Page 1

The New Code for Information Security

Piet Donga, ING
Chairman NEN NC 27 - IT Security


Page 2

Agenda

• Standardisation of Information Security
• The new Code of Practice for Information Security
• The Code used inside ING

Page 3

Cooperation on various levels (diagram)

Global: ISO, IEC, ISO/IEC JTC1, SC27, ITU
European: CEN, CENELEC, ETSI
National: NEN, NEC, 381027 (NEN committee number)

http://www.iso.ch
http://www.din.de/ni/sc27/
http://www.jtc1.org
http://www.nen.nl

Page 4

ISO/IEC JTC 1/SC27 structure

ISO/IEC JTC 1/SC27 Information Technology – Security Techniques
Chairman: Mr. W. Fumy
Vice Chair: Mrs. M. De Soete

• WG1: Requirements, services, guidelines – Convenor: Mr. T. Humphreys
• WG2: Security techniques and mechanisms – Convenor: Mr. K. Naemura
• WG3: Security evaluation criteria – Convenor: Mr. M. Ohlin
• WG4: Security controls and services – Convenor: Mr. Kang
• WG5: Identity management & privacy technologies – Convenor: unknown

Page 5

History of the Code of Practice (timeline)

1992: Industry ‘Code of Practice for IS’ published
1994: First edition of Dutch CvI
1995: ‘Code of Practice’ published as BS7799
1998: First BS7799-2
1999: Revised version of BS7799(-1)
2000: ISO/IEC 17799 published & Dutch version of BS7799-1:1999 and BS7799-2:1998
2002: BS7799-2:2002 & NEN-ISO-IEC 17799:2002 (NL)
2005: ISO/IEC 17799:2005 published & 27001 published & NEN-ISO-IEC 17799:2005 (UK)
2006: Publication of NEN BS7799-3 (UK) & NEN-ISO-IEC 17799:2005 (NL) & 27001 (NL)

Page 6

27000 series

• Need for a family of standards around ISO17799
• Inspired by ISO9000 and ISO14000 series
• Consistent with standard framework guidelines such as ISO Guide 72 and ISO Guide 73
• Typing of standards
• A lot of discussion regarding loss of 7799 brand name

Page 7

27000 series: current status

Standard  Title                                            Status   Expected IS
27000     ISMS Fundamentals and Vocabulary                 4th WD   2008
27001     ISMS Requirements                                IS       -
27002     Code of Practice for Information Security Man.   IS       2007 (renum)
27003     ISMS Implementation Guidance                     2nd WD   2008
27004     Information Security Management Measurements     1st WD   2008
27005     Information Security Risk Management             2nd CD   2007
27006     ISMS Accreditation                               FCD      2007

Page 8

The Code of Practice for Information Security

Page 9

27002: Code of Practice for Information Security Management

• RISK ASSESSMENT AND TREATMENT
• SECURITY POLICY
• ORGANIZING INFORMATION SECURITY
• ASSET MANAGEMENT
• HUMAN RESOURCES SECURITY
• PHYSICAL AND ENVIRONMENTAL SECURITY
• COMMUNICATIONS AND OPERATIONS MANAGEMENT
• ACCESS CONTROL
• INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE
• INFORMATION SECURITY INCIDENT MANAGEMENT
• BUSINESS CONTINUITY MANAGEMENT
• COMPLIANCE

Page 10

REVISION OF ISO/IEC 17799

• Update controls to keep them up to date and to include new developments
  – Emerging trends and managing new and emerging risks, threats and vulnerabilities
  – Due diligence, governance and fit for purpose
  – Greater customer assurance and demands
  – Growth in use of services and new ways of doing business
  – New technologies, new ways of using technologies and access to more diverse networked business

* From Presentation Ted Humphreys, www.xisec.com

Page 11

REVISION OF ISO/IEC 17799

• Update controls to keep them up to date and to include new developments
  – Emerging trends and managing new and emerging risks; bringing into place management controls and Best Practice
  – Maintain backwards compatibility
  – User friendly interface
• Improve ‘internationalisation’ of the text
  – Language, Culture and Context

* From Presentation Ted Humphreys, www.xisec.com

Page 12

Changes: enhancements*

OLD Sections 17799:2000
• Security policy
• Security organisation
• Asset classification & control
• Personnel security
• Physical & environm. security
• Comm. & oper. management
• Access control
• Systems development & maint.
• Business continuity
• Compliance

NEW Sections 17799:2005
• Security policy
• Organising inform. security
• Asset management
• Human resources security
• Physical & environm. security
• Comm. & oper. management
• Access control
• Inf. Syst. Acquis. Dev. & maint.
• Inf. security incident handling
• Business cont. management
• Compliance

* From Presentation Marijke de Soete, Security4Biz; e-mail address: [email protected]

Page 13

Changes: structure*

Old control text: one block containing the control, implementation guidance and other supporting text

New control text, split into three parts:
• Control
• Implementation guidance
• Other information

* From Presentation Marijke de Soete, Security4Biz; e-mail address: [email protected]

Page 14

Changes

• 9 old controls modified
• 116 controls remaining
• 17 controls added
• Now 133 paragraphs (was 127)

Page 15

New controls - 1

• Management commitment to information security (6.1.1)
• Contacts with special interest groups (6.1.7)
• Ownership of assets (7.1.2)
• Acceptable use of assets (7.1.3)
• Service delivery (10.2.1)
• Monitoring and review of third party services (10.2.2)
• Managing changes to third party services (10.2.3)
• Controls against mobile code (10.4.2)
• Electronic messaging (10.8.4)
• Electronic commerce (10.9.1)
• On-line transactions (10.9.2)

Page 16

New controls - 2

• Protecting log information (10.10.3)
• Control of technical vulnerability (12.6.1)
• Reporting information security events (13.1.1)
• Reporting security weaknesses (13.1.2)
• Management of security incidents – Responsibilities and procedures (13.2.1)
• Collection of evidence (13.2.2)

Page 17

The Code used within ING

Page 18

Policies and Standards Development

• Policies and standards developed in 2002
• Goal: Develop a set of consistent, actionable information security operational-level policies to establish a baseline of security across the Group
• Use ISO 17799 as primary input
  – Strategic and Tactical Level Group policies
  – Dutch National Bank guidance
  – Basel Committee guidelines
  – Existing EC/MC/OC policies, standards, procedures, etc.
• Gain input from business and support activities
  – Four review rounds of drafts
  – “Sanity check” review by MC ISO’s and other stakeholders

Page 19

Recognizing Reality of ING in 2002

• ING has over 60 operating companies, many regulated businesses with different rules
• ING is in over 80 countries, national laws, customs
• ING has an enormous infrastructure, new and old technology
• ING has over 50 million customers, reputation and service expectation
• ING has over 110,000 employees, training and labor rules

Page 20

Development Strategy

• Security has to be business driven, support goals of the business
• Use a layered approach consisting of policies, standards, procedures and guidelines
• Requirements must be adequate but flexible
  – Give OC’s room to innovate and remain compliant
  – Require what and when but not how
  – Require who only when important
  – Do not mandate specific products, protocols, etc.
  – Detailed requirements only when very important
• Use concepts of risk management not risk elimination
• Deployment of baseline security

Page 21

Policy Set

• 37 documents produced in three categories
  – 14 perimeter security
  – 17 infrastructure security
  – 6 business unit specific security
• By document type:
  – 23 policies
  – 11 standards
  – 2 procedures
  – Glossary

Page 22

SOX IT, ISO and IS policies (diagram)

ING Group SOX Framework of Controls
Elements shown: SOX, ITIL, ISO (BS 17799), COBIT
Information security policies & standards (ING Group)

Page 23

Information Security Maturity

• Baseline: 3 implementation levels based on ISO/IEC 17799
• 5 maturity levels for IRM processes; required levels enforced through integrated operational risk scorecards (OR capital reduction)

Page 24

Thank you for your attention

Piet Donga

ING / Global Information Risk Management

Policy, Governance & Risk Management

[email protected]

Page 25

Appendix

Page 26

ISO/IEC JTC 1/SC27 – WG1

• ISO/IEC 27000 family of standards
  – ISO/IEC 27001 ISMS requirements
  – ISO/IEC 27003 ISMS implementation guidance
  – ISO/IEC 27004 ISM metrics and measurements
  – ISO/IEC 27005 Information Security Risk Management
  – ISO/IEC 27006 ISMS Accreditation
  – ISO/IEC 27007 ISMS Audit guidelines
• ISO/IEC 17799 Code of practice for information security management
• ISO/IEC 13335 Management of ICT security (MICTS)

Page 27

ISO/IEC JTC 1/SC27 – WG2

• ISO/IEC 9796 Digital signature schemes giving message recovery
• ISO/IEC 9797 Message authentication codes
• ISO/IEC 9798 Entity authentication
• ISO/IEC 10118 Hash-functions
• ISO/IEC 11770 Key management
• ISO/IEC 14888 Digital signatures with appendix
• ISO/IEC 15946 Cryptographic techniques based on elliptic curves
• ISO/IEC 18014 Time stamping services
• ISO/IEC 18033 Encryption algorithms
• ISO/IEC 24745 Biometric template protection

Page 28

ISO/IEC JTC 1/SC27 – WG2 (continued)

• ISO/IEC 15946 Cryptographic techniques based on elliptic curves
• ISO/IEC 18014 Time stamping services
• ISO/IEC 18031 Random bit generation
• ISO/IEC 18032 Prime number generation
• ISO/IEC 18033 Encryption algorithms
• ISO/IEC 19772 Data encapsulation mechanisms
• ISO/IEC 24745 Biometric template protection

Page 29

ISO/IEC JTC 1/SC27 – WG3

• ISO/IEC 15408 Evaluation criteria for IT security
• ISO/IEC 15443 A framework for IT security assurance
• ISO/IEC 18045 Methodology for IT security evaluation
• ISO/IEC 19790 Security requirements for cryptographic modules
• ISO/IEC 19791 Security assessment of operational systems
• ISO/IEC 19792 A framework for security evaluation and testing of biometric technology

Page 30

ISO/IEC JTC 1/SC27 – WG4

• ISO/IEC 18028 IT Network security
• ISO/IEC 18043 Selection, deployment and operations of intrusion detection systems
• ISO/IEC 18044 Information security incident management
• ISO/IEC 24762 Disaster recovery services

Page 31

ISO/IEC JTC 1/SC27 – WG5

• ISO/IEC 24745 Biometric template protection
• ISO/IEC 24761 Authentication context for biometrics
• ISO/IEC 24760 A framework for biometrics