
Information Security Harmonisation: Classification of Global Guidance

Information Systems Audit and Control Association
With more than 35,000 members in more than 100 countries, the Information Systems Audit and Control Association (ISACA) (www.isaca.org) is a recognised worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal, develops international information systems auditing and control standards, and administers the globally respected Certified Information Systems Auditor (CISA) designation, earned by more than 38,000 professionals since inception, and the Certified Information Security Manager (CISM) designation, a groundbreaking credential earned by 5,100 professionals in its first two years.

IT Governance Institute
The IT Governance Institute (ITGI) (www.itgi.org) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise's information technology. Effective IT governance helps ensure that IT supports business goals, optimises business investment in IT, and appropriately manages IT-related risks and opportunities. The IT Governance Institute offers symposia, original research and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.

Disclaimer
The Information Systems Audit and Control Association (the "Owner") and the authors have designed and created this publication, titled Information Security Harmonisation: Classification of Global Guidance (the "Work"), primarily as an educational resource for security professionals. The Owner makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of any proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, the security professional should apply his/her own professional judgement to the specific circumstances presented by the particular systems or information technology environment.

Disclosure
Copyright 2005 by Information Systems Audit and Control Association. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), without the prior written authorisation of ITGI.

Information Systems Audit and Control Association
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.590.7491
Fax: +1.847.253.1443
E-mail: info@isaca.org
Web site: www.isaca.org

ISBN 1-933284-05-6
Information Security Harmonisation: Classification of Global Guidance
Printed in the United States of America


Acknowledgements
From the Publisher
Information Systems Audit and Control Association wishes to recognise:

The author
Leslie Ann Macartney, CISA, CISM, UK

The Board of Directors
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young LLP, USA, International President
Abdul Hamid Bin Abdullah, CISA, CPA, Auditor General's Office, Singapore, Vice President
William C. Boni, CISM, Motorola, USA, Vice President
Ricardo Bria, CISA, SAFE Consulting Group, Argentina, Vice President
Everett C. Johnson, CPA, Deloitte & Touche (retired), USA, Vice President
Howard Nicholson, CISA, City of Salisbury (South Australia), Australia, Vice President
Bent Poulsen, CISA, CISM, VP Securities Services, Denmark, Vice President
Frank Yam, CISA, CIA, CCP, CFE, Focus Strategic Group Inc., Hong Kong, Vice President
Robert S. Roussey, CPA, University of Southern California, USA, Past International President
Paul A. Williams, FCA, MBCS, Paul Williams Consulting, UK, Past International President

The expert reviewer
Robert G. Parker, CISA, CA, FCA, CMC, Deloitte & Touche LLP, Canada

The CISM Certification Board
Chair, Leslie Macartney, CISA, CISM, UK
Kent Anderson, CISM, Network Risk Management LLC, USA
Luis A. Capua, CISM, Sindicatura General de la Nación, Argentina
Robert Stephen Coles, Ph.D., CISA, CISM, FCCA, MBCS, Royal Bank of Scotland Group, UK
Arnold Dito, CISA, USA
Danny Q. Le, CISA, CISM, KPMG, USA
Kyeong-Hee Oh, CISA, CISM, CISSP, Green Soft, Korea
Ashok Shankar Pawar, CISA, CISM, CAIIB, State Bank of India, India
David Simpson, CISA, CISM, CISSP, CQR Consulting, Australia

The authors of COBIT Mapping: Overview of International IT Guidance
Jimmy Heschl, CISA, CISM, ISACA Austria Chapter



Table of Contents
Introduction ..... 1
    Purpose for Classification of the Guidance ..... 1
    Security Guidance Included in This Research ..... 1
    The Classification Framework ..... 3
    Document Taxonomy Chart ..... 4
    The CISM Domain Chart ..... 5
    How to Use This Publication ..... 7
    History and Role of ISACA and ITGI ..... 7
    Approach to the Classification ..... 8
1. BS 7799 Part 2:2002 Information Security Management Systems: Specification With Guidance for Use ..... 9
2. COBIT ..... 15
3. SSE-CMM Systems Security Engineering: Capability Maturity Model 3.0 ..... 25
4. GAISP Version 3.0 ..... 33
5. The Standard of Good Practice for Information Security ..... 39
6. ISO/IEC 13335 Information Technology: Guidelines for the Management of IT Security ..... 47
7. ISO/TR 13569:1997 Banking and Related Financial Services: Information Security Guidelines ..... 57
8. ISO/IEC 15408:1999 and Common Criteria ..... 63
9. ISO/IEC 17799:2000 Information Technology: Code of Practice for Information Security Management ..... 73
10. Security Management ..... 81
11. NIST 800-12 An Introduction to Computer Security: The NIST Handbook ..... 89
12. NIST 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems ..... 99
13. NIST 800-18 Guide for Developing Security Plans for Information Technology Systems ..... 105
14. NIST 800-53 Recommended Security Controls for Federal Information Systems, Second Public Draft ..... 111
15. OCTAVE Criteria Version 2.0 Networked Systems Survivability Program ..... 119
16. Guidelines for the Security of Information Systems and Networks and Associated Implementation Plan ..... 129
17. Manager's Guide to Information Security ..... 135
Annex: CISM Job Domains ..... 139

Note that each of the chapters contains the following subsections:
- Issuer
- Document Taxonomy
- Circulation
- Goal(s) of the Standard or Guidance Publication
- Information Security Drivers for Implementing the Guidance: Why
- Related Risks of Noncompliance: What Could Happen
- Target Audience
- Timeliness
- Certification Opportunities
- Completeness
- Availability
- Recognition/Reputation
- Usage
- CISM Domain Alignment
- Description and Guidance on Use
- Reference


Introduction
Purpose for Classification of the Guidance
The role of the information security manager has evolved over the past few years. It has shifted from a position that focussed essentially on IT to one where business acuity takes equal priority. At the same time, numerous security standards, codes of practice, methodologies, etc., have been developed and published, all with the purpose of providing some level of direction or support for security objectives. All of them are focussed on one or more issues of importance. However, because there are so many and no harmonisation framework existed, the perception has arisen that there is a standards quagmire. This is where this technical study from ITGI intends to add some clarity to the picture. The purpose of this document is to provide Certified Information Security Manager (CISM) holders and all other information security managers with a road map to the more recognised and widely available information security guidance documents. Seventeen internationally accepted security-focussed guidance documents were examined across 12 separate evaluative criteria, enabling information security managers to identify those that may be of best use within their own organisation or most appropriate for improving their own skills and knowledge. This report will also be useful in presenting the concept of managing risk on an enterprisewide basis, from the boardroom to the network. It helps link risk management and the information presented to governance. Despite the quantity and diversity of available security guidance worldwide, there remain areas of information security management that do not appear to be addressed to the level or detail required in today's environments. ISACA/ITGI will follow up this research with further work to define these gaps and produce additional guidance as required. Additionally, this document will be updated periodically to reflect additional guidance, changes to guidance and advice on how the guidance can be used, based on best practice surveys.

Security Guidance Included in This Research


The scope of this first version of Information Security Harmonisation was defined as identifying, classifying and reporting on the most commonly known and accepted worldwide guidance. The author did not identify every piece of guidance in all countries, but attempted to deal first with the most common and generally accepted. The following were included in this research:
- BS 7799 Part 2:2002 Information Security Management Systems: Specification With Guidance for Use is a specification for an information security management system.
- Control Objectives for Information and related Technology (COBIT), published by the IT Governance Institute, represents a collection of documents that can be classified as a generally accepted framework and standards for IT governance, security, control and assurance.
- Systems Security Engineering: Capability Maturity Model (SSE-CMM) Model Description Document 3.0 is a guide to the concepts and application of a model to improve and assess security engineering capability.
- Generally Accepted Information Security Principles (GAISP) is a collection of security principles that has been defined and produced as a collective effort by members of the organisations involved.
- The Information Security Forum's (ISF's) Standard of Good Practice for Information Security is a collection of information security principles and practices.
- ISO/IEC 13335 Information Technology: Guidelines for the Management of IT Security, released by the International Organisation for Standardisation and the International Electrotechnical Commission, is technical guidance subdivided into five parts which provide guidance on aspects of information security management.
- ISO/TR 13569:1997 Banking and Related Financial Services: Information Security Guidelines, released by the International Organisation for Standardisation, is a grouping of security concepts and suggested control objectives and solutions for financial sector organisations.
- ISO/IEC 15408:1999 Security Techniques: Evaluation Criteria for IT Security is based on the Common Criteria for Information Technology Security Evaluation 2.0 (CC). ISO/IEC 15408:1999 is used as a reference to evaluate and certify the security of IT products and systems.
- ISO/IEC 17799:2000 Information Technology: Code of Practice for Information Security Management is a collection of information security practices.
- The IT Infrastructure Library's (ITIL's) Security Management is a methodology describing how IT security management processes link into other IT infrastructure management processes.
- NIST 800-12 An Introduction to Computer Security: The NIST Handbook, released by the US National Institute of Standards and Technology (NIST), describes the common requirements for managing and implementing a computer security programme and some guidance on the types of controls that are required.
- NIST 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems is a collection of principles and practices to establish and maintain system security.
- NIST 800-18 Guide for Developing Security Plans for Information Technology Systems provides a format and guidance for developing a system security plan.
- NIST 800-53 Recommended Security Controls for Federal Information Systems provides a set of baseline security controls.
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a set of principles, attributes and outputs for risk assessment.
- Organisation for Economic Co-operation and Development (OECD) Guidelines for the Security of Information Systems and Networks provides a set of nine information security principles aimed at fostering a culture of security.
- Open Group's Manager's Guide to Information Security is a booklet providing general guidance for IT managers on acquiring secure IT products and systems.

The Classification Framework


A goal of this project was to produce a comprehensive document that evaluated all selected security guidance in the same manner, using the same criteria. The following approach was used to evaluate the guidance:
- Issuer: Who issued the guidance and what organisation(s) are supporting it and keeping it current?
- Document taxonomy: Is the guidance an international or a national standard, a collection of best practices, or guidance?
- Circulation: Is the guidance used internationally or is it limited to a specific geographical area?
- Goal(s) of the standard or guidance publication: What is the stated purpose of the guidance? For example, the guidance may focus on information security management or baseline protection, or it may provide a methodology or framework.
- Information security drivers for implementing the guidance: What are some specific reasons for considering the implementation of the guidance?
- Related risks of not using or implementing: What are some identified risks if the guidance is not implemented?
- Target audience: What is the stated target audience of the guidance?
- Timeliness: How current is the publication and how frequently is it revised?
- Certification opportunities: Is there a certification for adherence to or knowledge of the guidance, either at the organisation or the individual level?
- Completeness: How complete is the guidance in meeting its own stated purposes and in terms of use for designing, implementing and managing an enterprisewide information security management programme?
- Availability: Where and how can the security guidance be obtained?
- Recognition/reputation: What are the recognition levels of the guidance and CISM holders' opinions on its acceptability to the information security industry? Conclusions represent a summary of results of a global survey of more than 5,000 CISMs conducted in the fourth quarter of 2004.
- Usage: How widely is it used by security practitioners, and is it considered comprehensive and effective in this use? Conclusions represent a summary of results of a global survey of more than 5,000 CISMs conducted in the fourth quarter of 2004.
- CISM domain alignment: What level of coverage does the publication provide when compared against the task/knowledge statements in the CISM job domains?
- Description: This section provides a brief, high-level description of the contents of the respective guidance under review, including brief excerpts of all criteria within the framework and the conclusions that were reached. The conclusions result from the author's and others' reading.

Document Taxonomy Chart


As a part of this research, ITGI wanted to present an analysis of the degree to which the various security guidance documents fulfilled five principal areas of security. The areas, and how they are presented in the taxonomy chart (figure 1), are:
- Information security management programme components: The respective guidance contains suggestions for the types of activities an information security manager would normally address within an information security programme, including justifications, objectives and approaches.
- Security principles: The guidance suggests key security principles upon which an information security programme should be based, including justifications that can be interpreted to align with most, if not all, variations of business objectives.
- High-level information security controls: The guidance contains information security controls, but not necessarily the detailed practices of how the control can be applied.
- Detailed control practices: The guidance contains detailed information security control practices.
- Model or methodology: The guidance describes a framework, model or methodology for one or more activities in which an information security manager may be engaged.
Figure 1: Document Taxonomy
(Chart of each security guidance document against the five areas of security focus; the individual cell marks of the chart are not reproduced in this text version.)

Areas of security focus (columns): Management Programme Components; Security Principles; High-level Security Controls; Detailed Control Practices; Model or Methodology.

Security guidance (rows): BS 7799; COBIT[1]; SSE-CMM; GAISP; ISF; ISO/IEC 13335; ISO/TR 13569; ISO/IEC 15408; ISO/IEC 17799; ITIL; NIST 800-12; NIST 800-14; NIST 800-18; NIST 800-53; OCTAVE; OECD; Open Group.

[1] COBIT provides detailed control practices for IT governance. Information security controls are also included within its scope.

Note that BS 7799 and ISO/IEC 17799 have different qualifications because one is a specification (or method) for information security management whilst the other is a set of guidelines and recommended information security practices.

The CISM Domain Chart


CISM is ISACA's groundbreaking credential earned by more than 5,100 professionals in its first two years. It is for the individual who must maintain a view of the big picture by managing, designing, overseeing and assessing an enterprise's information security. CISM is specifically geared toward experienced information security managers and those who have information security management responsibilities. It helps provide executive management with assurance that those earning the designation have the required knowledge and ability to provide effective security management and consulting. It is business-oriented and focusses on information risk management whilst addressing management, design and technical security issues at a conceptual level. Whilst its central focus is security management, all those in the IS profession with security experience can find value in CISM. The CISM domain chart in figure 3 provides a summary of how and to what level of detail each of the 17 global guidance documents provides coverage of the task and knowledge requirements within the five CISM domains. First, it suggests the likely usefulness of each document to the CISM who feels weak in the knowledge requirements of one or more domains. Second, it provides to all security practitioners potentially new approaches to common information security management activities. This research has allocated each of the global guidance documents a ranking[2] of 4, 3, 2, 1 or 0 for each of the five CISM domains. These rankings are not intended to indicate the quality of the publication but are designed to indicate their helpfulness to a CISM (or someone seeking to gain CISM certification) in addressing the specific objectives of each CISM domain. The five levels are further defined in figure 2.

[2] The use of a ranking of 5 has been specifically excluded as none of the examined guidance documents was found to provide full coverage of a CISM domain.

Figure 2: CISM Domain Rankings

Ranking  Description
4        The publication addresses many of the respective CISM domain's tasks, providing not only what needs to be done but also suggestions on how it can be achieved.
3        The publication contains detailed guidance on one or more of the CISM domain tasks. Other tasks within the domain either are not addressed or the level provided is inadequate for real learning purposes.
2        The publication should be considered a useful complement to other resources, but on its own does not supply sufficient guidance for the respective CISM domain.
1        The publication is unlikely to provide real benefit to the reader in addressing this CISM domain. Any references are either incomplete or very high level.
0        There are little or no references to this CISM domain.

The overall score uses the same definitions, but in relation to all five CISM domains. In this context, the overall score is not necessarily an average of the individual scores.

Figure 3: Security Guidance Coverage of CISM Domains
(Columns: Information Security Governance; Risk Management; Information Security Programme Management; Information Security Management; Response Management; Overall Coverage of CISM Domains)

Publication      Governance  Risk  Programme  Management  Response  Overall
BS 7799              2         1       2          2          1         2
COBIT                2         1       2          2          1         2
SSE-CMM              2         2       2          2          2         2
GAISP                2         1       1          1          0         2
ISF                  2         2       3          2          1         2
ISO/IEC 13335        4         3       4          4          1         4
ISO/TR 13569         2         3       3          2          1         2
ISO/IEC 15408        0         0       2          0          0         2
ISO/IEC 17799        1         1       3          2          2         2
ITIL                 1         0       2          2          1         2
NIST 800-12          4         3       4          4          3         4
NIST 800-14          2         1       2          2          2         2
NIST 800-18          1         1       3          1          1         2
NIST 800-53          1         1       3          1          1         2
OCTAVE               2         4       4          1          1         3
OECD                 2         1       1          0          1         1
Open Group           0         0       1          1          0         1

A full description of the CISM job domains and the associated task and knowledge statements is provided in the appendix of this document.

How to Use This Publication


Best use of this publication depends upon the reader's familiarity with security standards and guidance. Another factor is how the reader's enterprise embraces global standards, guidance and best practices. Therefore, the following suggested approach may or may not fit the reader's needs. One size does not fit all. Consider the guidance currently used by the enterprise and then review the document taxonomy in figure 1. Determine whether the guidance currently used is adequate for the anticipated needs of the enterprise in the future across the five areas mapped:
- Information security management programme components
- Security principles
- High-level information security controls
- Detailed control practices
- Model or methodology
Then consider the information security drivers for implementing each standard/guidance described in this book. Review the related risks of not using or implementing the guidance. Helpful information to arrive at the best practice for the enterprise is presented in the CISM domain alignment section for each standard/guidance and in the recognition levels of the guidance and CISM holders' opinions on its acceptability to the information security industry. Remember that the standards/guidance reviewed in this publication do not include every guidance available, only the more globally recognised and widely available information security guidance documents. Each enterprise must analyse its unique security needs in relation to the available guidance. In the end, each enterprise must analyse its needs and evaluate its weaknesses and strengths as they relate to information security.

History and Role of ISACA and ITGI


The Information Systems Audit and Control Association, established in 1969, is a nonprofit member organisation which has for many years worked with security and IT assurance professionals. It is globally recognised as the major provider of standards and controls for the general IT environment. ISACA's CISA certification was developed in 1978 and remains the most successful and internationally recognised IT auditor certification available, with more than 38,000 certified globally since inception.
In 1996, ISACA's affiliated foundation published the first version of COBIT as a framework within which IT governance could be managed. COBIT, now in its third edition, is published in several languages, including Dutch, French, German and Spanish, amongst others, and is generally considered to be the leading governance, security, control and assurance framework across the world. ISACA reflected the growing awareness of the vital role of technology in helping businesses achieve their corporate aims with the creation of the IT Governance Institute in 1998. Effective IT governance helps ensure that IT supports business goals, maximises business investment in IT, and appropriately manages IT-related risks and opportunities. In 2002, the CISM certification was launched. It was specifically developed to reflect the increasing importance of the role of information security managers and, in particular, to reflect their increased profile within organisations and their vital role in corporate and IT governance.

Approach to the Classification


Descriptions of the guidance have been provided based on the author's review. Whilst attempts have been made to keep these descriptions factual, subjective opinions of the author are unavoidable. All guidance was evaluated/classified using the same approach and framework. The intent was to provide a comprehensive solution for answering questions about how the various guidance documents address the security space. In completing this classification, information relating to the reputation, recognition, acceptance and usage of the publications was obtained from a survey of holders of the CISM certification. A comprehensive survey was sent to more than 5,000 CISMs. Nearly 1,900 completed and returned the survey, a 37 percent response rate. Information was classified by geographic location[3] to identify regional differences. CISM holders and other readers of this document are encouraged to provide ISACA with feedback on their own specific experiences of using the referenced guidance and to suggest others that should be included in this classification. The security guidance included in this document undoubtedly will undergo change/modification and, as mentioned previously, it is intended that this report will be updated regularly to reflect changes and finalisation, in addition to new guidance that comes into existence.

[3] Five geographic locations were used: Asia, Central/South America, Europe/Africa, North America and Oceania.

1. BS 7799 Part 2:2002 Information Security Management Systems: Specification With Guidance for Use
Issuer
The United Kingdom Standards Policy and Strategy Committee provides authority for publication of documents as British Standards. BS 7799 has been adopted and modified by several countries, for example, AS/NZS 7799-2 for Australia and New Zealand.

Document Taxonomy
The original BS 7799 was issued as two parts:
- BS 7799-1, Information Technology: Code of Practice for Information Security Management
- BS 7799-2, Information Security Management Systems: Specification with Guidance for Use
BS 7799-1 no longer exists, having been replaced by ISO/IEC 17799, which is discussed later in this research.

Circulation
BS 7799-2 is a British Standard that is widely known and used internationally.

Goal of the Standard or Guidance Publication


The purpose of this guidance was to specify the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system. It has been designed to be compatible with ISO/IEC 9001:2000 Quality Management Principles and ISO/IEC 14001:1996 Environmental Management.

Information Security Drivers for Implementing the Guidance: Why


It may provide assurance to customers and trading partners that the organisation is managing its information security risks to meet a recognised minimum standard.

Following the defined guidance for an information security management system, regardless of whether one is seeking certification, can be a good method of instilling discipline into the security management process.

Related Risks of Noncompliance: What Could Happen


Whilst there is no specific risk in following the model defined by BS 7799-2, organisations failing to address all of the process areas are unlikely to be managing security to a satisfactory level.

Target Audience
The guidance is prepared for business managers and their staff as a model for an information security management system. It can also be used by certification bodies.

Timeliness
BS 7799-2 was first developed and issued in 1998 as a specification to complement BS 7799-1 (now ISO/IEC 17799). It was revised in 1999 to reflect changes in part 1 and again in 2002 to harmonise with other ISO management standards. British Standards are normally revised every three to five years. The next version of ISO/IEC 17799 is due for release in April 2005 and it is anticipated that BS 7799-2, updated to reflect ISO/IEC 17799:2005, may very well become an ISO standard by the end of 2006.

Certification Opportunities
A certification scheme exists to certify organisations toward compliance. Although this is a British Standard, more than 900[4] organisations in more than 40 countries have been evaluated and certified to BS 7799-2.

Completeness
BS 7799-2 is a model that includes every activity required to establish, implement, operate, monitor, review, maintain and improve a documented information security management system. It is designed to be used by organisations of any size or type, and is not geographically specific.

[4] Figures obtained from the International Information Security Management System User Group web site at www.xisec.com.

Unlike ISO/IEC 17799 Code of Practice for Information Security Management, BS 7799 contains no guidance on how to undertake the activities it describes. It also avoids describing specific control practices, as these naturally vary across organisations. However, it does recommend other documents that may be helpful to organisations applying the guidance. The appendix of BS 7799-2 contains a list of controls (summarised from ISO/IEC 17799) that organisations can use as the basis for identifying and setting their own organisational security control frameworks. However, this list is not intended to be exhaustive and the onus is on the organisation to supplement those provided.

Availability
The guidance is available for purchase from www.bsi-global.com (GB sterling 28.00 for British Standard Institute members and 56.00 for nonmembers).

Recognition/Reputation
Based on the global survey of CISMs (described in this document's Introduction), BS 7799-2 is globally recognised and considered to be a widely accepted standard by a large majority (74 percent) of the respondents.

Usage
BS 7799-2 is comprehensive and is being actively used (i.e., implemented, used as best practice or used for assessment) by the majority (57 percent) of surveyed CISMs in Europe/Africa, Central/South America and Oceania. Asia figures are slightly below this (48 percent) and in North America the figure falls to 39 percent. These are significant figures for an individual standard.

CISM Domain Alignment


When reviewing BS 7799-2 to see how it addresses the five domains of the CISM certification, the following rankings are evident.

Information Security Governance, 2


The document provides a model that includes many of the tasks an information security manager must undertake but it does not give detailed guidance on how the information security manager should complete these tasks.

Risk Management, 1
BS 7799-2 contains references to and definitions of risk management activities but it provides no guidance on development and application of risk management methods.

Information Security Programme Management, 2


It is a good model for those wishing to design, develop and manage an information security programme and a must for organisations intending to apply for BS 7799 certification. However, the guidance provides little direction on how to carry out the activities, meaning the user of the model should already be experienced in information security management.

Information Security Management, 2


This is a good model for the operational aspects of information security management, but limited detail is provided on how to carry out the tasks.

Response Management, 1
The guidance contains only brief references to response management; it is limited in this area and provides no direction.

Overall, 2
This is a useful model for those wishing to establish a framework for the management of an information security management system and a must for those seeking BS 7799 certification. It needs to be used by an experienced information security manager and must be supplemented with other information security standards and guidance.

Description and Guidance on Use


BS 7799-2 uses 33 pages to describe a model for setting up and managing an information security management system. There are eight chapters and a number of annexes and reference tables. It is a useful model but insufficient in itself for an inexperienced information security manager. Even the experienced IT security professional should, as is recommended within BS 7799-2, refer to other publications for guidance on undertaking the activities described. The guidance includes an introduction to the plan-do-check-act (PDCA) model that is used in other management systems standards such as ISO/IEC 9001. The PDCA model also reflects some of the principles set out in OECD's Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security and in COBIT, both of which are reviewed later in this document.

Since the PDCA is an approach used in several globally respected standards, the following is a brief description of the approach as it would be used to manage a comprehensive information security management system.

Plan activities address the establishment of the information security management system and include:
- Definition of the information security management system coverage (e.g., location, assets, technology)
- Definition of an information security policy that reflects organisational needs
- Definition of a risk assessment methodology
- Identification and assessment of risks
- Identification and evaluation of options for the treatment of risks
- Selection of control objectives and controls
- Preparation of a statement of applicability (which gives the reasons for selection and exclusion of controls)

Do activities are concerned with the implementation and operation of the information security management system and include:
- Creation of plans to allocate responsibilities and priorities for risk treatment
- Implementation of controls
- Training and awareness programmes
- Operations and resource management
- Procedures for detecting and reacting to incidents

Check activities are concerned with monitoring and reviewing the information security management system and include:
- Execution of monitoring and other control procedures
- Reviews of information security management system effectiveness
- Reviews of residual risks and acceptable risks

Act activities are concerned with maintaining and improving the information security management system and include:
- Implementing improvements (including taking corrective and preventive actions to eliminate the cause of nonconformities and guard against future nonconformities)
- Learning from experiences (one's own and those of other organisations)
- Ensuring that improvements meet the objectives

The standard describes the types of documentation needed to establish and manage the information security management system as well as those needed to satisfy the British Standard (and that are therefore necessary for certification to the standard). It also describes the procedures that need to be in place to control documents and records. Management responsibilities are identified and include management commitment, resource management and information security management system review. The following extracts indicate the level of detail that is contained in BS 7799-2.
Extract from 4.3.1 General Documentation Requirements


The information security management system documentation shall include the following:
a) Documented statement of the security policy (see 4.2.1b) and control objectives.
b) The scope of the information security management system (see 4.2.1c) and procedures and controls in support of the information security management system.
c) Risk assessment report (see 4.2.1c to 4.2.1b).
d) Risk treatment plan (see 4.2.2b).
e) Documented procedures needed by the organisation to ensure the effective planning, operation and control of its information security processes (see 6.1).
f) Records required by this British Standard (see 4.3.3).
g) Statement of applicability.
h) All documentation shall be made available as required by the information security management system policy.

Annex A of the standard is a list of control objectives and controls that are directly derived from those listed in ISO/IEC 17799:2000 and must be used as part of the controls selection process identified in the plan stage. Annex B provides guidance on the use of the standard, including details on what should be documented in scope statements, risk assessments and risk treatment plans. There is also guidance on what type of checking and self-policing procedures may be applied, how to approach information security management system audits and how to deal with nonconformities. A table within annex B maps seven of the nine OECD security principles against the PDCA model of BS 7799-2.

Extract from B.4.3 Self-policing Procedures


A self-policing procedure is a control that has been constructed so that any error or failure perpetrated during execution is capable of prompt detection. An example would be a device that monitors a network (e.g., for equipment failures or errors) and raises an alarm. The alarm alerts the responsible people to the problem, and they then have the task of diagnosing the cause of the problem and fixing it. However, if the problem is not corrected within a defined period of time, additional alarms are raised to more senior management, thus escalating the problem automatically.
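As an added illustration of the self-policing control described in the extract above (not text or code from BS 7799-2), the following Python sketches an alarm that escalates automatically when it remains unresolved past a defined period, so that the problem reaches more senior management without anyone having to remember to forward it. The tier names and periods in ESCALATION_CHAIN, the monitoring source name and the timeline in run_scenario are all constructed for the example.

```python
"""Self-policing alarm with time-driven escalation (illustrative example, not from BS 7799-2)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed escalation chain (not from the standard): each tier is
# (who is alerted, seconds an alarm may stay unresolved at that tier before it escalates).
ESCALATION_CHAIN: List[Tuple[str, int]] = [
    ("on-call operator", 15 * 60),
    ("duty manager", 30 * 60),
    ("head of IT operations", 60 * 60),  # top tier: nowhere further to escalate
]


@dataclass
class Alarm:
    source: str                      # monitoring device that raised the alarm
    message: str
    raised_at: int                   # epoch seconds; ints keep the example deterministic
    tier: int = 0                    # index into ESCALATION_CHAIN
    resolved_at: Optional[int] = None
    tier_entered_at: int = field(init=False)
    notifications: List[Tuple[int, str, int]] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Raising the alarm is itself the first notification, to the lowest tier.
        self.tier_entered_at = self.raised_at
        self._notify(self.raised_at)

    def _notify(self, now: int) -> None:
        recipient, _ = ESCALATION_CHAIN[self.tier]
        self.notifications.append((now, recipient, self.tier))

    def is_open(self) -> bool:
        return self.resolved_at is None

    def resolve(self, now: int) -> None:
        self.resolved_at = now


def escalate(alarm: Alarm, now: int) -> int:
    """Advance an unresolved alarm through the chain according to elapsed time.

    Returns the tier the alarm sits at after the check. Escalation is driven purely
    by the clock. Deadlines chain from the time each tier was entered, so a late
    check (e.g. a scheduler that stalled) can move the alarm up several tiers at once.
    """
    if not alarm.is_open():
        return alarm.tier
    while alarm.tier < len(ESCALATION_CHAIN) - 1:
        _, period = ESCALATION_CHAIN[alarm.tier]
        if now - alarm.tier_entered_at < period:
            break
        alarm.tier_entered_at += period   # next deadline counts from the missed one
        alarm.tier += 1
        alarm._notify(now)
    return alarm.tier


def run_scenario() -> List[Tuple[int, str, int]]:
    """Constructed timeline: a link-down alarm at t=0 that nobody clears until t=3000.

    Returns the notification log as (time, recipient, tier) tuples.
    """
    alarm = Alarm(source="net-monitor-01", message="link eth0 down", raised_at=0)
    for now in (600, 900, 1800, 2700, 2900):   # periodic checks by a scheduler
        escalate(alarm, now)
    alarm.resolve(3000)
    escalate(alarm, 10_000)                      # resolved alarms never escalate further
    return alarm.notifications


if __name__ == "__main__":
    for when, who, tier in run_scenario():
        print(f"t={when:5d}s  tier {tier}: alert {who}")
```

The design point is that the escalation decision depends only on the clock and the alarm's state, never on an operator acting; the scheduler that calls escalate is the only moving part, and even if it runs late the alarm still climbs to the tier the elapsed time warrants.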

Reference
www.bsi-global.com

2. COBIT
Issuer
The IT Governance Institute is the copyright holder and issuer of the COBIT guidance. COBIT is a worldwide de facto standard.

Document Taxonomy
COBIT represents a collection of documents and a framework that are classified as generally accepted best practices for IT governance, control and assurance. Its use reaches IT management, security, control and user management. The framework, along with the Committee of Sponsoring Organisations of the Treadway Commission (COSO), is considered to be critical to compliance with the US Sarbanes-Oxley Act.

Circulation
COBIT is accepted worldwide. In addition to the English version, it has been translated into several languages, including Dutch, French, German and Spanish.

Goals of the Standard or Guidance Publication


The COBIT mission is to research, develop, publicise and promote an authoritative, up-to-date, international, generally accepted information technology control framework for day-to-day use by business managers, IT professionals and security assurance professionals.

Information Security Drivers for Implementing the Guidance: Why


There would not generally be one specific security driver behind implementing COBIT, as it is aimed at IT governance, of which security management is a part.

Related Risks of Noncompliance: What Could Happen


There is no direct security risk from not complying, although it is widely accepted that security operates more effectively in an environment with good IT governance and controls.

Target Audience
Within organisations, three levels are addressed: management, IT users, and control and security professionals. Many types of organisations, public and private companies and external assurance professionals form the relevant target group.

Timeliness
The first edition of COBIT was issued in 1996. In 1998 the second edition was published with additional control objectives as well as the Implementation Tool Set. The third edition was issued in 2000 and included the Management Guidelines as well as an overall update. Management Guidelines includes a maturity model for IT governance and each of the objectives, as well as key goal indicators, critical success factors and key performance indicators. It is still relevant and up to date. The latest enhancements to COBIT at the time of this publication in 2005 include:
- COBIT Quickstart
- COBIT Online
- IT Governance Implementation Guide
- Control Practices
- COBIT Security Baseline

The next update to COBIT is targeted for release in late 2005.

Certification Opportunities
COBIT's audit guidelines contain information for auditing and self-assessment against the control objectives, but there is no certification programme available for any part of COBIT. The COBIT framework is used frequently by Certified Public Accountants (CPAs) and Chartered Accountants (CAs), for instance, when performing an SAS 70 review, and has rapidly become the IT control framework of choice for organisations addressing international regulatory issues, such as the US Sarbanes-Oxley Act of 2002.

Completeness
COBIT addresses a broad spectrum of duties in IT management and can be of significant interest and use to the security manager, particularly if the organisation decides to build an IT governance framework using COBIT as its model. It does not contain the full depth of security management activities contained in ISO/IEC 17799.

Availability
COBIT is available in a variety of ways. First, the most dynamic and useful manner is through COBIT Online. It can be purchased by going to www.isaca.org/cobitonline. The approach allows users to customise a version of COBIT to suit their own enterprise, then store and manipulate that version as desired. It also offers full online access to all of COBIT, an editable Access database download feature, real-time surveys, an active community forum and a robust benchmarking feature. Also, most parts of COBIT are readily accessible for complimentary electronic download from the ISACA or ITGI web sites, www.isaca.org or www.itgi.org. The audit guidelines are posted for complimentary download for ISACA members only. Alternatively, a printed set and fully searchable CD-ROM can be purchased from the ISACA Bookstore, bookstore@isaca.org.

Recognition/Reputation
Based on the global survey of CISMs (described in this document's Introduction), recognition of COBIT is extremely high, at over 98 percent. Of equal or more interest is that a majority (58 percent) of surveyed CISMs (security professionals) felt that COBIT is a well-accepted global standard.

Usage
COBIT is considered to be comprehensive and effective and is being actively used (i.e., implemented, used as best practice or used for assessment) by more than 40 percent of surveyed information security managers globally (rising to in excess of 60 percent in Central/South America). These are significant figures for an individual standard and are exceeded only by ISO/IEC 17799 and BS 7799. Although this high level of use may be explained by the CISM population's relationship to ISACA, it should also be noted that security managers do not, in general, make use of standards they hold in low esteem.

CISM Domain Alignment


Information Security Governance, 2
COBIT addresses a number of information security governance tasks as part of IT governance, but most likely not in the level of detail required by an information security manager.

Risk Management, 1
Risk management is referenced specifically in the PO9 process of COBIT. The remaining areas address it, but not to any great detail.

Information Security Programme Management, 2


COBIT provides a simple model for planning and building an information security programme, but it does not have sufficient detail nor does it address all the responsibilities of an information security manager.

Information Security Management, 2


COBIT provides a straightforward model for supporting and monitoring an information security programme, but it does not have sufficient detail nor does it address all the responsibilities of an information security manager.

Response Management, 1
Response management is referenced, but not to any detail.

Overall, 2
This guidance, although comprehensive, would be useful to an information security manager if his/her organisation is planning to implement COBIT and/or enhance the broader IT governance concepts, including how security management fits into the overall equation. Since much of the security material is aimed at educating IT management in security matters rather than as guidance to security managers, its use beyond overall governance is somewhat limited.

Description and Guidance on Use


Enterprise governance (the system, which includes the policies, procedures and standards guidance, by which organisations are governed and controlled) and IT governance (the system by which the organisation's IT is governed and controlled) are, from a COBIT point of view, highly interdependent. Enterprise governance is inadequate without IT governance and vice versa. IT can extend and influence the performance of the organisation, but it has to be subject to adequate governance. On the other hand, business processes require information from the IT processes, and this interrelationship has to be governed as well.
This theme can be taken further by considering information security governance. It, too, has a highly interdependent relationship with enterprise governance and IT governance. Whilst COBIT has not been developed specifically with the information security manager as a primary target, a large amount of the material is relevant to the information security programme. There are several publications that make up COBIT. Those of key interest to the information security manager are addressed in the following subsections.

COBIT Framework
The COBIT Framework (65 pages) has been designed as a method of creating an IT governance framework that bridges the business control model with a focussed IT control model. In designing the framework, work performed by many organisations was referenced, including ISO/IEC 17799 Code of Practice for Information Security Management and several of the NIST publications. Also considered were business control models by COSO in Internal Control: Integrated Framework of 1992, Cadbury in the UK, CoCo in Canada and King in South Africa. The framework identifies the need to satisfy the quality, fiduciary and security requirements for information. These broad requirements are then broken into seven distinct, but overlapping, categories:

Quality:
1. Effectiveness: Information must be relevant and pertinent to the business process as well as be delivered in a timely, correct, consistent and useable manner.
2. Efficiency: This calls for provisioning information through the most optimal (productive and economical) use of resources.

Security:
3. Confidentiality: Sensitive information must be protected from unauthorised disclosure.
4. Integrity: Information must be complete and accurate and in line with business values and expectations.
5. Availability: Information, and associated resources and capabilities, must be available when needed now and in the future.

Fiduciary:
6. Compliance: This deals with laws, regulation and contractual arrangements to which the business is subject.
7. Reliability of information: This category relates to provision of the information needed by management to operate the entity and to exercise financial and compliance reporting responsibilities.

The framework then describes the IT resources necessary to deliver on the principles. There are five:
- Data: In its widest sense (i.e., internal and external), structured and nonstructured, graphics, sound, etc.
- Application systems: The sum of manual and programmed procedures
- Technology: Includes hardware, operating systems, database management, networking, etc.
- Facilities: Resources needed to house and support information systems
- People: Includes staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services

The framework then provides 34 control objectives that are described within four domains. The domains are designed to fit in with the same PDCA models used by OECD security guidance, ISO/IEC 9000, 14000, 15000 and BS 7799-2:2002. The four domains (see figure 4) are:
- Plan and Organise: 11 objectives, numbered PO1 to PO11
- Acquire and Implement: 6 objectives, numbered AI1 to AI6
- Deliver and Support: 13 objectives, numbered DS1 to DS13
- Monitor and Evaluate: 4 objectives, numbered M1 to M4

Figure 4: COBIT IT Processes Defined Within the Four Domains (figure content summarised below)
Business objectives drive IT governance. At the centre of the cycle through the four domains sit the information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability) and the IT resources (people, application systems, technology, facilities and data). The 34 processes are:

Plan and Organise
- PO1 Define a strategic IT plan
- PO2 Define the information architecture
- PO3 Determine the technological direction
- PO4 Define the IT organisation and relationships
- PO5 Manage the IT investment
- PO6 Communicate management aims and direction
- PO7 Manage human resources
- PO8 Ensure compliance with external requirements
- PO9 Assess risks
- PO10 Manage projects
- PO11 Manage quality

Acquire and Implement
- AI1 Identify automated solutions
- AI2 Acquire and maintain application software
- AI3 Acquire and maintain technology infrastructure
- AI4 Develop and maintain procedures
- AI5 Install and accredit systems
- AI6 Manage changes

Deliver and Support
- DS1 Define and manage service levels
- DS2 Manage third-party services
- DS3 Manage performance and capacity
- DS4 Ensure continuous service
- DS5 Ensure systems security
- DS6 Identify and allocate costs
- DS7 Educate and train users
- DS8 Assist and advise customers
- DS9 Manage the configuration
- DS10 Manage problems and incidents
- DS11 Manage data
- DS12 Manage facilities
- DS13 Manage operations

Monitor and Evaluate
- M1 Monitor the processes
- M2 Assess internal control adequacy
- M3 Obtain independent assurance
- M4 Provide for independent audit

COBIT Control Objectives


The COBIT Control Objectives (148 pages) document takes the 34 high-level control objectives and breaks them into more detailed control objectives, resulting in a comprehensive list of 318 control objectives.

Extract of AI1.8 Risk Analysis Report
The organisation's system development life cycle methodology should provide for, in each proposed information system development, implementation or modification project, an analysis and documentation of the security threats, potential vulnerabilities and impacts, and the feasible security and internal control safeguards for reducing or eliminating the identified risk. This should be realised in line with the overall risk assessment framework.

Extract of DS2 Deliver and Support, Manage Third-party Services
Control over the IT process of managing third-party services that satisfies the business requirement to ensure that roles and responsibilities of third parties are clearly defined, adhered to and continue to satisfy requirements. It is enabled by control measures aimed at the review and monitoring of existing agreements and procedures for their effectiveness and compliance with organisation policy, and takes into consideration:
- Third-party service agreements
- Contract management
- Nondisclosure agreements
- Legal and regulatory requirements
- Service delivery monitoring and reporting
- Enterprise and IT risk assessments
- Performance rewards and penalties
- Internal and external organisational accountability
- Analysis of cost and service level variances

COBIT Management Guidelines


COBIT Management Guidelines (121 pages) provides a link between IT control and IT governance. The guidelines are action-oriented and generic, and provide management-specific guidance and direction for getting the enterprise's information and related processes under control, monitoring achievement of organisational goals, monitoring and improving performance within each IT process and benchmarking organisational achievement. Management Guidelines includes, for each of the 34 control objectives, a maturity model, key goal indicators, critical success factors and key performance indicators.

Extract from PO9 Maturity Model, Level 2: Repeatable but Intuitive
There is an understanding that IT risks are important and need to be considered. Some approach to risk assessment exists, but the process is still immature and developing. The assessment is usually at a high level and is typically applied only to major projects. The assessment of ongoing operations depends mainly on IT managers raising it as an agenda item, which often happens only when problems occur. IT management has not generally defined procedures or job descriptions dealing with risk management.

COBIT Security Baseline


COBIT Security Baseline (38 pages) was developed primarily to help IT managers understand the need for information security and to provide essential security awareness messages for varying audiences including home users, professional users, managers, executives and boards of directors. Information security is defined within the document along with a list of 39 main steps that are needed to obtain a security baseline. These are grouped under the four COBIT domains and cross-referenced to the relevant control objectives from ISO/IEC 17799 and the 34 COBIT control objectives.

Extract of Steps 17 and 18 of Managing Changes
Step 17: Evaluate all changes, including patches, to establish the impact on the integrity, exposure or loss of sensitive data, availability of critical services, and validity of important transactions. Based on this impact, perform adequate testing prior to making the change.
Step 18: Record and authorise all changes, including patches (emergency changes possibly after the fact).

COBIT Security Baseline also provides six survival kits, each aimed at a different audience, consisting of a checklist of actions that need to be addressed to ensure baseline security.

Extract of Questions From Information Security Survival Kit 5, Senior Executives
- How is the board kept informed of information security issues?
- When was the last briefing made to the board on security risks and status of security improvements?
- Is the enterprise clear on its position relative to IT and security risks? Does it tend toward risk avoidance or risk taking?
- How much is being spent on information security? On what? How were the expenditures justified?
- What projects were undertaken to improve security last year? Have sufficient resources been allocated?
- How many staff had security training last year? How many of the management team (members) received security training?

Control Practices
Control Practices (226 pages) expands the capabilities of COBIT by providing the practitioner with an additional level of detail. Whilst the COBIT IT processes, business requirements and detailed control objectives define what needs to be done to implement an effective control structure, Control Practices provides the more detailed how and why. Each of the 318 control objectives is listed here along with a brief rationale for why, and control practices for how.

Extract of AI6.4 Emergency Changes
Why Do It? Controlling emergency changes by implementing the control practices will ensure:
- Emergency procedures are used in declared emergencies only.
- Urgent changes can be implemented without compromising integrity, availability, reliability, security, confidentiality or accuracy.

Control Practices
1. Management defines parameters, characteristics and procedures that identify and declare emergencies.
2. All emergency changes are documented, if not before, then after implementation.
3. All emergency changes are tested, if not before, then after implementation.
4. All emergency changes are formally authorised by system owners and management before implementation.
5. Before and after images, as well as an intervention log, are retained for subsequent review.

COBIT Quickstart
This special version (46 pages) is a baseline for many small to medium enterprises (SMEs) and other entities where IT is not mission-critical or essential for survival. It can also serve as a starting point for other enterprises in their move toward an appropriate level of control and governance of IT. COBIT Quickstart was developed in response to comments that COBIT, in its complete form, can be a bit overwhelming. Those who operate with a small IT staff often do not have the resources to implement all of COBIT. This version of COBIT constitutes a subset of the entire COBIT volume. Only those control objectives that are considered the most critical are included, so that implementation of COBIT fundamental principles can take place easily, effectively and relatively quickly.

COBIT Online
This online version of COBIT allows users to customise a version of COBIT for their own enterprise, then store and manipulate that version as desired. It offers online, real-time surveys and benchmarking, as well as a discussion facility for sharing experiences and questions.

References
www.isaca.org/cobit www.itgi.org

3. SSE-CMM Systems Security Engineering Capability Maturity Model 3.0


Issuer
The International Systems Security Engineering Association (ISSEA) is a nonprofit organisation formed in 1999 to continue development and promotion of SSE-CMM. (SSE-CMM is copyrighted by Carnegie Mellon University.) Members may be interested individuals or organisations.

Document Taxonomy
SSE-CMM Model Description Document 3.0 (SSE-CMM 3.0) is a guide to the concepts and application of a model to improve and assess security engineering capability. Version 2 was made ISO/IEC 21827 in 2002.

Circulation
The guidance is widely known and used internationally by organisations involved in security engineering.

Goals of the Standard or Guidance Publication


The SSE-CMM 3.0 is intended to be used as a:
- Tool for engineering organisations to evaluate security engineering practices and define improvements to them
- Standard mechanism for customers to evaluate a provider's security engineering capability
- Basis for security engineering evaluation organisations (e.g., system certifiers and product evaluators) to establish organisation capability-based confidences (as an ingredient to system or project security assurance)

Information Security Drivers for Implementing the Guidance: Why


Customers want assurance of the level of security engineering in products and services.

Related Risks of Noncompliance: What Could Happen


No specific noncompliance risks exist unless the act of compliance begins to provide competitive advantage amongst suppliers that comply with the CMM.

Target Audience
The guidance is primarily aimed at organisations that practise security engineering in the development of operating systems software, security managing and enforcing functions, and the software and middleware of application programmes. Specific users are likely to be product developers, service providers, system integrators, system administrators and security specialists. The guide will also be of use to evaluation organisations or acquiring organisations (e.g., in Requests for Proposal).

Timeliness
Development of SSE-CMM began in 1995, with the first version published in 1996. Version 2 followed and was made ISO/IEC 21827 in 2002. Version 3 was released in 2003 and the ISSEA remains dedicated to improving the model.

Certification Opportunities
There is a documented SSE-CMM Appraisal Method that includes support materials for an appraisal. It was designed primarily for internal process improvement. An Appraiser Certification Programme is being developed.

Completeness
The document is an excellent capability maturity model for evaluating and improving the quality of security engineering. However, it provides only limited information on the full role and responsibilities of an information security manager who is establishing, implementing and managing an enterprisewide information security programme, so it should be supplemented with other security publications.

Availability
SSE-CMM 3.0 is available by free download from the SSE-CMM web site at www.sse-cmm.org. Version 2, now published as ISO/IEC 21827, can be purchased from www.iso.org for Swiss CHF 208.00.

Recognition/Reputation
Based on the global survey of CISMs in 2004 (described in this document's Introduction), SSE-CMM is well recognised (60 to 70 percent) in Asia, North America and Central/South America, but much less so in Oceania and Europe/Africa (more than 40 percent had no experience with the guidance). The majority of CISMs (52 percent) in all regions felt it has only limited acceptance amongst security professionals.

Usage
Active usage (i.e., implemented, used as best practice or used for assessment) of SSE-CMM is disappointing at only 20 percent, although this rises to one-third in Central/South America. The majority (69 percent) of all CISMs familiar with it found it to be effective, but views on its level of comprehensiveness varied, with Oceania in particular having reservations.

CISM Domain Alignment


Information Security Governance, 2
Following the SSE-CMM would improve information security governance performance but it is best used by an experienced information security practitioner with an information security governance framework already defined and in place.

Risk Management, 2
Following the SSE-CMM would improve performance in this domain, but it is best used by an experienced information security manager who already has the domain activities established.

Information Security Programme Management, 2
Following the SSE-CMM would improve performance in this domain, but it is best used by an experienced information security manager who already has the domain activities established.

Information Security Management, 2
Following the SSE-CMM would improve performance in this domain, but it is best used by an experienced information security manager who already has the domain activities established.


Response Management, 2
Following the SSE-CMM would improve performance in this domain, but it is best used by an experienced information security manager who already has the domain activities established.

Overall, 2
This is an excellent model for improving capabilities but it does not in itself provide guidance to an information security manager on how to define and establish an enterprisewide information security management programme. It would be most effective in the hands of an experienced information security manager.

Description and Guidance on Use
The guidance (340 pages) describes SSE-CMM as a process reference model that focuses on the requirements for implementing security engineering in a system or systems. It was designed with the IT domain in mind, but it can also be used for non-IT security domains. The guide describes security engineering in terms of the following goals (it describes rather than defines them, because the role is evolving and, it claims, there is no consensus in the security community):
- Gain understanding of the security risks associated with an enterprise.
- Establish a balanced set of security needs in accordance with identified risks.
- Transform security needs into security guidance to be integrated into the activities of other disciplines employed on a project and into descriptions of a system configuration or operation.
- Establish confidence or assurance in the correctness and effectiveness of security mechanisms.
- Determine that operational impacts due to residual security vulnerabilities in a system or its operation are tolerable (acceptable risks).
- Integrate the efforts of all engineering disciplines and specialties into a combined understanding of the trustworthiness of a system.
SSE-CMM was designed to fill a perceived gap between the existence of security engineering principles and the evaluation of practices, by providing a framework within which an evaluation can be carried out. The guide introduces the concept of maturity models to security. It explains the importance of statistical process control and how it can predict defects and help identify where improvements in a process can be made. It also addresses the concept of process maturity, describing it as the extent to which a specific process is explicitly defined, managed, measured, controlled and effective. Applied to security engineering, this means that a capability maturity model can help an organisation evolve from an ad hoc, less organised, less effective state to a highly structured and highly effective state. The guide describes the expected results from using SSE-CMM as most likely to be:
- Improvements in predictability: Organisations are better at knowing whether they will meet their targets and, if not, by how much they will miss.
- Improvements in control: Targets are revised more accurately and corrective actions are evaluated to select the best application of control measures.
- Improvements in process effectiveness: Targeted results improve as costs decrease and productivity and quality increase.
There are three main security engineering areas in the SSE-CMM:
- Risk: Identifying and prioritising dangers
- Engineering: Determining and implementing solutions that address the risks
- Assurance: Being able to give customers confidence in the solutions
A number of practices are used in each of these areas. Practices are split into base practices and generic practices. The generic practices are those that indicate process management, whilst base practices are those that collectively define security engineering. One performs generic practices as a part of performing a base practice. This is most easily explained using the example provided by the guide.

Extract From 3.3 SSE-CMM Architecture Description
A fundamental part of security engineering is the identification of security vulnerabilities. This activity is captured in the SSE-CMM in Base Practice 05.02, Identify System Security Vulnerabilities. One way to determine an organization's ability to do something is to check whether it has a process for allocating resources to the activities it claims to be doing. This characteristic of mature organizations is reflected in the SSE-CMM in Generic Practice 2.1.1, Allocate Resources. Putting the base practice and generic practice together provides a way to check an organisation's capability to perform a particular activity. Here an interested party might ask, "Does your organization allocate resources for identifying system security vulnerabilities?" If the answer is yes, the interviewer learns a little about the organization's capability; additional information is gained from the supporting documentation or artefacts.

The SSE-CMM has 61 base practices within 11 process areas that cover security engineering. As security engineering must integrate with so many other areas, the guide also includes for context 68 base practices and 11 process areas that address project and organisation (drawn from both the Systems Engineering CMM and the Software CMM).


The 11 security process areas are numbered for reference and are purposely listed in alphabetical order to discourage the notion that they are ordered by life cycle. The 11 security process areas are:
- PA01 Administer Security Controls: The intended security for the system is achieved in its operational state.
- PA02 Assess Impact: Identify impacts (tangible and intangible) and the likelihood of the impacts occurring.
- PA03 Assess Security Risk: Identify and assess the likelihood of exposures.
- PA04 Assess Threat: Identify and characterise security threats.
- PA05 Assess Vulnerability: Identify and characterise security vulnerabilities.
- PA06 Build Assurance Argument: Clearly convey that security requirements are met (evidential activities).
- PA07 Co-ordinate Security: Ensure open communications between security engineering and all other involved parties (e.g., project personnel).
- PA08 Monitor Security Posture: Identify and report all breaches or attempted breaches of security as well as mistakes that could lead to breaches.
- PA09 Provide Security Input: Provide security information needed by interested parties (e.g., system architects, designers).
- PA10 Specify Security Needs: Explicitly identify security needs for the system.
- PA11 Verify and Validate Security: Verify and validate throughout design and development and against the customer's operational security needs.

Extract of a Security Practice from Process Area PA02 Assess Impact
BP.02.03 Select Impact Metric(s)
Select the impact metric(s) to be used for this assessment.
Description: A number of metrics can be used to measure the impact of an event. It is advantageous to predetermine which metrics will be used for the particular system under consideration. Example work products: selected impact metrics.
Notes: A limited set of consistent metrics minimizes the difficulty in dealing with divergent metrics. Quantitative and qualitative measurements of impact can be achieved in a number of ways, such as:
- Establishing the financial cost
- Assigning an empirical scale of severity, e.g., 1 through 10
- The use of adjectives selected from a predefined list, e.g., low, medium, high


Generic practices are grouped into five capability levels and reflect the maturity of the capability. Each level has common features that describe an organisation's characteristic manner of performing a work process, as follows:
- Level 1 Performed Informally: Base practices. "You have to do it before you can manage it" is how SSE-CMM characterises this level.
- Level 2 Planned and Tracked: Project-level definition, planning and performance, characterised by SSE-CMM as "understanding what is happening on the project before defining organisationwide processes".
- Level 3 Well Defined: Disciplined tailoring, characterised as "using the best of what is learned from projects to create organisationwide processes".
- Level 4 Quantitatively Controlled: Measurements tied to organisational business goals, characterised by "you cannot measure it until you know what it is" and "managing with measurement is only meaningful when you're measuring the right things".
- Level 5 Continuously Improving: Sustaining gains and improvements, characterised by "a culture of continuous improvement (that) requires a foundation of sound management practice, defined processes, and measurable goals".

Extract of a Generic Practice Performed at Capability Level 2
GP 2.1.5 Ensure Training
Description: Ensure that the individuals performing the process area are appropriately trained in how to perform the process.
Notes: Training, and how it is delivered, will change with process capability due to changes in how the process(es) is performed and managed.
Relationships: Training and training management is described in PA21 Provide Ongoing Skills and Knowledge.

The guide also contains advice on how to use the SSE-CMM, separately addressing process improvement, capability evaluation and gaining assurance.


Extract from 4.2 Using the SSE-CMM for Process Improvement
Stimulus for Change
The first step in any process improvement is to identify the business reasons for changing the organization's practices. There are many potential catalysts for an organization to understand and improve its processes. Acquisition organizations may require certain practices to be in place for a particular program, or they may define a capability level as the minimally accepted standard for potential contractors. Organizations may have realized certain processes would allow them to more quickly and efficiently produce quality evidence in support of evaluation and certification efforts, provide an alternate means to formal evaluations for customers, or increase consumer confidence that security needs are adequately addressed. Regardless of the catalyst for change, a clear understanding of the purpose of examining existing processes in light of security is vital to the success of a systems security engineering process improvement effort.

References
www.issea.org
www.sse-cmm.org
www.iso.org


4. GAISP Version 3.0

Issuer
Generally Accepted Information Security Principles (GAISP) is being produced by the Information Systems Security Association (ISSA), a not-for-profit international organisation of information security practitioners. The current draft version of GAISP appeared as of August 2003 as a merged effort between Generally Accepted System Security Principles (GASSP), produced by International Information Security Foundation (IISF) in the early 1990s, and Commonly Accepted Security Practices and Recommendations (CASPR), produced by the CASPR Working Group.

Document Taxonomy
GAISP is a collection of security principles that is being defined and produced as a collective effort by members of the organisations involved.

Circulation
GAISP is known to the wider information security community, but particularly so by members of ISSA and within North America.

Goal of the Standard or Guidance Publication
The major goal of ISSA's GAISP Committee is to "Identify and develop pervasive, broad, functional and detailed GAISP in a comprehensive framework of emergent principles, standards, conventions, and mechanisms that will preserve the availability, confidentiality, and integrity of information."

Information Security Drivers for Implementing the Guidance: Why
GAISP represents a good foundation of principles that have been developed by experienced security practitioners.


Related Risks of Noncompliance: What Could Happen
There are no specific risks from noncompliance.

Target Audience
This is not stated explicitly in GAISP, but it would appear to be most suited to the information security practitioner and is flexible enough to serve most types and sizes of organisation.

Timeliness
Version 3 of GAISP is described on the Internet as a draft document. It is undated but has obviously been altered as recently as August 2003. However, many of the references provided are well out of date and it is likely that much of the document in its current form was written in the early to mid 1990s. As of the date of this publication, it has not yet been updated or finalised.

Certification Opportunities
There is no certification process for adhering to GAISP principles.

Completeness
GAISP provides a good set of general principles that addresses the necessary areas of information security management and should be relevant for an organisation of any type, size or geographic location. It does not contain any level of detail below information security principles.

Availability
GAISP is currently in draft mode and can be downloaded without cost from www.gaisp.org.


Recognition/Reputation
Based on data gathered from the global CISM survey (described in this document's Introduction), GAISP is generally well known in North America (67 percent) but is less known elsewhere, particularly in Europe/Africa (40 percent). Acceptance of GAISP as a standard is rather limited (90 percent feel it has either limited or no acceptance), a view expressed in all geographic regions.

Usage
Usage of GAISP is very low (less than 18 percent), even in North America where it is well known. However, it is thought to be reasonably comprehensive and effective in what it addresses by all regions except Europe/Africa.

CISM Domain Alignment

Information Security Governance, 2
GAISP addresses only lightly some of the tasks within the governance domain, but it does contain some useful principles that would be helpful in establishing high-level security policies.

Risk Management, 1
GAISP addresses risk management as a principle, but not in great depth.

Information Security Programme Management, 1
It provides a set of principles, but does not supply great detail.

Information Security Management, 1
GAISP provides a set of principles, but no great detail.

Response Management, 0
Response management is briefly addressed as a principle.

Overall, 2
GAISP contains a good set of principles upon which an information security programme can be created, but it provides very little in the way of detailed guidance. What it does provide, not found elsewhere, is examples to support each of the principles.


Description and Guidance on Use
GAISP is a document of 54 pages covering what it describes as pervasive principles and broad functional principles. There is a chapter heading for detailed security principles that has not yet been written. The document also contains a number of appendices. Pervasive principles are described as those that provide general governance-level guidance to establish and maintain the security of information. Pervasive principles form the basis of the broad functional principles and detailed principles. There are nine pervasive principles, and each is briefly described in GAISP along with a rationale for the principle and an example of its application. The nine principles were founded on those contained within the Guidelines for Security of Information Systems published by the OECD in 1992. The OECD reissued its guidelines in 2002 with a different set of principles. Although GAISP is in line with the original nine that were issued in 1992, each is still valid in the way in which it is described. GAISP's nine pervasive principles are:
- Accountability principle: Ensuring that responsibilities and accountability are clearly defined and accepted
- Awareness principle: Ensuring that everyone, regardless of organisational role, has the required security knowledge
- Ethics principle: Ensuring that the application and administration of security practices are undertaken in an ethical manner
- Multidisciplinary principle: Ensuring that everyone's needs, across all disciplines, are met in the way security is defined and applied
- Proportionality principle: Ensuring that the costs of security are practical and appropriate to the risk
- Integration principle: Ensuring that security complements and integrates with other organisational compliance requirements
- Timeliness principle: Ensuring that the response to threats and events is timely
- Assessment principle: Ensuring that risks are assessed on a regular basis
- Equity principle: Ensuring that the rights and dignity of individuals are respected

Extract of 2.4 Multidisciplinary Principle
Principles, standards, conventions, and mechanisms for the security of information and information systems should address the considerations and viewpoints of all interested parties.
Rationale: Information security is achieved by the combined efforts of information owners, users, custodians, and information security personnel. Decisions made with due consideration of all relevant viewpoints and technical capabilities can enhance information security and receive better acceptance.
Example: When developing contingency plans, the organization can establish a contingency planning team of information owners, representatives from facilities management, technology management, and other functional areas in order to better identify the various expectations and viewpoints from across the organization and other recognized parties.

Broad functional principles are described as the building blocks that provide guidance for operational accomplishment of pervasive principles. There are 14 broad functional principles, and GAISP contains a table showing how they address the nine pervasive principles. Each of the 14 broad functional principles is described in a brief paragraph and is accompanied by a longer rationale and an example of the principle in practice. The 14 broad functional principles are generally self-explanatory and are:
- Information security policy
- Education and awareness
- Accountability
- Information asset management
- Environmental management
- Personnel qualifications
- Incident management
- Information systems life cycle
- Access control
- Operational continuity and contingency planning
- Information risk management
- Network and Internet security
- Legal, regulatory and contractual requirements of information security
- Ethical practices

Extract from 3.1 Information Security Policy
Management shall ensure that policy and supporting standards, baselines, procedures, and guidelines are developed and maintained to address all aspects of information security. Such guidance must assign responsibility, the level of discretion, and how much risk each individual or organizational entity is authorized to assume.
Rationale: In order to assure that information assets are effectively and uniformly secured consistent with their value and associated risk factors, management must clearly articulate its security strategy and associated expectations. In the absence of this clarity, some resources will be under-secured, that is, ineffective; other resources will be over-secured, that is, inefficient.


Appendix A provides a page-long list of the major recommendations contained within Computers at Risk [5] that are addressed by GAISP. Appendix B contains the entirety of the OECD Guidelines for the Security of Information Systems, published by the OECD in 1992.

References
www.gaisp.org
www.issa.org

[5] National Research Council; Dr. David Clark (MIT), committee chair; Computers at Risk, National Academy Press, 1991


5. The Standard of Good Practice for Information Security

Issuer
The Information Security Forum (ISF) is a corporate member-based organisation currently comprised of more than 250 organisations, a large percentage of which are based in Europe with global operations.

Document Taxonomy
The standard is a collection of information security principles and control practices that was generated by members of ISF. The precursor to ISF was the European Security Forum (ESF).

Circulation
The standard was previously known and available only to ISF members, but it was made publicly available a few years ago and has since begun to build wider recognition.

Goals of the Standard or Guidance Publication
The stated goals of the standard are to:
- promote good practice in information security in all organisations world-wide;
- help organisations improve their level of security and reduce their information risk to acceptable levels;
- assist in the development of standards that are practical, focussed on the right areas and effective in reducing information risk.

Information Security Drivers for Implementing the Guidance: Why
This guidance is for those who want to improve their security and benchmark it against that of other major organisations.

Related Risks of Noncompliance: What Could Happen
There is no direct risk from not complying unless the organisation has an inherent need to comply with this standard.

Target Audience
The standard is specifically aimed at major national and international organisations although the ISF believes it is also likely to be of use to any organisation regardless of industry, geographic location or size. It is also likely to be of practical use to information security practitioners, IT management and assurance professionals.

Timeliness
The standard is planned to be updated every two to three years, and a specific aim is to ensure that the latest security hot topics are addressed. The ISF produced version 4 of the Standard of Good Practice for Information Security in March 2003.

Certification Opportunities
No certification is available. However, ISF (corporate) members can benchmark their performance against the standard through ISF's biannual information security status survey.

Completeness
The standard provides a broad and detailed range of security principles, control objectives and security practices. It is particularly aimed at large organisations of any industry type in any geographic location. The standard does not deal with security management concepts nor provide guidance on how to select appropriate controls. If it is to be used, it needs to be applied by an experienced security practitioner or in combination with other guidance publications.

Availability
The standard is publicly available as a free download at www.isfsecuritystandard.com.

Recognition/Reputation
Results from the ISACA global survey of 5,000 CISMs (described in this document's Introduction) revealed that this standard is generally well recognised (approximately two-thirds of surveyed CISMs), although slightly less so in the Oceania region. However, the majority (55 percent) of CISMs familiar with the publication feel it has only limited acceptance as a standard.

Usage
Of those familiar with the standard, at least one-fifth are actively using it in some form or another (i.e., implemented, used as best practice or used for assessment) within their organisation. Usage is practised by almost one-third in Europe/Africa. A good majority (73 percent) of surveyed CISMs familiar with its contents believe the standard has a good level of comprehensiveness and it is also generally considered to be effective in use.

CISM Domain Alignment

Information Security Governance, 2
The standard provides implicitly (through its controls listings) some of the activities an information security manager should address in this domain, but it does not provide any real guidance and direction on how to set up and maintain an information security governance framework.

Risk Management, 2
It provides a good list of risk analysis requirements throughout the organisation. It does not describe approaches and methods of risk management.

Information Security Programme Management, 3
The standard is an excellent source of controls and practices that should help an organisation establish its security baselines and integrate them within the various parts of the organisation. This is clearly the best part of this guidance document. However, it contains nothing about how to develop and maintain security plans, project management methods and techniques, nor advice on establishment of metrics.

Information Security Management, 2
The guidance provides implicitly (through its controls listings) some of the activities an information security manager should address within this domain, with particularly good lists on security awareness. However, it does not provide any guidance on how to establish or carry out these activities.

Response Management, 1
It defines the requirement for response management but provides very little that would help an information security manager develop and maintain a response management capability.


Overall, 2
This is a good source of controls and detailed control practices for the experienced information security practitioner. Those with less experience may find it overwhelming and have difficulty deciding which control practices are appropriate for their own organisation.

Description and Guidance on Use
ISF's Standard of Good Practice (the standard) is a document of 248 pages covering a range of principles and practice statements for the management of information security. An introductory section within the document explains the background to the development of the standard and provides drivers and benefits for its use. The standard is comprehensive in its coverage and depth of practices and should be used by security managers experienced in determining whether the cost of applying the security practices provides adequate benefits. The standard's framework splits information security management into five distinct aspects, each of which covers a particular type of environment:
- Security management (enterprisewide): High-level direction and control
- Critical business applications: Risks and protection of applications
- Computer installations: Requirements for the setup and running of computer services
- Networks: Requirements for the setup and running of networks
- Systems development: Incorporation of security requirements into new systems
The five aspects are broken into a number of supporting areas, which are then further broken into sections containing a principle and objective. Suggested practice statements advising on how each principle and objective can be met, usually between four and six statements per section, are also provided. A detailed second index addressing a wide range of security-related topics provides easy reference to every practice statement. As each of the five aspects is designed to be complete in its own right, some sections (e.g., risk analysis) are repeated, with the practice statements being varied accordingly. The structure of the standard is shown in figure 5.


Figure 5: Structure of the Standard

Aspect (e.g., a critical business application)
  Area 1
    Section 1.1 Statement of Good Practice
    Section 1.2 Statement of Good Practice
    Section 1.3 Statement of Good Practice
  Area 2
    Section 2.1 Statement of Good Practice
  Area 3
    Section 3.1 Statement of Good Practice
    Section 3.2 Statement of Good Practice

Source: Information Security Forum, The Standard of Good Practice for Information Security, Version 4.1, January 2005

Extract From Area 1 High-Level Direction from the Security Management Aspect
Section SM1.2 Security Policy
Principle: A comprehensive, documented information security policy should be produced and communicated to all individuals with access to the enterprise's information and systems.
Objective: To document top management's direction on and commitment to information security, and communicate it to all relevant individuals.
SM1.2.3 (i.e., the third practice statement for this section) The information security policy should require:
a) Critical information and systems to be subjected to a risk analysis on a regular basis
b) That an owner (typically the person in charge of a particular business application, computer installation or network) is assigned for all critical information and systems
c) That information and systems are classified in a way that indicates their criticality to the enterprise
d) That staff are made aware of information security
e) Compliance with software licenses and with legal, regulatory and contractual obligations
f) Breaches of the security policy and suspected security weaknesses to be reported
g) Information to be protected in terms of its requirements for confidentiality, integrity and availability

The standard addresses the following major topic areas under each aspect:
Security management
- Establishing, documenting and communicating direction and commitment for information security
- Making the organisational arrangements necessary for managing and applying security throughout the enterprise
- Establishing classification and ownership schemes for information assets
- Defining arrangements for a secure environment
- Taking steps for protection from and response to malicious attacks
- Including special topics: e-mail, cryptography, PKI and outsourcing
- Ensuring adequate audit, review and monitoring of the security environment
Critical business applications
- Assessing the security requirements of an application
- Managing applications, including roles and responsibilities, internal controls, change management, and continuity planning
- Controlling access to applications
- Ensuring that applications are adequately supported and backed up
- Addressing practices for application security co-ordination, classification, risk analysis and review
- Including special topics: third-party agreements, key management and web-enabled applications
Computer installations
- Running and monitoring the computer installations to a desired level
- Designing and configuring the live environment
- Ensuring basic controls over the operations of systems
- Controlling access to information and systems in the computer installation
- Addressing practices for computer installation security co-ordination, classification, risk analysis and review
- Developing, maintaining and validating contingency plans
Networks
- Designing and running computer networks to a desired level
- Ensuring that unauthorised network traffic is prevented
- Managing and monitoring network performance and resilience
- Addressing practices for network security co-ordination, classification, risk analysis and review
- Ensuring the security of voice networks
Systems development
- Managing the systems development process, environment and staff
- Addressing practices for systems development security co-ordination and review
- Ensuring arrangements for specification of security requirements
- Addressing security during design, acquisition and build
- Addressing practices for system testing and implementation

Reference
www.isfsecuritystandard.com


6. ISO/IEC 13335 Information Technology Guidelines for the Management of IT Security


Issuer
The International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) established a joint technical committee, ISO/IEC JTC 1, whose Subcommittee SC 27 (IT security techniques) is tasked with publishing international security standards (e.g., ISO/IEC 17799:2000).

Document Taxonomy
ISO/IEC 13335 Information TechnologyGuidelines for the Management of IT Security is a collection of five technical documents that provide guidance on aspects of information security management.

Circulation
The guidance is known and recognised globally by the information security community. Parts of it have been in existence since 1996.

Goals of the Standard or Guidance Publication


The goal of ISO was to create a document that provides guidance on aspects of IT security management. It is divided into five parts:
1. The management tasks of IT security are outlined, providing an introduction to security concepts and models.
2-3. These parts discuss implementation and management aspects and techniques of IT security management, such as planning, design and testing.
4. This part provides guidance on the selection of safeguards, considering the type of IT system as well as security concerns and threats.
5. This part contains information on identifying and analysing communication-related factors that should be taken into account when introducing network security.


Information Security Drivers for Implementing the Guidance: Why


ISO/IEC 13335:
- Provides guidance for information security management
- Provides a structured approach
- Offers internationally recognised security practices
- Enables the enterprise to meet audit, regulatory and legal expectations

Related Risks of Noncompliance: What Could Happen


There is no direct risk from not complying unless the organisation has an inherent need to comply with this guidance.

Target Audience
The guidance is applicable to organisations of all types, sizes and geographic locations. Part 1, which covers the management aspects of IT security, explicitly addresses senior management and information security managers, whereas the other parts target those responsible for implementing security measures, for instance IT managers and IT security staff.

Timeliness
Dates of publication range from 1996 (part 1) to 2001 (part 5). Parts 1 and 2 have been revised into a new part 1 titled Concepts and Models for ICT Security Management, which is to be published in 2006. Parts 3 and 4 are at an early stage of redevelopment and will be made into a new part 2 titled Techniques for Information Security Risk Management. Part 5 is also in the early stages of redevelopment.

Certification Opportunities
There is no specific certification available.

Completeness
ISO/IEC 13335 contains comprehensive guidance on managing IT security and, although parts of it are dated, this does not detract from its general validity or usefulness. The guidance could be used by organisations of any type or size, although small organisations may find the level of detail overwhelming.

There is a good list of safeguards provided in part 4, although, purely due to its age (part 4 was published in 2000), these may not fully address all of today's technical risks.

Availability
The documents can be purchased from ISO at www.iso.org (where prices range between Swiss CHF 73.00 and 158.00 depending on the portion ordered), and from the American National Standards Institute (ANSI) at http://webstore.ansi.org (prices from US $58.00 to US $125.00 depending on the part ordered).

Recognition/Reputation
Results of the ISACA global survey of 5,000 CISM holders (described in this document's Introduction) indicated that the guidance is known to at least 60 percent of surveyed CISMs, with recognition levels in Oceania particularly high at 85 percent. Figures for North America and Asia are surprisingly low for such a long-established international standard. The majority (60 percent) of those CISMs familiar with the guidance felt it has only limited acceptance within the information security community.

Usage
More than one-quarter of surveyed CISMs in Oceania actively use the guidance (i.e., implemented, used as best practice or used for assessment). The level of usage is much lower in other areas (as low as 11 percent in Central/South America). Of those CISMs familiar with it, at least half consider it both comprehensive in its coverage and effective in use.

CISM Domain Alignment


Information Security Governance, 4
By far, this is the best aspect of the guidance. It provides sound guidance for the information security manager covering most of the tasks in this domain, even though some of the documents and information provided within are somewhat dated.

Risk Management, 3
The guidance provides good fundamentals for information security risk management but it stops short of providing the detail that would be required for an appropriate methodology to be developed and used within an organisation.

Information Security Programme Management, 4


ISO/IEC 13335 provides sound guidance for the information security manager, covering most of the tasks in this domain even though some of the documents are somewhat dated. No guidance is provided on project management.

Information Security Management, 4


It provides sound guidance for the information security manager, covering most of the tasks in this domain even though some of the documents are somewhat dated.

Response Management, 1
Response management is referenced but not in any detail.

Overall, 4
ISO/IEC 13335 is recommended as an excellent source of guidance for those involved in the management of information security.

Description and Guidance on Use


The current version of the report consists of five parts that have been written and published over the period of 1996 to 2001.

Part 1: Concepts and Models for IT Security


The first part (23 pages) was published in 1996 with the objective of providing an introduction to the management of IT security. Whilst it purposely does not suggest a particular IT security management approach, it does provide a general discussion of concepts, models, tools and techniques. The requirements for the definition of a policy, the identification of roles and responsibilities, systematic risk management, configuration and change management, contingency/disaster recovery planning, selecting and implementing safeguards, and follow-up activities are all described at a high level that is suitable for senior managers not involved in IT security or for those just beginning to work in IT security. Part 1 identifies how corporate objectives, strategies and policies influence the organisation's general security objectives, strategies and policies, which in turn form the basis for the narrower set of IT security objectives, strategies and policies. IT system security objectives, strategies and policies are derived from the more general level of overall IT security.


The major elements involved in the security management process are:
- Assets (physical assets, information, software, people and intangibles)
- Threats (human and environmental)
- Vulnerabilities
- Impact
- Risk
- Safeguards
- Residual risk
- Constraints

The ongoing process of IT security management consists of the following subprocesses:
- Configuration management: Changes in the configuration must not lead to a reduction of the security level. Changes are tracked, and changes to the systems are reflected in the various types of documentation (e.g., the disaster recovery plan).
- Change management: The process of identifying security requirements when systems change.
- Risk management: Risk management is to be performed throughout the system's life cycle. A risk management process compares risks with the benefits and costs of different types of safeguards.
- Risk analysis: Risks are identified by analysing asset values, threats and vulnerabilities, resulting in a statement of the likelihood of risks to those assets.
- Accountability: Responsibility for security is to be assigned explicitly. Ownership is assigned to assets.
- Security awareness: Explains the security objectives, strategies and policies and the need to comply with them.
- Monitoring: A periodic review of the safeguards is needed to assure their effectiveness.
- Contingency plans and disaster recovery: Contingency plans describe how to maintain core business processes in the case of system outages. Disaster recovery covers the restoration of systems affected by an unintended outage.

Part 2: Managing and Planning IT Security


Part 2 (19 pages), published in 1997, contains guidelines that address essential topics in the management of IT security. Establishing and maintaining an IT security programme is the main task of IT security management. It consists of a planning and management process, risk management, implementation, follow-up (maintenance and monitoring) and integration throughout the organisation. A sound corporate IT security policy should address the following questions:
- Objectives: What is to be achieved? How are these objectives to be achieved? What are the rules for achieving these objectives?
- Management commitment: What are the commitment and support of senior management?
- Policy relationships: What are the relationships amongst corporate strategy, marketing policy, security policy, IT policy, IT security policy and system-specific policies?
- Policy elements: Is there a comprehensive list of topics that are to be covered?

Organisational aspects of IT security, such as roles and responsibilities, the initiation of a security forum and the nomination of security, project and system security officers, are discussed. The need for support by all levels of management is outlined, as is the importance of following a consistent approach throughout the organisation and to all systems.

Strategic options for a risk management strategy are presented thereafter, with their specific advantages and disadvantages. The approaches are:
- Baseline approach: By applying a common set of safeguards to all systems, a baseline protection level is achieved.
- Informal approach: A pragmatic risk analysis for all systems; it relies on the experience of individuals and seems suitable for small organisations.
- Detailed risk analysis: A detailed analysis begins with the identification and valuation of assets and the threats to those assets, followed by the selection of appropriate safeguards and the identification of an acceptable level of residual risk.
- Combined approach: Using the detailed approach at a high level identifies systems with a high risk, which are then analysed in a more comprehensive manner. The other systems are appropriate for a baseline protection approach.

The security recommendations section addresses different types of safeguards, their interdependency and recommendations for selecting and maintaining them, as well as the need for acceptance of residual risk and its classification into acceptable and unacceptable.

Following the discussion of risk management, other issues briefly mentioned are:
- IT system security policy: Contents and endorsement
- IT security plan: Documentation of actions to be taken for implementing the IT security policy
- Implementation of safeguards: Implementing the safeguards as defined in the plan, including security training
- Security awareness: Passing the knowledge from the security officer to all levels of the organisation
- Follow-up: Activities such as maintenance of safeguards and policies, security compliance checking, monitoring and incident handling


Part 3: Techniques for the Management of IT Security


Management techniques are described and recommended in this part, which was published in 1998 and is 54 pages. In addition to general information, an overview of the IT security management process is provided. Its major activities are:
- Analysis of security requirements: The definition of security objectives and strategy, and the development of a corporate IT security policy
- Selection of a corporate risk analysis strategy: Identification and assessment of risks and their reduction to an acceptable level, based on the security requirements of different systems
- Implementation of the IT security plan: Implementation of safeguards, including security awareness and security training
- Follow-up: Checking of compliance, monitoring, change management practices and incident handling

The importance of a corporate IT security policy is discussed, and recommended parts are listed. A detailed table of contents is provided in the annex of the report. The implementation of safeguards and a security awareness programme follows the methodology-based identification of security needs. During the implementation phase, a security awareness programme is used to increase the level of awareness within the organisation. A sound awareness programme consists of:
- Needs analysis: Existing and targeted levels of awareness within different target groups, and identification of the necessary methods
- Programme delivery: Interactive and promotional techniques
- Monitoring: Periodic performance evaluation to determine the level of awareness, and comprehensive change management to ensure that skills and awareness reflect modifications to systems

Internal or external experts ensure the achievement of the objectives by closing the implementation phase with an approval of the implemented systems. Part 3 concludes with a discussion of follow-up activities, such as maintenance, compliance checking, change management, monitoring and incident handling.

In the annex, after the aforementioned table of contents of a security policy, a comprehensive list of possible threat types and vulnerabilities and a description of a risk analysis method are provided.

Part 4: Selection of Safeguards


Part 4 (70 pages) was published in 2000 and promotes the selection of safeguards based on a high-level risk analysis. The high-level result is the identification of the systems that require a detailed risk analysis and of those for which baseline protection suffices. The method for detailed risk analysis is discussed in part 3. Baseline protection can come in two flavours: selection of safeguards according to the type of IT system, and selection according to security concerns and threats.

The basic assessments of the safeguard selection process are:
- Identification of the type of system: IT systems can be a standalone workstation, a workstation connected to a network, or a server/workstation sharing resources via a network.
- Identification of physical/environmental conditions: In addition to general considerations concerning the environment of the organisation, more specific concerns are to be taken into account, such as the perimeter and building (physical situation, single occupant or multi-occupied, information about other occupants, identification of sensitive/critical areas), access control (access to the building, physical access controls, robustness and structure of the building, protection level of doors, windows, etc.) and the protection in place (protection of rooms, fire detection/suppression facilities, water leakage detection, UPS, temperature and humidity controls, etc.).
- Assessment of existing/planned safeguards: Identifying existing safeguards prevents their reselection. The identification is done by a review of documentation, a check with responsible personnel or a walk-through of the building. It has to be borne in mind that existing safeguards may exceed the current needs.

Safeguards can be classified into organisational/physical and system-specific safeguards:

Organisational and physical safeguards
- IT security management and policies
- Security compliance checking
- Incident handling
- Personnel
- Operational issues
- Business continuity planning
- Physical security

System-specific safeguards
- Identification and authentication
- Logical access control and audit
- Protection against malicious code
- Network management
- Cryptography

The organisational/physical safeguard categories are applicable to all IT systems; thus all safeguards from this category should be considered first when following the baseline approach. IT system-specific safeguards require an in-depth consideration of the needs, type and characteristics of the system.

When selecting safeguards, the security concerns (the loss of confidentiality, integrity, availability, accountability, authenticity or reliability) should be considered. Each of these categories faces several threats.


No specific threats are listed in the report, only such exemplary threats as account sharing; lack of traceability; masquerading of user identity; software failure; unauthorised access to computers, data and applications; or weak authentication of identity. Examples of countermeasures to these threats are provided in the report. During the selection of a specific safeguard, it has to be decided which basic aspect the safeguard should address. These aspects are:
- Threat: Reduction of the likelihood
- Vulnerability: Removal of the vulnerability, or making it less serious
- Impact: Reduction or avoidance of the impact

During the implementation of an organisationwide baseline, it must be decided whether the whole organisation can be protected by the same baseline or whether different levels have to be identified. The annexes contain a short description of several sources of information concerning baseline protection and IT security.
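The combined approach of part 2, the asset value / threat / vulnerability risk analysis of part 3 and the threat / vulnerability / impact aspects of safeguard selection in part 4 fit together as one procedure, and the following Python models that procedure end to end. It is an added example written for this page, not code from ISO/IEC 13335 or from the report, and it rests on assumptions the report does not state: an additive 0..8 risk matrix (asset value 0..4 plus a threat index and a vulnerability index, the matrix form commonly found in such annexes), a screening threshold of 3 on asset value for the high-level analysis, an acceptable residual risk of 4, and a safeguard moving the aspect it addresses down by one step. The safeguard catalogue and the two sample systems are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Qualitative scale used for threat likelihood and vulnerability severity."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


@dataclass(frozen=True)
class Asset:
    """One asset with the three inputs the report names for risk analysis."""
    name: str
    value: int            # 0 (negligible) .. 4 (very high); assumed scale
    threat: Level         # likelihood of a threat materialising
    vulnerability: Level  # how exploitable the asset is


@dataclass(frozen=True)
class Safeguard:
    """A safeguard addresses exactly one of the three aspects listed in part 4."""
    name: str
    aspect: str           # "threat", "vulnerability" or "impact"
    cost: int             # relative cost, used to order candidates


def risk_measure(asset: Asset) -> int:
    """Risk on a 0..8 scale.

    Assumption: the additive matrix form (asset value + threat index +
    vulnerability index); the report does not reproduce the part 3 annex method.
    """
    if not 0 <= asset.value <= 4:
        raise ValueError("asset value must be on the 0..4 scale")
    return asset.value + int(asset.threat) + int(asset.vulnerability)


def apply_safeguard(asset: Asset, safeguard: Safeguard) -> Asset:
    """The asset as it looks after the safeguard: one step down on the aspect it
    addresses (threat likelihood, vulnerability, or impact via asset value)."""
    if safeguard.aspect == "threat":
        return Asset(asset.name, asset.value,
                     Level(max(Level.LOW, asset.threat - 1)), asset.vulnerability)
    if safeguard.aspect == "vulnerability":
        return Asset(asset.name, asset.value, asset.threat,
                     Level(max(Level.LOW, asset.vulnerability - 1)))
    if safeguard.aspect == "impact":
        return Asset(asset.name, max(0, asset.value - 1),
                     asset.threat, asset.vulnerability)
    raise ValueError(f"unknown safeguard aspect {safeguard.aspect!r}")


def needs_detailed_analysis(assets, high_value: int = 3) -> bool:
    """High-level screen of the combined approach. Assumption: a system whose most
    valuable asset is rated at or above `high_value` gets a detailed risk
    analysis; everything else stays on baseline protection."""
    return max(a.value for a in assets) >= high_value


def select_safeguards(asset: Asset, catalogue, acceptable: int = 4):
    """Detailed analysis for one asset: add the cheapest safeguard that actually
    lowers the risk until the residual risk is acceptable or nothing helps.

    Returns (chosen safeguard names, residual risk, accepted?). A False third
    element means the residual risk must be explicitly accepted or escalated.
    """
    chosen = []
    current = asset
    remaining = sorted(catalogue, key=lambda s: s.cost)
    while risk_measure(current) > acceptable:
        candidates = [s for s in remaining
                      if risk_measure(apply_safeguard(current, s)) < risk_measure(current)]
        if not candidates:
            break
        pick = candidates[0]
        chosen.append(pick.name)
        current = apply_safeguard(current, pick)
        remaining.remove(pick)
    residual = risk_measure(current)
    return chosen, residual, residual <= acceptable


def plan_system(name: str, assets, catalogue, acceptable: int = 4) -> dict:
    """Combined approach for one system: baseline protection, or a detailed
    analysis with safeguard selection per asset."""
    if not needs_detailed_analysis(assets):
        return {"system": name, "approach": "baseline",
                "residual": max(risk_measure(a) for a in assets)}
    return {"system": name, "approach": "detailed",
            "assets": {a.name: select_safeguards(a, catalogue, acceptable) for a in assets}}


# Constructed sample data (not from the standard or the report).
CATALOGUE = [
    Safeguard("security awareness training", "threat", cost=1),
    Safeguard("patch management", "vulnerability", cost=2),
    Safeguard("offline backups", "impact", cost=2),
    Safeguard("network intrusion detection", "threat", cost=4),
]
PAYMENT_SERVER = [Asset("transaction database", 4, Level.HIGH, Level.MEDIUM)]
VISITOR_KIOSK = [Asset("visitor sign-in list", 1, Level.MEDIUM, Level.HIGH)]


if __name__ == "__main__":
    for system, assets in (("payment server", PAYMENT_SERVER),
                           ("visitor kiosk", VISITOR_KIOSK)):
        print(plan_system(system, assets, CATALOGUE))
```

The payment server is screened into detailed analysis and ends with three safeguards and a residual risk of 4; the kiosk never leaves baseline protection. The third element returned by `select_safeguards` is the point at which part 2's classification of residual risk into acceptable and unacceptable becomes an explicit management decision: when the catalogue is exhausted and the residual is still above the threshold, the function returns False rather than silently settling for the best it found.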

Part 5: Management Guidance on Network Security


Part 5 (38 pages), published in 2001, deals with network security and provides guidance for the identification and analysis of communications and networks. It also provides an introduction to safeguard areas. The following series of activities is recommended for the process of identifying and analysing communications-related factors:
- Review corporate IT security requirements: The IT security policy states the requirements for confidentiality, integrity, availability, nonrepudiation, accountability, authenticity and reliability of information.
- Review network architectures and applications: Depending on the types of networks, the protocols used, the applications installed and other considerations such as trust relationships, different safeguard areas may be identified.
- Identify types of network connections: Networks are usually connected in different topologies and at different organisational levels:
  - A single controlled location within an organisation
  - Connection amongst different geographical parts but within an organisation
  - Connection between an organisation site and personnel working in locations away from the organisation
  - Connection amongst different organisations within a closed community
  - Connections with other organisations
  - Connections with the Internet
- Review networking characteristics and related trust relationships: The characteristics can be classified into public or private networks, and data and/or voice networks. Another distinction can be made between packet (using hubs) and switched networks. The trust relationship is, depending on its environment, classified into low, medium and high. The combination of the two classes of network connection (private or public) and trust environment (low, medium or high) provides basic information for the identification of safeguards.
- Determine the types of security risks: Depending on the type of security risk (loss of confidentiality, loss of integrity, etc.) and the previous combination of characteristics and trust, characteristic safeguards are nominated.
- Identify appropriate potential safeguard areas: On the basis of the security risks, several safeguards can be identified. They are grouped into disciplines, such as:
  - Secure service management
  - Identification and authentication
  - Audit trails
  - Intrusion detection
  - Protection against malicious code
  - Network security management
  - Security gateways
  - Data confidentiality over networks
  - Data integrity over networks
  - Nonrepudiation
  - Virtual private networks
  - Business continuity and disaster recovery
- Document and review security options: The documentation of the intended architecture allows a final analysis of its design.
- Prepare for the allocation of safeguard selection, design, implementation and maintenance: An organisation can be set up and specific tasks defined for the selection, implementation and maintenance of the safeguards.

A suitable security gateway arrangement will protect the organisation's internal systems and securely manage and control the traffic flowing across them, in accordance with a documented security gateway service access policy.

References
www.iso.org
http://webstore.ansi.org


7. ISO/TR 13569:1997 Banking and Related Financial Services: Information Security Guidelines


Issuer
ISO/TR 13569:1997 is published by the International Organisation for Standardisation (ISO). It was prepared by ISO Technical Committee ISO/TC68/SC2, which develops financial services security standards and guides.

Document Taxonomy
The guidance Banking and Related Financial Services: Information Security Guidelines is a technical report containing guidelines on security concepts and suggested control objectives and solutions for financial sector organisations.

Circulation
This guidance is recognised internationally, but more so by the banking and financial services industry at which it is specifically aimed.

Goals of the Standard or Guidance Publication


The guidance states three objectives:
- To present an information security programme structure
- To present a selection guide to security and control that represents accepted prudent business practice
- To be consistent with existing standards, as well as emerging work in objective and accreditable security criteria

Information Security Drivers for Implementing the Guidance: Why


Amongst the reasons for implementing ISO/TR 13569:1997 are:
- Financial services organisations are expected to conform to internationally accepted standards.
- Conformance to the standard may improve trust relationships with other financial organisations.
- Conformance enables the organisation to meet regulatory, audit and legal expectations.

Related Risks of Noncompliance: What Could Happen


There is no direct risk from not complying unless the organisation has an inherent need to comply with this standard.

Target Audience
The guidance is intended for use by financial institutions of all sizes and types and by providers of service to financial institutions.

Timeliness
The first edition of ISO/TR 13569:1997 was issued in 1996 and then reissued in 1998. It has not been updated since. Most of its content is still valid and relevant, but, due to technology changes, parts of the document are stale or outdated. A new version of the standard is currently under development, with no date given for expected completion.

Certification Opportunities
There is no certification associated with the guidance.

Completeness
The majority of the guidance is concerned with documenting control objectives and controls for the financial services sector and in this it covers a broad range of areas, many of which are specific to financial services (e.g., automated teller machines). Its age means that the controls are light for many technical areas; for instance, networking of trusted third parties (TTPs) was a new concept at the time of issue in 1996, and there is no mention of Internet banking. However, most of the controls remain appropriate as a source of commonly accepted security practices. The section on information security programme components is detailed enough for management briefing purposes and, although it is aimed toward the financial services sector, it is generally applicable to all organisations.

Availability
The documents can be acquired from the ISO web site, www.iso.org, at a cost of Swiss CHF 184.00.


Recognition/Reputation
Results of the global CISM survey conducted by ISACA in 2004 (described in this document's Introduction) indicate that the document is less well known than some of the others reviewed for this research, although it still scored a reasonable 60 percent recognition level amongst surveyed CISMs (only 50 percent in Asia). However, the majority (59 percent) of those CISMs familiar with the guidance believe it has only limited acceptance as a standard.

Usage
The guideline is being put to practical use (i.e., implemented, used as best practice or used for assessment) by fewer than 15 percent of CISMs (only 2.5 percent in Central/South America), which may be due to its emphasis on financial institutions. Over half of CISMs familiar with the guidance found it effective in use (rising to almost 90 percent in Oceania). Whilst more than half also found it comprehensive, this figure fell to only 36 percent in Oceania.

CISM Domain Alignment


Information Security Governance, 2
ISO/TR 13569:1997 provides good descriptions of the components for establishing and maintaining information security, but it does not provide guidance on how to undertake the various tasks required.

Risk Management, 3
The guidance provides a simple risk assessment methodology that could easily be used and adapted by anyone. It may not provide the level of detail required for evaluating very high-risk systems and it does not address all the aspects of risk management.

Information Security Programme Management, 3


Overall, it provides a good set of baseline controls over a wide range of topics although some controls contain insufficient detail due to technology changes. It does not provide guidance on security programme planning or project management.

Information Security Management, 2


The guidance addresses many of the tasks in this domain implicitly through its control practices, but there is limited guidance on establishing and carrying out the tasks.


Response Management, 1
Response management is referenced in the guideline, but only limited guidance is provided.

Overall, 2
ISO/TR 13569:1997 is a valuable reference source of control practices, particularly for financial organisations, but since it was last published in early 1998, it is dated.

Description and Guidance on Use


The ISO/TR 13569:1997 guidance is a 97-page document that briefly describes the components of an information security programme and provides a range of control objectives and suggested solutions. The guidance is split into nine sections and a number of annexes. The first sections deal with introductions, references, executive summary, etc. Section 6 of the guideline describes the components of an information security programme:
- General duties: Responsibilities for a range of roles within the organisation, including directors, managers, employees, legal and security
- Risk acceptance: Process for accepting risks that fall outside the organisation's policies, standards and directives
- Insurance: Liaising with others to ensure that insurance conditions are understood and can be dealt with, and that insurance premiums are kept to a minimum
- Audit: Describes the activities of audit in the area of information security
- Regulatory compliance: Liaising with others to ensure that the information security requirements of regulations are understood and implemented
- Disaster recovery planning: Activities within a disaster recovery plan to recover information and information processing facilities
- Information security awareness: Ensuring that the awareness programme achieves a balance of control and accessibility
- External service providers: Including Internet service providers, red-teams (penetration testers) and electronic money token providers
- Cryptographic operations: Benefits and issues in selecting and using cryptographic controls
- Privacy: Areas that should be addressed through policies and procedures

Extract From 6.8.2 Red-Teams


The use of a red-team, usually a contractor, to test system security by attempting system penetration with the knowledge and consent of an appropriate official of the institution, is a method of deriving assurance for the security programme. As computer systems become more and more complex, security will become increasingly harder to maintain. Use of red-teams can help in finding specific points of weakness in an institution's system.
Section 7 addresses control objectives and suggested solutions. In this part of the guideline, there are 20 main topic areas, many broken down into further topics, as follows:
- Information classification, including suggested labels and descriptions for criticality and sensitivity
- Logical access control, further broken into a number of topics
- Audit trails
- Change control (including emergency procedures)
- Computers
- Networks
- Software
- Human factors
- Voice, telephone and related equipment
- Facsimile and image
- Electronic mail
- Paper documents
- Microform and other media storage (disclosure, destruction, etc.)
- Financial transaction cards (physical security, abuse, PINs, audit, etc.)
- Automated teller machines (user identification, fraud prevention, maintenance, etc.)
- Electronic fund transfers
- Checks
- Electronic commerce
- Steganography
- Electronic money

Appendix A contains a number of sample forms, including:
- Information security policy: A simple, one-page document that can be easily amended
- Employee awareness form: Which can be signed by the employee and his/her manager
- Sign-on warning screen: Alerting users that they must be authorised to use the system
- Risk acceptance form: Detailing all relevant facts about the risk, with spaces for signatures of the relevant management
- Telecommuting agreement: Describing the duties and obligations of the employee and company

Appendix E contains a simple risk assessment process that includes step-by-step instructions and guidance along with a number of useful tables.

Reference
www.iso.org


8. ISO/IEC 15408:1999 and Common Criteria


The international standard ISO/IEC 15408:1999 Security Techniques: Evaluation Criteria for IT Security is based on Common Criteria for Information Technology Security Evaluation 2.0 (referred to as Common Criteria or CC), so the two are treated in one chapter. Common Criteria succeeds the Information Technology Security Evaluation Criteria (ITSEC), published by the European Commission in 1991. The two names are used synonymously here.

Issuer
ISO/IEC 15408:1999 was published in 1999 by the ISO/IEC JTC1 working group in collaboration with the Common Criteria Project Sponsoring Organisation, which published Common Criteria. Members of this organisation are:
- Canada: Communications Security Establishment
- France: Service Central de la Sécurité des Systèmes d'Information
- Germany: Bundesamt für Sicherheit in der Informationstechnik
- Netherlands: Netherlands National Communications Security Agency
- United Kingdom: Communications-Electronics Security Group
- United States: National Institute of Standards and Technology and National Security Agency

From a historical point of view, the various standards/guidance issued by some of the member bodies were influenced by other standards/guidance, as shown in figure 6.

Figure 6: Standards Influences
[Lineage diagram; the standards shown are US Orange Book TCSEC (1985), UK Confidence Levels (1989), German Criteria, French Criteria, ITSEC (1991), Canadian Criteria (1993), Federal Criteria Draft (1993), Common Criteria v1.0 (1996), Common Criteria v2.0 (1998), Common Criteria v2.1 (1999), ISO/IEC 15408 (1999) and Common Criteria v2.2 (2004).]

Document Taxonomy
ISO/IEC 15408:1999 is an international standard. Common Criteria is labelled as a multipart standard.

Circulation
Because it was developed by an international committee and published as an international standard, Common Criteria has gained worldwide recognition.

Goal of the Standard or Guidance Publication


Common Criteria was issued to define criteria as the basis for a common and comparable evaluation of IT security, focussing on the security of systems and products.

Information Security Drivers for Implementing the Guidance: Why


ISO/IEC 15408:1999 is especially suited for:
- Implementation of security products or systems that shall be certified
- Security that is imperative to the development of semifinished products (e.g., control systems)

Related Risks of Noncompliance: What Could Happen


There is no direct risk for not complying unless the organisation has an inherent need to comply with this standard.

Target Audience
CC describes three specific target audiences, with a fourth having some tangential targeting. They are:
- Consumers: The needs of consumers are considered throughout the evaluation process. The level of security provided by an evaluated product is comprehensible for consumers.
- Developers: Developers have a guideline to prepare the evaluation of their systems. On the other hand, CC helps in identifying security requirements. CC can be useful as a source of security functions that may be implemented into a system.
- Evaluators: Evaluators have clear and agreed criteria to assess the security of a system. Steps necessary for an evaluation are included, but the standard does not stipulate procedures to be followed.
- Others: CC may be seen as a useful source of information by others, such as security and assurance professionals.

Timeliness
ISO/IEC 15408:1999 was first published in 1999 and is now somewhat out of step with the latest Common Criteria version 2.2, published in 2004 (CC2.2). If the past serves as an indicator, it seems likely that CC2.2 (following some minor editorial changes) will be accepted as the new version of ISO/IEC 15408, perhaps by 2006.

Certification Opportunities
The purpose of the document is to provide common criteria for the certification of security products and systems.

Completeness
There is a detailed description of the criteria that must be fulfilled to obtain certification of security products and systems. It does not describe the full role and responsibilities of an information security manager for establishing, implementing and maintaining an enterprisewide information security programme. Whilst the document contains security controls, they are not in a format that would make them easy to find and use by the average organisation defining security controls for itself.

Availability
The international standard can be purchased from ISO at www.iso.org for Swiss CHF 142.00, 294.00 and 230.00 for parts 1, 2 and 3 respectively. Common Criteria is freely available for public use from www.nist.gov and www.commoncriteriaportal.org.

Recognition/Reputation
Referring to the global survey of CISMs conducted in 2004 (described in this document's Introduction), two-thirds of surveyed CISMs are aware of the Common Criteria, slightly more in the Europe/Africa and Oceania regions. Well over half of all CISMs familiar with the CC felt it had only limited acceptance in the information security community. This is a rather surprisingly high figure considering its background; however, this may be a reflection of its narrower focus, primarily on security products and systems, rather than a specific criticism of the standard.

Usage
CC is being used (mostly as best practice or for assessment) by approximately one-fifth of surveyed CISMs, except in Central/South America and Asia where usage is quite low (5 and 11 percent, respectively). It is considered by more than half of CISMs familiar with the standard to be comprehensive. At the same time, however, half the CISMs in Europe/Africa and Central/South America felt it had only limited effectiveness; again, this is most likely due to the focus on security products.

CISM Domain Alignment


Information Security Governance, 0
Information security governance is not addressed at all in the guidance.

Risk Management, 0
Risk management is not addressed at all in the guidance.

Information Security Programme Management, 2


CC provides detailed descriptions for identifying, designing and developing security requirements of security products and systems, but it is aimed at the security engineer rather than the information security manager.

Information Security Management, 0


Information security management is not addressed at all in this guidance.

Response Management, 0
Response management is not addressed at all in this guidance.

Overall, 2
This guidance would mostly be of use to a security engineer as the level of technical detail is much greater than that of normal interest to an information security manager with enterprisewide responsibilities. The exception may be in organisations developing security products.


Description and Guidance on Use


Common Criteria 2.2 is supplied in three parts. It is primarily focussed on applicable IT security measures implemented in hardware, software and firmware.

Part 1: Introduction and General Model


Part 1 is a document of 64 pages and explains the general model, general concepts and the principles to be considered when evaluating IT security. Identification of threats, vulnerabilities, risks and countermeasures is addressed conceptually, in particular as it pertains to the development of products. Guidance is also provided on activities that need to be addressed as part of the development process. This is done in a general manner without specific development methodologies being recommended or preferred.

Extract of Paragraph 129:
The CC does not mandate a specific set of design representations. The CC requirement is that there should be sufficient design representations presented at a sufficient level of granularity to demonstrate where required:
a) that each refinement level is a complete instantiation of the higher levels (i.e., all target of evaluation (TOE) security functions, properties, and behaviour defined at the higher level of abstraction must be demonstrably present in the lower level);
b) that each refinement level is an accurate instantiation of the higher levels (i.e., there should be no TOE security functions, properties, and behaviour defined at the lower level of abstraction that are not required by the higher level).

Instructions for writing high-level specifications for products and systems are provided in two annexes. Annex A addresses security targets and annex B addresses protection profiles. A security target contains the IT security requirements of an identified TOE and specifies the functional and assurance security measures offered by that TOE to meet stated requirements. A protection profile defines an implementation-independent set of IT security requirements for a category of TOEs.

Extract From Paragraph 234, Rationale for the Security Target:
c) The TOE summary specification rationale shall show that the TOE security functions and assurance measures are suitable to meet the TOE security requirements. The following shall be demonstrated:
- that the combination of specified TOE IT security functions works together so as to satisfy the TOE security functional requirements;
- that the strength of TOE function claims made are valid, or that assertions that such claims are unnecessary are valid;
- that the claim is justified that the stated assurance measures are compliant with the assurance requirements.
The statement of rationale shall be presented at a level of detail that matches the level of detail of the definition of the security functions.

Part 2: Security Functional Requirements


Part 2 is a document of 365 pages and contains functional components that are used for expressing the security requirements of TOEs in a standardised manner. It is structured into sets of functional components, families and classes. It is noted within the document that not all security functional requirements can be assumed to be included, but rather all of those that were known and agreed to be of value by the CC part 2 authors at the time of release. The security classes (the highest level in the catalogue structure) are:
- FAU: Security audit
- FCO: Communication
- FCS: Cryptographic support
- FDP: User data protection
- FIA: Identification and authentication
- FMT: Security management
- FPR: Privacy
- FPT: Protection of the TOE security function
- FRU: Resource utilisation
- FTA: TOE access
- FTP: Trusted path/channels

Extract of Paragraphs 319 and 320, Security Attribute Expiration of the Security Management Class (FMT_SAE):
319 FMT_SAE.1 Time-limited authorisation provides the capability for an authorised user to specify an expiration time on specified security attributes.
320 The following actions could be considered for the management functions in FMT Management:
a) managing the list of security attributes for which expiration is to be supported
b) the actions to be taken if the expiration time has passed

There are a number of annexes providing explanatory information for potential users of the functional components and classes, including a complete cross-reference table of the functional component dependencies.

Extract of Paragraph 1051 From Annex H, Security Attribute Expiration (FMT_SAE):
1051 For FMT_SAE.1.1, the PP/ST author should provide the list of security attributes for which expiration is to be supported. An example of such an attribute might be a user's security clearance.
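To make FMT_SAE.1 concrete, the following Python model (an added example, not text or code from the standard or from this publication) implements time-limited authorisation over the Annex H example attribute, a user's security clearance: only an authorised user may set an expiration, only on attributes in the managed list (management function a), and a configured action runs once the expiration time has passed (management function b). The clearance ordering, user names and timestamps are constructed for illustration.

```python
# Added model of CC Part 2 FMT_SAE.1 (time-limited authorisation); constructed
# illustration, not code or text from ISO/IEC 15408 or Common Criteria.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed ordering of clearance levels used by the access check below.
CLEARANCE_ORDER = {"unclassified": 0, "confidential": 1, "secret": 2}


@dataclass
class SecurityAttribute:
    name: str                              # e.g. "clearance", the Annex H example
    value: str
    expires_at: Optional[datetime] = None  # None means no expiration has been set


class TimeLimitedAttributes:
    """Security attributes whose validity can be limited in time (FMT_SAE.1).

    The management functions of paragraph 320 are modelled as:
      a) `expirable`: the list of attributes for which expiration is supported;
      b) `on_expiry`: the action taken once the expiration time has passed,
         invoked exactly once per expired attribute when it is next consulted.
    """

    def __init__(self, authorised_users: Set[str], expirable: Set[str],
                 on_expiry: Callable[[str, SecurityAttribute], None]) -> None:
        self.authorised = set(authorised_users)
        self.expirable = set(expirable)
        self.on_expiry = on_expiry
        self._attrs: Dict[Tuple[str, str], SecurityAttribute] = {}

    def _require_authorised(self, actor: str) -> None:
        # FMT_SAE.1 grants the capability to an *authorised* user only.
        if actor not in self.authorised:
            raise PermissionError(f"{actor} may not manage security attributes")

    def assign(self, actor: str, subject: str, attr_name: str, value: str) -> None:
        self._require_authorised(actor)
        self._attrs[(subject, attr_name)] = SecurityAttribute(attr_name, value)

    def set_expiration(self, actor: str, subject: str, attr_name: str,
                       expires_at: datetime) -> None:
        """The FMT_SAE.1 capability itself: put a time limit on an attribute."""
        self._require_authorised(actor)
        if attr_name not in self.expirable:          # management function a)
            raise ValueError(f"expiration is not supported for {attr_name}")
        attr = self._attrs.get((subject, attr_name))
        if attr is None:
            raise KeyError(f"{subject} has no attribute {attr_name}")
        attr.expires_at = expires_at

    def current(self, subject: str, attr_name: str, now: datetime) -> Optional[str]:
        """Value in effect at `now`; an expired attribute is revoked on the way."""
        key = (subject, attr_name)
        attr = self._attrs.get(key)
        if attr is None:
            return None
        if attr.expires_at is not None and now >= attr.expires_at:
            del self._attrs[key]           # revoke first ...
            self.on_expiry(subject, attr)  # ... then run the configured action b)
            return None
        return attr.value

    def may_read(self, subject: str, document_level: str, now: datetime) -> bool:
        """An access decision that depends on the expirable clearance attribute."""
        clearance = self.current(subject, "clearance", now)
        if clearance is None:
            return False
        return CLEARANCE_ORDER[clearance] >= CLEARANCE_ORDER[document_level]


def demo() -> List[str]:
    """Grant a clearance with a 30-day limit and check access before and after."""
    audit: List[str] = []
    store = TimeLimitedAttributes(
        authorised_users={"secadmin"},
        expirable={"clearance"},
        on_expiry=lambda subj, a: audit.append(f"expired:{subj}:{a.name}={a.value}"),
    )
    t0 = datetime(2005, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    store.assign("secadmin", "alice", "clearance", "secret")
    store.set_expiration("secadmin", "alice", "clearance", t0 + timedelta(days=30))
    for day in (1, 31, 32):  # day 31 is the first moment at or past the limit
        ok = store.may_read("alice", "secret", t0 + timedelta(days=day - 1))
        audit.append(f"day{day} secret-doc: {ok}")
    try:  # a subject cannot extend her own clearance
        store.set_expiration("alice", "alice", "clearance", t0 + timedelta(days=365))
    except PermissionError:
        audit.append("alice could not extend her own clearance")
    return audit
```

Note that the expiry action fires once, at the first consultation after the limit, and the attribute is removed before the action runs so the action cannot be used to keep the access alive.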


Part 3: Security Assurance Requirements


A set of assurance components is included in part 3 (171 pages), enabling a standardised approach for defining assurance requirements for IT products and services. The structure of the catalogue is similar to the one in part 2 in that it is subdivided into components, families and classes. Evaluation criteria for protection profiles (PPs) and security targets (STs) are also included in part 3. The evaluation of PP and ST is to be performed before evaluating the TOE. The evaluation criteria tasks for PPs are:
- APE_DES: TOE description
- APE_ENV: Security environment
- APE_INT: PP introduction
- APE_OBJ: Security objectives
- APE_REQ: IT security requirements
- APE_SRE: Explicitly stated IT security requirements (applicable only for an extended evaluation)

The ST evaluation tasks are:
- ASE_DES: TOE description
- ASE_ENV: Security environment
- ASE_INT: ST introduction
- ASE_OBJ: Security objectives
- ASE_PPC: PP claims
- ASE_REQ: IT security requirements
- ASE_SRE: Explicitly stated IT security requirements (applicable only when evaluating extended requirements)
- ASE_TSS: TOE summary specification

Detailed requirements of each of seven assurance components, grouped by class and family, are provided. The seven assurance classes with their respective families are:
- ACM: Configuration management
  - ACM_AUT: Automation
  - ACM_CAP: Capabilities
  - ACM_SCP: Scope
- ADO: Delivery and operation
  - ADO_DEL: Delivery
  - ADO_IGS: Installation, generation and start-up
- ADV: Development
  - ADV_FSP: Functional specification
  - ADV_HLD: High-level design
  - ADV_IMP: Implementation representation
  - ADV_INT: TSF internals
  - ADV_LLD: Low-level design
  - ADV_RCR: Representation correspondence
  - ADV_SPM: Security policy modelling
- AGD: Guidance documents
  - AGD_ADM: Administrator guidance
  - AGD_USR: User guidance
- ALC: Life cycle support
  - ALC_DVS: Development security
  - ALC_FLR: Flaw remediation
  - ALC_LCD: Life cycle definition
  - ALC_TAT: Tools and techniques
- ATE: Tests
  - ATE_COV: Coverage
  - ATE_DPT: Depth
  - ATE_FUN: Functional tests
  - ATE_IND: Independent testing
- AVA: Vulnerability assessment
  - AVA_CCA: Covert channel analysis
  - AVA_MSU: Misuse
  - AVA_SOF: Strength of TOE security functions
  - AVA_VLA: Vulnerability analysis

Extract from AGD_ADM.1 Administrator Guidance:
AGD_ADM.1.1C The administrator guidance shall describe the administrative functions and interfaces available to the administrator of the TOE.
AGD_ADM.1.2C The administrator guidance shall describe how to administer the TOE in a secure manner.
AGD_ADM.1.3C The administrator guidance shall contain warnings about functions and privileges that should be controlled in a secure processing environment.
AGD_ADM.1.4C The administrator guidance shall describe all assumptions regarding user behaviour that are relevant to secure operation of the TOE.

Seven evaluation assurance levels (EALs) are presented, representing packages of assurance components. These EALs allow the IT security rating of products and services. For each EAL a description of its objectives and minimal assurance components is provided. The EALs identified within Common Criteria are as follows:
- EAL1: Functionally tested
- EAL2: Structurally tested
- EAL3: Methodically tested and checked
- EAL4: Methodically designed, tested and reviewed
- EAL5: Semiformally designed and tested
- EAL6: Semiformally verified design and tested
- EAL7: Formally verified design and tested


References
www.iso.org
www.iec.org
www.nist.gov
www.commoncriteriaportal.org


9. ISO/IEC 17799:2000 Information Technology: Code of Practice for Information Security Management


Issuer
ISO/IEC 17799 Information Technology: Code of Practice for Information Security Management was published by the International Organisation for Standardisation and International Electrotechnical Commission. The technical committee identified as ISO/IEC JTC1/SC27 WG1 is responsible for its maintenance.

Document Taxonomy
ISO/IEC 17799:2000 is a collection of information security practices, and is based on British Standard BS 7799-1:1999, Code of Practice for Information Security Management.

Circulation
ISO/IEC 17799:2000 is available and used internationally. It has been published in several languages including Chinese, Czech, Danish, Dutch, Finnish, French, German, Icelandic, Japanese, Korean, Norwegian, Portuguese and Swedish.

Goal of the Standard or Guidance Publication


ISO/IEC 17799:2000 provides information to parties responsible for implementing information security within an organisation. It can be seen as a basis for developing security standards and management practices within an organisation to improve reliability on information security in interorganisational relationships.

Information Security Drivers for Implementing the Guidance: Why


ISO/IEC 17799:2000 offers internationally recognised security practices that enable an organisation to meet audit, regulatory and legal expectations. Compliance can help promote an organisation as trusted and can be used as part of the basis for certification to BS 7799-2:2002.


Related Risks of Noncompliance: What Could Happen


There is no direct risk from not complying unless the organisation has an inherent need to comply with this standard.

Target Audience
During the drafting of ISO/IEC 17799:2000 it was assumed that the execution of its provisions would be entrusted to appropriately qualified and experienced people. As all of the contents are considered guidance as opposed to mandatory requirements, it is assumed that the individual implementing ISO/IEC 17799:2000 will have the experience needed to evaluate and apply controls as they relate to the specific risks and needs of their organisation.

Timeliness
ISO/IEC 17799:2000 is a first edition, currently being reviewed as part of the normal three-to-five-year ISO revision process. Whilst the majority of its contents remain valid, changes in IT inevitably have meant that some of the guidance may be dated or incomplete. A new version has already been developed and is expected for publication within 2005.

Certification Opportunities
There is no certification available for ISO/IEC 17799:2000. However, it can be used as guidance for those wishing to achieve certification to BS 7799-2:2002.

Completeness
ISO/IEC 17799:2000 is designed to be comprehensive to a level that meets the needs of the majority of organisations, from small to large, and across industry sectors. As a set of control objectives and security practices it has good coverage although it does not deal with technology changes that have taken place over the last four or five years. Security management concepts are only briefly addressed.

Availability
ISO/IEC 17799:2000 can be purchased from ISO at www.iso.org for Swiss CHF 172.00, as well as from many national standards bodies.


Recognition/Reputation
Findings from the global CISM survey that was conducted by ISACA in 2004 (described in this document's Introduction) indicate that ISO/IEC 17799:2000 has made a significant impact on the information security community, and was recognised by more than 97 percent of the surveyed CISMs. Acceptance levels of the standard are also very high: more than 85 percent of the surveyed CISMs (falling to 65 percent in North America) believed it to be an acceptable standard, whilst most of the remaining CISMs thought it has at least limited acceptance.

Usage
As the survey indicated, active usage (i.e., implemented, used as best practice or used for assessment) of the standard is very high at greater than 58 percent, with a large majority of surveyed CISMs (in excess of 80 percent) finding it comprehensive.

CISM Domain Alignment


Information Security Governance, 1
Some aspects of information security governance are referenced in the introduction. No further detail is present.

Risk Management, 1
Some references are made to risk management in the introduction. No further detail is present.

Information Security Programme Management, 3


It provides a very good set of general security controls, although it does not address some of the latest technology areas. No guidance is provided on security planning or project management.

Information Security Management, 2


ISO/IEC 17799:2000 addresses implicitly through its guidance many of the activities undertaken in information security management. It does not provide any guidance on how to establish or carry out these activities.

Response Management, 2
The guidance provides a good list of important control practices for business continuity, but it does not fully address all areas of this domain nor provide guidance on how to establish and manage a response management function.

Overall, 2
This is a good source of controls and control practices designed to be used by an experienced information security practitioner. However, those with less experience may find it difficult to decide which control practices are necessary.

Description and Guidance on Use


ISO/IEC 17799:2000 (94 pages) describes guiding principles as the initial point when implementing information security. They rely on either legal requirements or generally accepted best practices. Measures based on legal requirements are (amongst others):
- Protection and nondisclosure of personal data
- Protection of internal information
- Protection of intellectual property rights

Best practices mentioned are:
- Information security policy
- Assignment of responsibility for information security
- Problem escalation
- Business continuity management

When implementing a system for information security management, several critical success factors should be considered:
- The security policy, its objectives and its activities reflect the business objectives.
- The implementation considers cultural aspects of the organisation.
- Open support and engagement of senior management are required.
- Thorough knowledge of security requirements, risk assessment and risk management is required.
- Security targets are effectively marketed to all personnel, including members of management.
- The security policy and security measures are communicated to contracted third parties.
- Users are trained in an adequate manner.
- A comprehensive and balanced system for performance measurement, which supports continuous improvement by giving feedback, is available.
- Security meets requirements of agreements and contracts.

After the introductory information (scope, terms and definitions), guidance is presented for initiating, implementing and maintaining information security. This guidance is structured into 10 sections, which contain 36 objectives and 127 controls. Suggestions are provided on how each control can be met.

Information security should at least consider the following parts:

Security policy
An information security policy should define the direction and contain the commitment and the support of management. The policy should be communicated throughout the organisation.

Organisational security
The definition of adequate organisation structures for the management of information security within the organisation should include:
- An information security management forum
- A forum for co-ordination
- Assignment of responsibility for information security to individuals
- Definition of responsibility areas for managers
- Definition of an authorisation process for IT facilities
- Definition of responsibility for investigation of security-relevant know-how
- Defined range for co-operation with third parties as well as independent security reviews
Comprehensive measures should exist for management of third-party services (definition of risks and security requirements). Risks caused by outsourcing contracts should be managed.

Asset classification and control
The inventory of assets and the assignment of responsibility should be seen as a prerequisite to sound accountability for assets. Information should be classified following a generally accepted system, thus ensuring an appropriate level of protection.

Personnel security
Security responsibilities, confidentiality agreements and the contract of employment should be part of the job responsibility. Adequate controls for personnel screening should be in place. Information security education and training should increase users' security awareness. The process of reporting security incidents, weaknesses and software malfunctions should be defined. This should include the assessment of the adequacy of the controls implemented, by a permanent process of learning from incidents.

Physical and environmental security
Central equipment should be installed only within a secure area, where adequate access controls and damage prevention are implemented. These areas include offices, rooms and facilities. There is also a need for special attention to delivery and loading areas. Equipment should be protected against loss, damage or compromise by being sited and protected in an appropriate manner. Power supplies, an adequate level of cabling security and correct maintenance of the equipment should be in place. Equipment installed off-premises and disposal or reuse of information should be considered.

General controls (such as a clear desk and clear screen policy) to protect information processing facilities or to prevent damage caused by unauthorised offsite usage of equipment should be in place.

Communications and operations management
- Operations should follow documented procedures. All changes to equipment should be documented. Procedures for sound incident management should be defined.
- Duties should be segregated, ensuring that no individual can both initiate and authorise an event. Development and operational facilities should be separated.
- Risks caused by contracted external facilities organisations should be covered.
- Capacity demands should be observed and future demands should be projected. Acceptance criteria for new systems should be defined.
- Damage caused by malicious software should be prevented, using preventive and detective controls, formal policies, and defined recovery procedures.
- Information should be backed up and the backup files tested regularly. Activities performed by operational staff and errors should be logged.
- Networks should be set up and managed with a view to ensuring the necessary level of security.
- Removable media should be handled with special care. Media with sensitive information should be disposed of in a secure manner. Adequate controls in information handling procedures (e.g., labelling of media, ensuring completeness of inputs, storage of media) should be considered. System documentation should be protected, as it may contain sensitive information.
- Agreements for the exchange of information and software should be established, including media in transit, electronic commerce transactions, electronic mail, electronic office systems, publicly available systems and other forms of information interchange.

Access control
- Access to information should be granted in accordance with business and security requirements. A formal access control policy should be in place. Access control rules should be specified.
- User access management (registration, privilege management, password management, review of user access rights) should follow a formal process.
- Responsibilities of users should be clearly defined.
- Networked services, operating systems and applications should be protected appropriately.
- System access and use should be monitored constantly.
- Mobile computing and teleworking should be performed in a secure manner.

Systems development and maintenance
- Security issues should be considered when implementing systems, following defined requirements.

- Security in application systems should take into account the validation of input data, adequate controls of internal processing, message authentication and output data validation.
- Use of cryptographic systems should follow a defined policy.
- Access to system files (including test data and source libraries) should be controlled.
- Project and support environments should allow for security by being rigorously controlled (e.g., change management procedures, arrangements for outsourced development).

Business continuity management
- A comprehensive business continuity management process should permit prevention of interruptions to business processes. The business continuity management process should not be restricted to IT-related areas and activities.
- An impact analysis should be executed that results in a strategy plan.
- Business continuity plans should be developed following a single framework.
- Business continuity plans should be tested, maintained and reassessed continuously.

Compliance
- Any unlawful act (e.g., a breach of data protection acts) should be avoided.
- Compliance with the security policy should be ensured by periodic reviews.

Extract From 3.1.2 Security Policy Review and Evaluation


The policy should have an owner who is responsible for its maintenance and review according to a defined review process. The process should ensure that a review takes place in response to any changes affecting the basis of the original risk assessment, e.g., significant security incidents, new vulnerabilities or changes to the organisational or technical infrastructure. There should also be scheduled, periodic reviews of the following:
a) The policy's effectiveness, demonstrated by the nature, number and impact of recorded security incidents
b) Cost and impact of controls on business efficiency
c) Effects of changes to technology

References
www.iso.org
www.iec.org
www.bsi-global.co.uk


10. Security Management


Issuer
IT Infrastructure Library (ITIL) is a collection of best practices and guidelines for IT service management and comprises a series of books on the quality provision of IT-related services. They are published and copyrighted by the UK's Office of Government Commerce (OGC).

Document Taxonomy
ITIL Security Management, published in 1999, is a methodology describing how IT security management processes link into other IT infrastructure management processes.

Circulation
Although developed by the UK government, ITIL is used internationally.

Goal of the Standard or Guidance Publication


ITIL was designed to provide a foundation for the management of the IT infrastructure. Security Management is included as comprising one of many activities that must be addressed by IT management, e.g., service level management and business continuity planning.

Information Security Drivers for Implementing the Guidance: Why


ITIL Security Management is an important part of the ITIL library, and organisations implementing ITIL would benefit from including it. It formalises the relationships between IT security management processes and other IT management processes and can be used as part of the process for conformance with BS 15000 Specification for IT Service Management, which is based on ITIL.


Related Risks of Noncompliance: What Could Happen


Organisations implementing ITIL but not including ITIL Security Management may find critical processes fragmented or incomplete.

Target Audience
The stated audience of Security Management is anyone responsible for critical IT processes as well as business managers who may find it helpful in defining their requirements for security.

Timeliness
ITIL Security Management has not been updated since 1999. There are some plans that call for ITIL to begin a scoping process for change in 2005. No further details were available at the time of publication.

Certification Opportunities
There is no certification for ITIL Security Management, but it is suggested that by following its guidance (along with that provided in the other ITIL IT services publications), an organisation would be well placed to obtain certification to BS 15000 Specification for IT Service Management.

Completeness
Within the scope of ITIL Security Management, security management processes are well covered and are suitable for any type of organisation with a large or complex IT infrastructure. However, ITIL does not extend outside the management of the IT infrastructure, meaning this is not an ideal publication for establishing an enterprisewide security function. The document includes a number of control practices but not to great depth, instead referring the reader to ISO/IEC 17799:2000 [6] for more detailed information.

[6] ITIL actually uses the term BS 7799 and refers to the 1995 and draft 1999 versions of the Code of Practice that eventually evolved into BS 7799-1:1999 and then ISO/IEC 17799:2000. No mention is made by ITIL of BS 7799-2:2002, which was published much later than ITIL Security Management.


Availability
ITIL Security Management can be purchased from The Stationery Office (TSO) in the UK (online at www.tso.co.uk). The cost is GB Sterling 44.95.

Recognition/Reputation
Based on the ISACA global survey of CISMs (described in this document's Introduction), ITIL has wide international recognition (around 85 percent of the surveyed CISMs), although slightly less so in North America (68 percent). More than half of all CISMs felt the standard has only limited acceptance, although 35 percent felt it has wide acceptance.

Usage
The CISM survey results showed that ITIL is actively used (i.e., implemented, used as best practice or used for assessment) by 40 percent in the Oceania and Europe/Africa regions. Usage is also strong (more than 23 percent) in other regions. It is considered by most to be effective in use (except for Oceania with half feeling it has only limited effectiveness). More than half of those familiar with ITIL felt it is either somewhat comprehensive or comprehensive.

CISM Domain Alignment


Information Security Governance, 1
There are several references to the activities within this domain, but they are not addressed in any great detail and are focussed on security management only as it relates to the operation of the IT infrastructure.

Risk Management, 0
Risk management is rarely addressed within this document.

Information Security Programme Management, 2


The guidance provides a good model for planning and establishment of information security services within the IT infrastructure. It does not cover all areas of an information security programme and provides controls at only a high level.


Information Security HarmonisationClassification of Global Guidance

Information Security Management, 2


Security Management provides a good model for the delivery and monitoring of information security services within the IT infrastructure. It does not cover all areas of an information security programme.

Response Management, 1
References are made to security incident registration and problem management, but not to any great level.

Overall, 2
This is most likely to be of interest to an information security manager if the organisation is implementing ITIL or plans to apply for BS 15000 certification. Its main audience is likely to be IT managers.

Description and Guidance on Use


Security Management is a document of 94 pages devoted to processes of integrating IT security management into the overall IT services management framework. It is designed to be used somewhat like a workbook to be of practical assistance. Chapter 1 provides a brief introduction to the document, and chapter 2 describes the basics of security management. The third chapter describes the links to other ITIL processes. Chapter 4 covers measures and chapter 5 provides guidelines for implementing the security management function. There are also five useful annexes.

Chapter 2: Fundamentals of Information Security

Information security is explained from a business perspective and from that of IT infrastructure management. Most of the emphasis is placed on the IT security management process, as that is within the scope of ITIL, but the wider role of security is acknowledged. In simple terms, a customer defines requirements for security and these are reflected in a service level agreement (SLA). A control process is then used to manage four major activity areas:
- Plan (includes policy statements, contracts, etc.)
- Implement (includes awareness, classification, control of access rights, etc.)
- Evaluate (includes internal and external audits)
- Maintain (includes learning and improvement)
Reporting is then used to link back to the customer, confirming that the security arrangements within SLAs have been met.


Chapter 3: ITIL and Security Management

ITIL is concerned with best practice in the exploitation of the IT infrastructure and the management of an existing working environment. This chapter puts security management into context with the other ITIL processes. However, ITIL is not specifically concerned with system development, nor with the strategic and tactical processes for developing the IT architecture and infrastructure, so these areas, which are also of concern to the security manager, are not addressed. ITIL defines its processes under sets, and the relationship with security management is described in each case in varying detail. There are three sets:
- Managers set: The strategic layer, which is important with regard to the organisation of the information security activities of the IT service provider
- Service delivery set: Represents the tactical processes where SLAs are drawn up and service is provided. Other processes that link with security management are:
  - Service level management
  - Availability management
  - Performance and capacity management (including workload, resource and demand management)
  - Business continuity planning
  - Financial management and costing
- Service support set: The operational layer that provides beneficial processes for service delivery and includes links to:
  - Configuration and asset management
  - Incident control/help desk
  - Problem management
  - Change management
  - Release management

Extract from 3.3.4.1, Change Management and Security Management: Security proposals also form part of the RFC (request for change). The starting point here is again the agreements contained in the SLA, as well as the security baseline chosen by the IT service provider. The general security profiles are often used, which specify which security measures have to be implemented for which types of products. For example, the following have to be specified for each operating system: identification and authentication, authorisation, access control, audit/logging, and management (including user management and the management of rights). Security proposals therefore consist of a collection of security measures that are often combined in a procedure laid down in documentation.


Chapter 4: Security Management Measures

This chapter provides a general overview of the security measures (controls rather than metrics) that are implemented through the security management process. They are based on, but do not approach the depth or detail of, the guidelines provided in ISO/IEC 17799:2000. Included are:
- Organisation of information security
- Asset classification and control
- Personnel security
- Communications and operations management
- Access control
Control measures are also defined for the auditing and evaluation of security in IT systems, maintenance and reporting. Annex A provides a cross-reference table giving easy reference to the areas covered and not covered by ITIL.

Extract of some of the possible reports a security manager may provide into the service level management process:
- Reports on the Plan activity:
  - Reports on conformance to the SLA, including the agreed-upon KPIs for security
  - Reports on underpinning contracts and any nonconformities in their fulfilment
  - Reports on operational level agreements and policy statements
- Regular reports on the Implementation activity:
  - Status of information (such as implemented measures, education and reviews, including self-assessments and risk analyses)
  - Overview of security incidents and the reaction to these incidents, compared to a previous time frame
  - Status of awareness programmes
  - Trends in incidents per system, per process, per department, etc.

Chapter 5: Guidelines for Implementing Security Management

Five areas are covered in this chapter:
- Awareness: The types of activities that can be undertaken to improve awareness across the organisation
- Organisation of security management: The choices available in how to organise security, and the characteristics one may look for in a security manager
- Documentation: The types of documentation that should be produced and their corporate placement
- Security management for small and medium enterprises: A brief description of minimum security requirements (based on the original 10 key controls contained within ISO/IEC 17799:2000)
- Pitfalls and success factors: A few ideas on what not to do


Annexes
Annex A provides a cross-reference table showing the relationship between ITIL and ISO/IEC 17799:2000. Annex A recommends the use of ISO/IEC 17799:2000 when implementing Security Management. Annex B provides a specimen security section in the SLA. Annex C describes a framework that can be used in drawing up a security plan. Annex D is a reference showing the various documents that were referred to in drawing up Security Management, potentially useful web sites and a list of other ITIL books.

Reference
www.tsoonline.co.uk

11. NIST 800-12 An Introduction to Computer Security: The NIST Handbook

Issuer
The Computer Security Resource Centre (CSRC) of the National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce, published the document. It is part of NIST's 800 series (computer security) and was published in October 1995.

Document Taxonomy
NIST 800-12 An Introduction to Computer Security: The NIST Handbook describes the common requirements for managing and implementing a computer security programme and gives some guidance on the types of controls that are required. It is the first in a NIST series of three and is followed by:
- NIST 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems (September 1996)
- NIST 800-18 Guide for Developing Security Plans for Information Technology Systems (December 1998)

Circulation
The guidance is published by a US government department, thus it is more commonly used by US organisations. However, the NIST series of security publications is internationally known by the information security industry. NIST is also the US representative in Common Criteria guidance.

Goal of the Standard or Guidance Publication


The guidance is designed to provide a broad overview of computer security and assistance to the reader in developing and implementing a computer security programme. It does not intend to provide detailed guidance on implementation of the computer security programme nor to specify control requirements in detail. Rather, it focusses on the benefits that good security promotes.


Information Security Drivers for Implementing the Guidance: Why


Compliance with NIST 800-12 is often driven by a need to comply with principles and criteria for US government organisations.

Related Risks of Noncompliance: What Could Happen


There is no direct risk from not complying unless the organisation has an inherent need to comply with this guidance.

Target Audience
The guidance states that it is aimed at those with responsibilities for computer security, particularly those in US government organisations. However, the majority of its contents could be applicable to any individual with information security responsibilities.

Timeliness
The guidance is somewhat dated on the controls side, having been produced in 1995. However, its overall guidance on a computer security programme remains valid. No updates have been published.

Certification Opportunities
No certification is available for NIST 800-12.

Completeness
Although it was designed primarily for US government agencies, it is also considered appropriate for organisations of any type or size. Many of the references are US-specific, but this should not be a major problem for non-US readers. The controls are somewhat dated and are provided at a relatively high level compared with guidance available in other publications. Despite this, it does a good job of meeting its stated objectives.

Availability
The guidance is posted for complimentary download electronically from the CSRC web site, www.csrc.nist.gov. Printed versions are not available.

Recognition/Reputation
Based on the results of the global CISM survey conducted in 2004 (described in this document's Introduction), the guidance is well recognised by more than 60 percent of surveyed CISMs globally, particularly in North America (85 percent). Around half of the surveyed CISMs felt the guidance has only limited acceptance, although responses from North America were much more positive.

Usage
The guidance is actively used (i.e., implemented, used as best practice or used for assessment) by one-third of all North American CISMs and also by many in Central/South America. The application levels are quite low (less than 14 percent) in other areas. Despite this low usage outside the Americas, more than half of all CISMs familiar with the publication considered it to be comprehensive and effective.

CISM Domain Alignment


Information Security Governance, 4
NIST 800-12 provides sound guidance for the information security manager, covering most of the tasks in this domain even though the content is somewhat dated and focussed on US government requirements.

Risk Management, 3
The guidance provides good descriptions of risk management concepts, but it does not provide direction on how to carry out risk assessments.

Information Security Programme Management, 4


It provides good guidance on setting up and managing an information security programme although aspects of project management are not addressed.

Information Security Management, 4


NIST 800-12 provides sound guidance for the information security manager, covering most of the tasks in this domain even though some of the documents are somewhat dated.

Response Management, 3
It provides good guidance on the components of contingency planning, but it does not go fully into response management nor cover forensics.


Overall, 4
NIST 800-12 is a good guideline that covers many aspects of information security management. It is focussed on the US government and may be somewhat cumbersome for small, commercial organisations, but overall it is a valuable source of guidance. It would benefit from being updated as it was last published in 1995.

Description and Guidance on Use


The NIST Handbook is a document of 290 pages split into a number of sections, further divided into chapters. Section I provides an introduction to the handbook and also includes the foundations upon which the chapters on controls are based. The handbook's general approach to computer security is based on eight major principles. The principles are based on those published by the Organisation for Economic Co-operation and Development in 1992, and imply the premise of being generally accepted and applied when developing or maintaining IT systems. The 1992 OECD principles are accountability, awareness, ethics, multidisciplinary, proportionality, integration, timeliness, reassessment and democracy. (The OECD published new principles in 2002.) Taking these into account, the handbook's eight principles are:
- Computer security supports the mission of the organisation: Even though the protection of assets (information, hardware and software) is essential to achieving the goals of the organisation, security is frequently seen as inconsistent with business objectives. Thus, management needs to understand the mission of the organisation and how this mission is supported by IT systems. Security is a means to an end, not an end in itself.
- Computer security is an integral element of sound management: Management must accept that harm to assets can occur even though security provisions are in place. Management has to commit to the level of risk it is willing to accept.
- Computer security should be cost-effective: The cost of securing systems has to be aligned with the security need. This requires that the costs and benefits of security be examined in monetary and nonmonetary terms. Direct and indirect costs should be considered when analysing the costs.
- System owners have security responsibilities outside their own organisations: System owners have to inform external users of the security measures of their systems, and they are responsible for incident response in a timely and coordinated manner.
- Computer security responsibilities and accountability should be made explicit: Every organisation, regardless of size, should document the responsibilities and accountabilities of owners, providers and users. Those with specific responsibilities for IT security, e.g., programmers and software development managers, should also have these responsibilities documented.
- Computer security requires a comprehensive and integrated approach: Computer security and areas outside computer security should be considered together. The interdependence of security controls and other controls must be understood, and a mix of managerial, operational and technical controls applied to achieve an adequate and stable level of security.
- Computer security should be periodically reassessed: The need to re-evaluate security measures is obvious given continual change in organisations, business environments, legal issues, threats and technologies.
- Computer security is constrained by societal factors: Security measures may come into conflict with other constraints, such as workplace privacy. Those conflicts must be resolved.

Another chapter within section I provides ideas on how roles and responsibilities for security may be allocated within an organisation. These roles and responsibilities are nonprescriptive, and the handbook recognises that they will vary depending on many factors, including the size of the organisation. Examples are given for 18 typical roles, including senior management, audit, quality assurance, help desk, and system management and administration. Common threats to information are explained under nine headings, including fraud and theft, employee sabotage, malicious hackers, malicious code, errors and omissions, and espionage.

Sections II, III and IV address controls, which have been divided into three areas: management, technical and operational. Section II contains the management controls, divided into a number of chapters, each addressing a specific area.

Computer Security Policy Chapter

This chapter breaks policy into three types:
- Programme policy is defined as that which is used to create an organisation's computer security programme. Guidance is provided on defining programme purpose, scope, responsibilities and compliance. Programme policy is assumed to be broad-based and relatively stable.
- Issue-specific policy relates to areas that are new or more likely to need change, for instance as a result of changes in technology. Examples given include the Internet and e-mail.
- System-specific policy relates to the detailed attention that must be given to an individual system, keeping in mind that different systems may need different levels of protection. A distinction is drawn between security objectives (explicitly defined requirements based on confidentiality, integrity and availability needs) and operational security rules (documenting the who, what and when).


Computer Security Programme Management Chapter


This chapter provides suggestions on how the computer security programme should be structured. Examples provided reflect common structures found in US federal organisations, with an emphasis on the fact that organisations differ and there is no single solution that will work for everyone. Detailed guidance is also provided on the benefits of centralised computer security programmes vs. system-level computer security programmes and how the two approaches can be used and work together.

Computer Security Risk Management Chapter

This chapter explains risk management in detail by breaking it down into three main areas:
- Risk assessment is defined as the process of analysing and interpreting risk. Within this activity area are determination of scope, the methodology to be used, collection of data, and analysis and interpretation of results. Asset valuation and threat, vulnerability and safeguard assessment are defined.
- Risk mitigation covers the selection and implementation of additional safeguards (to the point where residual risk is acceptable) and the process of monitoring them for effectiveness.
- Uncertainty analysis is described as the need to understand how accurate and reliable the risk analysis has been (e.g., the accuracy of the valuation of assets) to enable management to use the analysis results effectively.

Security and Planning in the Computer System Life Cycle Chapter

Five basic phases are described for life cycle planning:
- Initiation is when the sensitivity of the system and the information it will process are determined, to provide an early indication of the likely security safeguards and their costs.
- Development and acquisition is when security requirements are defined in more detail (including consideration of legal requirements, policies, standards and cost), incorporated into designs, and either built or acquired.
- Implementation includes security testing and accreditation (the formal authorisation by the accrediting management official for system operation, and an explicit acceptance of risk).
- Operation and maintenance covers the operation and administration of safeguards, assurance that they are being followed and are working, and reanalysis of safeguards with reaccreditation as necessary.
- Disposal includes discarding information, hardware and software using appropriate methods.


Assurance Chapter

The handbook defines computer security assurance as the degree of confidence one has that the security measures, both technical and operational, work as intended to protect the system and the information it processes. This chapter examines both accreditation and assurance, describing objectives, methods and when assurance is required within the planning, design, implementation and operation of systems. Many tools and methods for obtaining assurance (e.g., penetration testing and automated tools) are described.

Extract from 7.1.2, Collecting and Analyzing Data: Risk has many different components: assets, threats, vulnerabilities, safeguards, consequences, and likelihood. This examination normally includes gathering data about the threatened area and synthesizing and analyzing the information to make it useful. Because it is possible to collect much more information than can be analyzed, steps need to be taken to limit information gathering and analysis. This process is called screening. A risk management effort should focus on those areas that result in the greatest consequence to the organization (i.e., can cause the most harm). This can be done by ranking threats and assets. A risk management methodology does not necessarily need to analyze each of the components of risk separately. For example, assets/consequences or threats/likelihoods may be analyzed together.

Section III on operational controls also contains a number of chapters describing control requirements for specific areas.

Personnel/User Issues Chapter


Staffing issues include consideration of the sensitivity of positions, segregation of duties, screening before employment and the requirements for training. User account management is also covered, with guidance provided on the creation/maintenance/deletion of user accounts, processes for tracking usage, review of authorisations, and dealing with staff transfers and departures.

Preparing for Contingencies and Disasters Chapter

This chapter describes the six main activities for contingency planning as:
- Identifying business-critical functions
- Identifying required resources
- Anticipating disasters
- Selecting a strategy
- Implementing the strategy
- Testing/revising the plan


Resources addressed include human, computer-based, data, infrastructure and documentary. Some examples are provided on the different types of questions that may arise in planning, given different scenarios. Suggestions are also provided on the types of backup sites that may be considered, depending on requirements.

Computer Security Incident Handling Chapter

This chapter describes the benefits of having an incident handling capability and the common characteristics that are most likely to lead to success, although not in much detail. Also included are guidelines on the types of technical and mechanical support that will help ensure rapid communication and response in the event of an incident.

Awareness, Training and Education Chapter

This chapter defines the three main purposes of security awareness, training and education as:
- Improving awareness of the need to protect system resources
- Developing skills and knowledge so computer users can perform their jobs more securely
- Building in-depth knowledge, as needed, to design, implement or operate security programmes for organisations and systems
It describes the different objectives, suggested teaching methods and impacts for awareness, training and education, and provides a seven-step approach to implementing a programme that addresses all three:
1. Identify programme scope, goals and objectives.
2. Identify training staff.
3. Identify target audiences.
4. Motivate management and employees.
5. Administer the programme.
6. Maintain the programme.
7. Evaluate the programme.

Security Considerations in Computer Support and Operations Chapter


This chapter describes seven main areas that need addressing to run a computer system: user support, software support, configuration management, backups, media controls, documentation and maintenance. Media controls include those for marking, logging, integrity verification, physical safety, movement and disposal.

Physical and Environmental Security Chapter

This chapter considers the controls necessary to protect buildings and infrastructure. It addresses this in the context of three areas (the type of facility, the geographic location and the services supporting facilities, human and technical) and recognises that variations mean the likelihood of some threats will differ. Amongst the threats considered are physical damage to buildings, intruders (physical) and physical theft.

Extract from 14.1, User Support: An important security consideration for user support personnel is being able to recognize which problems (brought to their attention by users) are security-related. For example, users' inability to log onto a computer system may result from disabling their accounts due to too many failed access attempts. This could indicate the presence of hackers trying to guess users' passwords. In general, system support and operations staff need to be able to identify security problems, respond appropriately, and inform appropriate individuals. A wide range of possible security problems exists. Some will be internal to custom applications, while others apply to off-the-shelf products. Additionally, problems can be software- or hardware-based.

Section IV addresses technical controls and is, again, split into a number of chapters.

Identification and Authentication Chapter


This chapter describes the three means of authentication (what you know, what you have and what you are) and provides the different methods used for each, along with associated benefits, problems and suggestions on how they should be used. It also considers implementation and maintenance of the identification and authentication system.

Logical Access Control Chapter


This chapter addresses access criteria and control mechanisms, including ACLs, encryption and firewalls. It includes consideration of roles, locations, time restrictions, service constraints and common types of access modes (e.g., read and execute). Amongst the internal controls described are passwords, encryption, security labels, port protection devices and host-based authentication. Administration of access control is also considered, along with comparisons made for centralised and decentralised administration functions.
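As an added example (not code from NIST 800-12 or from this publication), the following Python evaluates a small access control list that combines the criteria this chapter lists: the user's roles, the location the request comes from, a time restriction and the requested access mode. The decision is deny by default and every decision carries a reason so it can be written to the audit trail. The resource name, roles, network zones and requests are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset      # roles held by the requesting user
    mode: str             # requested access mode: read, write, execute, delete
    location: str         # network zone the request originates from (assumed)
    when: datetime        # local time of the request


@dataclass(frozen=True)
class AclEntry:
    resource: str
    role: str
    modes: frozenset                          # modes this entry permits
    locations: frozenset = frozenset({"*"})   # "*" means any location
    start: time = time(0, 0)                  # permitted time-of-day window
    end: time = time(23, 59, 59)

    def permits(self, req: AccessRequest) -> bool:
        """All four criteria must hold: role, mode, location and time."""
        return (self.role in req.roles
                and req.mode in self.modes
                and ("*" in self.locations or req.location in self.locations)
                and self.start <= req.when.time() <= self.end)


def decide(acl, resource: str, req: AccessRequest):
    """Default deny: grant only when some entry for this resource permits the
    request. Returns (allowed, reason); the reason is meant for the audit log."""
    for entry in acl:
        if entry.resource == resource and entry.permits(req):
            return True, f"permit: user={req.user} role={entry.role} mode={req.mode}"
    return False, f"deny: user={req.user} mode={req.mode} resource={resource} (no matching entry)"


# Constructed ACL for a hypothetical payroll database: clerks may read/write
# only from the office LAN during working hours, auditors may read from
# anywhere at any time, DBAs may also execute, from the LAN or the ops VPN.
PAYROLL_ACL = (
    AclEntry("payroll_db", "payroll_clerk", frozenset({"read", "write"}),
             frozenset({"hq_lan"}), time(7, 0), time(19, 0)),
    AclEntry("payroll_db", "auditor", frozenset({"read"})),
    AclEntry("payroll_db", "dba", frozenset({"read", "write", "execute"}),
             frozenset({"hq_lan", "ops_vpn"})),
)


def run_demo() -> dict:
    """Evaluate constructed requests; returns {case label: allowed?}."""
    day = datetime(2005, 3, 1, 10, 30)
    night = datetime(2005, 3, 1, 22, 15)
    clerk, auditor, dba = (frozenset({r}) for r in ("payroll_clerk", "auditor", "dba"))
    cases = [
        ("clerk write from LAN in hours", "payroll_db", AccessRequest("jsmith", clerk, "write", "hq_lan", day)),
        ("clerk read from VPN", "payroll_db", AccessRequest("jsmith", clerk, "read", "ops_vpn", day)),
        ("clerk read from LAN at night", "payroll_db", AccessRequest("jsmith", clerk, "read", "hq_lan", night)),
        ("auditor read from VPN at night", "payroll_db", AccessRequest("akhan", auditor, "read", "ops_vpn", night)),
        ("auditor write", "payroll_db", AccessRequest("akhan", auditor, "write", "hq_lan", day)),
        ("dba execute from VPN", "payroll_db", AccessRequest("dlee", dba, "execute", "ops_vpn", day)),
        ("dba read on unlisted resource", "hr_db", AccessRequest("dlee", dba, "read", "hq_lan", day)),
        ("user with no roles", "payroll_db", AccessRequest("guest", frozenset(), "read", "hq_lan", day)),
    ]
    return {label: decide(PAYROLL_ACL, resource, req)[0] for label, resource, req in cases}


if __name__ == "__main__":
    for label, allowed in run_demo().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {label}")
```

The entries are evaluated as permits only; a deny is the absence of a permit, which keeps the policy easy to audit and avoids the ordering ambiguities that explicit deny rules introduce. Time windows here are time-of-day only; a production ACL would also carry time zone and day-of-week.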

Audit Trails Chapter


This chapter considers the benefits of audit trails under the four areas of accountability, event reconstruction, intrusion detection and problem analysis. Types of auditing are also discussed with examples provided of system logs and application logs. There is also guidance on implementing and protecting audit logs, reviewing logs and the types of tools that can be used for log analysis.
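The user support extract above (a burst of failed logons that locks an account, possibly a password-guessing attempt) is exactly the kind of event an audit trail exists to surface, and this chapter's intrusion detection and log analysis points are the other half of that picture. As an added example, not taken from the handbook, the following Python runs that check over constructed authentication log lines in an assumed format: it flags an account that accumulates lockout-level failures within a short window, a successful logon that follows such a burst, and a single source failing against many distinct accounts (password spraying, which per-account lockout thresholds alone do not catch). Lines that do not parse are counted rather than silently dropped, since gaps in an audit trail are themselves worth reporting.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: ISO timestamp, "auth:", OK/FAIL, user and source host.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) auth: (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: a guessing burst against jsmith that then succeeds,
# one source trying four different accounts, one ordinary typo, one bad line.
SAMPLE_LOG = """\
2005-03-01T09:00:01 auth: FAIL user=jsmith src=10.0.0.5
2005-03-01T09:00:05 auth: FAIL user=jsmith src=10.0.0.5
2005-03-01T09:00:09 auth: FAIL user=jsmith src=10.0.0.5
2005-03-01T09:00:12 auth: FAIL user=jsmith src=10.0.0.5
2005-03-01T09:00:15 auth: FAIL user=jsmith src=10.0.0.5
2005-03-01T09:00:20 auth: OK user=jsmith src=10.0.0.5
2005-03-01T09:05:00 auth: FAIL user=alice src=198.51.100.7
2005-03-01T09:05:01 auth: FAIL user=bob src=198.51.100.7
2005-03-01T09:05:02 auth: FAIL user=carol src=198.51.100.7
2005-03-01T09:05:03 auth: FAIL user=dave src=198.51.100.7
2005-03-01T09:10:00 auth: FAIL user=mjones src=10.0.0.9
2005-03-01T09:10:30 auth: OK user=mjones src=10.0.0.9
2005-03-01T09:11:00 auth: bogus line that does not parse
"""


def parse(text: str):
    """Return (events, unparsed_count); events are (ts, result, user, src)."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1          # never drop silently: a gap is a finding too
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events, unparsed


def detect(events, max_failures=5, window=timedelta(minutes=10), spray_threshold=3):
    """Walk events in time order and emit (kind, subject, detail) findings."""
    findings = []
    recent = defaultdict(list)     # user -> failure timestamps inside the window
    flagged = set()                # users already at lockout-level failures
    spray = defaultdict(set)       # src -> distinct users it has failed against
    spray_flagged = set()
    for ts, result, user, src in sorted(events):
        if result == "FAIL":
            recent[user] = [t for t in recent[user] + [ts] if ts - t <= window]
            if len(recent[user]) >= max_failures and user not in flagged:
                flagged.add(user)
                findings.append(("guessing", user,
                                 f"{len(recent[user])} failures within {window} from {src}"))
            spray[src].add(user)
            if len(spray[src]) >= spray_threshold and src not in spray_flagged:
                spray_flagged.add(src)
                findings.append(("spraying", src,
                                 f"failures against {len(spray[src])} distinct accounts"))
        elif user in flagged:
            # A success right after a lockout-level burst deserves a human look:
            # either the guess landed or a legitimate user was locked out and reset.
            findings.append(("success_after_lockout_level", user,
                             f"successful logon from {src} after {len(recent[user])} failures"))
            flagged.discard(user)
    return findings


def analyse(text: str = SAMPLE_LOG, **thresholds):
    events, unparsed = parse(text)
    return detect(events, **thresholds), unparsed


if __name__ == "__main__":
    findings, unparsed = analyse()
    for kind, subject, detail in findings:
        print(f"{kind:28} {subject:16} {detail}")
    print(f"unparsed lines: {unparsed}")
```

The thresholds are parameters because the right values depend on the system's lockout policy; the spraying check is keyed on the source rather than the account precisely because a spray keeps every account below the per-account lockout count.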


Cryptography Chapter
This chapter explains the differences between secret and public key cryptography, and common applications for their use, including integrity checking and digital signatures. Guidance is also provided on selection and implementation issues such as hardware vs. software, key management and export controls. Chapter 20 of the handbook provides a detailed example of how computer security may be addressed, using a hypothetical government agency. The example describes an environment, provides details and outcome of risk assessment, identifies threats, defines existing security measures and existing vulnerabilities, and finishes with recommendations for mitigation.
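As an added example (not from the handbook), the following Python shows the secret-key side of the integrity-checking application this chapter mentions: a keyed hash (HMAC-SHA256) over a message, verified with a constant-time comparison, so that a tampered message, a truncated tag, a tag reused on a different message, or a tag computed under a different key is rejected. The message and the fixed key are constructed for reproducibility; a real system would generate the key with new_key() and distribute it over a protected channel, which is the key management problem the chapter also raises.

```python
import hashlib
import hmac
import secrets


def new_key() -> bytes:
    """A fresh 256-bit shared secret from the OS CSPRNG."""
    return secrets.token_bytes(32)


def make_tag(key: bytes, message: bytes) -> bytes:
    """Integrity tag: HMAC-SHA256 of the message under the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time. A plain == comparison
    stops at the first differing byte and so leaks, through timing, how many
    leading bytes of a forged tag were right. compare_digest also returns
    False when the lengths differ, which rejects truncated tags."""
    return hmac.compare_digest(make_tag(key, message), tag)


def run_demo() -> dict:
    """Exercise the check on a constructed message; returns {case: accepted?}."""
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c" * 2)  # constructed fixed key
    message = b"transfer 100.00 to account 4711"
    tag = make_tag(key, message)
    return {
        "genuine": verify_tag(key, message, tag),
        "tampered_message": verify_tag(key, b"transfer 900.00 to account 4711", tag),
        "truncated_tag": verify_tag(key, message, tag[:16]),
        "tag_reused_on_other_message": verify_tag(key, b"transfer 100.00 to account 4712", tag),
        "wrong_key": verify_tag(new_key(), message, tag),
    }


if __name__ == "__main__":
    for case, accepted in run_demo().items():
        print(f"{case:30} {'ACCEPT' if accepted else 'REJECT'}")
```

Because every holder of the shared key can produce a valid tag, an HMAC proves integrity and origin only among the key holders; it cannot show a third party which holder produced the message. That non-repudiation property is what the digital signatures the chapter describes, built on public-key cryptography, add, at the cost of the key management and performance trade-offs the chapter discusses.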

References
www.nist.gov
www.csrc.nist.gov

12. NIST 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
Issuer
The Computer Security Resource Centre of the National Institute of Standards and Technology, an agency of the US Department of Commerce, published the document. It is part of NIST's 800 series (computer security), and was published in 1996.

Document Taxonomy
NIST 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems is a collection of principles and practices to establish and maintain system security. It is labelled as a special publication and is one of a series of three produced by NIST. The other two are:
- NIST 800-12 An Introduction to Computer Security: The NIST Handbook (October 1995)
- NIST 800-18 Guide for Developing Security Plans for Information Technology Systems (December 1998)

Circulation
The NIST 800-14 guidance was published by a US government department, thus it is more commonly used by US organisations. However, the NIST series of security publications is internationally known by the information security industry.

Goal of the Standard or Guidance Publication


NIST 800-14 intends to provide a baseline for establishing or reviewing IT security programmes. It should help in gaining an understanding of basic security requirements of IT systems. It not only focusses on security practices, it also describes the intrinsic expectations of security provisions from a high viewpoint in the form of principles.


Information Security Drivers for Implementing the Guidance: Why


Compliance with NIST 800-14 is often driven by the need to comply with the principles and criteria for US government organisations.

Related Risks of Noncompliance: What Could Happen


There is no direct risk from not complying unless the organisation has an inherent need to comply with this standard.

Target Audience
NIST 800-14 targets management, security practitioners, users, system developers and internal auditors. Thus, it explicitly addresses all parties responsible for IT security. When following the document, the security principles and practices are to be applied to governmental IT systems, particularly e-government systems.

Timeliness
The document was published in September 1996, and no subsequent revision is available. However, the majority of contents are high-level and still relevant.

Certification Opportunities
Certification to these principles is not available.

Completeness
NIST 800-14 describes at a high level the issues that must be considered in selecting appropriate policy and controls for an organisation. It does not provide the level of detail an organisation would need in deciding on appropriate security controls and practices, instead providing more of a framework. It provides a good foundation for those new to information security management, albeit more IT-focussed than many modern approaches to the subject.

Availability
The guidance is posted for free download from the CSRC web site at www.csrc.nist.gov.

Recognition/Reputation
The results of the global CISM survey conducted in 2004 (described in this document's Introduction) showed that NIST 800-14 is highly recognised in North America (80 percent), but it scored only slightly more than half (55 percent) in Europe/Africa and Asia. The guidance was also considered to have only limited or no acceptance by a large majority (88 percent) of CISMs, except, again, in North America, where acceptance levels are higher but still not overwhelming.

Usage
The global CISM survey showed that NIST 800-14 is being actively used (i.e., implemented, used as best practice or used for assessment) by more than one-third of North American CISMs but levels in Oceania, Europe/Africa and Asia show very low usage, at less than 15 percent. Despite this low usage, it is considered by more than half of all CISMs familiar with it to be comprehensive and effective.

CISM Domain Alignment


Information Security Governance, 2
NIST 800-14 contains a useful set of information security principles that can be used as a foundation for an information security policy and gives high-level descriptions of activities needed for an information security governance framework.

Risk Management, 1
The guidance describes a risk management framework, but not in sufficient detail to undertake risk assessments or make risk-based decisions.

Information Security Programme Management, 2


It provides guidance for creating a security plan to implement the governance framework and offers high-level controls.

Information Security Management, 2


NIST 800-14 addresses through its guidance many of the activities undertaken in information security management. However, it does not provide any guidance on how to establish or carry out these activities.

Response Management, 2
It provides a good list of important control practices for business continuity, but it does not fully address all areas of this domain nor provide guidance on how to establish or carry out the practices.

Overall, 2
NIST 800-14 is good as an introduction for those new to information security and/or for briefing and educating IT and business managers. It would be particularly useful for smaller organisations or those that have never addressed information security.

Description and Guidance on Use


NIST 800-14 (56 pages) describes eight principles and 14 practices. The principles are based on those published by the Organisation for Economic Co-operation and Development (OECD) in 1992 and carry the premise that they are generally accepted and should be applied when developing or maintaining IT systems. The 1992 OECD principles cited by the guideline are accountability, awareness, ethics, multidisciplinary, proportionality, integration, timeliness, reassessment and democracy. (The OECD published new principles in 2002.) As in NIST 800-12, the eight principles are:
- Computer security supports the mission of the organisation.
- Computer security is an integral element of sound management.
- Computer security should be cost-effective.
- System owners have security responsibilities outside their own organisations.
- Computer security responsibilities and accountability should be made explicit.
- Computer security requires a comprehensive and integrated approach.
- Computer security should be periodically reassessed.
- Computer security is constrained by societal factors.
Each of the principles applies to each of the practices, although the strength of the relationship varies. The 14 common IT security practices are meant as a companion to NIST Special Publication 800-12 An Introduction to Computer Security: The NIST Handbook. NIST 800-14 describes NIST 800-12 as the broad overview of computer security and an excellent primer, supplying the what and the why, and uses it as the template from which the practices are derived. Each of the 14 practices is described at a level that would allow a security manager to put together an information security programme framework, and these practices are also considered the minimum required for any organisation. Most of the practices in the guideline are quite common and the style is similar to the international standard ISO/IEC 17799:2000, which was used as a reference during the development of the practices in NIST 800-14 and is recommended as further reading.
The 14 practices are:
- Policy: Policy is further broken down into three types, described as programme, issue-specific and system-specific. Each type of policy has seven or eight recommended activities.
- Programme management: This includes a central security programme that applies to the enterprise and a system-level programme concerned with typical systems life cycle activities.
- Risk management: This practice addresses risk assessment, risk mitigation and uncertainty analysis, and also provides a number of common definitions and explanations.
- Life cycle planning: Life cycle planning has six phases, described as security plan, initiation phase, development/acquisition phase, implementation phase, operation/maintenance phase and disposal phase.
- Personnel/user issues: These activities address staffing and user administration, including steps for dealing with terminations.
- Preparing for contingencies and disasters: The five main activities in this practice are business plan, identification of resources, scenario development, strategy development and test/revision of the plan.
- Computer security incident handling: This is split into descriptions of how the incident response capability can be used and suggestions on its common characteristics.
- Awareness and training: The practice describes seven steps: identify programme scope, goals and objectives; identify training staff; identify target audiences; motivate management and employees; administer the programme; maintain the programme; and evaluate the programme.
- Security considerations in computer support and operations: This practice describes eight considerations, including user support, configuration management, media controls and a standardised logon banner.
- Physical and environmental security: This practice includes consideration of physical access controls, fire, flood and interception of data.
- Identification and authentication: This includes practices for identification, authentication and passwords, with common aspects such as limiting logon attempts being addressed.
- Logical access control: The practice addresses access criteria and control mechanisms, including ACLs, encryption and firewalls.
- Audit trails: This practice is split into four areas covering audit trail content, audit trail security, audit trail reviews and keystroke monitoring.
- Cryptography: This practice includes consideration of selection, design and key management.

Extract From 3.10 Physical and Environmental Security, Fire Safety Factors
Building fires are a particularly important security threat because of the potential for complete destruction of both hardware and data, the risk to human life, and the pervasiveness of the damage. Smoke, corrosive gases, and high humidity from a localized fire can damage systems throughout an entire building. Consequently, it is important to evaluate the fire safety of buildings that house systems.


References
www.nist.gov
www.csrc.nist.gov


13. NIST 800-18 Guide for Developing Security Plans for Information Technology Systems
Issuer
The Computer Security Resource Centre (CSRC) of the National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce, published the document. It is part of NIST's 800 series (computer security) and was published in December 1998.

Document Taxonomy
NIST 800-18 Guide for Developing Security Plans for Information Technology Systems is the third in a trilogy of NIST publications on IT security and provides a format and guidance for developing a system security plan. The first two publications are:
- NIST 800-12 An Introduction to Computer Security: The NIST Handbook (October 1995)
- NIST 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems (September 1996)

Circulation
The publication is from a US government department, so it is more commonly used by US organisations. However, the NIST series of security publications is internationally known by the information security industry.

Goal of the Standard or Guidance Publication


Following on from the previous two NIST publications, which describe the why and the what of computer security, this guide was created to provide a format and guidance for developing a system security plan (a requirement for US federal agencies).

Information Security Drivers for Implementing the Guidance: Why


Implementation of NIST 800-18 is generally driven by the need to comply with the principles and criteria for US government organisations.

Related Risks of Noncompliance: What Could Happen


There is no direct risk from not complying unless the organisation has an inherent need to comply with this standard.

Target Audience
The guideline is directed at those with little or no computer security expertise, but who are responsible for IT security at the system or organisational level. The concepts are intended to be generic and as such could be used by the private or public sector. The guideline can also be used as an auditing tool.

Timeliness
The guideline was published in 1998 but still remains valid and appropriate. No subsequent revision of the document is available.

Certification Opportunities
There is no certification for this guideline.

Completeness
NIST 800-18 provides a comprehensive template and instruction for completing a security plan. It needs to be used in combination with other reference material and, by itself, does not describe all of the responsibilities and activities that are likely to be performed by an information security manager.

Availability
The guidance is posted for complimentary download electronically from the CSRC web site, www.csrc.nist.gov.

Recognition/Reputation
The results of the global CISM survey (described in this document's Introduction) indicate that recognition of the guideline is very high in North America, at nearly 85 percent of CISMs, but falls to a little more than 50 percent in Europe/Africa and Asia. At least half of CISMs in all regions feel it has at least limited or wide acceptance as a guideline.

Usage
The CISM survey results indicate that the guideline is actively used (i.e., implemented, used as best practice or used for assessment) by one-third of North American CISMs, but usage is less than 17 percent elsewhere. However, it is considered by more than half of those familiar with it to be both comprehensive and effective.

CISM Domain Alignment


Information Security Governance, 1
NIST 800-18 implicitly addresses some of the activities in this domain but only as part of the process of creating a security plan.

Risk Management, 1
The guidance implicitly addresses some of the activities in this domain but only as part of the process of creating a security plan.

Information Security Programme Management, 3


It provides an excellent model for building a security plan for a system. It does not address programme management or project management.

Information Security Management, 1


The guide implicitly addresses some of the activities in this domain but only as part of the process of creating a security plan.

Response Management, 1
It implicitly addresses some of the activities in this domain but only as part of the process of creating a security plan.

Overall, 2
This publication was designed to provide guidance on developing a security plan for a system and it does so very well. It could be a valuable tool but should be used by an experienced information security practitioner alongside other tools and methodologies.


Description and Guidance on Use


The guideline is a document of 101 pages providing guidance on how a security plan should be devised. It describes the purpose of a security plan as being to provide an overview of the security requirements of the system and to describe the controls in place or planned for meeting those requirements; the system security plan also delineates responsibilities and expected behaviour of all individuals who access the system. The guideline describes system analysis as the first step in creating a security plan. System analysis is concerned with understanding and defining a system in enough detail to know what type of security plan will be needed. Within this step, system boundaries are defined (e.g., whether the system includes PCs using the application even when they are not directly connected) and the system is categorised. The guideline has two categories: major application and general support system. Major application is used for systems performing functions that can be clearly defined, whilst general support system is used for less tangible systems, such as LANs and backbones. Appendix C of the guideline contains security plan templates, one for major applications and one for general support systems. Each is nine pages long and contains probing questions that may be asked to complete the template. The remaining chapters of the guideline provide further guidance on completing the plan.

Plan Development Chapter


This chapter provides guidance on how to complete the first parts of the templates, what to consider and what level of detail may be appropriate. Several examples are provided.

Extract From 3.5 System Environment
Provide a brief (one-three paragraphs) general description of the technical system. Include any environmental or technical factors that raise special security concerns, such as:
- The system is connected to the Internet
- It is located in a harsh or overseas environment
- Software is rapidly implemented
- The software resides on an open network used by the general public or with overseas access
- The application is processed at a facility outside of the organization's control
- The general support mainframe has dial-up lines


Management Controls
The guideline explains how to complete the management controls section of the template. This includes the results of a risk assessment, what types of security reviews the system has had (or has planned) and rules of behaviour for using the system. Reference is also made to the five-phase security life cycle (initiation, development/acquisition, implementation, operation/maintenance, disposal) and which aspects of the security plan can be considered and documented in each phase.

Extract From 4.3 Rules of Behavior
The rules of behavior should clearly delineate responsibilities and expected behavior of all individuals with access to the system. The rules should state the consequences of inconsistent behavior or noncompliance. The rules should be in writing and form the basis for security awareness and training.

Operational Controls
The guideline discusses operational controls for major applications separately from those for general support systems. In each case, issues to consider and guidance on decision-making factors are provided. Guidance is provided under the following headings:

Major applications
- Personnel
- Physical and environment protection
- Input/output controls
- Contingency planning
- Application software maintenance controls
- Data integrity/validation control
- Documentation
- Security awareness and training

General support systems
- Personnel
- Physical and environment protection
- Input/output controls
- Contingency planning
- Hardware and system software maintenance controls
- Integrity control
- Documentation
- Security awareness and training
- Incident response capability

Extract From 5.MA.1 Personnel Security
Have all positions been reviewed for sensitivity level? If all positions have not been reviewed, state the planned date for completion of position sensitivity analysis. A statement as to whether individuals have received the background screening appropriate for the position to which they are assigned. If all individuals have not had appropriate background screening, include the date by which such screening will be completed. If individuals are permitted system access prior to completion of appropriate background screening, describe the conditions under which this is allowed and any compensating controls to mitigate the associated risk. Is user access restricted (least privilege) to data files, to processing capability, or to peripherals and type of access (e.g., read, write, execute, delete) to the minimum necessary to perform the job?

Technical Controls
Technical controls are also addressed differently in the guide for major applications and general support systems. Again, in each case, issues to consider and guidance on decision-making factors are provided. Each considers controls under the headings of identification and authentication, logical access control and audit trails. Major applications also consider controls for public access.

Extract From 6.GSS.1.2 Authentication
Describe the method of user authentication (password, token, and biometrics). If a password system is used, provide the following specific information:
- Allowable character set;
- Password length (minimum, maximum);
- Password aging time frames and enforcement approach;
- Number of generations of expired passwords disallowed for use;
- Procedures for password changes;
- Procedures for handling lost passwords;
- Procedures for handling password compromise;
- Procedures for training users and the materials covered.
Note: The recommended minimum number of characters for a password is six to eight characters in a combination of alpha, numeric, or special characters. Indicate the frequency of password changes, describe how password changes are enforced (e.g., by the software or system administrator), and identify who changes the passwords (the user, the system, or the system administrator).

In addition to the template plans, the appendix also has examples of rules of behaviour (one for major applications and one for general support systems) in the form of a document designed to be read and signed by the relevant users.
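The parameters listed in the 6.GSS.1.2 extract are what the plan documents; the Python below is an added worked example (the editor's, not code from NIST 800-18 or from this guide) of a system enforcing those same parameters: allowable character set, length bounds, aging, and the number of expired generations that may not be reused. The policy values, the sample account and the salted PBKDF2 storage format are assumptions made for the example; the eight-character minimum is the example's own choice rather than the six to eight characters the 1998 note recommends.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import date

PBKDF2_ROUNDS = 100_000   # demonstration value; tune for the deployment


@dataclass
class PasswordPolicy:
    """The parameters the NIST 800-18 template asks a plan to document."""
    allowed_chars: str          # allowable character set
    min_length: int             # password length (minimum)
    max_length: int             # password length (maximum)
    max_age_days: int           # password aging time frame
    history_generations: int    # generations of expired passwords disallowed for reuse


def _digest(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS).hex()


def make_entry(password: str) -> tuple:
    """Store a password as (salt, digest); each password gets its own random salt."""
    salt = os.urandom(16)
    return (salt, _digest(password, salt))


def entry_matches(entry: tuple, candidate: str) -> bool:
    salt, digest = entry
    return hmac.compare_digest(digest, _digest(candidate, salt))


@dataclass
class PasswordRecord:
    current: tuple                                 # entry for the password in force
    last_changed: date
    history: list = field(default_factory=list)    # expired passwords, newest first


def is_expired(policy: PasswordPolicy, record: PasswordRecord, today: date) -> bool:
    """Aging enforcement: a change is due once max_age_days have elapsed."""
    return (today - record.last_changed).days > policy.max_age_days


def check_candidate(policy: PasswordPolicy, record: PasswordRecord, candidate: str) -> list:
    """Return the policy violations of a proposed password; an empty list means acceptable."""
    problems = []
    outside = sorted({c for c in candidate if c not in policy.allowed_chars})
    if outside:
        problems.append(f"characters outside the allowable set: {''.join(outside)!r}")
    if not policy.min_length <= len(candidate) <= policy.max_length:
        problems.append(f"length {len(candidate)} is not within "
                        f"{policy.min_length}-{policy.max_length}")
    # Neither the current password nor the remembered expired generations may be reused.
    remembered = [record.current] + record.history[:policy.history_generations]
    if any(entry_matches(entry, candidate) for entry in remembered):
        problems.append(f"reuses the current password or one of the last "
                        f"{policy.history_generations} expired passwords")
    return problems


def change_password(policy, record, candidate, today) -> list:
    """Apply the change when the candidate passes; returns the problems found (empty on success)."""
    problems = check_candidate(policy, record, candidate)
    if not problems:
        record.history.insert(0, record.current)
        del record.history[policy.history_generations:]   # forget the oldest generation
        record.current = make_entry(candidate)
        record.last_changed = today
    return problems


# Constructed sample policy; the values are the example's own, not figures from the guideline.
POLICY = PasswordPolicy(allowed_chars=string.ascii_letters + string.digits + "!@#$%^&*",
                        min_length=8, max_length=64, max_age_days=90, history_generations=2)

if __name__ == "__main__":
    account = PasswordRecord(current=make_entry("Winter2004!"), last_changed=date(2004, 10, 1))
    today = date(2005, 1, 15)
    print("change due:", is_expired(POLICY, account, today))
    print("reuse rejected:", change_password(POLICY, account, "Winter2004!", today))
    print("accepted:", change_password(POLICY, account, "Spring2005$", today))
```

The history is kept as salted digests of the expired passwords, never as plaintext, and each candidate is re-hashed against every remembered salt; the history_generations parameter then maps directly onto the "number of generations of expired passwords disallowed for use" that the template asks for.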

References
www.nist.gov
www.csrc.nist.gov

14. NIST 800-53 Recommended Security Controls for Federal Information Systems, Second Public Draft
Issuer
The National Institute of Standards and Technology is a US-based organisation responsible for providing US agencies with standards and guidelines for information security. The 800 series contains a number of security-related guides, many of which are designed to be suitable for the private as well as the public sectors. NIST 800-53 Recommended Security Controls for Federal Information Systems was published as a first draft in October 2003 and followed by a second draft in September 2004. Although written for US federal agencies, it is expected to have a wide audience amongst businesses.

Document Taxonomy
NIST 800-53 Recommended Security Controls for Federal Information Systems is a public draft document containing baseline security controls. It is one of a series of documents published and planned on security for US federal information systems to be finalised in the first quarter of 2005. NIST 800-53 will be replaced in 2005 by FIPS Publication 200 Minimum Security Controls for Federal Information Systems, which will be the mandatory standard for US federal agencies.

Circulation
The publication is from a US government department, so it is likely to be more commonly used by US organisations. However, the NIST series of security publications is internationally known and used by the information security industry. Although a relatively new document, it is also likely to already have been considered by a wide audience.

Goal(s) of the Standard or Guidance Publication


NIST 800-53 is designed to provide guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal [US] government. The ultimate aim of the US government is to ensure that day-to-day government operations are undertaken with adequate security.


Information Security Drivers for Implementing the Guidance: Why


This will become a mandatory standard for US federal agencies in 2005.

Related Risks of Noncompliance: What Could Happen


There is no direct risk from not complying unless the organisation has an inherent need to comply with this standard.

Target Audience
The NIST 800-53 draft dated October 2003 was incomplete when issued for reviewers to comment. Despite this, extensive feedback was received and the second draft issued in September 2004 was a shorter but complete version. Draft 2 was also open to comment until November 2004, with the final version expected to be published in 2005. NIST 800-53 will be of specific interest to any individual who has security responsibilities and works in a US federal agency. However, it would be of interest to information security practitioners, IT managers and auditors in any type or size of organisation.

Timeliness
NIST 800-53 is in final drafting, with the final version due in the first quarter of 2005.

Certification Opportunities
There is no certification to this guide; however, NIST Special Publication 800-37 provides guidance on security certification and accreditation of information systems.

Completeness
NIST 800-53 is focussed on providing security controls; therefore, it does not describe in any detail the role of the information security manager or the requirements for establishing, implementing and maintaining an enterprisewide information security programme. A total of 154 security controls are described, with guidance and, in many cases, actions to enhance the control for higher risk systems. The set of controls within draft 2 is shorter and in less detail than those provided in draft 1.

Availability
The draft is posted for free download (as the final version will be) from the CSRC web site, www.csrc.nist.gov.

Recognition/Reputation
The global survey of CISMs (described in this document's Introduction) shows that NIST 800-53 is already known to 80 percent of North American CISMs, but recognition falls to around half in Europe/Africa and Asia. The vast majority (90 percent) of those familiar with it feel it has only limited or no acceptance. The exception is North America, but even there more than 50 percent feel it has only limited acceptance. One can assume this will change when the final document is published in 2005 and becomes a mandatory standard for US government agencies.

Usage
Surprisingly for a new and still-draft document, NIST 800-53 is already being actively used (i.e., implemented, used as best practice or used for assessment) by almost one-third of North American CISMs. However, usage figures for other regions are less than 15 percent. CISMs familiar with NIST 800-53 also generally feel it is (or will be) comprehensive and effective.

CISM Domain Alignment


Information Security Governance, 1
This domain is addressed only lightly in NIST 800-53s description of security fundamentals.

Risk Management, 1
The domain is addressed only lightly in its description of security fundamentals.

Information Security Programme Management, 3


NIST 800-53 provides a good set of basic security controls, with suggestions on additional controls for higher risk systems. No guidance is provided on security planning or project management.


Information Security Management, 1


This domain is addressed only lightly in its description of security fundamentals.

Response Management, 1
This domain is addressed only lightly in the documents description of security fundamentals.

Overall, 2
This is a good source of controls and control practices designed to be used by US government agencies. It provides a good source of basic security controls and will be even more useful when completed in 2005.

Description and Guidance on Use


NIST 800-53 is a document of 94 pages, primarily describing recommended security controls. Three initial chapters cover the introduction and security fundamentals. NIST 800-53 identifies the need for an organisation to consider not only which controls are necessary to protect assets and fulfil legal responsibilities, but also which can be maintained on a day-to-day basis. It also points out the need for a practical implementation plan for any controls that have been selected. NIST 800-53 describes an effective security programme as including the following eight important areas:
- Periodic assessment of risk: taking into account the needs of the organisation and the potential impacts of incidents
- Policies and procedures: ensuring that these are based on the organisation's risk assessment and are integrated throughout the life cycle
- Security plans: for every part of the IT infrastructure or organisation, as necessary
- Security awareness training: tailored to the needs of each individual's activities
- Periodic testing and evaluation: to ensure that policies and procedures remain effective
- Remedial processes: to ensure that deficiencies are dealt with formally and effectively
- Incident response: to ensure that problems are detected and dealt with effectively
- Continuity planning: to ensure that information systems continue to operate at the required levels


Figure 7: NIST Control Families

Identifier  Family                                                  Number of Controls
AC          Access Control                                          18
AT          Awareness and Training                                  4
AU          Audit and Accountability                                10
CA          Certification, Accreditation and Security Assessments   7
CM          Configuration Management                                6
CP          Contingency Planning                                    10
IA          Identification and Authentication                       7
IR          Incident Response                                       7
MA          Maintenance                                             6
MP          Media Protection                                        8
PE          Physical and Environmental Protection                   20
PL          Planning                                                5
PS          Personnel Security                                      8
RA          Risk Assessment                                         4
SA          System and Services Acquisition                         9
SC          System and Communications Protection                    18
SI          System and Information Integrity                        7
Total                                                               154

A major objective of NIST 800-53 is to provide a set of controls for selection and implementation. There are 154 controls categorised into 17 families, each of which is given a two-character identifier, as shown in figure 7. Controls are numbered within each family and each control has three components:
- The control section gives the specific security-related activity or action that is required to be undertaken. There may be some flexibility for the organisation in applying the control, indicated by assignment and selection options. For instance, an assignment may enable the organisation to define its own frequency or time period for reviews. A selection may offer, for instance, four or five possible actions, of which the organisation must implement at least two.
- Supplemental guidance gives additional detail that an organisation may need to consider, including applicable federal legislation, directives, etc.
- Control enhancements provide the additional steps necessary to strengthen the basic controls when a risk assessment has determined that this is necessary.
NIST 800-53 differentiates between common security controls and system-specific controls. It describes common security controls as those that can be applied across one or more organisational information systems, and as having properties that allow their development, implementation and assessment to be assigned to responsible organisational officials or organisational elements. Common security controls are those that can be centrally managed to ensure consistency and reduce costs. System-specific controls are simply described as the responsibility of the system owner. NIST 800-53 points out the need to ensure clarity in differentiating which controls are common and which are system-specific. It goes on to contend that information system owners are not responsible for the common security controls protecting their systems, only for those that are system-specific. (Author's note: Such an approach may not meet the needs of every organisation.)

As this piece of security guidance is aimed at US federal systems and at how to go about selecting baseline controls, it is of course based on US federal standards for categorising a system for security. Categories are low, moderate and high, and selection is based on the highest value among the potential impacts on confidentiality, integrity and availability. NIST 800-53 requires the highest value to be ascertained using the FIPS Publication 199 security category of the system. FIPS 199 derives the security category as the triple of the potential impacts for confidentiality, integrity and availability, expressed as:
SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are low, moderate or high.
Having determined the security category, appendix D can be referenced to determine the minimum security (baseline) controls required (i.e., corresponding to low, moderate or high impact). The full controls catalogue is provided in appendix F.

Extract From Appendix F, System and Information Integrity, Control Number SI-6
SI-6 SECURITY FUNCTIONALITY VERIFICATION
Control: The information system verifies the correct operation of security functions [Selection (one or more): upon system start-up and restart, upon command by the user with appropriate privilege, periodically every (Assignment: organization-defined time-period)] and [Selection (one or more): notifies system administrator, shuts the system down, restarts the system] when anomalies are discovered.
Supplemental Guidance: None.
Control Enhancements:
(1) The organization employs automated mechanisms to provide centralized notification of failed security tests.
(2) The organization employs automated mechanisms to support centralized management of distributed security testing.

Security assurance requirements are provided in appendix E. Low baseline controls are expected to have no obvious errors and to be corrected, as necessary, in a timely manner. Moderate baseline controls require a higher level of correctness and should be designed so that correctness is incorporated into their design. High baseline controls continue this theme with a requirement for capabilities that support ongoing, consistent operation and continuous improvement.

The activities relating to management of organisational risk are described within NIST 800-53 in the context of the system development life cycle. Nine activities are described:
1. Categorise the information system based on the FIPS 199 impact assessment.
2. Select baseline controls.
3. Adjust controls based on specific organisational requirements.
4. Document the agreed list of controls, including justifications for changes made.
5. Implement the controls.
6. Assess to ensure that the implemented controls are working as expected.
7. Determine the risk from continued operation of the system.
8. Authorise that this level of risk is acceptable.
9. Monitor controls on a continuous basis.

The draft of appendix G conveniently provides a mapping of the 154 NIST 800-53 controls against ISO/IEC 17799:2000 Code of Practice for Information Security Management, NIST Special Publication 800-26 Security Self-assessment Guide for Information Technology Systems, and the US Government Accountability Office (GAO) Federal Information System Controls Audit Manual.
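The first three of the nine activities (categorise, select the baseline, adjust the controls) and the assignment/selection notation in the SI-6 extract above are shown together in the following added worked example in Python. It is the editor's code, not code from NIST 800-53 or from this ISACA guide: the impact values, the organisation's choices for SI-6 and the 24-hour period are constructed for the example, the parser assumes that selection options are separated by commas (true of the SI-6 text), and the rule that a bare "Selection" without "(one or more)" means exactly one option is the example's own assumption.

```python
import re
from dataclasses import dataclass

# FIPS 199 impact levels in ascending order; the baseline is the highest
# level found across the confidentiality, integrity and availability impacts.
IMPACT_LEVELS = ("low", "moderate", "high")


def security_category(confidentiality, integrity, availability):
    """Build the SC triple used by FIPS 199 and NIST 800-53."""
    sc = {"confidentiality": confidentiality, "integrity": integrity,
          "availability": availability}
    for objective, impact in sc.items():
        if impact not in IMPACT_LEVELS:
            raise ValueError(f"{objective}: unknown impact level {impact!r}")
    return sc


def format_sc(sc):
    """Render the triple in the notation FIPS 199 uses."""
    return "SC = {" + ", ".join(f"({k}, {v})" for k, v in sc.items()) + "}"


def baseline(sc):
    """High-water mark: the baseline is the highest impact level in the triple."""
    return max(sc.values(), key=IMPACT_LEVELS.index)


# Parameter notation in the draft's control statements:
#   (Assignment: organization-defined ...)       -> the organisation supplies a value
#   [Selection (one or more): opt1, opt2, ...]   -> the organisation picks options
ASSIGNMENT_RE = re.compile(r"\(Assignment: ([^)]*)\)")
SELECTION_RE = re.compile(r"\[Selection(?: \(([^)]*)\))?: ([^\]]*)\]")


@dataclass
class Selection:
    cardinality: str    # "one or more", or "one" when the statement gives no qualifier
    options: list

    def allows(self, count):
        if self.cardinality == "one or more":
            return count >= 1
        return count == 1   # assumption: any other form means exactly one option


def parse_parameters(control_text):
    """Return (assignment names, selections) found in a control statement."""
    assignments = ASSIGNMENT_RE.findall(control_text)
    selections = [Selection(card or "one", [o.strip() for o in opts.split(",")])
                  for card, opts in SELECTION_RE.findall(control_text)]
    return assignments, selections


def check_tailoring(control_text, chosen, values):
    """List the problems with an organisation's choices; an empty list means valid."""
    problems = []
    _, selections = parse_parameters(control_text)
    if len(chosen) != len(selections):
        return [f"expected {len(selections)} selection(s), got {len(chosen)}"]
    for n, (sel, picks) in enumerate(zip(selections, chosen), 1):
        for pick in picks:
            if pick not in sel.options:
                problems.append(f"selection {n}: {pick!r} is not an offered option")
        if not sel.allows(len(picks)):
            problems.append(f"selection {n}: {len(picks)} chosen, need {sel.cardinality}")
    # A value is needed for every assignment outside the selections and for any
    # assignment embedded in an option that was actually chosen.
    needed = set(ASSIGNMENT_RE.findall(SELECTION_RE.sub("", control_text)))
    for picks in chosen:
        for pick in picks:
            needed.update(ASSIGNMENT_RE.findall(pick))
    for name in sorted(needed - set(values)):
        problems.append(f"no value supplied for assignment {name!r}")
    return problems


def tailor(control_text, chosen, values):
    """Produce the organisation's instantiated control statement."""
    problems = check_tailoring(control_text, chosen, values)
    if problems:
        raise ValueError("; ".join(problems))
    text = control_text
    for picks in chosen:   # selections are replaced left to right
        text = SELECTION_RE.sub(lambda m, picks=picks: ", ".join(picks), text, count=1)
    return ASSIGNMENT_RE.sub(lambda m: values[m.group(1)], text)


# Control statement as printed in the appendix F extract of draft 2.
SI_6 = ("The information system verifies the correct operation of security functions "
        "[Selection (one or more): upon system start-up and restart, upon command by the "
        "user with appropriate privilege, periodically every (Assignment: "
        "organization-defined time-period)] and [Selection (one or more): notifies system "
        "administrator, shuts the system down, restarts the system] when anomalies are "
        "discovered.")

# An organisation's choices, constructed for the example (not from the draft).
CHOICES = [["upon system start-up and restart",
            "periodically every (Assignment: organization-defined time-period)"],
           ["notifies system administrator"]]
VALUES = {"organization-defined time-period": "24 hours"}

if __name__ == "__main__":
    sc = security_category("moderate", "low", "high")
    print(format_sc(sc), "->", baseline(sc), "baseline")
    print(tailor(SI_6, CHOICES, VALUES))
```

check_tailoring is the part worth keeping: an unresolved "(Assignment: ...)" left in a plan, or an option the catalogue never offered, is the usual defect when a control statement is transcribed into a system security plan, and both are caught before the tailored text is produced.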

References
www.crsc.nist.gov
www.nist.com


15. OCTAVE Criteria Version 2.0 Networked Systems Survivability Program


Issuer
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Criteria Version 2.0 Networked Systems Survivability Program was published by the Carnegie Mellon Software Engineering Institute (SEI) in December 2001. The Software Engineering Institute is a federally funded research and development centre sponsored by the US Department of Defence.

Document Taxonomy
The OCTAVE criteria are a set of principles, attributes and outputs. OCTAVE Method (18 volumes) and OCTAVE-S (10 volumes) provide a full methodology for applying the criteria, including detailed process guidelines, worksheets, security practices and presentation slides. Introduction to the OCTAVE Approach has also been published.

Circulation
OCTAVE is available and promoted through the CERT organisation of SEI, which is internationally well known in the information security industry.

Goal of the Standard or Guidance Publication


OCTAVE's purpose was to provide a risk-based strategic assessment and planning technique for security. OCTAVE defines criteria for operationally critical threat, asset and vulnerability evaluations with the goal of defining a general approach for evaluating and managing information security risks. The OCTAVE approach provides a method to use the criteria for large organisations (e.g., 300-plus employees), whilst OCTAVE-S is an abridged version of the method for smaller organisations.


Information Security Drivers for Implementing the Guidance: Why


OCTAVE is a recognised methodology for risk management that allows an organisation to take ownership and accountability for risks.

Related Risks of Noncompliance: What Could Happen


There are no risks associated with not complying unless an organisation has decided to make it mandatory.

Target Audience
OCTAVE is aimed at the individuals within an organisation responsible for evaluating risks and ensuring appropriate protection strategies are developed and implemented.

Timeliness
The OCTAVE framework was first published in 1999, and since then, the SEI has continued to improve and develop the approach and method. The latest issuance occurred in 2001.

Certification Opportunities
No certification exists for OCTAVE.

Completeness
OCTAVE provides a complete methodology, with supporting documents, for the evaluation of security risks and selection of practices for the management of these risks. It has been designed to be suitable for organisations of any type, size or geographic location. OCTAVE covers only activities relating to evaluating risks, setting priorities and selecting controls. It does not address the full role and responsibilities of information security management.

Availability
OCTAVE documents are freely available from www.cert.org/octave.

Recognition/Reputation
According to the global survey of CISMs that was conducted in 2004 (described in this document's Introduction), OCTAVE has fairly low recognition amongst surveyed CISMs compared to many other standards (50 percent, with only 40 percent in Europe/Africa). Acceptance levels are also very low, with less than 10 percent in all regions believing the method to be widely accepted and more than half believing it has no acceptance whatsoever. This seems to be a very low figure for such a comprehensive methodology.

Usage
Usage (i.e., implemented, used as best practice or used for assessment) of OCTAVE is highest in North America and Asia, but still is at only 14 percent. There are varying opinions on how comprehensive it is considered, with North America, Europe/Africa and Central/South America coming out at more than 50 percent in favour of its coverage. Oceania, Central/South America and Asia find it most effective (60 to 80 percent).

CISM Domain Alignment


Information Security Governance, 2
OCTAVE includes many governance activities within its model but it does not provide any real guidance on how to set up and maintain an information security governance framework.

Risk Management, 4
OCTAVE includes a detailed and well-explained methodology for risk management that can be applied to large and small organisations.

Information Security Programme Management, 4


The OCTAVE catalogue of practices contains a good set of security practices. Following the methodology inherently helps in the planning, project management and ongoing review of an information security programme.

Information Security Management, 1


Through its guidance, OCTAVE implicitly addresses many of the activities undertaken in information security management. It does not provide any guidance on how to establish or carry out these activities.


Response Management, 1
It provides a list of important control practices for response, but does not fully address all areas of this domain or provide guidance on how to establish and manage a response management function.

Overall, 3
OCTAVE is an excellent methodology designed to involve management and staff at all levels in selecting and implementing information security controls. It is a bit detailed, and may be best suited to implementation and integration of security management.

Description and Guidance on Use


OCTAVE is an approach, based on self-determination, for undertaking an evaluation of the threats and vulnerabilities of operationally critical assets, including the process for identifying the assets and determining criticality. There are a number of documents; the main ones are described below.

Introduction to the OCTAVE Approach


This document (37 pages) provides an excellent overview of the OCTAVE approach, including an overview of the criteria and brief descriptions of the OCTAVE method for large companies and OCTAVE-S for smaller firms. It also provides guidance on how to choose between the two methods and, for those firms needing a combination of the two, information on which method suits which organisational attribute. The OCTAVE approach is designed to be self-directed and takes into account operational risks and security practices. A three-phased process is described that, when followed, should provide a comprehensive picture of an organisation's information security needs:
Phase 1. Build asset-based threat profiles: The identification of information assets, evaluation of existing controls, and selection of the most critical assets, their security needs and their specific threat profiles
Phase 2. Identify infrastructure vulnerabilities: The evaluation of IT infrastructure, including the identification of key components and their resistance to network attacks
Phase 3. Develop security strategy and plans: Identification of risks to critical assets and decision and protection strategies for mitigation

OCTAVE Criteria
This document (143 pages) contains an introduction and background to OCTAVE along with a more detailed description of the OCTAVE approach's three phases and how they fit into an ongoing process or continuum.

The criteria are built on a foundation of principles, attributes and outputs. There are 10 principles that are grouped into three areas:

Information security risk evaluation principles
1. Self-direction: People within an organisation should manage and direct their own evaluations and make their own decisions on risk.
2. Adaptable measures: Evaluations must be done through a flexible process to enable changes in the organisation and technology to be reflected.
3. Defined process: Standardised procedures for evaluation should be used to ensure consistency in results.
4. Foundation for a continuous process: Good practices should be adopted and a continuous improvement process should be introduced.

Risk management principles
5. Forward-looking view: Strategic thinking should identify the impacts of risks on the organisation's mission and business objectives.
6. Focus on the critical few: The majority of effort should focus on the most critical areas to ensure efficient use of resources.
7. Integrated management: Security should be integrated into other organisation strategies, including consideration of business goals when deriving security policy.

Organisational and cultural principles
8. Open communication: Collaborative approaches should be used in determining risks and communicating them in an open manner.
9. Global perspective: A common view of security should be ensured throughout the organisation.
10. Teamwork: An interdisciplinary approach, including business and technical employees, should be undertaken.

There are 15 attributes, each of which has a primary relationship with one or more of the principles. Each of the attributes is described and an explanation of its importance is provided:

Self-direction
RA.1 Analysis team: Describes a multidisciplinary team of employees and their responsibilities
RA.2 Augment analysis team skills: Enables the primary analysis team to find, when needed, specialist skills from other parts of the organisation or externally

Adaptable measures
RA.3 Catalogue of practices: The requirement for a set of practices that address strategic and operational security, including management practices, technical security, physical security, etc.
RA.4 Generic threat profile: Assessment of threats, including system, human and environmental
RA.5 Catalogue of vulnerabilities: Technological vulnerabilities and tools for their identification and evaluation


Defined process
RA.6 Defined evaluation activities: Documented procedures for every step of the evaluation process
RA.7 Documented evaluation results: Documented risks to the organisation and strategies for mitigation
RA.8 Evaluation scope: Clearly documenting what has been included or not within the scope of the evaluation

Foundation for a continuous process
RA.9 Next steps: The activity of documenting next steps and assigning ownership for their progression
RA.3 Catalogue of practices: As above

Forward-looking view
RA.10 Focus on risk: Examining interrelationships amongst assets, threats to assets and vulnerabilities, and their effect on the organisation's business objectives

Focus on the critical few
RA.8 Evaluation scope: As above
RA.11 Focussed activities: Ensuring that evaluation activities focus on critical assets for efficient use of resources

Integrated management
RA.12 Organisational and technological issues: Ensuring that technology is considered alongside existing practices used by staff
RA.13 Business and information technology participation: Ensuring participation from all areas of the business and from all levels (senior management to junior staff)
RA.14 Senior management participation: Active sponsorship, involvement in and review of the output of evaluations

Open communication
RA.15 Collaborative approach: Using workshops or other interactive approaches to ensure interdisciplinary knowledge and skills

Global perspective
RA.12 Organisational and technological issues: As above
RA.13 Business and information technology participation: As above

Extract of Organisational and Technological Issues (RA.12)
Requirements
The evaluation process must examine both organizational and technological issues. Information security risk evaluations typically include the following practice- and vulnerability-related information:
Current security practices used by staff members
Missing or inadequate security practices (also called organizational vulnerabilities)
Technological weaknesses present in key information technology systems and components


Importance
Because security has both organizational and technological components, it is important that an evaluation surface both organizational and technological issues. The analysis team analyzes both types of issues in relation to the mission and business objectives of the organization when creating the organization's protection strategy and risk mitigation plans. By doing this, the team is able to address security by creating a global picture of the information security risks with which the organization must deal.

The criteria also describe the various outputs required from each of the three phases:
RO1.1 Critical assets
RO1.2 Security requirements for critical assets
RO1.3 Threats to critical assets
RO1.4 Current security practices
RO1.5 Current organisation vulnerabilities
RO2.1 Key components
RO2.2 Technology vulnerabilities
RO3.1 Risks to critical assets
RO3.2 Risk measures
RO3.3 Protection strategy
RO3.4 Risk mitigation plans

Extract of RO3.3 Protection Strategy Output
Requirements
A protection strategy must be an output of the evaluation process. An organization's protection strategy defines its direction with respect to efforts to improve information security. It includes approaches for enabling, implementing, and maintaining security practices in an organization. A protection strategy tends to incorporate long-term organizationwide initiatives and is structured using the practice areas defined in the catalog of practices. (See Attribute RA.3.)
Importance
Creating a protection strategy is important because it charts a course for organizational improvement with respect to information security activities.

OCTAVE Method
Included within this 18-volume set of documentation is an introduction on how to use the method and guidelines on how to prepare for an OCTAVE assessment, including selection of the team. Volumes 3 to 12 contain all of the information for the three phases and eight processes of the method, including detailed processes, worksheets, slides for presentations with notes, and example results.


Extract of Guidance for Running a Workshop to Capture Senior Management Knowledge/Views
Prior to the workshop, you should review the following types of information:
The organization's security policies and procedures
An organizational chart
Any laws and regulations with which your organization must comply
An understanding of the information contained in the above items will be useful as you facilitate this workshop and as you analyze information in later workshops. You should use the slides provided to explain the concepts and activities of this workshop to the participants as you conduct the workshop. The process guidelines for Process 1 are written primarily for the lead facilitator of the workshop. All guidance for the scribe is specifically noted in these guidelines. Other members of the analysis team will support the lead facilitator, observe all activities, and take general notes. Regardless of workshop roles, all members of the analysis team should read and understand these guidelines.

The volumes also include a number of appendices, which include flow diagrams and more examples. Volume 15: Appendix, the OCTAVE Catalogue of Practices (48 pages), provides a good range of practices, defined as either strategic or operational, that organisations can use when creating their own practices. These practices include:

Strategic practices
SP1 Security awareness and training
SP2 Security strategy
SP3 Security management
SP4 Security policies and regulations
SP5 Collaborative security management
SP6 Contingency planning/disaster recovery

Operational practices
OP1.1 Physical security plans and procedures
OP1.2 Physical access control
OP1.3 Monitoring and auditing physical security
OP2.1 System and network management
OP2.2 System administration tools
OP2.3 Monitoring and auditing IT security
OP2.4 Authentication and authorisation
OP2.5 Vulnerability management
OP2.6 Encryption
OP2.7 Security architecture and design
OP3.1 Incident management
OP3.2 General staff practices

Extract of One of the SP3 Security Management Practices
SP3.5 The organization manages information security risks, including:
Assessing risks to information security both periodically and in response to major changes in technology, internal/external threats, or the organization's systems and operations
Taking steps to mitigate risks to an acceptable level
Maintaining an acceptable level of risk
Using information security risk assessments to help select cost-effective security/control measures, balancing implementation costs against potential losses

The catalogue of practices also contains a survey that can be used to obtain a view on the existing security posture, along with suggestions on where the various security statements could apply.

Extract of One of the Survey Questions on Vulnerability Management (OP2.5)
There is a documented set of procedures for managing vulnerabilities, including:
Selecting vulnerability evaluation tools, checklists, and scripts
Keeping up to date with known vulnerability types and attack methods
Reviewing sources of information on vulnerability announcements, security alerts, and notices
Identifying infrastructure components to be evaluated
Scheduling of vulnerability evaluations
Interpreting and responding to the results
Maintaining secure storage and disposition of vulnerability data

Reference
www.cert.org/octave


16. Guidelines for the Security of Information Systems and Networks and Associated Implementation Plan
Issuer
The Organisation for Economic Co-operation and Development is a member organisation of 30 countries and has active relationships with another 70 countries. The OECD's Guidelines for the Security of Information Systems and Networks was first produced in 1992 and the latest update was issued in July 2002. The Implementation Plan was released as a second draft in July 2003 and is still under review.

Document Taxonomy
Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security provides a set of nine principles aimed at fostering a culture of security. The associated Implementation Plan describes the responsibilities of government, business and civil society in implementing the guidelines.

Circulation
Although OECD is internationally known to those working in government economic departments and corporate finance and law, its profile within the information security industry remains low.

Goals of the Standard or Guidance Publication


OECD was first established in 1960 predominately to help achieve sustainable economic growth and financial stability in member countries and to contribute to economic expansion and world trade. In progressing these aims, OECD takes a prominent role in fostering good governance in public services and corporate activity. The guidelines are meant to provide a framework of principles to promote better understanding of how participants (in OECD) may benefit from, and contribute to, the development of a culture of security. The Implementation Plan is aimed predominately at government responsibilities but also refers to the roles of business and civil society.

129

Information Security HarmonisationClassification of Global Guidance

Information Security Drivers for Implementing the Guidance: Why


OECD guidelines are taken seriously by a number of countries and have formed the foundation for security principles defined in other standards and guidance documents. The principles are in keeping with many of the current and planned legislative changes being made by OECD member countries. Corporate social responsibility is becoming an important business driver for many large international organisations.

Related Risks of Noncompliance: What Could Happen


Noncompliance with the principles, whether defined in the same manner or not, may lead to breaches of local law or regulation.

Target Audience
The guidelines are aimed at senior persons within organisations responsible for governance, ethics (corporate social responsibility) and development of IT systems.

Timeliness
The guidelines are high-level and have been reviewed at least twice since first issued to ensure that they reflect changes in world economics, technology and events.

Certification Opportunities
Unlike conventions, the guidelines are nonbinding and governments are not legally bound to their use. However, a number of governments have produced publicly available plans on how they are implementing the principles. No certification is available.

Completeness
The guidelines are intended to be high-level and in this context are complete in the coverage they provide relating to information security principles. They are broadbased enough to relate to any type of organisation, of any size or geographic location. No security or technical knowledge is assumed or required. However, these guidelines would need to be heavily complemented with other publications for an information security manager as they do not begin to cover the full range of issues that must be addressed for enterprisewide information security management.

Availability
The guidelines are publicly available as a complimentary download at www.oecd.org.

Recognition/Reputation
The results of the 2004 global survey of CISMs (described in this document's Introduction) revealed that recognition is very low, with the highest in Oceania at just slightly more than 60 percent and Central/South America the lowest at 32 percent. The guidelines are felt to have very low acceptance across all regions, with almost 50 percent giving them no acceptance at all.

Usage
The guidelines are actively used (i.e., implemented, used as best practice or used for assessment) by only 8 percent or fewer of surveyed CISMs. Bearing in mind that the principles within the guidelines are used in other security-related publications (e.g., NIST), it is likely that many CISMs are applying the principles but with different wording, or they are just not aware of them as OECD principles. There are mixed opinions on the level of comprehensiveness and effectiveness, both positive and negative.

CISM Domain Alignment


Information Security Governance, 2
OECDs guidelines contain a useful set of information security principles that have been adopted by many governments and are slowly being built into law within some countries. They will also be of value to organisations with a business ethics or corporate social responsibility function.

Risk Management, 1
Risk assessment is one of the nine principles, but it is not addressed in a comprehensive manner.

Information Security Programme Management, 1


The guidelines are of limited interest to those working in government as they define the expectations of government.


Information Security Management, 0


This domain is not addressed at all by the guidance.

Response Management, 1
One of the principles deals with response management, but not in a comprehensive manner.

Overall, 1
The document does not provide much in the way of guidance for the information security manager, although knowledge of the OECD and its nine security principles is highly recommended as they are referenced in many other information security standards and guides.

Description and Guidance on Use


OECD Guidelines for the Security of Information Systems and Networks is a short document of just 16 pages, including a history of the document's development, an introduction and references. The guidelines provide nine principles that are designed to be complementary and are aimed at promoting a culture of security. Each principle is briefly explained. Perhaps uniquely, the principles include ethics and democracy. And, unusually, the risk assessment principle identifies the need to consider risks to others as well as to oneself. The guidelines should be of particular interest to an organisation with a business ethics or corporate social responsibility function. The nine principles address:
Awareness
Responsibility
Response (i.e., to incidents)
Ethics
Democracy
Risk assessment
Security design and implementation
Security management
Reassessment

Extract of Principle 6 Risk Assessment


Participants should conduct risk assessments. Risk assessment identifies threats and vulnerabilities and should be sufficiently broad-based to encompass key internal and external factors, such as technology, physical and human factors, policies and third-party services with security implications. Risk assessment will allow determination of the acceptable level of risk and assist the selection of appropriate controls to manage the risk of potential harm to information systems and networks in light of the nature and importance of the information to be protected. Because of the growing interconnectivity of information systems, risk assessment should include consideration of the potential harm that may originate from others or be caused to others.

The Implementation Plan for the Guidelines for the Security of Information Systems and Networks is a brief document of six pages. The majority of the document is aimed at defining the roles and responsibility of government in promoting a culture of security, but there are a couple of references to business and civil societies.

Extract of Paragraph Nine Describing One of the Government Responsibilities for Public Policy
9. A second aspect of the government's public policy role is to conduct outreach and support efforts by all participants to address security. In the first instance government action should raise awareness of law and policy that address cybersecurity. Beyond this, the government should facilitate awareness and appropriate responses by other participants through programmes and initiatives.

Reference
www.oecd.org


17. Manager's Guide to Information Security


Issuer
The Open Group is a vendor-neutral technology consortium with a vision to create boundaryless information flow achieved through global interoperability in a secure, reliable and timely manner. The booklet itself was written by members of the Open Group Security Forum, a forum established for more than 10 years.

Document Taxonomy
Manager's Guide to Information Security, issued in July 2002, provides general guidance on acquiring secure IT products and systems.

Circulation
The Open Group is internationally recognised. However, no information is available on circulation of the booklet.

Goal of the Standard or Guidance Publication


The booklet has been produced to help nonsecurity business managers understand what to look for when purchasing security products and services.

Information Security Drivers for Implementing the Guidance: Why


There are no specific drivers for this guidance.

Related Risks of Noncompliance: What Could Happen


No risks of noncompliance were identified by the authors of this document.

Target Audience
The booklet is aimed primarily at business managers responsible for some aspect of IT systems or those who evaluate or approve information security purchases.


Timeliness
The booklet was published in 2002 as a simple guide to business managers. It is nontechnical and remains valid in its content.

Certification Opportunities
No certification exists.

Completeness
As this is not directed at the information security manager, it does not begin to cover the full range of issues that must be addressed for enterprisewide information security management. However, it does provide some simple explanations of, and arguments for, security that information security managers may find useful when discussing information security with business managers.

Availability
This booklet is available for purchase from the Open Group at www.opengroup.org for US $9.95.

Recognition/Reputation and Usage


Since this publication is not designed for, nor aimed at, information security managers, CISM usage has not been surveyed.

CISM Domain Alignment


Information Security Governance, 0
Information security governance is not addressed.

Risk Management, 0
Risk management is not addressed.

Information Security Programme Management, 1


The booklet may be of some use for identifying some security questions before purchasing IT products.


Information Security Management, 1


It may be of some use for educating business managers with purchasing power for IT products and services.

Response Management, 0
Response management is not addressed.

Overall, 1
This publication is designed for business managers; it is not aimed at information security managers. However, it may be of some use in educating business managers with purchasing power for IT products and services.

Description and Guidance on Use


This 50-page booklet provides a brief introduction to the importance of security, including looking at information security from a business perspective. Simple explanations are given to a number of common queries that are made by business managers, including:
How much security do you need?
What are the risks?
What sort of protection do you need?
The booklet makes clear that it is the business manager who is responsible for identifying and valuing the risks significant to the business. Technical risk evaluation is up to trained security practitioners. It also talks about IT security as a service to the organisation, helping it to run more effectively. The need for activity logging and detection and response processes is briefly addressed, as is the need for security awareness and training. This naturally leads to explanations on the reality of how much security is already present in IT systems and whether or not it is properly enabled to meet the organisation's acceptance of risks.

Extract from Security from a Business Perspective, Detection and Response


Remember, a completely secure system is impossible. You must be able to detect and respond to failures in the enforcement of your policies. Information security systems should monitor your systems to identify anomalous patterns of activity. This monitoring, together with the logging and audit functions described above, will also help you (or your auditors) to determine that those responsible for setting up and maintaining the system have done the job correctly.

The booklet describes the types of things to expect from security solutions, and in each case, this is provided in a simple and easy-to-understand manner. Included are:
Administration: Explaining how access policies need to be enforced by the security system
Assurance and audit: Describing the reasons and benefits of logging and monitoring
Protection: Very general concepts from passwords to firewalls
Know who is who and proving who is who: Simple concepts of identification and authentication
Managing the list: Registering with LDAP, for example
What to allow: Simple concepts of authorisation services
Confidence in documents: Digital signatures in simple terms
Keeping trust: Reasons for cryptography and PKI
Extend your reach: The use of VPNs
Smell and detect trouble: Scanning and intrusion detection explained

Extract from 4. What to expect from Security Solutions


Digital signatures have a curious property that real signatures don't. A real signature is placed on the document it goes with. It can't be separated from the document without leaving a mark or a tear. A digital signature contains a fingerprint of the document! While it can be physically separated from the document, it is always possible to tell which document a signature was attached to. Because of this odd property, a digital signature can help prove that a document hasn't been changed since it was signed. If the document is changed, the fingerprint inside the signature will reveal the fact. So digital signatures are, in some ways, more powerful than real signatures.

Finally, the booklet addresses what to do next by explaining the options of handling security in-house or outsourcing.
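To make the booklet's "fingerprint inside the signature" description concrete, the following added Go example (not from the booklet or the Open Group) hashes a constructed sample purchase order with SHA-256, signs the hash with Ed25519, and shows that a detached signature still identifies its document and exposes any edit. The document text, the key helper and the function names are assumptions for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// sampleDocument is a constructed example; it is not taken from the booklet.
const sampleDocument = "Purchase order 1234: 50 units at 9.95 each"

// DetachedSignature is kept apart from the document it signs. It carries the
// document's SHA-256 digest, the "fingerprint of the document" the booklet
// describes, plus an Ed25519 signature over that digest.
type DetachedSignature struct {
	Fingerprint [sha256.Size]byte
	Sig         []byte
}

// NewSigningKey generates a fresh Ed25519 key pair (demo helper).
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignDocument hashes the document and signs the hash (hash-then-sign).
func SignDocument(priv ed25519.PrivateKey, doc []byte) DetachedSignature {
	fp := sha256.Sum256(doc)
	return DetachedSignature{Fingerprint: fp, Sig: ed25519.Sign(priv, fp[:])}
}

// VerifyDocument reports whether ds was made by the holder of the private key
// matching pub over exactly this document. Any change to doc changes its
// fingerprint, so the stored fingerprint no longer matches. The fingerprint is
// always recomputed from doc and the signature is always checked: the stored
// fingerprint is never trusted on its own, otherwise someone could edit both the
// document and the stored fingerprint together.
func VerifyDocument(pub ed25519.PublicKey, doc []byte, ds DetachedSignature) bool {
	fp := sha256.Sum256(doc)
	if fp != ds.Fingerprint {
		return false // document changed, or signature belongs to another document
	}
	return ed25519.Verify(pub, fp[:], ds.Sig)
}

// MatchSignatureToDocument shows the booklet's point that a separated signature
// still identifies its document: it returns the index of the candidate the
// signature verifies against, or -1 if it belongs to none of them.
func MatchSignatureToDocument(pub ed25519.PublicKey, candidates [][]byte, ds DetachedSignature) int {
	for i, doc := range candidates {
		if VerifyDocument(pub, doc, ds) {
			return i
		}
	}
	return -1
}

func main() {
	pub, priv := NewSigningKey()
	original := []byte(sampleDocument)
	// Constructed tampered copy: the quantity has been altered after signing.
	tampered := bytes.Replace(original, []byte("50 units"), []byte("500 units"), 1)

	ds := SignDocument(priv, original)
	fmt.Println("original verifies:", VerifyDocument(pub, original, ds))    // true
	fmt.Println("edited copy verifies:", VerifyDocument(pub, tampered, ds)) // false

	// The detached signature alone tells us which of several documents it was made over.
	candidates := [][]byte{[]byte("unrelated memo"), tampered, original}
	fmt.Println("signature belongs to candidate", MatchSignatureToDocument(pub, candidates, ds)) // 2
}
```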

Reference
www.opengroup.org


Annex: CISM Job Domains



Information Security Governance
Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations.

Tasks
Develop the information security strategy in support of business strategy and direction.
Obtain senior management commitment and support for information security throughout the enterprise.
Ensure that definitions of roles and responsibilities throughout the enterprise include information security governance activities.
Establish reporting and communication channels that support information security governance activities.
Identify current and potential legal and regulatory issues affecting information security and assess their impact on the enterprise.
Establish and maintain information security policies that support business goals and objectives.
Ensure the development of procedures and guidelines that support information security policies.
Develop business case and enterprise value analysis that support information security programme investments.

Knowledge Statements
Knowledge of information security concepts
Knowledge of the relationship between information security and business operations
Knowledge of techniques used to secure senior management commitment and support of information security management
Knowledge of methods of integrating information security governance into the overall enterprise governance framework
Knowledge of practices associated with an overall policy directive that captures senior management level direction and expectations for information security in laying the foundation for information security management within an organisation
Knowledge of an information security steering group function
Knowledge of information security management roles, responsibilities and organisational structure
Knowledge of areas of governance (for example, risk management, data classification management, network security, system access)


Knowledge of centralised and decentralised approaches to co-ordinating information security
Knowledge of legal and regulatory issues associated with Internet businesses, global transmissions and transborder data flows (for example, privacy, tax laws and tariffs, data import/export restrictions, restrictions on cryptography, warranties, patents, copyrights, trade secrets, national security)
Knowledge of common insurance policies and imposed conditions (for example, crime or fidelity insurance, business interruptions)
Knowledge of the requirements for the content and retention of business records and compliance
Knowledge of the process for linking policies to enterprise business objectives
Knowledge of the function and content of essential elements of an information security programme (for example, policy statements, procedures and guidelines)
Knowledge of techniques for developing an information security process improvement model for sustainable and repeatable information security policies and procedures
Knowledge of information security process improvement and its relationship to traditional process management
Knowledge of information security process improvement and its relationship to security architecture development and modelling
Knowledge of information security process improvement and its relationship to security infrastructure
Knowledge of generally accepted international standards for information security management and related process improvement models
Knowledge of the key components of cost-benefit analysis and enterprise transformation/migration plans (for example, architectural alignment, organisational positioning, change management, benchmarking, market/competitive analysis)
Knowledge of methodology for business case development and computing enterprise value proposition

Risk Management
Identify and manage information security risks to achieve business objectives.

Tasks
Develop a systematic, analytical and continuous risk management process.
Ensure that risk identification, analysis and mitigation activities are integrated into life cycle processes.
Apply risk identification and analysis methods.
Define strategies and prioritise options to mitigate risk to levels acceptable to the enterprise.
Report significant changes in risk to appropriate levels of management on a periodic and event-driven basis.

Knowledge Statements
Knowledge of information resources used in support of business processes
Knowledge of information resource valuation methodologies
Knowledge of information classification
Knowledge of the principles of development of baselines and their relationship to risk-based assessments of control requirements
Knowledge of life cycle-based risk management principles and practices
Knowledge of threats, vulnerabilities and exposures associated with confidentiality, integrity and availability of information resources
Knowledge of quantitative and qualitative methods used to determine sensitivity and criticality of information resources and the impact of adverse events
Knowledge of use of gap analysis to assess generally accepted standards of good practice for information security management against current state
Knowledge of recovery time objectives (RTO) for information resources and how to determine RTO
Knowledge of RTO and how it relates to business continuity and contingency planning objectives and processes
Knowledge of risk mitigation strategies used in defining security requirements for information resources supporting business applications
Knowledge of cost-benefit analysis techniques in assessing options for mitigating risks, threats and exposures to acceptable levels
Knowledge of managing and reporting status of identified risks

Information Security Programme Management


Design, develop and manage an information security programme to implement the information security governance framework.

Tasks
Create and maintain plans to implement the information security governance framework.
Develop information security baseline(s).
Develop procedures and guidelines to ensure that business processes address information security risk.
Develop procedures and guidelines for IT infrastructure activities to ensure compliance with information security policies.
Integrate information security programme requirements into the organisation's life cycle activities.
Develop methods of meeting information security policy requirements that recognise the impact on end users.
Promote accountability by business process owners and other stakeholders in managing information security risks.
Establish metrics to manage the information security governance framework.
Ensure that internal and external resources for information security are identified, appropriated and managed.

Knowledge Statements
Knowledge of methods to develop an implementation plan that meets security requirements identified in risk analyses
Knowledge of project management methods and techniques
Knowledge of the components of an information security governance framework for integrating security principles, practices, management and awareness into all aspects and all levels of the enterprise
Knowledge of security baselines and configuration management in the design and management of business applications and the infrastructure
Knowledge of information security architectures (for example, single sign-on, rules-based as opposed to list-based system access control for systems, limited points of systems administration)
Knowledge of information security technologies (for example, cryptographic techniques and digital signatures, to enable management to select appropriate controls)
Knowledge of security procedures and guidelines for business processes and infrastructure activities
Knowledge of the systems development life cycle methodologies (for example, traditional SDLC, prototyping)
Knowledge of planning, conducting, reporting and follow-up of security testing
Knowledge of certifying and accrediting the compliance of business applications and infrastructure to the enterprise's information security governance framework
Knowledge of types, benefits and costs of physical, administrative and technical controls
Knowledge of planning, designing, developing, testing and implementing information security requirements into an enterprise's business processes
Knowledge of security metrics design, development and implementation
Knowledge of acquisition management methods and techniques (for example, evaluation of vendor service level agreements, preparation of contracts)

Information Security Management


Oversee and direct information security activities to execute the information security programme.

Tasks
Ensure that the rules of use for information systems comply with the enterprise's information security policies.
Ensure that the administrative procedures for information systems comply with the enterprise's information security policies.
Ensure that services provided by other enterprises, including outsourced providers, are consistent with established information security policies.
Use metrics to measure, monitor and report on the effectiveness and efficiency of information security controls and compliance with information security policies.

Ensure that information security is not compromised throughout the change management process.
Ensure that vulnerability assessments are performed to evaluate effectiveness of existing controls.
Ensure that noncompliance issues and other variances are resolved in a timely manner.
Ensure the development and delivery of the activities that can influence culture and behaviour of staff, including information security education and awareness.

Knowledge Statements
Knowledge of how to interpret information security policies into operational use
Knowledge of information security administration process and procedures
Knowledge of methods for managing the implementation of the enterprise's information security programme through third parties, including trading partners and security services providers
Knowledge of continuous monitoring of security activities in the enterprise's infrastructure and business applications
Knowledge of methods used to manage success/failure in information security investments through data collection and periodic review of key performance indicators
Knowledge of change and configuration management activities
Knowledge of information security management due diligence activities and reviews of the infrastructure
Knowledge of liaison activities with internal/external assurance providers performing information security reviews
Knowledge of due diligence activities, reviews and related standards for managing and controlling access to information resources
Knowledge of external vulnerability reporting sources, which provide information that may require changes to the information security in applications and infrastructure
Knowledge of events affecting security baselines that may require risk reassessments and changes to information security requirements in security plans, test plans and reperformance
Knowledge of information security problem management practices
Knowledge of information security manager facilitative roles as change agents, educators and consultants
Knowledge of the ways in which culture and cultural differences affect the behaviour of staff
Knowledge of the activities that can change the culture and behaviour of staff
Knowledge of methods and techniques for security awareness training and education


Response Management
Develop and manage a capability to respond to and recover from disruptive and destructive information security events.

Tasks
Develop and implement processes for detecting, identifying and analysing security-related events.
Develop response and recovery plans, including organising, training and equipping the teams.
Ensure periodic testing of the response and recovery plans where appropriate.
Ensure the execution of response and recovery plans as required.
Establish procedures for documenting an event as a basis for subsequent action, including forensics when necessary.
Manage post-event reviews to identify causes and corrective actions.

Knowledge Statements
Knowledge of the components of an incident response capability
Knowledge of information security emergency management practices (for example, production change control activities, development of computer emergency response team)
Knowledge of disaster recovery planning and business recovery processes
Knowledge of disaster recovery testing for infrastructure and critical business applications
Knowledge of escalation processes for effective security management
Knowledge of intrusion detection policies and processes
Knowledge of help desk processes for identifying security incidents reported by users and distinguishing them from other issues dealt with by the help desks
Knowledge of the notification process in managing security incidents and recovery (for example, automated notice and recovery mechanisms, in response to virus alerts in a real-time fashion)
Knowledge of the requirements for collecting and presenting evidence, rules for evidence, admissibility of evidence, quality and completeness of evidence
Knowledge of post-incident reviews and follow-up procedures


ITGI Publications

Other Publications
All publications come with detailed assessment questionnaires and work programmes. For further information, please visit www.isaca.org/bookstore or e-mail bookstore@isaca.org.

Managing Enterprise Information Integrity


The Centre for IS Assurance conducted this project to define the key elements of enterprise information integrity, as well as benefits criteria associated with them, and to present a framework and process for management. In an increasingly dynamic global environment, IT organisations must address complex solutions and operating environments to provide assurance of the dependability and trustworthiness of information across the enterprise. 2004

COBIT Security Baseline


Control Objectives for Information and related Technology covers security in addition to other risks that can occur with the use of IT. Using the COBIT framework, this guide focusses on the specific risks of IT security in a way that is simple to follow and implement for all users: small to medium enterprises, executives and board members of larger organisations, and home users. It is available through the ISACA Bookstore at www.isaca.org/bookstore. COBIT Security Baseline provides:
Useful background reading: an introduction to information security (what does it mean and what does it cover?)
An explanation of why security is important, with examples of the most common things that can go wrong
Thought-provoking questions to help determine the risks
The COBIT-based security baseline, providing key controls
Six information security survival kits, offering essential awareness messages
An appendix containing a summary of technical security risks
2004

Control Practices
Control Practices extends the capabilities of the COBIT framework with an additional level of detail. The COBIT IT processes, business requirements and control objectives define what needs to be done to implement an effective control structure. The control practices provide the more detailed how and why needed by management, service providers, end users and control professionals, to help them justify and design the specific controls needed to address IT project and operational risks and improve IT performance by providing guidance on why controls are needed, and what the best practices are for meeting specific control objectives. All of the control practices are individually integrated into COBIT Online. This publication, which contains control practices for all of the 34 high-level COBIT control objectives, is available in the ISACA Bookstore. 2004

IT Control Objectives for Sarbanes-Oxley


The publication explains, step-by-step in a road map approach, the current focus on enhancing corporate accountability, the audit committee's responsibility, the need to adopt and use an internal control framework (COSO), the need to consider fraud in an audit or review of internal control, the necessary but unique challenge of focussing on IT controls and using a compatible IT governance framework (COBIT), and how to seize the opportunity of turning compliance into a competitive challenge. The document provides IT professionals and organisations with assessment ideas and approaches, IT control objectives mapped into COSO for disclosure and financial reporting purposes, and a clear road map to deal with the murkiness of these regulatory times. 2004

COBIT Mapping: Mapping ISO/IEC 17799:2000 With COBIT


The mapping document is a profound source of information for all stakeholders responsible for, and interested in, IT governance and information security management and their respective controls. It provides clear insights as to how COBIT and ISO/IEC 17799:2000 interrelate and fit together. This paper is a valuable source and useful guideline for implementation of these standards in an organisation, independent of its size, geography or industry. It will help improve completeness and quality and reduce the cost of such implementations. ISACA member download posted at www.isaca.org/research. 2004

COBIT Mapping: Overview of International IT Governance


A global overview of the most important standards relative to control and security of IT and how they relate to each other on a high level. The research includes:
An overview of the most important standards relative to control and security of IT
A demonstration of the possible integration of COBIT with other standards into live IT processes
A high-level overview of COBIT, COSO, ITIL, ISO/IEC 17799:2000, ISO/IEC 13335, ANSI, TickIT and the Common Criteria (ISO/IEC 15408:1999)
The publication is posted at www.isaca.org/cobitmapping. 2004

Board Briefing on IT Governance, 2nd Edition


The Board Briefing on IT Governance, 2nd Edition is addressed to boards of directors, supervisory boards, audit committees, chief executive officers, chief information officers and other executive management, and is designed to help these individuals understand why IT governance is important, what its issues are and what their responsibility is for managing it. The document is posted at www.itgi.org. The document covers:
A summarised background on governance
Where IT governance fits in the larger context of enterprise governance
A simple framework with which to think about IT governance


Questions board members should ask
Good practices and critical success factors
Performance measures board members can track
A maturity model against which to benchmark organisations
2003

Other Titles
Oracle Database Security, Audit and Control Features (2004)
OS/390–z/OS: Security, Control and Audit Features (2003)
IT Governance Implementation Guide (2003)
COBIT Quickstart (2003)
Risks of Customer Relationship Management: A Security, Control and Audit Approach (2003)
Security Provisioning: Managing Access in Extended Enterprises (2002)
Electronic and Digital Signatures: A Global Status Report (2002)
Virtual Private Network: New Issues for Network Security (2001)
COBIT 3rd Edition (2000)
Control Objectives for Net Centric Technology (CONCT) (1999)
Digital Signatures: Security and Controls (1999)
ERP Series:
    Security, Audit and Control Features PeopleSoft: A Technical and Risk Management Reference Guide (2004)
    Security, Audit and Control Features Oracle Applications: A Technical and Risk Management Reference Guide (2003)
    Security, Audit and Control Features SAP R/3: A Technical and Risk Management Reference Guide (2002)
E-commerce Security Series:
    Securing the Network Perimeter (2002)
    Business Continuity Planning (2002)
    Trading Partner Authentication, Registration and Enrollment (2000)
    Public Key Infrastructure (2001)
    A Global Status Report (2000)
    Enterprise Best Practices (2000)

Web Postings (www.isaca.org/research)


Enterprise Identity Management: Managing Secure and Controllable Access in the Extended Enterprise Environment (2004)
Introduction to Voice-over IP Technology (2004)
Peer-to-peer Networking Security and Control (2003)


Future Publications
Cybercrime: Incident Response and Digital Forensics
The research describes the threat posed by cybercrime and discusses the increase in incidents. The publication will also provide an analysis of the types of risk and guidelines to prevent, detect and respond appropriately. It will highlight the new partnership and initiatives between the US government and the IT industry, and the strategy that could mitigate the potential risks.

Linux Security and Control Requirements


The project studies the Linux security issues for one of the more popular versions of Linux: Red Hat 7.2. A technical security configuration table will be included, which could be used as a standard reference by security administrators, security professionals and IS auditors. The publication will provide guidance to IT management in the areas of identification of vulnerabilities of the Linux operating system, a detailed checklist giving the best practices to be followed, deployment of Linux on different hardware platforms, and comparison of the security features of major Linux implementations. The publication will address risk management issues with an action-oriented perspective.

Security Awareness: Best Practice to Serve Your Enterprise


Today, from the most senior executive to junior staff, all have a role to play in the protection of the enterprise's information assets. Awareness of the risks and available safeguards is the first line of defence. Information systems and networks can be affected by internal and external risks, and everyone must understand that security failures may significantly harm those systems and the information under their control, as well as interdependencies. Additionally, the increased regulatory pressure of the European Data Protection Directive, Sarbanes-Oxley, HIPAA and others is requiring organisations to implement formal security policies. The education of employees is certainly a frontline defence for adherence and proper implementation. This research publication will provide the steps needed to implement an awareness effort and to build concurrence of other departments, and provides baselines, maturity levels and control objectives. A security awareness self-assessment programme and a case study will be included.


Information Security Governance: Top Actions for Security Managers


Information Security Governance: Guidance for Boards of Directors and Executive Management, published by ITGI in 2001, provides a background as to why information security is important. Its focus is on what the board and senior management should do to fit information security within the governance framework. Information Security Governance: Top Actions for Security Managers furthers that research by taking the list of questions and creating specific actions for information security managers and CISOs. It will address:
Uncovering the information security issues in an enterprise from a business and management perspective
Dealing with management's perception of information security and security risk management issues
Positioning information security as a component of IT and business governance
Establishing what is required to ensure that information security governance is successfully implemented within the enterprise

IT Governance Domains: Practices and Competencies


The IT Governance Institute is conducting a survey of executives around the globe. An in-depth personal interview is being held with 200 IT directors and managers for feedback on the following five domains:
Value delivery: Obtaining a return on IT investments
Performance measurement
Risk management
IT alignment: IT strategy committees
Managing IT resources: Outsourcing
