Information Systems Audit and Control Association

With more than 35,000 members in more than 100 countries, the Information Systems Audit and Control Association (ISACA) (www.isaca.org) is a recognised worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal, develops international information systems auditing and control standards, and administers the globally respected Certified Information Systems Auditor (CISA) designation, earned by more than 38,000 professionals since inception, and the Certified Information Security Manager (CISM) designation, a groundbreaking credential earned by 5,100 professionals in its first two years.

IT Governance Institute

The IT Governance Institute (ITGI) (www.itgi.org) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise's information technology. Effective IT governance helps ensure that IT supports business goals, optimises business investment in IT, and appropriately manages IT-related risks and opportunities. The IT Governance Institute offers symposia, original research and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.

Disclaimer

The Information Systems Audit and Control Association (the Owner) and the authors have designed and created this publication, titled Information Security Harmonisation: Classification of Global Guidance (the Work), primarily as an educational resource for security professionals. The Owners make no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of any proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, the security professional should apply his/her own professional judgement to the specific circumstances presented by the particular systems or information technology environment.

Disclosure

Copyright 2005 by Information Systems Audit and Control Association. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), without the prior written authorisation of ITGI.

Information Systems Audit and Control Association
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.590.7491
Fax: +1.847.253.1443
E-mail: info@isaca.org
Web site: www.isaca.org

ISBN 1-933284-05-6
Information Security Harmonisation: Classification of Global Guidance
Printed in the United States of America
Acknowledgements
From the Publisher

Information Systems Audit and Control Association wishes to recognise:

The author
Leslie Ann Macartney, CISA, CISM, UK

The Board of Directors
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young LLP, USA, International President
Abdul Hamid Bin Abdullah, CISA, CPA, Auditor General's Office, Singapore, Vice President
William C. Boni, CISM, Motorola, USA, Vice President
Ricardo Bria, CISA, SAFE Consulting Group, Argentina, Vice President
Everett C. Johnson, CPA, Deloitte & Touche (retired), USA, Vice President
Howard Nicholson, CISA, City of Salisbury (South Australia), Australia, Vice President
Bent Poulsen, CISA, CISM, VP Securities Services, Denmark, Vice President
Frank Yam, CISA, CIA, CCP, CFE, Focus Strategic Group Inc., Hong Kong, Vice President
Robert S. Roussey, CPA, University of Southern California, USA, Past International President
Paul A. Williams, FCA, MBCS, Paul Williams Consulting, UK, Past International President

The expert reviewer
Robert G. Parker, CISA, CA, FCA, CMC, Deloitte & Touche LLP, Canada

The CISM Certification Board
Chair, Leslie Macartney, CISA, CISM, UK
Kent Anderson, CISM, Network Risk Management LLC, USA
Luis A. Capua, CISM, Sindicatura General de la Nación, Argentina
Robert Stephen Coles, Ph.D., CISA, CISM, FCCA, MBCS, Royal Bank of Scotland Group, UK
Arnold Dito, CISA, USA
Danny Q. Le, CISA, CISM, KPMG, USA
Kyeong-Hee Oh, CISA, CISM, CISSP, Green Soft, Korea
Ashok Shankar Pawar, CISA, CISM, CAIIB, State Bank of India, India
David Simpson, CISA, CISM, CISSP, CQR Consulting, Australia

The authors of COBIT Mapping: Overview of International IT Guidance
Jimmy Heschl, CISA, CISM, ISACA Austria Chapter
Table of Contents
Introduction ... 1
Purpose for Classification of the Guidance ... 1
Security Guidance Included in This Research ... 1
The Classification Framework ... 3
Document Taxonomy Chart ... 4
The CISM Domain Chart ... 5
How to Use This Publication ... 7
History and Role of ISACA and ITGI ... 7
Approach to the Classification ... 8
1. BS 7799 Part 2:2002 Information Security Management Systems: Specification With Guidance for Use ... 9
2. COBIT ... 15
3. SSE-CMM Systems Security Engineering: Capability Maturity Model 3.0 ... 25
4. GAISP Version 3.0 ... 33
5. The Standard of Good Practice for Information Security ... 39
6. ISO/IEC 13335 Information Technology: Guidelines for the Management of IT Security ... 47
7. ISO/TR 13569:1997 Banking and Related Financial Services: Information Security Guidelines ... 57
8. ISO/IEC 15408:1999 and Common Criteria ... 63
9. ISO/IEC 17799:2000 Information Technology Code of Practice for Information Security Management ... 73
10. Security Management ... 81
11. NIST 800-12 An Introduction to Computer Security: The NIST Handbook ... 89
12. NIST 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems ... 99
13. NIST 800-18 Guide for Developing Security Plans for Information Technology Systems ... 105
14. NIST 800-53 Recommended Security Controls for Federal Information Systems, Second Public Draft ... 111
15. OCTAVE Criteria Version 2.0 Networked Systems Survivability Program ... 119
16. Guidelines for the Security of Information Systems and Networks and Associated Implementation Plan ... 129
17. Manager's Guide to Information Security ... 135
Annex: CISM Job Domains ... 139

Note that each of the chapters contains the following subsections:
- Issuer
- Document Taxonomy
- Circulation
- Goal(s) of the Standard or Guidance Publication
- Information Security Drivers for Implementing the Guidance: Why
- Related Risks of Noncompliance: What Could Happen
- Target Audience
- Timeliness
- Certification Opportunities
- Completeness
- Availability
- Recognition/Reputation
- Usage
- CISM Domain Alignment
- Description and Guidance on Use
- Reference
Introduction
Purpose for Classification of the Guidance
The role of the information security manager has evolved over the past few years. It has shifted from a position that focussed essentially on IT to one where business acuity takes equal priority. At the same time, numerous security standards, codes of practice, methodologies, etc., have been developed and published, all with the purpose of providing some level of direction or support for security objectives. All of them are focussed on one or more issues of importance. However, because there are so many and a harmonisation framework did not exist, the perception has existed that there is a standards quagmire. This is where this technical study from ITGI intends to add some clarity to the picture.

The purpose of this document is to provide Certified Information Security Manager (CISM) holders and all other information security managers with a road map to the more recognised and widely available information security guidance documents. Seventeen internationally accepted security-focussed guidance documents were examined across 12 separate evaluative criteria, enabling information security managers to identify those that may be of best use within their own organisation or most appropriate for improving their own skills and knowledge.

This report will also be useful in presenting the concept of managing risk on an enterprisewide basis, from the boardroom to the network. It helps link risk management and the information presented to governance.

Despite the quantity and diversity of available security guidance worldwide, there remain areas of information security management that do not appear to be addressed to the level or detail required in today's environments. ISACA/ITGI will follow up this research with further work to define these gaps and produce additional guidance as required. Additionally, this document will be updated periodically to reflect additional guidance, changes to guidance and advice on how the guidance can be used, based on best practice surveys.
Control Objectives for Information and related Technology (COBIT), published by the IT Governance Institute, represents a collection of documents that can be classified as generally accepted framework and standards for IT governance, security, control and assurance.

Systems Security Engineering: Capability Maturity Model (SSE-CMM) Model Description Document 3.0 is a guide to the concepts and application of a model to improve and assess security engineering capability.

Generally Accepted Information Security Principles (GAISP) is a collection of security principles that has been defined and produced as a collective effort by members of the organisations involved.

The Information Security Forum's (ISF's) Standard of Good Practice for Information Security is a collection of information security principles and practices.

ISO/IEC 13335 Information Technology: Guidelines for the Management of IT Security, released by the International Organisation for Standardisation and the International Electrotechnical Commission, is technical guidance subdivided into five parts which provide guidance on aspects of information security management.

ISO/TR 13569:1997 Banking and Related Financial Services: Information Security Guidelines, released by the International Organisation for Standardisation, is a grouping of security concepts and suggested control objectives and solutions for financial sector organisations.

ISO/IEC 15408:1999 Security Techniques: Evaluation Criteria for IT Security is based on the Common Criteria for Information Technology Security Evaluation 2.0 (CC). ISO/IEC 15408:1999 is used as a reference to evaluate and certify the security of IT products and systems.

ISO/IEC 17799:2000 Information Technology: Code of Practice for Information Security Management is a collection of information security practices.

The IT Infrastructure Library's (ITIL's) Security Management is a methodology describing how IT security management processes link into other IT infrastructure management processes.

NIST 800-12 An Introduction to Computer Security: The NIST Handbook, released by the US National Institute of Standards and Technology (NIST), describes the common requirements for managing and implementing a computer security programme and some guidance on the types of controls that are required.

NIST 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems is a collection of principles and practices to establish and maintain system security.

NIST 800-18 Guide for Developing Security Plans for Information Technology Systems provides a format and guidance for developing a system security plan.

NIST 800-53 Recommended Security Controls for Federal Information Systems provides a set of baseline security controls.

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a set of principles, attributes and outputs for risk assessment.

Organisation for Economic Co-operation and Development (OECD) Guidelines for the Security of Information Systems and Networks provides a set of nine information security principles aimed at fostering a culture of security.
The Open Group's Manager's Guide to Information Security is a booklet providing general guidance for IT managers on acquiring secure IT products and systems.
Document Taxonomy Chart (matrix of the 17 publications against the taxonomy categories; only the labels are recoverable here)

Publications: BS 7799, COBIT (see note 1), SSE-CMM, GAISP, ISF, ISO/IEC 13335, ISO/TR 13569, ISO/IEC 15408, ISO/IEC 17799, ITIL, NIST 800-12, NIST 800-14, NIST 800-18, NIST 800-53, OCTAVE, OECD, Open Group

Taxonomy categories include: Model or Methodology (the remaining category labels and the cell marks are not recoverable here)

Note 1: COBIT provides detailed control practices for IT governance. Information security controls are also included within its scope.
Note that BS 7799 and ISO/IEC 17799 have different qualifications because one is a specification (or method) for information security management whilst the other is a set of guidelines and recommended information security practices.
The use of a ranking of 5 has been specifically excluded as none of the examined guidance documents was found to provide full coverage of a CISM domain.
The overall score uses the same definitions, but in relation to all five CISM domains. In this context, the overall score is not necessarily an average of the individual scores.

Figure 3: Security Guidance Coverage of CISM Domains

Columns: ISG = Information Security Governance; RM = Risk Management; ISPM = Information Security Programme Management; ISM = Information Security Management; RespM = Response Management; Overall = Overall Coverage of CISM Domains

Publication      ISG  RM  ISPM  ISM  RespM  Overall
BS 7799           2    1    2    2     1      2
COBIT             2    1    2    2     1      2
SSE-CMM           2    2    2    2     2      2
GAISP             2    1    1    1     0      2
ISF               2    2    3    2     1      2
ISO/IEC 13335     4    3    4    4     1      4
ISO/TR 13569      2    3    3    2     1      2
ISO/IEC 15408     0    0    2    0     0      2
ISO/IEC 17799     1    1    3    2     2      2
ITIL              1    0    2    2     1      2
NIST 800-12       4    3    4    4     3      4
NIST 800-14       2    1    2    2     2      2
NIST 800-18       1    1    3    1     1      2
NIST 800-53       1    1    3    1     1      2
OCTAVE            2    4    4    1     1      3
OECD              2    1    1    0     1      1
Open Group        0    0    1    1     0      1
A full description of the CISM job domains and the associated task and knowledge statements is provided in the appendix of this document.
In 1996, ISACA's affiliated foundation published the first version of COBIT as a framework within which IT governance could be managed. COBIT, now in its third edition, is published in several languages, including Dutch, French, German and Spanish, amongst others, and is generally considered to be the leading governance, security, control and assurance framework across the world. ISACA reflected the growing awareness of the vital role of technology in helping businesses achieve their corporate aims with the creation of the IT Governance Institute in 1998. Effective IT governance helps ensure that IT supports business goals, maximises business investment in IT, and appropriately manages IT-related risks and opportunities. In 2002, the CISM certification was launched. It was specifically developed to reflect the increasing importance of the role of information security managers and, in particular, to reflect their increased profile within organisations and their vital role in corporate and IT governance.
Five geographic locations were used: Asia, Central/South America, Europe/Africa, North America and Oceania.
1. BS 7799 Part 2:2002 Information Security Management Systems: Specification With Guidance for Use
Issuer
The United Kingdom Standards Policy and Strategy Committee provides authority for publication of documents as British Standards. BS 7799 has been adopted and modified by several countries, for example, AS/NZS 7799-2 for Australia and New Zealand.
Document Taxonomy
The original BS 7799 was issued as two parts:
- BS 7799-1: Information Technology: Code of Practice for Information Security Management
- BS 7799-2: Information Security Management Systems: Specification with Guidance for Use

BS 7799-1 no longer exists, having been replaced by ISO/IEC 17799, which is discussed later in this research.
Circulation
BS 7799-2 is a British Standard that is widely known and used internationally.
Following the defined guidance for an information security management system, regardless of whether one is seeking certification, can be a good method of instilling discipline into the security management process.
Target Audience
The guidance is prepared for business managers and their staff as a model for an information security management system. It can also be used by certification bodies.
Timeliness
BS 7799-2 was first developed and issued in 1998 as a specification to complement BS 7799-1 (now ISO/IEC 17799). It was revised in 1999 to reflect changes in part 1 and again in 2002 to harmonise with other ISO management standards. British Standards are normally revised every three to five years. The next version of ISO/IEC 17799 is due for release in April 2005 and it is anticipated that BS 7799-2, updated to reflect ISO/IEC 17799:2005, may very well become an ISO standard by the end of 2006.
Certification Opportunities
A certification scheme exists to certify organisations toward compliance. Although this is a British Standard, more than 900 organisations in more than 40 countries have been evaluated and certified to BS 7799-2 (see the note on the source of these figures below).
Completeness
BS 7799-2 is a model that includes every activity required to establish, implement, operate, monitor, review, maintain and improve a documented information security management system. It is designed to be used by organisations of any size or type, and is not geographically specific.
Note: Figures obtained from the International Information Security Management System User Group web site at www.xisec.com.
Unlike ISO/IEC 17799 Code of Practice for Information Security Management, BS 7799 contains no guidance on how to undertake the activities it describes. It also avoids describing specific control practices as these naturally vary across organisations. However, it does recommend other documents that may be helpful to organisations applying the guidance. The appendix of BS 7799-2 contains a list of controls (summarised from ISO/IEC 17799) that organisations can use as the basis for identifying and setting their own organisational security control frameworks. However, this list is not intended to be exhaustive and the onus is on the organisation to supplement those provided.
Availability
The guidance is available for purchase from www.bsi-global.com (GB sterling 28.00 for British Standard Institute members and 56.00 for nonmembers).
Recognition/Reputation
Based on the global survey of CISMs (described in this document's Introduction), BS 7799-2 is globally recognised and considered to be a widely accepted standard by a large majority (74 percent) of the respondents.
Usage
BS 7799-2 is comprehensive and is being actively used (i.e., implemented, used as best practice or used for assessment) by the majority (57 percent) of surveyed CISMs in Europe/Africa, Central/South America and Oceania. Asia figures are slightly below this (48 percent) and in North America the figure falls to 39 percent. These are significant figures for an individual standard.
Risk Management, 1
BS 7799-2 contains references to and definitions of risk management activities but it provides no guidance on development and application of risk management methods.
Response Management, 1
The guidance contains only brief references to response management, and as a whole is limited in this area and provides no direction.
Overall, 2
This is a useful model for those wishing to establish a framework for the management of an information security management system and a must for those seeking BS 7799 certification. It needs to be used by an experienced information security manager and must be supplemented with other information security standards and guidance.
Since the PDCA is an approach used in several globally respected standards, the following is a brief description of the approach that would be used to manage a comprehensive information security management system.

Plan activities address the establishment of the information security management system and include:
- Definition of the information security management system coverage (e.g., location, assets, technology)
- Definition of an information security policy that reflects organisational needs
- Definition of a risk assessment methodology
- Identification and assessment of risks
- Identification and evaluation of options for the treatment of risks
- Selection of control objectives and controls
- Preparation of a statement of applicability (which gives the reasons for selection and exclusion of controls)

Do activities are concerned with the implementation and operation of the information security management system and include:
- Creation of plans to allocate responsibilities and priorities for risk treatment
- Implementation of controls
- Training and awareness programmes
- Operations and resource management
- Procedures for detecting and reacting to incidents

Check activities are concerned with monitoring and reviewing the information security management system and include:
- Execution of monitoring and other control procedures
- Reviews of information security management system effectiveness
- Reviews of residual risks and acceptable risks

Act activities are concerned with maintaining and improving the information security management system and include:
- Implementing improvements (including taking corrective and preventive actions to eliminate the cause of nonconformities and guard against future nonconformities)
- Learning from experiences (one's own and those of other organisations)
- Ensuring that improvements meet the objectives

The standard describes the types of documentation needed to establish and manage the information security management system as well as those needed to satisfy the British Standard (and are therefore necessary for certification to the standard). It also describes the procedures that need to be in place to control documents and records. Management responsibilities are identified and include management commitment, resource management and information security management system review. The following provides the level of detail that is contained in BS 7799-2.
Reference
www.bsi-global.com
2. COBIT
Issuer
The IT Governance Institute is the copyright holder and issuer of the COBIT guidance. COBIT is a worldwide de facto standard.
Document Taxonomy
COBIT represents a collection of documents and a framework that are classified as generally accepted best practices for IT governance, control and assurance. Its use reaches IT management, security, control and user management. The framework, along with the Committee of Sponsoring Organisations of the Treadway Commission (COSO), is considered to be critical to compliance with the US Sarbanes-Oxley Act.
Circulation
COBIT is accepted worldwide. In addition to the English version, it has been translated into several languages, including Dutch, French, German and Spanish.
Target Audience
Within organisations, three levels are addressed: management, IT users, and control and security professionals. Many types of organisations, public and private companies and external assurance professionals form the relevant target group.
Timeliness
The first edition of COBIT was issued in 1996. In 1998 the second edition was published with additional control objectives as well as the Implementation Tool Set. The third edition was issued in 2000 and included the Management Guidelines as well as an overall update. Management Guidelines includes a maturity model for IT governance and each of the objectives, as well as key goal indicators, critical success factors and key performance indicators. It is still relevant and up to date. The latest enhancements to COBIT at the time of this publication in 2005 include:
- COBIT Quickstart
- COBIT Online
- IT Governance Implementation Guide
- Control Practices
- COBIT Security Baseline

The next update to COBIT is targeted for release in late 2005.
Certification Opportunities
COBIT's audit guidelines contain information for auditing and self-assessment against the control objectives, but there is no certification programme available for any part of COBIT. The COBIT framework is used frequently by Certified Public Accountants (CPAs) and Chartered Accountants (CAs), for instance, when performing an SAS 70 review, and has rapidly become the IT control framework of choice for organisations addressing international regulatory issues, such as the US Sarbanes-Oxley Act of 2002.
Completeness
COBIT addresses a broad spectrum of duties in IT management and can be of significant interest and use to the security manager, particularly if the organisation decides to build an IT governance framework using COBIT as its model. It does not contain the full depth of security management activities contained in ISO/IEC 17799.
Availability
COBIT is available in a variety of ways. First, the most dynamic and useful manner is through COBIT Online. It can be purchased by going to www.isaca.org/cobitonline. The approach allows users to customise a version of COBIT to suit their own enterprise, then store and manipulate that version as desired. It also offers full online access to all of COBIT, an editable Access database download feature, real-time surveys, an active community forum and a robust benchmarking feature. Also, most parts of COBIT are readily accessible for complimentary electronic download from the ISACA or ITGI web sites, www.isaca.org or www.itgi.org. The audit guidelines are posted for complimentary download for ISACA members only. Alternatively, a printed set and fully searchable CD-ROM can be purchased from the ISACA Bookstore, bookstore@isaca.org.
Recognition/Reputation
Based on the global survey of CISMs (described in this document's Introduction), recognition of COBIT is extremely high, at over 98 percent. Of equal or more interest is that a majority (58 percent) of surveyed CISMs (security professionals) felt that COBIT is a well-accepted global standard.
Usage
COBIT is considered to be comprehensive and effective and is being actively used (i.e., implemented, used as best practice or used for assessment) by more than 40 percent of surveyed information security managers globally (rising to in excess of 60 percent in Central/South America). These are significant figures for an individual standard and are exceeded only by ISO/IEC 17799 and BS 7799. Although this high level of use may be explained by the CISM population's relationship to ISACA, it should also be noted that security managers do not, in general, make use of standards they hold in low esteem.
Risk Management, 1
Risk management is referenced specifically in the PO9 process of COBIT. The remaining areas address it, but not to any great detail.
Response Management, 1
Response management is referenced, but not to any detail.
Overall, 2
This guidance, although comprehensive, would be useful to an information security manager if his/her organisation is planning to implement COBIT and/or enhance the broader IT governance concepts, including how security management fits into the overall equation. Since much of the security material is aimed at educating IT management in security matters rather than as guidance to security managers, its use beyond overall governance is somewhat limited.
This theme can be taken further by considering information security governance. It, too, has a highly interdependent relationship with enterprise governance and IT governance. Whilst COBIT has not been developed specifically with the information security manager as a primary target, a large amount of the material is relevant to the information security programme. There are several publications that make up COBIT. Those of key interest to the information security manager are addressed in the following subsections.
COBIT Framework
The COBIT Framework (65 pages) has been designed as a method of creating an IT governance framework that bridges the business control model with a focussed IT control model. In designing the framework, work performed by many organisations was referenced, including ISO/IEC 17799 Code of Practice for Information Security Management and several of the NIST publications. Also considered were business control models by COSO in Internal Control: Integrated Framework of 1992, Cadbury in the UK, CoCo in Canada and King in South Africa. The framework identifies the need to satisfy the quality, fiduciary and security requirements for information. These broad requirements are then broken into seven distinct, but overlapping, categories:

Quality:
1. Effectiveness: Information must be relevant and pertinent to the business process as well as be delivered in a timely, correct, consistent and useable manner.
2. Efficiency: This calls for provisioning information through the most optimal (productive and economical) use of resources.

Security:
3. Confidentiality: Sensitive information must be protected from unauthorised disclosure.
4. Integrity: Information must be complete and accurate and in line with business values and expectations.
5. Availability: Information, and associated resources and capabilities, must be available when needed now and in the future.

Fiduciary:
6. Compliance: This deals with laws, regulation and contractual arrangements to which the business is subject.
7. Reliability of information: This category relates to provision of the information needed by management to operate the entity and to exercise financial and compliance reporting responsibilities.
The framework then describes the IT resources necessary to deliver on the principles. There are five:
- Data: In its widest sense (i.e., internal and external), structured and nonstructured, graphics, sound, etc.
- Application systems: The sum of manual and programmed procedures
- Technology: Includes hardware, operating systems, database management, networking, etc.
- Facilities: Resources needed to house and support information systems
- People: Includes staff skills, awareness and production to plan, organise, acquire, deliver, support and monitor information systems and services

The framework then provides 34 control objectives that are described within four domains. The domains are designed to fit in with the same PDCA models used by OECD security guidance, ISO/IEC 9000, 14000, 15000 and BS 7799-2:2002. The four domains (see figure 4) are:
- Plan and Organise: 11 objectives, numbered PO1 to PO11
- Acquire and Implement: 6 objectives, numbered AI1 to AI6
- Deliver and Support: 13 objectives, numbered DS1 to DS13
- Monitor and Evaluate: 4 objectives, numbered M1 to M4

Figure 4: COBIT IT Processes Defined Within the Four Domains
[Figure 4 content, as recoverable from the page: Business objectives feed IT governance; the Information criteria are Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance and Reliability; the IT resources are People, Application systems, Technology, Facilities and Data. The process names shown in the figure are:]

Monitor (M1 to M4):
- M1 monitor the processes
- M2 assess internal control adequacy
- M3 obtain independent assurance
- M4 provide for independent audit

Plan and Organise (PO1 to PO11):
- PO1 define a strategic IT plan
- PO2 define the information architecture
- PO3 determine the technological direction
- PO4 define the IT organisation and relationships
- PO5 manage the IT investment
- PO6 communicate management aims and direction
- PO7 manage human resources
- PO8 ensure compliance with external requirements
- PO9 assess risks
- PO10 manage projects
- PO11 manage quality

Acquire and Implement (AI1 to AI6, in the order shown):
- identify automated solutions
- acquire and maintain application software
- acquire and maintain technology infrastructure
- develop and maintain procedures
- install and accredit systems
- manage changes

[The Deliver and Support process names (DS1 to DS13) are not legible in the extracted figure.]
COBIT
Extract from PO9 Maturity Model

Level 2: Repeatable but Intuitive. There is an understanding that IT risks are important and need to be considered. Some approach to risk assessment exists, but the process is still immature and developing. The assessment is usually at a high level and is typically applied only to major projects. The assessment of ongoing operations depends mainly on IT managers raising it as an agenda item, which often happens only when problems occur. IT management has not generally defined procedures or job descriptions dealing with risk management.
How many staff had security training last year? How many of the management team (members) received security training?
Control Practices
Control Practices (226 pages) expands the capabilities of COBIT by providing the practitioner with an additional level of detail. Whilst the COBIT IT processes, business requirements and detailed control objectives define what needs to be done to implement an effective control structure, Control Practices provides the more detailed how and why. Each of the 318 control objectives is listed here along with a brief rationale for why, and control practices for how.

Extract of AI6.4 Emergency Changes

Why Do It? Controlling emergency changes by implementing the control practices will ensure:
- Emergency procedures are used in declared emergencies only.
- Urgent changes can be implemented without compromising integrity, availability, reliability, security, confidentiality or accuracy.

Control Practices
1. Management defines parameters, characteristics and procedures that identify and declare emergencies.
2. All emergency changes are documented, if not before, then after implementation.
3. All emergency changes are tested, if not before, then after implementation.
4. All emergency changes are formally authorised by system owners and management before implementation.
5. Before and after images, as well as an intervention log, are retained for subsequent review.
COBIT Quickstart
This special version (46 pages) is a baseline for many small to medium enterprises (SMEs) and other entities where IT is not mission-critical or essential for survival. It can also serve as a starting point for other enterprises in their move toward an appropriate level of control and governance of IT. COBIT Quickstart was developed in response to comments that COBIT, in its complete form, can be a bit overwhelming. Those who operate with a small IT staff often do not have the resources to implement all of COBIT. This version of COBIT constitutes a subset of the entire COBIT volume. Only those control objectives that are considered the most critical are included, so that implementation of COBIT fundamental principles can take place easily, effectively and relatively quickly.
COBIT Online
This online version of COBIT allows users to customise a version of COBIT for their own enterprise, then store and manipulate that version as desired. It offers online, real-time surveys and benchmarking, as well as a discussion facility for sharing experiences and questions.
References
www.isaca.org/cobit www.itgi.org
Document Taxonomy
SSE-CMM Model Description Document 3.0 (SSE-CMM 3.0) is a guide to the concepts and application of a model to improve and assess security engineering capability. Version 2 was made ISO/IEC 21827 in 2002.
Circulation
The guidance is widely known and used internationally by organisations involved in security engineering.
Target Audience
The guidance is primarily aimed at organisations that practice security engineering in the development of operating systems software, security managing and enforcing functions, software and middleware of applications programmes. Specific users are likely to be product developers, service providers, system integrators, system administrators and security specialists. The guide will also be of use to evaluation organisations or acquiring organisations (e.g., in Requests for Proposal).
Timeliness
Development of SSE-CMM began in 1995, with the first version published in 1996. Version 2 followed and was made ISO/IEC 21827 in 2002. Version 3 was released in 2003 and the ISSEA remains dedicated to improving the model.
Certification Opportunities
There is a documented SSE-CMM Appraisal Method that includes support materials for an appraisal. It was designed primarily for internal process improvement. An Appraiser Certification Programme is being developed.
Completeness
The document is an excellent capability maturity model for evaluating and improving the quality of security engineering. However, it provides only limited information on the full role and responsibilities of an information security manager who is establishing, implementing and managing an enterprisewide information security programme, so it should be supplemented with other security publications.
Availability
SSE-CMM 3.0 is available by free download from the SSE-CMM web site at www.sse-cmm.org. Version 2, now published as ISO/IEC 21827, can be purchased from www.iso.org for Swiss CHF 208.00.
Recognition/Reputation
Based on the global survey of CISMs in 2004 (described in this document's Introduction), SSE-CMM is well recognised (60 to 70 percent) in Asia, North America and Central/South America, but much less so in Oceania and Europe/Africa (more than 40 percent had no experience with the guidance). The majority of CISMs (52 percent) in all regions felt it has only limited acceptance amongst security professionals.
Usage
Active usage (i.e., implemented, used as best practice or used for assessment) of SSE-CMM is disappointing at only 20 percent, although this rises to one-third in Central/South America. The majority (69 percent) of all CISMs familiar with it found it to be effective, but views on its level of comprehensiveness varied, with Oceania in particular having reservations.
Risk Management, 2
Following the SSE-CMM would improve performance in this domain, but it is best used by an experienced information security manager who already has the domain activities established.
Response Management, 2
Following the SSE-CMM would improve performance in this domain, but it is best used by an experienced information security manager who already has the domain activities established.
Overall, 2
This is an excellent model for improving capabilities but it does not in itself provide guidance to an information security manager on how to define and establish an enterprisewide information security management programme. It would be most effective in the hands of an experienced information security manager.
model can help an organisation evolve from an ad hoc, less organised, less effective state to a highly structured and highly effective state. The guide describes expected results from using SSE-CMM as most likely to be:
- Improvements in predictability: Organisations are better at knowing whether they will meet their targets and, if not, by how much they will miss.
- Improvements in control: Targets are revised more accurately and corrective actions are evaluated to select the best application of control measures.
- Improvements in process effectiveness: Targeted results improve as the costs decrease, and productivity and quality increase.

There are three main security engineering areas in the SSE-CMM:
- Risk: Identifying and prioritising dangers
- Engineering: Determining and implementing solutions that address the risks
- Assurance: Being able to give customers confidence in the solutions

A number of practices are used in each of these areas. Practices are split into base practices and generic practices. The generic practices are those that indicate process management, whilst base practices are those that collectively define security engineering. One performs generic practices as a part of performing a base practice. This is most easily explained using the example provided by the guide.
The 11 security processes are numbered for reference and are purposely referred to in alphabetical order to discourage thoughts that the process areas are ordered by life cycle. The 11 security process areas are:
- PA01 Administer Security Controls: The intended security for the system is achieved in its operational state.
- PA02 Assess Impact: Identify impacts (tangible and intangible) and the likelihood of the impacts occurring.
- PA03 Assess Security Risk: Identify and assess the likelihood of exposures.
- PA04 Assess Threat: Identify and characterise security threats.
- PA05 Assess Vulnerability: Identify and characterise security vulnerabilities.
- PA06 Build Assurance Argument: Clearly convey that security requirements are met (evidential activities).
- PA07 Co-ordinate Security: Ensure open communications between security engineering and all other involved parties (e.g., project personnel).
- PA08 Monitor Security Posture: Identify and report all breaches or attempted breaches of security as well as mistakes that could lead to breaches.
- PA09 Provide Security Input: Provide security information needed by interested parties (e.g., system architects, designers).
- PA10 Specify Security Needs: Explicitly identify security needs for the system.
- PA11 Verify and Validate Security: Verify and validate throughout design and development and against the customer's operational security needs.
Generic practices are grouped into five capability levels and reflect the maturity of the capability. Each has common features that describe an organisation's characteristic manner of performing a work process, as follows:
- Level 1 Performed Informally: Base practices. "You have to do it before you can manage it" is how SSE-CMM characterises this level.
- Level 2 Planned and Tracked: Project-level definition, planning and performance, characterised by SSE-CMM as "understanding what is happening on the project before defining organisationwide processes".
- Level 3 Well Defined: Disciplined tailoring, characterised as "using the best of what is learned from projects to create organisationwide processes".
- Level 4 Quantitatively Controlled: Measurements tied to organisational business goals, characterised by "you cannot measure it until you know what it is" and "managing with measurement is only meaningful when you're measuring the right things".
- Level 5 Continuously Improving: Sustaining gains and improvements, characterised by "a culture of continuous improvement (that) requires a foundation of sound management practice, defined processes, and measurable goals".
References
www.issea.org www.sse-cmm.org www.iso.org
Document Taxonomy
GAISP is a collection of security principles that is being defined and produced as a collective effort by members of the organisations involved.
Circulation
GAISP is known to the wider information security community, but particularly so by members of ISSA and within North America.
Target Audience
This is not stated explicitly in GAISP, but it would appear to be most suited to the information security practitioner and is flexible enough to serve most types and sizes of organisation.
Timeliness
Version 3 of GAISP is described on the Internet as a draft document. It is undated but has obviously been altered as recently as August 2003. However, many of the references provided are well out of date and it is likely that much of the document in its current form was written in the early to mid 1990s. As of the date of this publication, it has not yet been updated or finalised.
Certification Opportunities
There is no certification process for adhering to GAISP principles.
Completeness
GAISP provides a good set of general principles that addresses the necessary areas of information security management and should be relevant for an organisation of any type, size or geographic location. It does not contain any level of detail below information security principles.
Availability
GAISP is currently in draft mode and can be downloaded without cost from www.gaisp.org.
Recognition/Reputation
Based on data gathered from the global CISM survey (described in this document's Introduction), GAISP is generally well known in North America (67 percent) but is less known elsewhere, particularly in Europe/Africa (40 percent). Acceptance of GAISP as a standard is rather limited (90 percent feel it has either limited or no acceptance), a view expressed in all geographic regions.
Usage
Usage of GAISP is very low (less than 18 percent), even in North America where it is well known. However, it is thought to be reasonably comprehensive and effective in what it addresses by all regions except Europe/Africa.
Risk Management, 1
GAISP addresses risk management as a principle, but not in great depth.
Response Management, 0
Response management is briefly addressed as a principle.
Overall, 2
GAISP contains a good set of principles upon which an information security programme can be created, but it provides very little in the way of detailed guidance. What it does provide, not found elsewhere, is examples to support each of the principles.
Example: When developing contingency plans, the organization can establish a contingency planning team of information owners, representatives from facilities management, technology management, and other functional areas in order to better identify the various expectations and viewpoints from across the organization and other recognized parties.

Broad functional principles are described as the building blocks that provide guidance for operational accomplishment of pervasive principles. There are 14 broad functional principles and GAISP contains a table showing how they address the nine pervasive principles. Each of the 14 broad functional principles is described in a brief paragraph and is accompanied by a longer rationale and example of the principle in practice. The 14 broad functional principles are generally self-explanatory and are:
- Information security policy
- Education and awareness
- Accountability
- Information asset management
- Environmental management
- Personnel qualifications
- Incident management
- Information systems life cycle
- Access control
- Operational continuity and contingency planning
- Information risk management
- Network and Internet security
- Legal, regulatory and contractual requirements of information security
- Ethical practices
Appendix A provides a page-long list of major recommendations contained within Computers at Risk [5] which are addressed by GAISP. Appendix B contains the entirety of the OECD Guidelines for the Security of Information Systems, published by OECD in 1992.
References
www.gaisp.org www.issa.org
[5] National Research Council; Dr. David Clark (MIT), committee chair; Computers at Risk, National Academy Press, 1991
Document Taxonomy
The standard is a collection of information security principles and control practices that was generated by members of ISF. The precursor to ISF was the European Security Forum (ESF).
Circulation
The standard was previously known and available only to ISF members, but it was made publicly available a few years ago and since has begun to build a wider recognition.
Target Audience
The standard is specifically aimed at major national and international organisations although the ISF believes it is also likely to be of use to any organisation regardless of industry, geographic location or size. It is also likely to be of practical use to information security practitioners, IT management and assurance professionals.
Timeliness
It is planned to be updated every two to three years and a specific aim is to ensure that the latest security hot topics are addressed. The ISF produced version 4 of the Standard of Good Practice for Information Security in March 2003.
Certification Opportunities
No certification is available. However, ISF (corporate) members can benchmark their performance against the standard through ISF's biannual information security status survey.
Completeness
The standard provides a broad and detailed range of security principles, control objectives and security practices. It is particularly aimed at large organisations of any industry type in any geographic location. The standard does not deal with security management concepts nor provide guidance on how to select appropriate controls. If it is to be used, it needs to be applied by an experienced security practitioner or in combination with other guidance publications.
Availability
The standard is publicly available as a free download at www.isfsecuritystandard.com.
Recognition/Reputation
Results from the ISACA global survey of 5,000 CISMs (described in this document's Introduction) revealed that this standard is generally well recognised (approximately two-thirds of surveyed CISMs) although slightly less so in the Oceania region. However, the majority (55 percent) of CISMs familiar with the publication feel it has only limited acceptance as a standard.
Usage
Of those familiar with the standard, at least one-fifth are actively using it in some form or another (i.e., implemented, used as best practice or used for assessment) within their organisation. Usage is practised by almost one-third in Europe/Africa. A good majority (73 percent) of surveyed CISMs familiar with its contents believe the standard has a good level of comprehensiveness and it is also generally considered to be effective in use.
Risk Management, 2
It provides a good list of risk analysis requirements throughout the organisation. It does not describe approaches and methods of risk management.
Response Management, 1
It defines the requirement for response management but provides very little that would help an information security manager develop and maintain a response management capability.
Overall, 2
This is a good source of controls and detailed control practices for the experienced information security practitioner. Those with less experience may find it overwhelming and have difficulty deciding which control practices are appropriate for their own organisation.
[Figure: structure of the ISF Standard of Good Practice, showing Area 1, Area 2 and Area 3. Source: Information Security Forum, The Standard of Good Practice for Information Security, Version 4.1, January 2005]
Extract From Area 1 High-Level Direction from the Security Management Aspect
Section SM1.2 Security Policy

Principle: A comprehensive, documented information security policy should be produced and communicated to all individuals with access to the enterprise's information and systems.

Objective: To document top management's direction on and commitment to information security, and communicate it to all relevant individuals.

SM1.2.3 (i.e., the third practice statement for this section): The information security policy should require:
a) Critical information and systems to be subjected to a risk analysis on a regular basis
b) That an owner (typically the person in charge of a particular business application, computer installation or network) is assigned for all critical information and systems
c) That information and systems are classified in a way that indicates their criticality to the enterprise
d) That staff are made aware of information security
e) Compliance with software licenses and with legal, regulatory and contractual obligations
f) Breaches of the security policy and suspected security weaknesses to be reported
g) Information to be protected in terms of its requirements for confidentiality, integrity and availability

The standard addresses the following major topic areas under each aspect:

Security management
- Establishing, documenting and communicating direction and commitment for information security
- Making the organisational arrangements necessary for managing and applying security throughout the enterprise
- Establishing classification and ownership schemes for information assets
- Defining arrangements for a secure environment
- Taking steps for protection from and response to malicious attacks
- Including special topics: e-mail, cryptography, PKI and outsourcing
- Ensuring adequate audit, review and monitoring of the security environment

Critical business applications
- Assessing the security requirements of an application
- Managing applications, including roles and responsibilities, internal controls, change management, and continuity planning
- Controlling access to applications
- Ensuring that applications are adequately supported and backed up
- Addressing practices for application security co-ordination, classification, risk analysis and review
- Including special topics: third-party agreements, key management and web-enabled applications

Computer installations
- Running and monitoring the computer installations to a desired level
- Designing and configuring the live environment
- Ensuring basic controls over the operations of systems
- Controlling access to information and systems in the computer installation
- Addressing practices for computer installation security co-ordination, classification, risk analysis and review
- Developing, maintaining and validating contingency plans

Networks
- Designing and running computer networks to a desired level
- Ensuring that unauthorised network traffic is prevented
- Managing and monitoring network performance and resilience
- Addressing practices for network security co-ordination, classification, risk analysis and review
- Ensuring the security of voice networks

Systems development
- Managing the systems development process, environment and staff
- Addressing practices for systems development security co-ordination and review
- Ensuring arrangements for specification of security requirements
- Addressing security during design, acquisition and build
- Addressing practices for system testing and implementation
Reference
www.isfsecuritystandard.com
Document Taxonomy
ISO/IEC 13335 Information Technology: Guidelines for the Management of IT Security is a collection of five technical documents that provide guidance on aspects of information security management.
Circulation
The guidance is known and recognised globally by the information security community. Parts of it have been in existence since 1996.
Target Audience
The guidance is applicable to organisations of all types, size and geographic location. Part 1, containing the management aspects of IT, explicitly addresses senior management and information security managers, whereas the other parts target individuals responsible for the implementation of security measures, for instance, IT managers and IT security staff.
Timeliness
Dates of publication range from 1996 (part 1) to 2001 (part 5). Parts 1 and 2 have been revised into a new part 1 titled Concepts and Models for ICT Security Management, which is to be published in 2006. Parts 3 and 4 are at an early stage of redevelopment and will be made into a new part 2 titled Techniques for Information Security Risk Management. Part 5 is also in the early stages of redevelopment.
Certification Opportunities
There is no specific certification available.
Completeness
ISO/IEC 13335 contains comprehensive guidance on managing IT security; however, this does not detract from its general validity or usefulness. The guidance could be used by organisations of any type or size, although small organisations may find the level of detail overwhelming.
There is a good list of safeguards provided in part 4, although purely due to its age (part 4 was published in 2000), these may not fully address all of today's technical risks.
Availability
The documents can be purchased from ISO at www.iso.org (where prices range between Swiss CHF 73.00 and 158.00 depending on the portion ordered), and from the American National Standards Institute (ANSI) at http://webstore.ansi.org (prices from US $58.00 to US $125.00 depending on the part ordered).
Recognition/Reputation
Results of the ISACA global survey of 5,000 CISM holders (described in this document's Introduction) indicated that the guidance is known to at least 60 percent of surveyed CISMs, with recognition levels in Oceania particularly high at 85 percent. Figures for North America and Asia are surprisingly low for such a long-established international standard. The majority (60 percent) of those CISMs familiar with the guidance felt it has only limited acceptance within the information security community.
Usage
More than one-quarter of surveyed CISMs in Oceania actively use the guidance (i.e., implemented, used as best practice or used for assessment). The level of usage is much lower in other areas (as low as 11 percent in Central/South America). Of those CISMs familiar with it, at least half consider it both comprehensive in its coverage and effective in use.
Risk Management, 3
The guidance provides good fundamentals for information security risk management but it stops short of providing the detail that would be required for an appropriate methodology to be developed and used within an organisation.
Response Management, 1
Response management is referenced but not in any detail.
Overall, 4
The guidance is recommended as an excellent source of guidance for those involved in the management of information security.
The major elements involved in the security management process are:
- Assets (physical assets, information, software, people and intangibles)
- Threats (human and environmental)
- Vulnerabilities
- Impact
- Risk
- Safeguards
- Residual risk
- Constraints

The ongoing process of IT security management consists of the subprocesses:
- Configuration management: Changes in the configuration may not lead to a reduction of the security level. Furthermore, tracking of changes is available, and changes to the systems are reflected in various types of documentation (e.g., disaster recovery plan).
- Change management: This is the process of identifying security requirements when systems change.
- Risk management: Risk management is to be performed throughout the system's life cycle. A risk management process compares risks with benefits and costs of different types of safeguards.
- Risk analysis: Risks are identified by the analysis of asset values, threats and vulnerabilities, resulting in a statement of the likelihood of risks to previously mentioned assets.
- Accountability: Responsibility for security is to be assigned explicitly. Ownership is assigned to assets.
- Security awareness: This explains the security objectives, strategies and policies and the need to comply with them.
- Monitoring: A periodic review of the safeguards is needed to assure their effectiveness.
- Contingency plans and disaster recovery: Contingency plans describe how to maintain core business processes in the case of system outages. Disaster recovery contains information on restoration of systems affected by an unintended outage.
- Management commitment: What are the commitment and support of senior management?
- Policy relationships: What are the relationships amongst corporate strategy, marketing policy, security policy, IT policy, IT security policy and system-specific policies?
- Policy elements: Is there a comprehensive list of topics that are to be covered?

Organisational aspects of IT security, such as roles and responsibilities, the initiation of a security forum and the nomination of security, project and system security officers, are discussed. The need for support by all levels of management is outlined, as is the importance of following a consistent approach throughout the organisation and to all systems. Strategic options for a risk management strategy are presented thereafter. The specific advantages and disadvantages are addressed. The approaches are:
- Baseline approach: By selecting a set of safeguards to all systems, a baseline protection level is achieved.
- Informal approach: A pragmatic risk analysis for all systems, it requires experience of individuals and seems to be suitable for small organisations.
- Detailed risk analysis: A detailed analysis begins with the identification and valuation of assets, the threats to those assets, a selection of appropriate safeguards and the identification of an acceptable level of residual risk.
- Combined approach: Using the detailed approach at a high level identifies systems with a high risk, which are analysed in a more comprehensive manner. The other systems are appropriate for a baseline protection approach.

The security recommendations section addresses different types of safeguards, their interdependency and recommendations for selecting and maintaining them as well as the need for acceptance of residual risk and its classification into acceptable and unacceptable.
Following the discussion of risk management, other issues briefly mentioned are:
- IT system security policy: Contents and endorsement
- IT security plan: Documentation of actions to be taken for implementing the IT security policy
- Implementation of safeguards: Implementing the safeguards as defined in the plan, including security training
- Security awareness: Passing the knowledge from the security officer to all levels of the organisation
- Follow-up: Activities such as maintenance of safeguards and policies, security compliance checking, monitoring and incident handling
The basic assessments of the safeguard selection process are:
- Identification of the type of system: IT systems can be a standalone workstation, a workstation connected to a network or a server/workstation sharing resources via a network.
- Identification of physical/environmental conditions: In addition to general considerations concerning the environment of the organisation, more specific concerns are to be taken into account, such as perimeter and building (physical situation, single occupant or multi-occupied, information about other occupants, identification of sensitive/critical areas), access control (access to the building, physical access controls, robustness and structure of the building, protection level of doors, windows, etc.) or the protection in place (protection of rooms, fire detection/suppression facilities, water leakage detection, UPS, temperature and humidity controls, etc.).
- Assessment of existing/planned safeguards: By identifying existing safeguards, reselection of safeguards should be prevented. The identification is done by a review of documentation, a check with responsible personnel, or a walk through of the building. It has to be borne in mind that existing safeguards may exceed the current needs.

Safeguards can be classified into organisational/physical and system-specific safeguards:

Organisational and physical safeguards
- IT security management and policies
- Security compliance checking
- Incident handling
- Personnel
- Operational issues
- Business continuity planning
- Physical security

System-specific safeguards
- Identification and authentication
- Logical access control and audit
- Protection against malicious code
- Network management
- Cryptography

The organisational/physical safeguard categories are applicable to all IT systems. Thus all safeguards from this category should be considered first when following the baseline approach. IT system-specific safeguards require an in-depth consideration of the needs of the type and characteristics of the system.
When selecting safeguards, the security concerns (the loss of confidentiality, integrity, availability, accountability, authenticity or reliability) should be considered. Each of these categories faces several threats.
No specific threats are listed in the report, only such exemplary threats as account sharing; lack of traceability; masquerading user identity; software failure; unauthorised access to computers, data and applications; or a weak authentication of identity. Examples of countermeasures to the previously mentioned threats are provided in the report. During the selection of a specific safeguard, it has to be decided which basic aspect should be addressed by the safeguard. These aspects are:
- Threat: Reduction of the likelihood
- Vulnerability: Removal of the vulnerability or making it less serious
- Impact: Reduction or avoidance of the impact

During the implementation of an organisationwide baseline, it must be decided whether the organisation can be protected by the same baseline or if different levels have to be identified. The annexes contain a short description of several sources of information concerning baseline protection and IT security.
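The combined approach (high-level screening, then detailed risk analysis only for high-risk systems and a baseline set for the rest), the acceptance of residual risk, and the three safeguard aspects just listed can be seen working together in the following Python script. It is an added illustration written for this page, not a method defined by ISO/IEC 13335 or by the authors of this publication. The 1-to-5 ordinal scales, the risk formula (likelihood x vulnerability x impact), the screening formula, the thresholds, the safeguard catalogue and the two sample systems are all constructed assumptions; the example threat names are the ones mentioned above.

```python
from dataclasses import dataclass, replace

# Constructed scales (assumption of this example, not ISO/IEC 13335's): every factor is 1 (low) .. 5 (high).
SCREENING_THRESHOLD = 12   # high-level score above which a system gets a detailed analysis
ACCEPTABLE_RISK = 20       # residual risk at or below this value is classified acceptable

# Baseline set drawn from the organisational/physical category, applied to every system
BASELINE_SAFEGUARDS = ("IT security policy", "incident handling",
                       "business continuity planning", "physical security")

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int     # how likely the threat is to occur
    vulnerability: int  # how exposed the system is to it
    impact: int         # consequence if it is realised

@dataclass(frozen=True)
class Safeguard:
    name: str
    aspect: str         # basic aspect addressed: "likelihood", "vulnerability" or "impact"
    reduction: int      # points subtracted from that factor (a factor never drops below 1)
    cost: int           # relative cost, used to rank candidates
    applies_to: frozenset  # names of the threats it counters

@dataclass(frozen=True)
class System:
    name: str
    asset_value: int
    criticality: int
    connectivity: int   # 1 standalone, 3 networked workstation, 5 server sharing resources
    threats: tuple

def screening_score(system: System) -> int:
    """High-level assessment used by the combined approach (constructed formula)."""
    return system.asset_value * system.criticality + system.connectivity

def risk(threat: Threat) -> int:
    return threat.likelihood * threat.vulnerability * threat.impact

def apply_safeguard(threat: Threat, sg: Safeguard) -> Threat:
    """Reduce the one factor the safeguard addresses, flooring at 1."""
    current = getattr(threat, sg.aspect)
    return replace(threat, **{sg.aspect: max(1, current - sg.reduction)})

def detailed_analysis(system: System, catalogue) -> dict:
    """Per threat, greedily add the applicable safeguard with the best risk reduction per
    unit cost until residual risk is acceptable or no applicable safeguard remains."""
    result = {}
    for threat in system.threats:
        chosen, current = [], threat
        remaining = [sg for sg in catalogue if threat.name in sg.applies_to]
        while risk(current) > ACCEPTABLE_RISK and remaining:
            base = risk(current)
            best = max(remaining, key=lambda sg: (base - risk(apply_safeguard(current, sg))) / sg.cost)
            remaining.remove(best)
            chosen.append(best.name)
            current = apply_safeguard(current, best)
        result[threat.name] = {
            "initial_risk": risk(threat),
            "residual_risk": risk(current),
            "safeguards": chosen,
            # an unacceptable residual risk is left for an explicit management decision
            "acceptable": risk(current) <= ACCEPTABLE_RISK,
        }
    return result

def combined_approach(systems, catalogue) -> dict:
    plan = {}
    for system in systems:
        score = screening_score(system)
        entry = {"screening_score": score, "baseline": list(BASELINE_SAFEGUARDS)}
        if score > SCREENING_THRESHOLD:
            entry["approach"] = "detailed"
            entry["threats"] = detailed_analysis(system, catalogue)
        else:
            entry["approach"] = "baseline"
        plan[system.name] = entry
    return plan

# Constructed safeguard catalogue and sample systems (not from the standard)
CATALOGUE = (
    Safeguard("strong user authentication", "vulnerability", 3, 3, frozenset({"masquerading user identity"})),
    Safeguard("audit trail and review", "likelihood", 1, 2, frozenset({"masquerading user identity", "account sharing"})),
    Safeguard("tested backups", "impact", 2, 2, frozenset({"software failure"})),
    Safeguard("patch management", "vulnerability", 2, 1, frozenset({"software failure"})),
)
SYSTEMS = (
    System("payroll server", 5, 5, 5, (
        Threat("masquerading user identity", 4, 4, 5),
        Threat("software failure", 3, 2, 4),
        Threat("unauthorised physical access", 2, 5, 5),   # nothing in the catalogue counters it
    )),
    System("reception kiosk", 2, 1, 3, (Threat("software failure", 3, 2, 2),)),
)

if __name__ == "__main__":
    for name, entry in combined_approach(SYSTEMS, CATALOGUE).items():
        print(f"{name}: {entry['approach']} (screening score {entry['screening_score']})")
        for tname, t in entry.get("threats", {}).items():
            flag = "" if t["acceptable"] else "  <-- residual risk needs explicit management acceptance"
            print(f"  {tname}: {t['initial_risk']} -> {t['residual_risk']} via {t['safeguards']}{flag}")
```

Running it shows the payroll server being screened into detailed analysis while the kiosk keeps only the baseline set; for the server, authentication brings the masquerading risk down to the acceptable level, patching does the same for software failure, and the physical-access threat is left flagged because the catalogue offers nothing that counters it, which is exactly the residual-risk acceptance decision the guidance asks management to make explicitly.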
Review networking characteristics and related trust relationships: The characteristics can be classified into public or private networks and data and/or voice networks. Another distinction can be made between packet (hub-based) and switched networks. The trust relationship is classified, depending on its environment, into low, medium and high. The combination of the two classes of network connection (private or public) and trust environment (low, medium or high) provides the basic information for identifying safeguards.

Determine the types of security risks: Depending on the type of security risk (loss of confidentiality, loss of integrity, etc.) and the previous combination of characteristics and trust, characteristic safeguards are nominated.

Identify appropriate potential safeguard areas: On the basis of the security risks, several safeguards can be identified. They are grouped into disciplines, such as:
- Secure service management
- Identification and authentication
- Audit trails
- Intrusion detection
- Protection against malicious code
- Network security management
- Security gateways
- Data confidentiality over networks
- Data integrity over networks
- Nonrepudiation
- Virtual private networks
- Business continuity and disaster recovery

Document and review security options: The documentation of the intended architecture allows a final analysis of its design.

Prepare for the allocation of safeguard selection, design, implementation and maintenance: An organisation can be set up and specific tasks defined for the selection, implementation and maintenance of the safeguards.

A suitable security gateway arrangement will protect the organisation's internal systems and securely manage and control the traffic flowing across them, in accordance with a documented security gateway service access policy.
References
www.iso.org http://webstore.ansi.org
ISO/TR 13569:1997 Banking and Related Financial Services Information Security Guidelines
Document Taxonomy
The guidance Banking and Related Financial ServicesInformation Security Guidelines is a technical report containing guidelines on security concepts and suggested control objectives and solutions for financial sector organisations.
Circulation
This guidance is recognised internationally, but more so by the banking and financial services industry at which it is specifically aimed.
Target Audience
The guidance is intended for use by financial institutions of all sizes and types and by providers of service to financial institutions.
Timeliness
The first edition of ISO/TR 13569:1997 was issued in 1996 and then reissued in 1998. It has not been updated since. Most of its content is still valid and relevant but it should be noted that, due to technology changes, parts of the document are either stale or outdated. A new version of the standard is currently under development with no date given for expected completion.
Certification Opportunities
There is no certification associated with the guidance.
Completeness
The majority of the guidance is concerned with documenting control objectives and controls for the financial services sector and in this it covers a broad range of areas, many of which are specific to financial services (e.g., automated teller machines). Its age means that the controls are light for many technical areas; for instance, networking of trusted third parties (TTPs) was a new concept at the time of issue in 1996, and there is no mention of Internet banking. However, most of the controls remain appropriate as a source of commonly accepted security practices. The section on information security programme components is detailed enough for management briefing purposes and, although it is aimed toward the financial services sector, it is generally applicable to all organisations.
Availability
The documents can be acquired from the ISO web site, www.iso.org, at a cost of Swiss CHF 184.00.
Recognition/Reputation
Results of the global CISM survey conducted by ISACA in 2004 (described in this document's Introduction) indicate that the document is less known than some of the others reviewed for this research, although it still scored a reasonable 60 percent recognition level amongst surveyed CISMs (only 50 percent in Asia). However, the majority (59 percent) of those CISMs familiar with the guidance believe it has only limited acceptance as a standard.
Usage
The IT guideline is being put to practical use (i.e., implemented, used as best practice or used for assessment) by less than 15 percent of CISMs (only 2.5 percent in Central/South America), but that could be due to its emphasis on financial institutions. Over half of CISMs familiar with the guidance found it effective in use (rising to almost 90 percent in Oceania). Whilst more than half also found it comprehensive, this figure fell to only 36 percent in Oceania.
Risk Management, 3
The guidance provides a simple risk assessment methodology that could easily be used and adapted by anyone. It may not provide the level of detail required for evaluating very high-risk systems and it does not address all the aspects of risk management.
Response Management, 1
Response management is referenced in the guideline, but only limited guidance is provided.
Overall, 2
ISO/TR 13569:1997 is a valuable reference source of control practices, particularly for financial organisations, but since it was last published in early 1998, it is dated.
Section 7 addresses control objectives and suggested solutions. In this part of the guideline there are 20 main topic areas, many broken down into further topics, as follows:
- Information classification, including suggested labels and descriptions for criticality and sensitivity
- Logical access control, further broken into a number of topics
- Audit trails
- Change control (including emergency procedures)
- Computers
- Networks
- Software
- Human factors
- Voice, telephone and related equipment
- Facsimile and image
- Electronic mail
- Paper documents
- Microform and other media storage (disclosure, destruction, etc.)
- Financial transaction cards (physical security, abuse, PINs, audit, etc.)
- Automated teller machines (user identification, fraud prevention, maintenance, etc.)
- Electronic fund transfers
- Checks
- Electronic commerce
- Steganography
- Electronic money

Appendix A contains a number of sample forms, including:
- Information security policy: a simple, one-page document that can be easily amended
- Employee awareness form: can be signed by the employee and his/her manager
- Sign-on warning screen: alerts users that they must be authorised to use the system
- Risk acceptance form: details all relevant facts about the risk, with spaces for signatures of the relevant management
- Telecommuting agreement: describes the duties and obligations of the employee and the company

Appendix E contains a simple risk assessment process that includes step-by-step instructions and guidance along with a number of useful tables.
Reference
www.iso.org
Issuer
ISO/IEC 15408:1999 was published in 1999 by the ISO/IEC JTC1 working group in collaboration with the Common Criteria Project Sponsoring Organisation, which published the Common Criteria. Members of this organisation are:
- Canada: Communications Security Establishment
- France: Service Central de la Sécurité des Systèmes d'Information
- Germany: Bundesamt für Sicherheit in der Informationstechnik
- Netherlands: Netherlands National Communications Security Agency
- United Kingdom: Communications-Electronics Security Group
- United States: National Institute of Standards and Technology and National Security Agency

From a historical point of view, the various standards/guidance issued by some of the member bodies were influenced by other standards/guidance, as shown in figure 6.
Figure 6 (lineage diagram; only the box labels survive extraction): US Orange Book TCSEC (1985), UK Confidence Levels (1989), German Criteria, French Criteria, ITSEC (1991), Canadian Criteria (1993), Federal Criteria Draft (1993), Common Criteria v1.0 (1996), Common Criteria v2.0 (1998), Common Criteria v2.1 (1999), ISO/IEC 15408 (1999), Common Criteria v2.2 (2004)
Document Taxonomy
ISO/IEC 15408:1999 is an international standard. Common Criteria is labelled as a multipart standard.
Circulation
Because it was developed by an international committee and published as an international standard, Common Criteria has gained worldwide recognition.
Target Audience
CC describes three specific target audiences, with a fourth having some tangential targeting. They are:

Consumers: The needs of consumers are considered throughout the evaluation process. The level of security provided by an evaluated product is comprehensible for consumers.

Developers: Developers have a guideline to prepare for the evaluation of their systems. CC also helps in identifying security requirements and can be useful as a source of security functions that may be implemented in a system.

Evaluators: Evaluators have clear and agreed criteria to assess the security of a system. The steps necessary for an evaluation are included, but the standard does not stipulate the procedures to be followed.

Others: CC may be seen as a useful source of information by others, such as security and assurance professionals.
Timeliness
ISO/IEC 15408:1999 was first published in 1999 and is now somewhat out of step with the latest Common Criteria version 2.2, published in 2004 (CC 2.2). If the past serves as an indicator, it seems likely that CC 2.2 (following some minor editorial changes) will be accepted as the new version of ISO/IEC 15408, perhaps by 2006.
Certification Opportunities
The purpose of the document is to provide common criteria for the certification of security products and systems.
Completeness
There is a detailed description of the criteria that must be fulfilled to obtain certification of security products and systems. It does not describe the full role and responsibilities of an information security manager for establishing, implementing and maintaining an enterprisewide information security programme. Whilst the document contains security controls, they are not in a format that would make them easy to find and use by the average organisation defining security controls for itself.
Availability
The international standard can be purchased from ISO at www.iso.org for Swiss CHF 142.00, 294.00 and 230.00 for parts 1, 2 and 3 respectively. Common Criteria is freely available for public use from www.nist.gov and www.commoncriteriaportal.org.
Recognition/Reputation
Referring to the global survey of CISMs conducted in 2004 (described in this document's Introduction), two-thirds of surveyed CISMs are aware of the Common Criteria, slightly more in the Europe/Africa and Oceania regions. Well over half of all CISMs familiar with the CC felt it had only limited acceptance in the information security community. This is a surprisingly high figure considering its background; however, it may reflect the narrow focus of the CC on security products and systems rather than being a specific criticism of the standard.
Usage
CC is being used (mostly as best practice or for assessment) by approximately one-fifth of surveyed CISMs, except in Central/South America and Asia where usage is quite low (5 and 11 percent, respectively). It is considered by more than half of CISMs familiar with the standard to be comprehensive. At the same time, however, half the CISMs in Europe/Africa and Central/South America felt it had only limited effectiveness, again most likely due to the focus on security products.
Risk Management, 0
Risk management is not addressed at all in the guidance.
Response Management, 0
Response management is not addressed at all in this guidance.
Overall, 2
This guidance would mostly be of use to a security engineer as the level of technical detail is much greater than that of normal interest to an information security manager with enterprisewide responsibilities. The exception may be in organisations developing security products.
The statement of rationale shall be presented at a level of detail that matches the level of detail of the definition of the security functions.
- AGD: Guidance documents
  - AGD_ADM: Administrator guidance
  - AGD_USR: User guidance
- ALC: Life cycle support
  - ALC_DVS: Development security
  - ALC_FLR: Flaw remediation
  - ALC_LCD: Life cycle definition
  - ALC_TAT: Tools and techniques
- ATE: Tests
  - ATE_COV: Coverage
  - ATE_DPT: Depth
  - ATE_FUN: Functional tests
  - ATE_IND: Independent testing
- AVA: Vulnerability assessment
  - AVA_CCA: Covert channel analysis
  - AVA_MSU: Misuse
  - AVA_SOF: Strength of TOE security functions
  - AVA_VLA: Vulnerability analysis

Extract from AGD_ADM.1 Administrator Guidance
AGD_ADM.1.1C The administrator guidance shall describe the administrative functions and interfaces available to the administrator of the TOE.
AGD_ADM.1.2C The administrator guidance shall describe how to administer the TOE in a secure manner.
AGD_ADM.1.3C The administrator guidance shall contain warnings about functions and privileges that should be controlled in a secure processing environment.
AGD_ADM.1.4C The administrator guidance shall describe all assumptions regarding user behaviour that are relevant to secure operation of the TOE.

Seven evaluation assurance levels (EALs) are presented, representing packages of assurance components. These EALs allow the IT security rating of products and systems. For each EAL a description of its objectives and minimal assurance components is provided. The EALs identified within Common Criteria are as follows:
- EAL1: Functionally tested
- EAL2: Structurally tested
- EAL3: Methodically tested and checked
- EAL4: Methodically designed, tested and reviewed
- EAL5: Semiformally designed and tested
- EAL6: Semiformally verified design and tested
- EAL7: Formally verified design and tested
References
www.iso.org www.iec.org www.nist.gov www.commoncriteriaportal.org
Document Taxonomy
ISO/IEC 17799:2000 is a collection of information security practices, and is based on British Standard BS 7799-1:1999, Code of Practice for Information Security Management.
Circulation
ISO/IEC 17799:2000 is available and used internationally. It has been published in several languages including Chinese, Czech, Danish, Dutch, Finnish, French, German, Icelandic, Japanese, Korean, Norwegian, Portuguese and Swedish.
Target Audience
During the drafting of ISO/IEC 17799:2000 it was assumed that the execution of its provisions would be entrusted to appropriately qualified and experienced people. As all of the contents are considered guidance as opposed to mandatory requirements, it is assumed that the individual implementing ISO/IEC 17799:2000 will have the experience needed to evaluate and apply controls as they relate to the specific risks and needs of their organisation.
Timeliness
ISO/IEC 17799:2000 is a first edition, currently being reviewed as part of the normal three-to-five-year ISO revision process. Whilst the majority of its contents remain valid, changes in IT inevitably have meant that some of the guidance may be dated or incomplete. A new version has already been developed and is expected for publication within 2005.
Certification Opportunities
There is no certification available for ISO/IEC 17799:2000. However, it can be used as guidance for those wishing to achieve certification to BS 7799-2:2002.
Completeness
ISO/IEC 17799:2000 is designed to be comprehensive to a level that meets the needs of the majority of organisations, from small to large, and across industry sectors. As a set of control objectives and security practices it has good coverage although it does not deal with technology changes that have taken place over the last four or five years. Security management concepts are only briefly addressed.
Availability
ISO/IEC 17799:2000 can be purchased from ISO at www.iso.org for Swiss CHF 172.00, as well as from many national standards bodies.
Recognition/Reputation
Findings from the global CISM survey conducted by ISACA in 2004 (described in this document's Introduction) indicate that ISO/IEC 17799:2000 has made a significant impact on the information security community, and it was recognised by more than 97 percent of the surveyed CISMs. Acceptance levels of the standard are also very high: more than 85 percent of the surveyed CISMs (falling to 65 percent in North America) believed it to be an acceptable standard, whilst most of the remaining CISMs thought it has at least limited acceptance.
Usage
As the survey indicated, active usage (i.e., implemented, used as best practice or used for assessment) of the standard is very high at greater than 58 percent, with a large majority of surveyed CISMs (in excess of 80 percent) finding it comprehensive.
Risk Management, 1
Some references are made to risk management in the introduction. No further detail is present.
Response Management, 2
The guidance provides a good list of important control practices for business continuity, but it does not fully address all areas of this domain nor provide guidance on how to establish and manage a response management function.
Overall, 2
This is a good source of controls and control practices designed to be used by an experienced information security practitioner. However, those with less experience may find it difficult to decide which control practices are necessary.
ISO/IEC 17799:2000 Information Technology: Code of Practice for Information Security Management

Information security should at least consider the following parts:

Security policy
An information security policy should define the direction and contain the commitment and support of management. The policy should be communicated throughout the organisation.

Organisational security
The definition of adequate organisational structures for the management of information security within the organisation should include:
- An information security management forum
- A forum for co-ordination
- Assignment of responsibility for information security to individuals
- Definition of responsibility areas for managers
- Definition of an authorisation process for IT facilities
- Definition of responsibility for investigation of security-relevant know-how
- A defined scope for co-operation with third parties, as well as independent security reviews
Comprehensive measures should exist for the management of third-party services (definition of risks and security requirements). Risks caused by outsourcing contracts should be managed.

Asset classification and control
The inventory of assets and the assignment of responsibility should be seen as a prerequisite to sound accountability for assets. Information should be classified following a generally accepted system, thus ensuring an appropriate level of protection.

Personnel security
Security responsibilities, confidentiality agreements and the contract of employment should be part of the job responsibility. Adequate controls for personnel screening should be in place. Information security education and training should increase users' security awareness. The process for reporting security incidents, weaknesses and software malfunctions should be defined. This should include assessing the adequacy of the implemented controls through a permanent process of learning from incidents.

Physical and environmental security
Central equipment should be installed only within a secure area, where adequate access controls and damage prevention are implemented. These areas include offices, rooms and facilities. Special attention is also needed for delivery and loading areas. Equipment should be protected against loss, damage or compromise by being sited and protected in an appropriate manner. Power supplies, an adequate level of cabling security and correct maintenance of the equipment should be in place. Equipment installed off-premises and the disposal or reuse of information should be considered.
General controls (such as a clear desk and clear screen policy) to protect information processing facilities, or to prevent damage caused by unauthorised off-site usage of equipment, should be in place.

Communications and operations management
Operations should follow documented procedures. All changes to equipment should be documented. Procedures for sound incident management should be defined. Duties should be segregated, ensuring that no individual can both initiate and authorise an event. Development and operational facilities should be separated. Risks caused by contracted external facilities organisations should be covered. Capacity demands should be monitored and future demands projected. Acceptance criteria for new systems should be defined. Damage caused by malicious software should be prevented using preventive and detective controls, formal policies and defined recovery procedures. Information should be backed up and the backup files tested regularly. Activities performed by operational staff, and errors, should be logged. Networks should be set up and managed with a view to ensuring the necessary level of security. Removable media should be handled with special care. Media containing sensitive information should be disposed of in a secure manner. Adequate controls in information handling procedures (e.g., labelling of media, ensuring completeness of inputs, storage of media) should be considered. System documentation should be protected, as it may contain sensitive information. Agreements for the exchange of information and software should be established, covering media in transit, electronic commerce transactions, electronic mail, electronic office systems, publicly available systems and other forms of information interchange.

Access control
Access to information should be granted in accordance with business and security requirements. A formal access control policy should be in place and access control rules specified. User access management (registration, privilege management, password management, review of user access rights) should follow a formal process. Responsibilities of users should be clearly defined. Networked services, operating systems and applications should be protected appropriately. System access and use should be monitored constantly. Mobile computing and teleworking should be performed in a secure manner.

Systems development and maintenance
Security issues should be considered when implementing systems, following defined requirements.
Security in application systems should take into account the validation of input data, adequate controls over internal processing, message authentication and output data validation. Use of cryptographic systems should follow a defined policy. Access to system files (including test data and source libraries) should be controlled. Project and support environments should allow for security by being rigorously controlled (e.g., change management procedures, arrangements for outsourced development).

Business continuity management
A comprehensive business continuity management process should permit the prevention of interruptions to business processes. The process should not be restricted to IT-related areas and activities. An impact analysis should be carried out, resulting in a strategy plan. Business continuity plans should be developed following a single framework, and should be tested, maintained and reassessed continuously.

Compliance
Any unlawful act (e.g., a breach of data protection acts) should be avoided. Compliance with the security policy should be ensured by periodic reviews.
References
www.iso.org www.iec.org www.bsi-global.co.uk
Security Management
Document Taxonomy
ITIL Security Management, published in 1999, is a methodology describing how IT security management processes link into other IT infrastructure management processes.
Circulation
Although developed by the UK government, ITIL is used internationally.
Target Audience
The stated audience of Security Management is anyone responsible for critical IT processes as well as business managers who may find it helpful in defining their requirements for security.
Timeliness
ITIL Security Management has not been updated since 1999. There are some plans that call for ITIL to begin a scoping process for change in 2005. No further details were available at the time of publication.
Certification Opportunities
There is no certification for ITIL Security Management, but it is suggested that by following its guidance (along with that provided in the other ITIL IT services publications), an organisation would be well placed to obtain certification to BS 15000 Specification for IT Service Management.
Completeness
Within the scope of ITIL Security Management, security management processes are well covered and are suitable for any type of organisation with a large or complex IT infrastructure. However, ITIL does not extend outside the management of the IT infrastructure, meaning this is not an ideal publication for establishing an enterprisewide security function. The document includes a number of control practices but not to great depth, instead referring the reader to ISO/IEC 17799:2000 for more detailed information.
Note: ITIL actually uses the term BS 7799 and refers to the 1995 and draft 1999 versions of the Code of Practice that eventually evolved into BS 7799-1:1999 and then ISO/IEC 17799:2000. No mention is made by ITIL of BS 7799-2:2002, which was published much later than ITIL Security Management.
Availability
ITIL Security Management can be purchased from The Stationery Office (TSO) in the UK (online at www.tso.co.uk). The cost is GB Sterling 44.95.
Recognition/Reputation
Based on the ISACA global survey of CISMs (described in this document's Introduction), ITIL has wide international recognition (around 85 percent of the surveyed CISMs), although slightly less so in North America (68 percent). More than half of all CISMs felt the standard has only limited acceptance, although 35 percent felt it has wide acceptance.
Usage
The CISM survey results showed that ITIL is actively used (i.e., implemented, used as best practice or used for assessment) by 40 percent in the Oceania and Europe/Africa regions. Usage is also strong (more than 23 percent) in other regions. It is considered by most to be effective in use (except for Oceania with half feeling it has only limited effectiveness). More than half of those familiar with ITIL felt it is either somewhat comprehensive or comprehensive.
Risk Management, 0
Risk management is rarely addressed within this document.
Response Management, 1
References are made to security incident registration and problem management, but not to any great level.
Overall, 2
This is most likely to be of interest to an information security manager if the organisation is implementing ITIL or plans to apply for BS 15000 certification. Its main audience is likely to be IT managers.
Annexes
Annex A provides a cross-reference table showing the relationship between ITIL and ISO/IEC 17799:2000. Annex A recommends the use of ISO/IEC 17799:2000 when implementing Security Management. Annex B provides a specimen security section in the SLA. Annex C describes a framework that can be used in drawing up a security plan. Annex D is a reference showing the various documents that were referred to in drawing up Security Management, potentially useful web sites and a list of other ITIL books.
Reference
www.tsoonline.co.uk
Document Taxonomy
NIST 800-12, An Introduction to Computer Security: The NIST Handbook, describes the common requirements for managing and implementing a computer security programme and provides some guidance on the types of controls that are required. It is the first in a NIST series of three and is followed by:
- NIST 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems (September 1996)
- NIST 800-18 Guide for Developing Security Plans for Information Technology Systems (December 1998)
Circulation
The guidance is published by a US government department, thus it is more commonly used by US organisations. However, the NIST series of security publications is internationally known by the information security industry. NIST is also the US representative in Common Criteria guidance.
Target Audience
The guidance states that it is aimed at those with responsibilities for computer security, particularly those in US government organisations. However, the majority of its contents could be applicable to any individual with information security responsibilities.
Timeliness
The guidance is somewhat dated on the controls side, having been produced in 1995. However, its overall guidance on a computer security programme remains valid. No updates have been published.
Certification Opportunities
No certification is available for NIST 800-12.
Completeness
Although it was designed primarily for US government agencies, it is also considered appropriate for organisations of any type or size. Many of the references are US-specific, but this should not be a major problem for non-US readers. The controls are somewhat dated and are provided at a relatively high level compared with guidance available in other publications. Despite this, it does a good job of meeting its stated objectives.
Availability
The guidance is available for free electronic download from the CSRC web site, www.csrc.nist.gov. Printed versions are not available.
Recognition/Reputation
Based on the results of the global CISM survey conducted in 2004 (described in this document's Introduction), the guidance is well recognised, by more than 60 percent of surveyed CISMs globally and particularly in North America (85 percent). Around half of the surveyed CISMs felt the guidance has only limited acceptance, although responses from North America were much more positive.
Usage
The guidance is actively used (i.e., implemented, used as best practice or used for assessment) by one-third of all North American CISMs and also by many in Central/South America. The application levels are quite low (less than 14 percent) in other areas. Despite this low usage outside the Americas, more than half of all CISMs familiar with the publication considered it to be comprehensive and effective.
Risk Management, 3
The guidance provides good descriptions of risk management concepts, but it does not provide direction on how to carry out risk assessments.
Response Management, 3
It provides good guidance on the components of contingency planning, but it does not go fully into response management nor cover forensics.
Overall, 4
NIST 800-12 is a good guideline that covers many aspects of information security management. It is focussed on the US government and may be somewhat cumbersome for small, commercial organisations, but overall it is a valuable source of guidance. It would benefit from being updated as it was last published in 1995.
Computer security requires a comprehensive and integrated approach: Computer security and areas outside computer security should be considered together. The interdependence of security controls and other controls must be understood, and a mix of managerial, operational and technical controls applied to enable an adequate and stable level of security.

Computer security should be periodically reassessed: The need for re-evaluation of security measures is obvious in the wake of constant changes to organisations, business environments, legal issues, threats or technologies.

Computer security is constrained by societal factors: Security measures may come into conflict with other constraints, such as workplace privacy. Those conflicts must be resolved.

Another chapter within section I provides ideas on how roles and responsibilities for security may be allocated within an organisation. These roles and responsibilities are non-prescriptive, and it is recognised within the handbook that they will vary depending on many factors, including the size of the organisation. Examples are given for 18 typical roles, including senior management, audit, quality assurance, help desk, and system management and administration. Common threats to information are explained under nine headings, including fraud and theft, employee sabotage, malicious hackers, malicious code, errors and omissions, and espionage.

Sections II, III and IV address controls that have been divided into three areas: management, technical and operational. Section II contains management controls, divided into a number of chapters, each addressing a specific area.
Assurance Chapter
The handbook defines computer security assurance as the degree of confidence one has that the security measures, both technical and operational, work as intended to protect the system and the information it processes. This chapter examines both accreditation and assurance, describing objectives, methods and when assurance is required within planning, design, implementation and operations of systems. Many tools and methods for obtaining assurance (e.g., penetration testing and automated tools) are described.

Extract From 7.1.2 Collecting and Analyzing Data
Risk has many different components: assets, threats, vulnerabilities, safeguards, consequences, and likelihood. This examination normally includes gathering data about the threatened area and synthesizing and analyzing the information to make it useful. Because it is possible to collect much more information than can be analyzed, steps need to be taken to limit information gathering and analysis. This process is called screening. A risk management effort should focus on those areas that result in the greatest consequence to the organization (i.e., can cause the most harm). This can be done by ranking threats and assets. A risk management methodology does not necessarily need to analyze each of the components of risk separately. For example, assets/consequences or threats/likelihoods may be analyzed together.

Section III on operational controls also contains a number of chapters describing controls requirements for specific areas.
Resources addressed include human, computer-based, data, infrastructure and documentary. Some examples are provided on the different types of questions that may arise in planning, given different scenarios. Suggestions are also provided on the types of backup sites that may be considered, depending on requirements.
geographic location and the services supporting facilities (human and technical) and recognises that variations mean that the likelihood of some threats will differ. Amongst the threats considered are physical damage to buildings, intruders (physical) and physical theft.

Extract From 14.1 User Support
An important security consideration for user support personnel is being able to recognize which problems (brought to their attention by users) are security-related. For example, users' inability to log onto a computer system may result from disabling their accounts due to too many failed access attempts. This could indicate the presence of hackers trying to guess users' passwords. In general, system support and operations staff need to be able to identify security problems, respond appropriately, and inform appropriate individuals. A wide range of possible security problems exists. Some will be internal to custom applications, while others apply to off-the-shelf products. Additionally, problems can be software- or hardware-based.

Section IV addresses technical controls and is, again, split into a number of chapters.
Cryptography Chapter
This chapter explains the differences between secret and public key cryptography, and common applications for their use, including integrity checking and digital signatures. Guidance is also provided on selection and implementation issues such as hardware vs. software, key management and export controls. Chapter 20 of the handbook provides a detailed example of how computer security may be addressed, using a hypothetical government agency. The example describes an environment, provides details and outcome of risk assessment, identifies threats, defines existing security measures and existing vulnerabilities, and finishes with recommendations for mitigation.
References
www.nist.gov www.csrc.nist.gov
12. NIST 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
Issuer
The Computer Security Resource Centre of the National Institute of Standards and Technology, a department of the US Department of Commerce, published the document. It is part of NIST's 800 series (computer security), and was published in 1996.
Document Taxonomy
NIST 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems is a collection of principles and practices to establish and maintain system security. It is labelled as a special publication and is one of a series of three produced by NIST. The other two are:
NIST 800-12 An Introduction to Computer Security - The NIST Handbook (October 1995)
NIST 800-18 Guide for Developing Security Plans for Information Technology Systems (December 1998)
Circulation
The NIST 800-14 guidance was published by a US government department, thus it is more commonly used by US organisations. However, the NIST series of security publications is internationally known by the information security industry.
Target Audience
NIST 800-14 targets management, security practitioners, users, system developers and internal auditors. Thus, it explicitly addresses all parties responsible for IT security. When following the document, the security principles and practices are to be applied to governmental IT systems, particularly systems for e-governance.
Timeliness
The document was published in September 1996, and no subsequent revision is available. However, the majority of contents are high-level and still relevant.
Certification Opportunities
Certification to these principles is not available.
Completeness
NIST 800-14 describes at a high level the issues that must be considered in selecting appropriate policy and controls for an organisation. It does not provide the level of detail an organisation would need in deciding on appropriate security controls and practices, instead providing more of a framework. It provides a good foundation for those new to information security management, albeit more IT-focussed than many modern approaches to the subject.
Availability
The guidance is posted for complimentary download electronically from the CSRC web site at www.csrc.nist.gov.
Recognition/Reputation
The results produced by a global CISM survey conducted in 2004 (described in this document's Introduction) showed that NIST 800-14 is highly recognised in North America (80 percent). However, it scored only slightly more than half (55 percent) in Europe/Africa and Asia. The guidance was also considered to have only limited or no acceptance by a huge majority (88 percent) of CISMs except, again, in North America, where acceptance levels are higher but still are not overwhelming.
Usage
The global CISM survey showed that NIST 800-14 is being actively used (i.e., implemented, used as best practice or used for assessment) by more than one-third of North American CISMs but levels in Oceania, Europe/Africa and Asia show very low usage, at less than 15 percent. Despite this low usage, it is considered by more than half of all CISMs familiar with it to be comprehensive and effective.
Risk Management, 1
The guidance describes a risk management framework, but not in sufficient detail to undertake risk assessments or make risk-based decisions.
Response Management, 2
It provides a good list of important control practices for business continuity, but it does not fully address all areas of this domain nor provide guidance on how to establish or carry out the practices.
Overall, 2
NIST 800-14 is good as an introduction for those new to information security and/or for briefing and educating IT and business managers. It would be particularly useful for smaller organisations or those that have never addressed information security.
Programme management - Programme management includes a central security programme that applies to the enterprise and system-level programme, which is concerned with typical systems life cycle activities.
Risk management - This practice addresses risk assessment, risk mitigation and uncertainty analysis and also provides a number of common definitions and explanations.
Life cycle planning - Life cycle planning has six phases, described as security plan, initiation phase, development/acquisition phase, implementation phase, operation/maintenance phase and disposal phase.
Personnel/user issues - These activities address staffing and user administration, including steps for dealing with terminations.
Preparing for contingencies and disasters - Five main activities in this practice are business plan, identification of resources, scenario development, strategy development and test/revision of plan.
Computer security incident handling - This is split into descriptions of how the incident response capability can be used and suggestions on its common characteristics.
Awareness and training - The practice describes seven steps: identify programme scope, goal and objectives; identify training staff; identify target audiences; motivate management and employees; administer the programme; maintain the programme; and evaluate the programme.
Security considerations in computer support and operations - This practice describes eight considerations, including user support, configuration management, media controls and standardised logon banner.
Physical and environmental security - This practice includes consideration of physical access controls, fire, flood and interception of data.
Identification and authentication - This includes practices for identification, authentication and password, with common aspects such as limited logon attempts being addressed.
Logical access control - The practice addresses access criteria and control mechanisms, including ACLs, encryption and firewalls.
Audit trails - This practice is split into four areas covering audit trail content, audit trail security, audit trail reviews and keystroke monitoring.
Cryptography - This practice includes consideration of selection, design and key management.
Extract From 3.10 Physical and Environmental Security, Fire Safety Factors
Building fires are a particularly important security threat because of the potential for complete destruction of both hardware and data, the risk to human life, and the pervasiveness of the damage. Smoke, corrosive gases, and high humidity from a localized fire can damage systems throughout an entire building. Consequently, it is important to evaluate the fire safety of buildings that house systems.
References
www.nist.gov www.csrc.nist.gov
13. NIST 800-18 Guide for Developing Security Plans for Information Technology Systems
Issuer
The Computer Security Resource Centre (CSRC) of the National Institute of Standards and Technology (NIST), a department of the US Department of Commerce, published the document. It is part of NIST's 800 series (computer security) and was published in December 1998.
Document Taxonomy
NIST 800-18 Guide for Developing Security Plans for Information Technology Systems is the third in a trilogy of NIST publications on IT security and provides a format and guidance for developing a system security plan. The first publications are:
NIST 800-12 An Introduction to Computer Security - The NIST Handbook (October 1995)
NIST 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems (September 1996)
Circulation
The publication is from a US government department, so it is more commonly used by US organisations. However, the NIST series of security publications is internationally known by the information security industry.
Target Audience
The guideline is directed at those with little or no computer security expertise, but who are responsible for IT security at the system or organisational level. The concepts are intended to be generic and as such could be used by the private or public sector. The guideline can also be used as an auditing tool.
Timeliness
The guideline was published in 1998 but still remains valid and appropriate. No subsequent revision of the document is available.
Certification Opportunities
There is no certification for this guideline.
Completeness
NIST 800-18 provides a comprehensive template and instruction for completing a security plan. It needs to be used in combination with other reference material and, by itself, does not describe all of the responsibilities and activities that are likely to be performed by an information security manager.
Availability
The guidance is posted for complimentary download electronically from the CSRC web site, www.csrc.nist.gov.
Recognition/Reputation
The results of the global CISM survey (described in this document's Introduction) indicate that the recognition of the guideline is very high in North America, at nearly 85 percent of CISMs, but it falls to a bit more than 50 percent in Europe/Africa and Asia. At least half of CISMs in all regions feel it has at least limited or wide acceptance as a guideline.
Usage
The CISM survey results indicate that the guideline is actively used (i.e., implemented, used as best practice or used for assessment) by one-third of North American CISMs, but usage is less than 17 percent elsewhere. However, it is considered by more than half of those familiar with it to be both comprehensive and effective.
Risk Management, 1
The guidance implicitly addresses some of the activities in this domain but only as part of the process of creating a security plan.
Response Management, 1
It implicitly addresses some of the activities in this domain but only as part of the process of creating a security plan.
Overall, 2
This publication was designed to provide guidance on developing a security plan for a system and it does so very well. It could be a valuable tool but should be used by an experienced information security practitioner alongside other tools and methodologies.
Management Controls
The guideline explains how to complete the management controls section of the template. This includes the results of a risk assessment, what types of security reviews the system has had (or are planned) and rules of behaviour for using the system. Reference is also made to the five-phase security life cycle (initiation, development/acquisition, implementation, operation/maintenance, disposal) and what aspects of the security plan can be considered and documented through each phase.

Extract From 4.3 Rules of Behavior Chapter
The rules of behavior should clearly delineate responsibilities and expected behavior of all individuals with access to the system. The rules should state the consequences of inconsistent behavior or noncompliance. The rules should be in writing and form the basis for security awareness and training.
Operational Controls
The guideline discusses operational controls for major applications separately from those for general support systems. In each case, issues to consider and guidance on decision-making factors are provided. Guidance is provided under the following headings:

Major applications
  Personnel
  Physical and environment protection
  Input/output controls
  Contingency planning
  Application software maintenance controls
  Data integrity/validation control
  Documentation
  Security awareness and training

General support systems
  Personnel
  Physical and environment protection
  Input/output controls
  Contingency planning
  Hardware and system software maintenance controls
  Integrity control
  Documentation
  Security awareness and training
  Incident response capability

Extract From 5.MA.1 Personnel Security
Have all positions been reviewed for sensitivity level? If all positions have not been reviewed, state the planned date for completion of position sensitivity analysis.
A statement as to whether individuals have received the background screening appropriate for the position to which they are assigned. If all individuals have not had appropriate background screening, include the date by which such screening will be completed. If individuals are permitted system access prior to completion of appropriate background screening, describe the conditions under which this is allowed and any compensating controls to mitigate the associated risk.
Is user access restricted (least privilege) to data files, to processing capability, or to peripherals and type of access (e.g., read, write, execute, delete) to the minimum necessary to perform the job?
Technical Controls
Technical controls are also addressed differently in the guide for major applications and general support systems. Again, in each case, issues to consider and guidance on decision-making factors are provided. Each considers controls under the headings of identification and authentication, logical access control and audit trails. Major applications also considers control for public access.

Extract From 6.GSS.1.2 Authentication
Describe the method of user authentication (password, token, and biometrics). If a password system is used, provide the following specific information:
  Allowable character set;
  Password length (minimum, maximum);
  Password aging time frames and enforcement approach;
  Number of generations of expired passwords disallowed for use;
  Procedures for password changes;
  Procedures for handling lost passwords, and
  Procedures for handling password compromise.
  Procedures for training users and the materials covered.
Note: The recommended minimum number of characters for a password is six to eight characters in a combination of alpha, numeric, or special characters. Indicate the frequency of password changes, describe how password changes are enforced (e.g., by the software or system administrator), and identify who changes the passwords (the user, the system, or the system administrator).

In addition to the template plans, the appendix also has examples of rules of behaviour (one for major applications and one for general support systems) in the form of a document designed to be read and signed by the relevant users.
References
www.nist.gov www.csrc.nist.gov
14. NIST 800-53 Recommended Security Controls for Federal Information Systems, Second Public Draft
Issuer
The National Institute of Standards and Technology is a US-based organisation responsible for providing US agencies with standards and guidelines for information security. The 800 series contains a number of security-related guides, many of which are designed to be suitable for the private as well as the public sectors. NIST 800-53 Recommended Security Controls for Federal Information Systems was published as a first draft in October 2003 and followed by a second draft in September 2004. Although written for US federal agencies, it is expected to have a wide audience amongst businesses.
Document Taxonomy
NIST 800-53 Recommended Security Controls for Federal Information Systems is a public draft document containing baseline security controls. It is one of a series of documents published and planned on security for US federal information systems to be finalised in the first quarter of 2005. NIST 800-53 will be replaced in 2005 by FIPS Publication 200 Minimum Security Controls for Federal Information Systems, which will be the mandatory standard for US federal agencies.
Circulation
The publication is from a US government department, so it is likely to be more commonly used by US organisations. However, the NIST series of security publications is internationally known and used by the information security industry. Although a relatively new document, it is also likely to already have been considered by a wide audience.
Target Audience
The NIST 800-53 draft dated October 2003 was incomplete when issued for reviewers to comment. Despite this, extensive feedback was received and the second draft issued in September 2004 was a shorter but complete version. Draft 2 was also open to comment until November 2004, with the final version expected to be published in 2005. NIST 800-53 will be of specific interest to any individual who has security responsibilities and works in a US federal agency. However, it would be of interest to information security practitioners, IT managers and auditors in any type or size of organisation.
Timeliness
NIST 800-53 is in final drafting, with the final version due in the first quarter of 2005.
Certification Opportunities
There is no certification to this guide; however, NIST Special Publication 37 provides guidance on security certification and accreditation of information systems.
Completeness
NIST 800-53 is focussed on providing security controls; therefore, it does not describe in any detail the role of the information security manager or the requirements for establishing, implementing and maintaining an enterprise-wide information security programme. A total of 154 security controls are described, with guidance and, in many cases, actions to enhance the control for higher risk systems. The set of controls within draft 2 is shorter and in less detail than those provided in draft 1.
Availability
The draft is posted for complimentary download (as will be the final version) from the CSRC web site, www.csrc.nist.gov.
Recognition/Reputation
The global survey of CISMs (described in this document's Introduction) shows that NIST 800-53 is already known to 80 percent of North American CISMs, but recognition falls to around half in Europe/Africa and Asia. The vast majority (90 percent) of those familiar with it feel it has only limited or no acceptance. The exception to this is in North America, but, even there, more than 50 percent feel it has only limited acceptance. One can assume this will change when the final document is published in 2005 and becomes a US government agency mandatory standard.
Usage
Surprisingly for a new and still draft document, NIST 800-53 is already being actively used (i.e., implemented, used as best practice or used for assessment) by almost one-third of North American CISMs. However, usage figures for other areas are less than 15 percent. CISMs familiar with NIST 800-53 also generally feel it is (or will be) comprehensive and effective.
Risk Management, 1
The domain is addressed only lightly in its description of security fundamentals.
Response Management, 1
This domain is addressed only lightly in the document's description of security fundamentals.
Overall, 2
This is a good source of controls and control practices designed to be used by US government agencies. It provides a good source of basic security controls and will be even more useful when completed in 2005.
Figure 7 - NIST Control Families

Identifier  Family                                                    Number of Controls
AC          Access Control                                            18
AT          Awareness and Training                                     4
AU          Audit and Accountability                                  10
CA          Certification, Accreditation and Security Assessments      7
CM          Configuration Management                                   6
CP          Contingency Planning                                      10
IA          Identification and Authentication                          7
IR          Incident Response                                          7
MA          Maintenance                                                6
MP          Media Protection                                           8
PE          Physical and Environmental Protection                     20
PL          Planning                                                   5
PS          Personnel Security                                         8
RA          Risk Assessment                                            4
SA          System and Services Acquisition                            9
SC          System and Communications Protection                      18
SI          System and Information Integrity                           7
A major objective of NIST 800-53 is to provide a set of controls for selection and implementation. There are 154 controls categorised over 17 families, each of which is given a two-character identifier, as shown in figure 7. Controls are numbered within each family and each control has three components:
The control section gives the specific security-related activity or action that is required to be undertaken. There may be some flexibility for the organisation in applying the control and this is indicated by assignment and selection options. For instance, an assignment may enable the organisation to define its own frequency or time period for reviews. A selection may provide, for instance, four or five possible actions, of which the organisation must implement at least two.
Supplemental guidance gives additional detail that an organisation may need to consider, including applicable federal legislation, directives, etc.
Control enhancements provide the additional steps necessary to strengthen the basic controls when a risk assessment has determined that this is necessary.

NIST 800-53 differentiates between common security controls and system-specific controls. It describes common security controls as those that can be applied across one or more organisational information systems, and as having properties that allow their development, implementation and assessment to be assigned to responsible organisational officials or organisational elements. Common security controls are those that can be centrally managed to ensure consistency and reduce costs. System-specific controls are simply described as the responsibility of the system owner. NIST 800-53 points out the need to ensure clarity in differentiating which controls are common and which are system-specific. It goes on to contend that information system owners are not responsible for the common security controls protecting their systems, only those that are system-specific issues. (Author's note: Such an approach may not meet the needs of every organisation.)

As this piece of security guidance is aimed at US federal systems, and how to go about selecting baseline controls, it is of course based on US federal standards for categorising the system for security. Categories are low, moderate and high and selection is based on the highest value, given the potential impacts on confidentiality, integrity and availability. NIST 800-53 requires the highest value to be ascertained using the FIPS Publication 199 security category of the system. This system derives the security category as being the triple of the associated potential impacts for confidentiality, integrity and availability and is expressed as:
SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are low, moderate, or high.
Having determined the security category, appendix D can be referenced to determine which are the minimum security (baseline) controls required (i.e., corresponding to low, moderate, or high impact). The full controls catalogue is provided in appendix F.
Extract From Appendix F of System and Information Integrity Control Number SI-6
SI-6 SECURITY FUNCTIONALITY VERIFICATION
Control: The information system verifies the correct operation of security functions [Selection (one or more): upon system start-up and restart, upon command by the user with appropriate privilege, periodically every (Assignment: organization-defined time-period)] and [Selection (one or more): notifies system administrator, shuts the system down, restarts the system] when anomalies are discovered.
Supplemental Guidance: None.
Control Enhancements:
(1) The organization employs automated mechanisms to provide centralized notification of failed security tests.
(2) The organization employs automated mechanisms to support centralized management of distributed security testing.
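The selection and assignment options in a control statement such as SI-6 are what an organisation fills in when it tailors the control. The following is an added example, not NIST's own tooling: it parses the SI-6 statement quoted above into its parameters and produces the tailored statement from the organisation's choices, rejecting a selection that violates the stated cardinality or an assignment that is left undefined. The parameter model and the tailor() helper are this example's assumptions.

```python
"""Parse and tailor a parameterised NIST SP 800-53 control statement.

Added example, not NIST's own tooling: SI6_CONTROL is the SI-6 statement quoted
on this page; the parameter model and tailor() are this example's assumptions
about how an organisation records its selection and assignment decisions.
"""
import re

# SI-6 control statement exactly as quoted above (second public draft).
SI6_CONTROL = (
    "The information system verifies the correct operation of security functions "
    "[Selection (one or more): upon system start-up and restart, upon command by the "
    "user with appropriate privilege, periodically every (Assignment: "
    "organization-defined time-period)] and [Selection (one or more): notifies system "
    "administrator, shuts the system down, restarts the system] when anomalies are "
    "discovered."
)

# "[Selection (one or more): a, b, c]" or "[Selection: a, b]" (exactly one).
SELECTION_RE = re.compile(r"\[Selection(?: \(([^)]*)\))?: (.*?)\]")
# "(Assignment: organization-defined ...)" may sit inside a selection option.
ASSIGNMENT_RE = re.compile(r"\(Assignment: ([^)]*)\)")


def extract_parameters(control_text):
    """Return the selections and assignment names in document order.

    800-53 separates selection options with commas, so an option or nested
    assignment that itself contains a comma would need a smarter split.
    """
    selections = []
    for cardinality, body in SELECTION_RE.findall(control_text):
        selections.append({
            "cardinality": cardinality or "one",
            "options": [option.strip() for option in body.split(",")],
        })
    return {"selections": selections,
            "assignments": ASSIGNMENT_RE.findall(control_text)}


def _join(options):
    """Join chosen options the way the control prose reads: 'a, b and c'."""
    if len(options) == 1:
        return options[0]
    return ", ".join(options[:-1]) + " and " + options[-1]


def tailor(control_text, chosen, assigned):
    """Produce the organisation's tailored control statement.

    chosen:   one list of 0-based option indexes per Selection, in document order
    assigned: value for every (Assignment: name) inside a chosen option
    Raises ValueError if a cardinality is violated, an index is out of range or
    an assignment that survived the selection is left undefined.
    """
    selections = extract_parameters(control_text)["selections"]
    if len(chosen) != len(selections):
        raise ValueError(f"expected {len(selections)} selections, got {len(chosen)}")
    pending = list(zip(selections, chosen))

    def resolve_selection(_match):
        selection, indexes = pending.pop(0)
        options = selection["options"]
        if any(i < 0 or i >= len(options) for i in indexes):
            raise ValueError("selection index out of range")
        if "one or more" in selection["cardinality"]:
            valid = len(indexes) >= 1
        else:
            valid = len(indexes) == 1
        if not valid:
            raise ValueError(f"selection ({selection['cardinality']}) needs a valid choice")
        return _join([options[i] for i in indexes])

    text = SELECTION_RE.sub(resolve_selection, control_text)

    missing = []

    def resolve_assignment(match):
        name = match.group(1)
        if name not in assigned:
            missing.append(name)
            return match.group(0)
        return assigned[name]

    text = ASSIGNMENT_RE.sub(resolve_assignment, text)
    if missing:
        raise ValueError("unassigned parameters: " + ", ".join(missing))
    return text


if __name__ == "__main__":
    # Constructed tailoring decision: verify at boot and every 24 hours, notify the admin.
    print(tailor(SI6_CONTROL, [[0, 2], [0]],
                 {"organization-defined time-period": "24 hours"}))
```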
Security assurance requirements are provided via appendix E. Low baseline controls are generally expected to have no obvious errors, and any errors found should be corrected, as necessary, in a timely manner. Moderate baseline controls require a higher level of correctness and should be designed in a manner such that correctness is incorporated into their design. High baseline controls continue this theme with a requirement for capabilities that support ongoing, consistent operation and continuous improvement.

The activities relating to management of organisational risk are described within NIST 800-53 in the context of the system development life cycle. Nine activities are described as:
1. Categorise the information system based on the FIPS 199 impact assessment.
2. Select baseline controls.
3. Adjust controls based on specific organisational requirements.
4. Document the agreed list of controls including justifications for changes made.
5. Implement the controls.
6. Assess to ensure that the implemented controls are working as expected.
7. Determine risk from the continued operation of the system.
8. Authorise that this level of risk is acceptable.
9. Monitor controls on a continuous basis.

The draft of appendix G conveniently provides a mapping of the 154 NIST 800-53 controls against ISO/IEC 17799:2000 Code of Practice for Information Security Management, NIST Special Publication 800-26 Security Self-assessment Guide for Information Technology Systems, and the US Government Accountability Office (GAO) Federal Information System Controls Audit Manual.
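The first two of the activities above (categorise, then select the baseline) rest on the FIPS 199 security category triple and the "highest value" rule described earlier in this chapter. The following added example, not NIST's own code, works that derivation through for a system that processes several information types, which goes beyond the single-system notation on the page: each objective takes the highest impact over the system's information types, and the baseline is the highest of the three. The sample system and its information types are constructed.

```python
"""FIPS 199 security categorisation and 800-53 baseline selection.

Added example, not NIST's own code: it works through the SC triple and the
'highest value' (high water mark) rule described on this page, generalised to
a system that processes several information types. The information types and
impact values used below are constructed.
"""

IMPACT_LEVELS = ("low", "moderate", "high")
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorise_system(information_types):
    """Derive the system's security category from its information types.

    information_types maps a type name to {objective: impact}. For each
    objective the system takes the highest impact over all its types.
    FIPS 199 permits "not applicable" only for the confidentiality of an
    information type (e.g. public data); a system itself is never below "low".
    """
    system = {objective: "low" for objective in OBJECTIVES}
    for name, impacts in information_types.items():
        for objective in OBJECTIVES:
            value = impacts.get(objective)
            if value == "not applicable" and objective == "confidentiality":
                continue
            if value not in IMPACT_LEVELS:
                raise ValueError(f"{name}: invalid {objective} impact {value!r}")
            if IMPACT_LEVELS.index(value) > IMPACT_LEVELS.index(system[objective]):
                system[objective] = value
    return system


def format_security_category(system_name, sc):
    """Render the triple in the SC = {(objective, IMPACT), ...} notation quoted above."""
    parts = ", ".join(f"({objective}, {sc[objective].upper()})" for objective in OBJECTIVES)
    return f"SC {system_name} = {{{parts}}}"


def select_baseline(sc):
    """High water mark: the appendix D baseline follows the highest impact value."""
    return max(sc.values(), key=IMPACT_LEVELS.index)


if __name__ == "__main__":
    case_tracking = {  # constructed sample system
        "public web content": {"confidentiality": "not applicable",
                               "integrity": "moderate", "availability": "low"},
        "personnel records": {"confidentiality": "moderate",
                              "integrity": "moderate", "availability": "low"},
        "incident reports": {"confidentiality": "high",
                             "integrity": "moderate", "availability": "moderate"},
    }
    sc = categorise_system(case_tracking)
    print(format_security_category("case tracking system", sc))
    print("baseline:", select_baseline(sc))
```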
References
www.csrc.nist.gov www.nist.gov
Document Taxonomy
The OCTAVE criteria are a set of principles, attributes and outputs. OCTAVE Method (18 volumes) and OCTAVE-S (10 volumes) provide a full methodology for applying the criteria, including detailed process guidelines, worksheets, security practices and presentation slides. Introduction to the OCTAVE Approach has also been published.
Circulation
OCTAVE is available and promoted through the CERT organisation of SEI, which is internationally well known in the information security industry.
Target Audience
OCTAVE is aimed at the individuals within an organisation responsible for evaluating risks and ensuring appropriate protection strategies are developed and implemented.
Timeliness
The OCTAVE framework was first published in 1999, and since then, the SEI has continued to improve and develop the approach and method. The latest issuance occurred in 2001.
Certification Opportunities
No certification exists for OCTAVE.
Completeness
OCTAVE provides a complete methodology, with supporting documents, for the evaluation of security risks and selection of practices for the management of these risks. It has been designed to be suitable for organisations of any type, size or geographic location. OCTAVE covers only activities relating to evaluating risks, setting priorities and selecting controls. It does not address the full role and responsibilities of information security management.
Availability
OCTAVE documents are freely available from www.cert.org/octave.
Recognition/Reputation
According to the global survey of CISMs that was conducted in 2004 (described in this document's Introduction), OCTAVE has fairly low recognition amongst surveyed CISMs compared to many other standards (50 percent, with only 40 percent in Europe/Africa). Acceptance levels are also very low, with less than 10 percent in all regions believing the method to be widely accepted and more than half believing it has no acceptance whatsoever. This seems to be a very low figure for such a comprehensive methodology.
Usage
Usage (i.e., implemented, used as best practice or used for assessment) of OCTAVE is highest in North America and Asia, but still is at only 14 percent. There are varying opinions on how comprehensive it is considered, with North America, Europe/Africa and Central/South America coming out at more than 50 percent in favour of its coverage. Oceania, Central/South America and Asia find it most effective (60 to 80 percent).
Risk Management, 4
OCTAVE includes a detailed and well-explained methodology for risk management that can be applied to large and small organisations.
Response Management, 1
It provides a list of important control practices for response, but does not fully address all areas of this domain or provide guidance on how to establish and manage a response management function.
Overall, 3
OCTAVE is an excellent methodology designed to involve management and staff at all levels in selecting and implementing information security controls. It is a bit detailed, and may be best suited to implementation and integration of security management.
OCTAVE Criteria
This document (143 pages) contains an introduction and background to OCTAVE along with a more detailed description of the OCTAVE approach's three phases and how they fit into an ongoing process or continuum.
The criteria are built on a foundation of principles, attributes and outputs. There are 10 principles that are grouped into three areas:
Information security risk evaluation principles
1. Self-direction: People within an organisation should manage and direct their own evaluations and make their own decisions on risk.
2. Adaptable measures: Evaluations must be done through a flexible process to enable changes in the organisation and technology to be reflected.
3. Defined process: Standardised procedures for evaluation should be used to ensure consistency in results.
4. Foundation for a continuous process: Good practices should be adopted and a continuous improvement process should be introduced.
Risk management principles
5. Forward-looking view: Strategic thinking should identify the impacts of risks on the organisation's mission and business objectives.
6. Focus on the critical few: The majority of effort should focus on the most critical areas to ensure efficient use of resources.
7. Integrated management: Security should be integrated into other organisation strategies, including consideration of business goals when deriving security policy.
Organisational and cultural principles
8. Open communication: Collaborative approaches should be used in determining risks and communicating them in an open manner.
9. Global perspective: A common view of security should be ensured throughout the organisation.
10. Teamwork: An interdisciplinary approach, including business and technical employees, should be undertaken.
There are 15 attributes, each of which has a primary relationship with one or more of the principles.
Each of the attributes is described and an explanation of its importance is provided:
Self-direction
RA.1 Analysis team: Describes a multidisciplinary team of employees and their responsibilities
RA.2 Augment analysis team skills: Enables the primary analysis team to find, when needed, specialist skills from other parts of the organisation or externally
Adaptable measures
RA.3 Catalogue of practices: The requirement for a set of practices that address strategic and operational security, including management practices, technical security, physical security, etc.
RA.4 Generic threat profile: Assessment of threats, including system, human and environmental
RA.5 Catalogue of vulnerabilities: Technological vulnerabilities and tools for their identification and evaluation
Defined process
RA.6 Defined evaluation activities: Documented procedures for every step of the evaluation process
RA.7 Documented evaluation results: Documented risks to the organisation and strategies for mitigation
RA.8 Evaluation scope: Clearly documenting what has been included or not within the scope of the evaluation
Foundation for a continuous process
RA.9 Next steps: The activity of documenting next steps and assigning ownership for their progression
RA.3 Catalogue of practices: As above
Forward-looking view
RA.10 Focus on risk: Examining interrelationships amongst assets, threats to assets and vulnerabilities, and their effect on the organisation's business objectives
Focus on the critical few
RA.8 Evaluation scope: As above
RA.11 Focussed activities: Ensuring that evaluation activities focus on critical assets for efficient use of resources
Integrated management
RA.12 Organisational and technological issues: Ensuring that technology is considered alongside existing practices used by staff
RA.13 Business and information technology participation: Ensuring participation from all areas of the business and from all levels (senior management to junior staff)
RA.14 Senior management participation: Active sponsorship, involvement in and review of the output of evaluations
Open communication
RA.15 Collaborative approach: Using workshops or other interactive approaches to ensure interdisciplinary knowledge and skills
Global perspective
RA.12 Organisational and technological issues: As above
RA.13 Business and information technology participation: As above
Extract of Organisational and Technological Issues (RA.12)
Requirements
The evaluation process must examine both organizational and technological issues.
Information security risk evaluations typically include the following practice- and vulnerability-related information:
Current security practices used by staff members
Missing or inadequate security practices (also called organizational vulnerabilities)
Technological weaknesses present in key information technology systems and components
Importance
Because security has both organizational and technological components, it is important that an evaluation surface both organizational and technological issues. The analysis team analyzes both types of issues in relation to the mission and business objectives of the organization when creating the organization's protection strategy and risk mitigation plans. By doing this, the team is able to address security by creating a global picture of the information security risks with which the organization must deal.
The criteria also describe the various outputs required from each of the three phases:
RO1.1 Critical assets
RO1.2 Security requirements for critical assets
RO1.3 Threats to critical assets
RO1.4 Current security practices
RO1.5 Current organisation vulnerabilities
RO2.1 Key components
RO2.2 Technology vulnerabilities
RO3.1 Risks to critical assets
RO3.2 Risk measures
RO3.3 Protection strategy
RO3.4 Risk mitigation plans
Extract of RO3.3 Protection Strategy Output
Requirements
A protection strategy must be an output of the evaluation process. An organization's protection strategy defines its direction with respect to efforts to improve information security. It includes approaches for enabling, implementing, and maintaining security practices in an organization. A protection strategy tends to incorporate long-term organizationwide initiatives and is structured using the practice areas defined in the catalog of practices. (See Attribute RA.3.)
Importance
Creating a protection strategy is important because it charts a course for organizational improvement with respect to information security activities.
OCTAVE Method
Included within this 18-volume set of documentation is an introduction on how to use the method and guidelines on how to prepare for an OCTAVE assessment, including selection of the team. Volumes 3 to 12 contain all of the information for the three phases and eight processes of the method, including detailed processes, worksheets, slides for presentations with notes and example results.
Extract of Guidance for Running a Workshop to Capture Senior Management Knowledge/Views
Prior to the workshop, you should review the following types of information:
The organization's security policies and procedures
An organizational chart
Any laws and regulations with which your organization must comply
An understanding of the information contained in the above items will be useful as you facilitate this workshop and as you analyze information in later workshops. You should use the slides provided to explain the concepts and activities of this workshop to the participants as you conduct the workshop. The process guidelines for Process 1 are written primarily for the lead facilitator of the workshop. All guidance for the scribe is specifically noted in these guidelines. Other members of the analysis team will support the lead facilitator, observe all activities, and take general notes. Regardless of workshop roles, all members of the analysis team should read and understand these guidelines.
The volumes also include a number of appendices, which include flow diagrams and more examples. Volume 15: Appendix, the OCTAVE Catalogue of Practices (48 pages), provides a good range of practices defined as either strategic or operational that organisations can use when creating their own practices. These practices include:
Strategic practices
SP1 Security awareness and training
SP2 Security strategy
SP3 Security management
SP4 Security policies and regulations
SP5 Collaborative security management
SP6 Contingency planning/disaster recovery
Operational practices
OP1.1 Physical security plans and procedures
OP1.2 Physical access control
OP1.3 Monitoring and auditing physical security
OP2.1 System and network management
OP2.2 System administration tools
OP2.3 Monitoring and auditing IT security
OP2.4 Authentication and authorisation
OP2.5 Vulnerability management
OP2.6 Encryption
OP2.7 Security architecture and design
OP3.1 Incident management
OP3.2 General staff practices
Extract of One of the SP3 Security Management Practices
SP3.5 The organization manages information security risks, including:
Assessing risks to information security both periodically and in response to major changes in technology, internal/external threats, or the organization's systems and operations
Taking steps to mitigate risks to an acceptable level
Maintaining an acceptable level of risk
Using information security risk assessments to help select cost-effective security/control measures, balancing implementation costs against potential losses
The catalogue of practices also contains a survey that can be used to obtain a view on the existing security posture, along with suggestions on where the various security statements could apply.
Extract of One of the Survey Questions on Vulnerability Management (OP2.5)
There is a documented set of procedures for managing vulnerabilities, including:
Selecting vulnerability evaluation tools, checklists, and scripts
Keeping up to date with known vulnerability types and attack methods
Reviewing sources of information on vulnerability announcements, security alerts, and notices
Identifying infrastructure components to be evaluated
Scheduling of vulnerability evaluations
Interpreting and responding to the results
Maintaining secure storage and disposition of vulnerability data
Reference
www.cert.org/octave
Guidelines for the Security of Information Systems and Networks and Associated Implementation Plan
16. Guidelines for the Security of Information Systems and Networks and Associated Implementation Plan
Issuer
The Organisation for Economic Co-operation and Development is a member organisation of 30 countries and has active relationships with another 70 countries. The OECD's Guidelines for the Security of Information Systems and Networks was first produced in 1992 and the latest update was issued in July 2002. The Implementation Plan was released as a second draft in July 2003 and is still under review.
Document Taxonomy
Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security provides a set of nine principles aimed at fostering a culture of security. The associated Implementation Plan describes the responsibilities of government, business and civil society in implementing the guidelines.
Circulation
Although OECD is internationally known to those working in government economic departments and corporate finance and law, its profile within the information security industry remains low.
Target Audience
The guidelines are aimed at senior persons within organisations responsible for governance, ethics (corporate social responsibility) and development of IT systems.
Timeliness
The guidelines are high-level and have been reviewed at least twice since first issued to ensure that they reflect changes in world economics, technology and events.
Certification Opportunities
Unlike conventions, the guidelines are nonbinding and governments are not legally bound to their use. However, a number of governments have produced publicly available plans on how they are implementing the principles. No certification is available.
Completeness
The guidelines are intended to be high-level and in this context are complete in the coverage they provide relating to information security principles. They are broad-based enough to relate to any type of organisation, of any size or geographic location. No security or technical knowledge is assumed or required. However, these guidelines would need to be heavily complemented with other publications for an information security manager as they do not begin to cover the full range of issues that must be addressed for enterprisewide information security management.
Availability
The guidelines are publicly available as a complimentary download at www.oecd.org.
Recognition/Reputation
The results of the 2004 global survey of CISMs (described in this document's Introduction) revealed that recognition is very low, with the highest in Oceania at just slightly more than 60 percent and Central/South America the lowest at 32 percent. The guidelines are felt to have very low acceptance across all regions, with almost 50 percent giving them no acceptance at all.
Usage
The guidelines are actively used (i.e., implemented, used as best practice or used for assessment) by only 8 percent or fewer of surveyed CISMs. Bearing in mind that the principles within the guidelines are used in other security-related publications (e.g., NIST), it is likely that many CISMs are applying the principles but with different wording, or they are just not aware of them as OECD principles. There are mixed opinions on the level of comprehensiveness and effectiveness, both positive and negative.
Risk Management, 1
Risk assessment is one of the nine principles, but it is not addressed in a comprehensive manner.
Response Management, 1
One of the principles deals with response management, but not in a comprehensive manner.
Overall, 1
The document does not provide much in the way of guidance for the information security manager, although knowledge of the OECD and its nine security principles is highly recommended as they are referenced in many other information security standards and guides.
technology, physical and human factors, policies and third-party services with security implications. Risk assessment will allow determination of the acceptable level of risk and assist the selection of appropriate controls to manage the risk of potential harm to information systems and networks in light of the nature and importance of the information to be protected. Because of the growing interconnectivity of information systems, risk assessment should include consideration of the potential harm that may originate from others or be caused to others. The Implementation Plan for the Guidelines for the Security of Information Systems and Networks is a brief document of six pages. The majority of the document is aimed at defining the roles and responsibility of government in promoting a culture of security, but there are a couple of references to business and civil societies.
Extract of Paragraph Nine Describing One of the Government Responsibilities for Public Policy
9. A second aspect of the government's public policy role is to conduct outreach and support efforts by all participants to address security. In the first instance government action should raise awareness of law and policy that address cybersecurity. Beyond this, the government should facilitate awareness and appropriate responses by other participants through programmes and initiatives.
Reference
www.oecd.org
Document Taxonomy
Manager's Guide to Information Security, issued in July 2002, provides general guidance on acquiring secure IT products and systems.
Circulation
The Open Group is internationally recognised. However, no information is available on circulation of the booklet.
Target Audience
The booklet is aimed primarily at business managers responsible for some aspect of IT systems or those who evaluate or approve information security purchases.
Timeliness
The booklet was published in 2002 as a simple guide to business managers. It is nontechnical and remains valid in its content.
Certification Opportunities
No certification exists.
Completeness
As this is not directed at the information security manager, it does not begin to cover the full range of issues that must be addressed for enterprisewide information security management. However, it does provide some simple explanations of, and arguments for, security that information security managers may find useful when discussing information security with business managers.
Availability
This booklet is available for purchase from the Open Group at www.opengroup.org for US $9.95.
Risk Management, 0
Risk management is not addressed.
Response Management, 0
Response management is not addressed.
Overall, 1
This publication is designed for business managers; it is not aimed at information security managers. However, it may be of some use in educating business managers with purchasing power for IT products and services.
Administration: Explaining how access policies need to be enforced by the security system
Assurance and audit: Describing the reasons and benefits of logging and monitoring
Protection: Very general concepts from passwords to firewalls
Know who is who and proving who is who: Simple concepts of identification and authentication
Managing the list: Registering with LDAP, for example
What to allow: Simple concepts of authorisation services
Confidence in documents: Digital signatures in simple terms
Keeping trust: Reasons for cryptography and PKI
Extend your reach: The use of VPNs
Smell and detect trouble: Scanning and intrusion detection explained
Reference
www.opengroup.org
Tasks
Develop the information security strategy in support of business strategy and direction.
Obtain senior management commitment and support for information security throughout the enterprise.
Ensure that definitions of roles and responsibilities throughout the enterprise include information security governance activities.
Establish reporting and communication channels that support information security governance activities.
Identify current and potential legal and regulatory issues affecting information security and assess their impact on the enterprise.
Establish and maintain information security policies that support business goals and objectives.
Ensure the development of procedures and guidelines that support information security policies.
Develop business case and enterprise value analysis that support information security programme investments.
Knowledge Statements
Knowledge of information security concepts
Knowledge of the relationship between information security and business operations
Knowledge of techniques used to secure senior management commitment and support of information security management
Knowledge of methods of integrating information security governance into the overall enterprise governance framework
Knowledge of practices associated with an overall policy directive that captures senior management level direction and expectations for information security in laying the foundation for information security management within an organisation
Knowledge of an information security steering group function
Knowledge of information security management roles, responsibilities and organisational structure
Knowledge of areas of governance (for example, risk management, data classification management, network security, system access)
Knowledge of centralised and decentralised approaches to co-ordinating information security
Knowledge of legal and regulatory issues associated with Internet businesses, global transmissions and transborder data flows (for example, privacy, tax laws and tariffs, data import/export restrictions, restrictions on cryptography, warranties, patents, copyrights, trade secrets, national security)
Knowledge of common insurance policies and imposed conditions (for example, crime or fidelity insurance, business interruptions)
Knowledge of the requirements for the content and retention of business records and compliance
Knowledge of the process for linking policies to enterprise business objectives
Knowledge of the function and content of essential elements of an information security programme (for example, policy statements, procedures and guidelines)
Knowledge of techniques for developing an information security process improvement model for sustainable and repeatable information security policies and procedures
Knowledge of information security process improvement and its relationship to traditional process management
Knowledge of information security process improvement and its relationship to security architecture development and modelling
Knowledge of information security process improvement and its relationship to security infrastructure
Knowledge of generally accepted international standards for information security management and related process improvement models
Knowledge of the key components of cost-benefit analysis and enterprise transformation/migration plans (for example, architectural alignment, organisational positioning, change management, benchmarking, market/competitive analysis)
Knowledge of methodology for business case development and computing enterprise value proposition
Risk Management
Identify and manage information security risks to achieve business objectives.
Tasks
Develop a systematic, analytical and continuous risk management process.
Ensure that risk identification, analysis and mitigation activities are integrated into life cycle processes.
Apply risk identification and analysis methods.
Define strategies and prioritise options to mitigate risk to levels acceptable to the enterprise.
Report significant changes in risk to appropriate levels of management on a periodic and event-driven basis.
Knowledge Statements
Knowledge of information resources used in support of business processes
Knowledge of information resource valuation methodologies
Knowledge of information classification
Knowledge of the principles of development of baselines and their relationship to risk-based assessments of control requirements
Knowledge of life cycle-based risk management principles and practices
Knowledge of threats, vulnerabilities and exposures associated with confidentiality, integrity and availability of information resources
Knowledge of quantitative and qualitative methods used to determine sensitivity and criticality of information resources and the impact of adverse events
Knowledge of use of gap analysis to assess generally accepted standards of good practice for information security management against current state
Knowledge of recovery time objectives (RTO) for information resources and how to determine RTO
Knowledge of RTO and how it relates to business continuity and contingency planning objectives and processes
Knowledge of risk mitigation strategies used in defining security requirements for information resources supporting business applications
Knowledge of cost-benefit analysis techniques in assessing options for mitigating risks, threats and exposures to acceptable levels
Knowledge of managing and reporting status of identified risks
Tasks
Create and maintain plans to implement the information security governance framework.
Develop information security baseline(s).
Develop procedures and guidelines to ensure that business processes address information security risk.
Develop procedures and guidelines for IT infrastructure activities to ensure compliance with information security policies.
Integrate information security programme requirements into the organisation's life cycle activities.
Develop methods of meeting information security policy requirements that recognise the impact on end users.
Promote accountability by business process owners and other stakeholders in managing information security risks.
Establish metrics to manage the information security governance framework.
Ensure that internal and external resources for information security are identified, appropriated and managed.
Knowledge Statements
Knowledge of methods to develop an implementation plan that meets security requirements identified in risk analyses
Knowledge of project management methods and techniques
Knowledge of the components of an information security governance framework for integrating security principles, practices, management and awareness into all aspects and all levels of the enterprise
Knowledge of security baselines and configuration management in the design and management of business applications and the infrastructure
Knowledge of information security architectures (for example, single sign-on, rules-based as opposed to list-based system access control for systems, limited points of systems administration)
Knowledge of information security technologies (for example, cryptographic techniques and digital signatures, to enable management to select appropriate controls)
Knowledge of security procedures and guidelines for business processes and infrastructure activities
Knowledge of the systems development life cycle methodologies (for example, traditional SDLC, prototyping)
Knowledge of planning, conducting, reporting and follow-up of security testing
Knowledge of certifying and accrediting the compliance of business applications and infrastructure to the enterprise's information security governance framework
Knowledge of types, benefits and costs of physical, administrative and technical controls
Knowledge of planning, designing, developing, testing and implementing information security requirements into an enterprise's business processes
Knowledge of security metrics design, development and implementation
Knowledge of acquisition management methods and techniques (for example, evaluation of vendor service level agreements, preparation of contracts)
Tasks
Ensure that the rules of use for information systems comply with the enterprise's information security policies.
Ensure that the administrative procedures for information systems comply with the enterprise's information security policies.
Ensure that services provided by other enterprises, including outsourced providers, are consistent with established information security policies.
Use metrics to measure, monitor and report on the effectiveness and efficiency of information security controls and compliance with information security policies.
Ensure that information security is not compromised throughout the change management process.
Ensure that vulnerability assessments are performed to evaluate effectiveness of existing controls.
Ensure that noncompliance issues and other variances are resolved in a timely manner.
Ensure the development and delivery of the activities that can influence culture and behaviour of staff, including information security education and awareness.
Knowledge Statements
Knowledge of how to interpret information security policies into operational use
Knowledge of information security administration process and procedures
Knowledge of methods for managing the implementation of the enterprise's information security programme through third parties, including trading partners and security services providers
Knowledge of continuous monitoring of security activities in the enterprise's infrastructure and business applications
Knowledge of methods used to manage success/failure in information security investments through data collection and periodic review of key performance indicators
Knowledge of change and configuration management activities
Knowledge of information security management due diligence activities and reviews of the infrastructure
Knowledge of liaison activities with internal/external assurance providers performing information security reviews
Knowledge of due diligence activities, reviews and related standards for managing and controlling access to information resources
Knowledge of external vulnerability reporting sources, which provide information that may require changes to the information security in applications and infrastructure
Knowledge of events affecting security baselines that may require risk reassessments and changes to information security requirements in security plans, test plans and reperformance
Knowledge of information security problem management practices
Knowledge of information security manager facilitative roles as change agents, educators and consultants
Knowledge of the ways in which culture and cultural differences affect the behaviour of staff
Knowledge of the activities that can change the culture and behaviour of staff
Knowledge of methods and techniques for security awareness training and education
Response Management
Develop and manage a capability to respond to and recover from disruptive and destructive information security events.
Tasks
Develop and implement processes for detecting, identifying and analysing security-related events.
Develop response and recovery plans, including organising, training and equipping the teams.
Ensure periodic testing of the response and recovery plans where appropriate.
Ensure the execution of response and recovery plans as required.
Establish procedures for documenting an event as a basis for subsequent action, including forensics when necessary.
Manage post-event reviews to identify causes and corrective actions.
Knowledge Statements
Knowledge of the components of an incident response capability
Knowledge of information security emergency management practices (for example, production change control activities, development of computer emergency response team)
Knowledge of disaster recovery planning and business recovery processes
Knowledge of disaster recovery testing for infrastructure and critical business applications
Knowledge of escalation processes for effective security management
Knowledge of intrusion detection policies and processes
Knowledge of help desk processes for identifying security incidents reported by users and distinguishing them from other issues dealt with by the help desks
Knowledge of the notification process in managing security incidents and recovery (for example, automated notice and recovery mechanisms, in response to virus alerts in a real-time fashion)
Knowledge of the requirements for collecting and presenting evidence, rules for evidence, admissibility of evidence, quality and completeness of evidence
Knowledge of post-incident reviews and follow-up procedures
ITGI Publications
Other Publications
All publications come with detailed assessment questionnaires and work programmes. For further information, please visit www.isaca.org/bookstore or e-mail bookstore@isaca.org.
Control Practices
Control Practices extends the capabilities of the COBIT framework with an additional level of detail. The COBIT IT processes, business requirements and control objectives define what needs to be done to implement an effective control structure. The control practices provide the more detailed how and why needed by management, service providers, end users and control professionals, to help them justify and design the specific controls needed to address IT project and operational risks and improve IT performance by providing guidance on why controls are needed, and what the best practices are for meeting specific control objectives. All of the control practices are individually integrated into COBIT Online. This publication, which contains control practices for all of the 34 high-level COBIT control objectives, is available in the ISACA Bookstore. 2004
Questions board members should ask
Good practices and critical success factors
Performance measures board members can track
A maturity model against which to benchmark organisations
2003
Other Titles
Oracle Database Security, Audit and Control Features (2004)
OS/390-z/OS: Security, Control and Audit Features (2003)
IT Governance Implementation Guide (2003)
COBIT Quickstart (2003)
Risks of Customer Relationship Management: A Security, Control and Audit Approach (2003)
Security Provisioning: Managing Access in Extended Enterprises (2002)
Electronic and Digital Signatures: A Global Status Report (2002)
Virtual Private Network: New Issues for Network Security (2001)
COBIT 3rd Edition (2000)
Control Objectives for Net Centric Technology (CONCT) (1999)
Digital Signatures: Security and Controls (1999)
ERP Series:
Security, Audit and Control Features PeopleSoft: A Technical and Risk Management Reference Guide (2004)
Security, Audit and Control Features Oracle Applications: A Technical and Risk Management Reference Guide (2003)
Security, Audit and Control Features SAP R/3: A Technical and Risk Management Reference Guide (2002)
E-commerce Security Series:
Securing the Network Perimeter (2002)
Business Continuity Planning (2002)
Trading Partner Authentication, Registration and Enrollment (2000)
Public Key Infrastructure (2001)
A Global Status Report (2000)
Enterprise Best Practices (2000)
Future Publications
Cybercrime: Incident Response and Digital Forensics
The research describes the threat posed by cybercrime and discusses the increase in incidents. The publication will also provide an analysis of the types of risks and guidelines to prevent, detect and respond appropriately. It will highlight the new partnerships and initiatives between the US government and the IT industry, and the strategy that could mitigate the potential risks.