SSE-CMM) - International Systems Security Engineering Association (ISSEA)
- CoBIT - “IT Governance” - AICPA


Conclusions

- Great choice of standards
- None are a full solution