Ludk Novk, CISA, CISSP

Information Security Standards

2nd May 2007

Agenda
Sub-commission JTC 1/SC 27 IT Security
techniques
Information security management standards
(ISO/IEC 27000 family)
Cryptographical standards
Security evaluation standards
Security controls and services
Identity management and privacy

IT Service management

2
Tutorial aims

Introduction to activities of organizations for standardization

ISO International Organization for Standardization
http://www.iso.org
NI Czech standards institute
http://www.cni.cz
Compact overview of new and upcoming information security
standards
Activities of sub-commission JTC1/SC27
IT Security techniques

It is not possible discussed details of the standards

3
Introduction of sub-commission JTC 1/SC 27

Focus of sub-commission JTC 1/SC 27 IT Security

techniques
Identification of generic requirements (including requirements
methodology) for IT system security services
Development of security techniques and mechanisms (including
registration procedures and relationships of security components)
Development of security guidelines
(e.g., interpretative documents, risk analysis)
Development of management support documentation and
standards (e.g., terminology and security evaluation criteria)
Sub-commission activities review
Over 80 projects (nearly 50 active)
More than 50 published information security standards
A lot of interesting suggestion has shown up recently

4
Structure of JTC1/SC 27 IT Security techniques
From 2006 Till 2006
JTC 1/SC 27/WG 1 JTC 1/SC 27/WG 1
Information security Requirements, security
management systems (ISMS) services and guidelines
JTC 1/SC 27/WG 4
Security controls and services

JTC 1/SC 27/WG 2 JTC 1/SC 27/WG 2

Cryptography a security Security techniques and
mechanisms mechanisms
JTC 1/SC 27/WG 3 JTC 1/SC 27/WG 3
Security evaluation and Security evaluation criteria
assessment
JTC 1/SC 27/WG 5
Identity management and
privacy technologies

5
 Working group aims

Source: JTC 1/SC 27

6
 Work programme for WG1:
Information Security Management System (ISMS)
Published Upcoming
ISO/IEC 27001:2005 ISO/IEC 27005
Information security management Information security risk
system Requirements management
ISO/IEC 27002:2005 (ISO/IEC 17799) ISO/IEC 27004
Code of practice for information Information security management
security management metrics and measurements
ISO/IEC 27006:2007 ISO/IEC 27000
Requirements for the accreditation Information security management
of bodies providing certification of system fundamentals and
ISMS vocabulary
ISO/IEC 27003
ISO/IEC 13335 Information security management
Management of information and system implementation guidance
communications technology ISO/IEC 27007
security Information security management
ISO/IEC TR 13335 system auditor guidelines
Guidelines for the management of (not approved)
IT Security

7
 ISO/IEC 27000 family
New family accepted in the spring 2005
Different numbers for BS 7799 based standards
(ISO/IEC 17799 vice versa ISO/IEC 24743)
Harmonization of two concepts
ISO/IEC 13335 academic approach
BS 7799 pragmatic approach
ISO/IEC 27000 family criteria
Provide direct support or detailed guidance and interpretation for the
implementation of the PDCA processes and requirements of defined
in ISO/IEC 27001 (e.g. risk assessment, identification of assets, ISMS
effectiveness)
Address conformity assessments or sector-specific requirements for
ISMS
Contribute and add value to ISO/IEC 27001 of the PDCA processes
Specification of a relationship to ISO/IEC 27001
Standards excluded from this ISMS family are those that only
address the implementation of controls from ISO/IEC 27002 see
WG4 activities

8
 ISO/IEC 27000 family review

ISMS Overview and vocabulary

ISO/IEC 27000:2008? (ISO/IEC 13335-1)

ISMS Certification scheme

ISO/IEC 27006:2007 (EA 7/03)

ISMS Requirements
Risk management ISO/IEC 27001:2005
BS 7799-3:2006 (BS 7799-2:2002) ISMS Measurement
ISO/IEC 27005:2007? ISO/IEC 27004:2008?
(ISO/IEC TR 13335-3:1998) Annex A

ISMS Implementation ISMS Code of practice ISMS Auditor Guidelines

guidelines ISO/IEC 27002:2005 ISO/IEC 27007?
ISO/IEC 27003:2008? (ISO/IEC17799)

Specific standards and guidelines

9
ISO/IEC 27001:2005 (formerly BS 7799-2)
Information security management system Requirements
Standards is based on BS 7799-2:2002
ISO/IEC 27001 published in October 2005
(BS 7799-2 validity was finished)
Czech version (SN ISO/IEC 27001:2006) published
in October 2006
ISMS Certification is based on this standard !!!
Transformation period for BS 7799-2 is 1,5 year
i.e. till 14th April 2007
Audits after 14th April 2006 should follow ISO/IEC 27001
Accreditation bodies specifies necessary details

10
 ISO/IEC 27001:2005 principles
Definition of requirements on Information Security Management
System ISMS
Information security management process based on PDCA Model
Plan Do Check Act
Ensure the selection of adequate and proportionate security controls
that protect information assets and give confidence to interested
parties
All defined requirements are mandatory and it is not possible to
exclude anyone
But it is not necessary to implement all security controls !!!

Plan
Requirements Requirements
Customers

Suppliers
Do Act

Satisfaction Satisfaction

Check

11
 Plan Establish ISMS

ISMS process requirements Recommendations

ISMS Scope Assign a responsible security
ISMS Policy manager
Risk management (BS 7799-3) ISMS training
Define a risk management Project team
approach Asset owners
Identify and assess risks Appropriate risk management
Evaluate risk treatment Adequate approach to risks
options Assets and their owners
Select security controls identification
(ISO/IEC 27002:2005)
Maintenance of the risk
Management approval catalog
ISMS Operation Statement of applicability
Residual risks Key document for any
Statement of applicability security manager

12
 Implement and operate ISMS

Plan outline of activities during a year/cycle

Manual ISMS long term policies, rules and
procedures
Measurement ISMS effectiveness indicators and
metrics
Awareness people should know, understand and
follow the policies
Sources there is no ISMS without people (and
tools)
Documentation document live cycle rules
!!! Records evidence of particular ISMS activities

13
Monitor and review ISMS

ISMS monitoring and checking

Management and responsible persons
Security incidents assessment
Results of ISMS measurements

ISMS Internal audits

Internal auditors

ISMS Reviews
Senior management

14
Maintain and improve ISMS
Continual improvement
Positively based
using chances to improve ISMS

Corrective actions
Preventive actions
Negatively based eliminate nonconformities,
mistakes, failures,

15
 ISO/IEC 27001:2005 main changes

Slightly revised BS 7799-2:2002

New requirement to measure effectiveness of ISMS
ISMS internal linkages are more important
Demonstrate relationship from selected controls back to risk
assessment and treatment
New requirements on statement of applicability
Information if control is currently implemented
Review of risk assessment as a part of ISMS management review
(at least annually)
Small changes in text and structure
ISMS Internal audit as the chapter 6 formerly 6.4
Annex B was removed Guidance on use of the standard
(it will be transferred to ISO/IEC 27003)
Using of security controls from ISO/IEC 17799:2005

16
 ISO/IEC 27002:2005 (ISO/IEC 17799)

Code of practice for information Information security best

security management
Complex and balanced set of controls
how to protect information assets
Code of practice is respected
internationally
Published in June 2005
Czech edition in August 2006
ISO/IEC 27002 should be used since
spring 2007
practice is described
11 security clauses
39 control objectives
133 controls
Structured description
Control
Implementation guidance
Other information
Verb should is used

There is no management system in the standard

There are no management techniques how to select and
enforce security controls (see ISO/IEC 27001)

17
 Structure of ISO/IEC 27002:2005 (ISO/IEC 17799)

Security clauses
Security policy

Asset management Access control

Human Information Business

resources systems continuity
Communications acquisition, management
Organizing security and operations
management development
information and
security Physical and maintenance
environmental
security Information security incident management

Compliance

Source: ISO/IEC 17799:2005

18
Main changes in ISO/IEC 27002:2005 (ISO/IEC 17799)
Formal changes
Structured control description
Control, implementation guidance, other information
More precise terminology
Security forum -> Management commitment to information security
Selected changes in control catalogue
External subject security
Merge of third parties and outsourcing, customer access security
New approach to human resource security
Follows employment live-cycle: prior to employment, duding employment, termination or
change of employment
New clause for information security incident management
New controls related to progress of security needs
Responsibility for assets (ownership of assets and acceptable use of assets)
Controls against mobile codes
On-line transactions
Technical vulnerability management
Removal of some so technical controls
Cryptography, data network, ...

19
 !!! ISO/IEC 17799:2000 using danger !!!

Attention!
There are a lot of mistakes and inaccuracies in the
version from 2000 high risk of using
inappropriate methodology
including SN ISO/IEC 17799:2001 or SN ISO/IEC 17799:2005

Big disadvantage of the old version is that

authorizations are not taken away
There is no control for employment termination
It has influence to a lot of security controls
A lot of trivialities are missing e.g. changing of passwords set by
vendors,

ISO/IEC 27002:2005 solves the problems

Operating system access controls are also applicable e.g. on DBMS
20
ISMS Overview and vocabulary
ISO/IEC 27000 ISMS Overview and vocabulary
Fundamental principles, concepts and vocabulary for ISMS
Based on OECD principles
Awareness of the need for information security
Responsibility assignment of information security
Response to prevent and detect information security incidents
Ethics respecting legitimate interests
Democracy to ensure information security is compatible with society values
Risk Management providing levels of assurance towards acceptable risks
Security design and implementation incorporated as an essential element
Security management ensuring a comprehensive approach
Continuous improvement of information security
Harmonization with other management systems
(QMS, EMS, ITSMS, )
Publishing planed at the end of 2008
ISO/IEC 13335-1:2004 will be withdrawn

21
ISMS Implementation guidance
ISO/IEC 27003 Information Security Management
System Implementation Guidance
Recommendation how to implement ISMS effectively
Critical success factors
Deep explanation of all ISMS requirements following PDCA
Objectives
Preconditions
Organizing the work
Who to involve
How is it done
Results
Document and record recommendations

Be published at the end of 2008

22
 ISMS Measurements

ISO/IEC 27004 Information Security Management Measurements

A tool for definition of ISMS metrics and indicators
Pre-defined structure for metrics and how to deal with metrics
Measure name and code
Purpose of measure
Measurement calculation details
Value and scale Nominal, Ordinal, Interval, Ratio
Data Collection Procedure
Stakeholders Owner, Customer, Collector, Communicator, Reviewer
Life cycle frequency of collection, periodicity of reporting, period of
analysis etc.
Decision criteria

Completely new standard publishing is planed in 2008 (middle)

Important for the future indicator based argumentation

23
 ISMS Measurement as a feedback

Business needs

Security Security Decision

management effectiveness criteria

Risk Indicators
management Define
measurement
priorities

Security Information flows Measurement

measures methods

Source: draft of ISO/IEC 27004

24
 Examples of ISMS metrics

Percentage (%) of system users/security personnel that have received

basic awareness training
Average frequency of audit records review and analyses for inappropriate
activity
Percentage of systems using automated mechanisms to conduct analysis
and reporting of inappropriate activities
Percentage (%) of systems that are compliant with the baseline
configuration
Percentage (%) of systems successfully addressed in the testing of the
contingency plan
Percentage of accounts not associated with specific users
Percentage (%) of system components that undergo maintenance on
schedule
Cost of information security incidents of unauthorized access to
information systems, due to physical security failures
Percentage (%) of employees who signed acknowledgement that they
have read and understood rules of behavior, before being authorized
access to the information system
Source: NIST SP 800-80 Guide for Developing Performance Metrics for Information Security (draft)
http://csrc.nist.gov/publications/drafts/draft-sp800-80-ipd.pdf

25
Risk management
ISO/IEC 27005 Information Security Risk Management
Based on ISO/IEC TR 13335-3
A lot of texts, where essential is a bit hidden
BS 7799-3 as pragmatic approach
Concept interprets risk assessment and treatment requirements
of ISO/IEC 27001
Wide catalogues of threats and vulnerabilities
Harmonization with general risk management rules
(upcoming standard ISO/IEC 25700 Risk management)
Publishing planed at the end of 2007
ISO/IEC TR 13335 parts 3 and 4 will be withdrawn

26
Information Security Risk Management
BS 7799-3:2006 Guidelines for Information Security Risk
Management
Risk assessment
Asset identification
Legal, regulatory and contractual requirements
Asset valuation
Identification and assessment of threats and vulnerabilities
Risk calculation and evaluation
Risk assessor
Risk treatment and management decision-making
Decision-making
Risk treatment (reduce/accept/avoid/transfer risks)
Residual risk
Ongoing risk management activities
Maintenance and monitoring
http://www.bsi-global.com/ICT/Security/bs7799-3.xalter

27
 ISMS certification rules

ISO/IEC 27006 Requirements for the

accreditation of bodies providing certification
of information security management systems
Hot issue
Previous rules EA-7/03 follow BS 7799-2:1999
which was not based on PDCA model
Close relationship with new compliance rules
ISO/IEC 17021:2006
Certification body requirements
Certification audit requirements
Certification auditor requirements
ISMS audit recommendations
Published February 2007

28
Management of ICT security (ISO/IEC 13335 future)

ISO/IEC 13335 Management of Information and

Communications Technology Security (MICTS)
Part 1: Concepts and models for information and
communications technology security management (2004)
Merge of part 1 and 2 of previous ISO/IEC TR 13335
Part 1: Concepts and models for IT Security
Part 2: Managing and planning IT Security
It will be withdrawn by publishing of ISO/IEC 27000
ISO/IEC TR 13335 Guidelines for the management of IT
Security (GMITS)
Part 3: Techniques for the management of IT Security (1998)
Part 4: Selection of safeguards (2000)
Previously planed as revision of ISO/IEC 13335-2
As ISO/IEC 27005 a member of ISO/IEC 27000 family
They will be withdrawn by publishing of ISO/IEC 27005
Part 5: Management guidance on network security (2001)
Covered by ISO/IEC 18028 IT Network security
29
 BSI (British Standard Institute) Guidelines

BIP 0071 Guidelines on requirements and preparation

for ISMS certification based on ISO/IEC 27001

BIP 0072 Are you ready for ISMS audit based

on ISO/IEC 27001:2005?

BIP 0073 Guide to the implementation and auditing of

ISMS controls based on ISO/IEC 27001

BIP 0074 Measuring the effectiveness of your ISMS

implementations based on ISO/IEC 27001

http://www.bsi-global.com/ICT/Security/index.xalter

30
ISMS for industrial branches
ISO TR 13569:2005 Information Security
Guidelines for Financial Services
ISO 27799 Security Management in Health
Using ISO/IEC 17799
ISO/IEC 27031 Security management
guidelines for telecommunications
(ISMS-T X.1051)

Considered projects
ISMS for lotteries
ISMS for transportation
ISMS for automotive industry
ISMS for small and medium business

31
 Financial services security

ISO TR 13569:2005 Financial Services

Information Security Guidelines
Corporate information security policy
Management of information security Security programme
Organization for information security
Risk analysis and assessment
Security controls implementation and selection
IT systems controls
Implementation of specific controls
(financial cards, cheques, electronic money, ...)
Miscellaneous
Follow-up safeguards
Incident handling
Focused on financial specifics + useful examples
Guidelines are not fully compliant with ISO/IEC 27000 family

32
ISMS in health
ISO 27799 Security Management in
Health Using ISO/IEC 17799
Specific requirements for ISMS in health
industry
ISO/IEC 27001 interpretation of ISMS
requirements
ISO/IEC 17799 details for security controls
(if necessary)
General ISMS is strictly followed

It is a pity that number of ISO/IEC 17799 is

changing

33
 Work programme for WG2:
Cryptography and Security Mechanisms (1)

ISO/IEC 7064 Data processing Check character systems

Published 2003
ISO/IEC 9796 Digital signature schemes giving message recovery
3 parts published 2002 2006, under revision
ISO/IEC 9797 Message authentication codes (MACs)
2 parts published 1999 2002, under revision, 3rd part is upcoming
ISO/IEC 9798 Entity authentication
6 parts published 1997 2005
ISO/IEC 10116 Modes of operation for an n-bit block cipher algorithm
Published 2006
ISO/IEC 10118 Hash-functions
4 parts published 1998 2004 (2006), under revision
ISO/IEC 11770 Key management
4 parts published 1996 2006, under revision

34
 Work programme for WG2:
Cryptography and Security Mechanisms (2)
ISO/IEC 13888 Non-repudiation
3 parts published 1997 2004, under revision
ISO/IEC 14888 Digital signatures with appendix
3 parts published 1998 2006, under revision
ISO/IEC 15946 Cryptographic techniques based on elliptic curves
4 parts published 2002 2004, under revision
ISO/IEC 18031 Random bit generation
Published 2005
ISO/IEC 18032 Prime number generation
Published 2005
ISO/IEC 18033 Encryption algorithms
4 parts published in 2005 2006
ISO/IEC 19772 Data encapsulation mechanisms
Upcoming

35
Work programme for WG3:
Security Evaluation and Assessment
Common criteria etc.
ISO/IEC 15408:2005
Evaluation criteria for IT
Security
ISO/IEC 18045:2005
Methodology for IT security
evaluation
ISO/IEC TR 19791:2006
Security assessment of
operational systems
ISO/IEC 15292:2003
Protection profile registration
procedures
ISO/IEC TR 15446:2004
Guide on the production of
protection profiles and
security targets
ISO/IEC 19790:2006
Security requirements for
cryptographic modules
ISO/IEC 24759
Test requirements for
cryptographic modules
ISO/IEC 21827:2003
Systems Security Engineering
Capability Maturity Model
(SSE-CMM)
ISO/IEC 15443
A framework for IT security
assurance
36
Common criteria and their progress
ISO/IEC 15408 Evaluation criteria for IT security
Part 1: Introduction and general model
Part 2: Security functional requirements
Part 3: Security assurance requirements
ISO/IEC 18045 Methodology for IT security evaluation
ISO/IEC 15446 Guide for the production of protection profiles and
security targets

Common criteria are general framework

Trend to simplify works of evaluators without reduction of evaluation quality

37
 Operational system assessment

ISO/IEC TR 19791:2006
Security assessment of
operational systems

Implementation and operation

security aspects enlargement
of evaluation scheme based
on Common criteria
(ISO/IEC 15408)

New groups of requirements

System protection profile (SPP)
System security target (SST)

38
 Operation security requirements
Seven new classes for operation security functions
FOD Administration
Security policy, management forum, management review, personnel roles and
responsibilities, risk management, incident management, service agreements
FOS IT Systems
Security requirements, change control, malicious code control, development and
operational environment, network security, monitoring, records
FOA User Assets
User assets management, roles and responsibilities, privacy
FOB Business
Business impact analysis, fault isolation, business continuity plans, intellectual property
FOP Facility and Equipment
Equipment, facilities and premises within the operational system
FOT Third party
Security operational control requirements for third parties
FOM Management
Management of operational controls (security parameters, classification of assets, security
responsibilities, reporting of security incidents)

Nine new classes for operation security assurance

39
CMM Security

ISO/IEC 21827 Systems Security Engineering

Capability Maturity Model (SSE-CMM)
Capability model for security
Advantage: more levels to compare security enforcement
Not fully compliant with ISMS (ISO/IEC 27001)

40
SSE-CMM process structure
Security Base Practices
PA01 Administer Security Controls
PA02 Assess Impact
PA03 Assess Security Risk
PA04 Assess Threat
PA05 Assess Vulnerability
PA06 Build Assurance Argument
PA07 Coordinate Security
PA08 Monitor Security Posture
PA09 Provide Security Input
PA10 Specify Security Needs
PA11 Verify and Validate Security

Project and Organizational Base Practices

PA12 PA 22: Ensure quality, manage configurations, manage project, manage
product line evolution, coordinate with suppliers,

Harmonized with software live cycle rules

ISO/IEC 15504 Process assessment
ISO/IEC 15288 System life cycle processes

41
 Cryptographic modules security
ISO/IEC 19790:2006 Security Security features
requirements for cryptographic Cryptographic module
modules specification
International version of FIPS 140-2 Cryptographic module ports
and interfaces
Security requirements in 4 levels
Roles, services, and
Security testing of cryptographic authentication
modules outside US Finite state model
Physical security
Evaluation methodology defined as Operational environment
ISO/IEC 24759 Test
requirements for cryptographic Cryptographic key
management
modules
Self-tests
It is expected that FIPS 140-3 will Design assurance
be incorporated into next revision Mitigation of other attacks

42
IT Security assurance
ISO/IEC TR 15443 A framework
for IT security assurance

43
 Some studied methods
ISO/IEC 12207 Software Life Cycle
Processes
ISO/IEC 14598 Software product
evaluation
ISO/IEC 15288 System Life Cycle
Processes
ISO/IEC 15504 Software Process
Assessment
ISO/IEC 13335 Management of
information and communications
technology security (MICTS)
ISO/IEC 15408 Evaluation criteria for IT
security
ISO/IEC 17799 Code of practice for
information security management
BS 7799.2 Information security
management systems Specification with
guidance for use
ISO/IEC 21827 Systems Security
Engineering Capability Maturity Model
(SSE-CMM)
CMM Capability Maturity Model (for
Software)
SA-CMM Software Acquisition
Capability Maturity Model
SE-CMM Systems Engineering
Capability Maturity Model
CMMI Capability Maturity Model
Integration
TSDM Trusted Software
Development Methodology
IT Baseline Protection Manual
Penetration Testing
Personnel Assurance e.g. CISA,
CISM, CISSP, CPP
Rational Unified Process (RUP)
CobiT Control Objectives for
Information and related Technology
44
 Work programme for WG4:
Security Controls and Services
ISO/IEC 14516
Guidelines on the use and
management of Trusted Third
Party services
ISO/IEC 15945
Specification of TTP services to
support the application of digital
signatures
ISO/IEC 18014
Time stamping services and
protocols
ISO/IEC 24762
Guidelines for information and
communications technology
disaster recovery services
45
ISO/IEC 18028
IT network security
ISO/IEC 15947
IT intrusion detection
framework
ISO/IEC 18043:2006
Guidelines for the selection,
deployment and operations
of Intrusion Detection
Systems (IDS)
ISO/IEC TR 18044:2004
Information security incident
management
ISO/IEC 18028 IT network security
ISO/IEC 18028-1:2006
Part 1: Network security management

ISO/IEC 18028-2:2006
Part 2: Network security architecture

ISO/IEC 18028-3:2005
Part 3: Securing communications between networks using
security gateways

ISO/IEC 18028-4:2004
Part 4: Securing remote access

ISO/IEC 18028-5:2005
Part 5: Securing communications across networks using virtual
private networks

46
Network security management
ISO/IEC 18028-1:2006 IT network security
Part 1: Network security management
Using of PDCA Model (Plan Do Check Act)
Harmonized with general approaches to information security
management
Security controls harmonized with ISO/IEC 27002
(ISO/IEC 17799)
Security risks and controls for different types of networks
Local Area Networking
Wide Area Networking
Wireless Networks
Radio Networks
Broadband Networking
IP Convergence (data, voice, video)

47
Concept of network security management

48
 Appropriate Potential Control Areas

Network Security Architecture (ISO/IEC 18028-2)

Secure Service Management Framework
Network Security Management
Technical Vulnerability Management (ISO/IEC 17799:12.6)
Identification and Authentication (ISO/IEC 17799:11.4)
Network Audit Logging and Monitoring (ISO/IEC 17799:10.10)
Intrusion Detection (ISO/IEC 17799:13)
Protection against Malicious Code (ISO/IEC 17799:10.4)
Common Infrastructure Cryptographic Based Services
(ISO/IEC 17799:12.3)
Business Continuity Management (ISO/IEC 17799:14)

49
 Tree views on reference architecture
ISO/IEC 18028-2:2006 IT network security
Part 2: Network security architecture
Security Dimension
Grouping of security measures that are used to
implement particular aspects of network security

Security Layer
Hierarchy of network equipment and facility groupings

Security Plane
Certain type of network activity protected by the
mechanisms

50
Security Dimension
Access Control
Authorization for the use of the network resources
Authentication
Confirmation of identities or other authorizing attributes of communicating
entities.
Non-repudiation
Technical means for preventing an individual or entity from denying having
performed a particular action
Data Confidentiality
Protection of data from unauthorized disclosure
Communication Flow
Ensurance that information flows only between the authorized end points
Data Integrity
Ensurance of correctness or accuracy
Availability
Ensurance that there is no denial of authorized access to network elements,
stored information, information flows, services and applications due to events
impacting the network
Privacy
Protection of any information that might be derived from the observation of
network activities

51
Security layers
Application Security Layer
Security of the network-based applications accessed by
customers (web, e-mail, ASP, ...)
Service Security Layer
Security of services that Service Providers provide to
their customers (from basic transport and connectivity to
service enablers)
Infrastructure Security Layer
Network transmission facilities as well as individual
network elements (routers, switches, servers,
communication links, ...)

52
Security plane
End-user Security Plane
Security of access and use of the Service Provider's
network by customers
Control Security Plane
Protection of the activities that enable the efficient
delivery of information, services and applications across
the network
Management Security Plane
Protection of Operations Administration Maintenance
and Provisioning (OAM&P) functions of the network
elements, transmission facilities, back-office systems
(Operations Support Systems, Business Support
Systems, Customer Care Systems, etc.) and Data
Centres

53
Reference architecture for network security

54
Network security policy (example)

Introduction
Starting points
Terms and definitions
Network security areas
Application services security
Communication services security
Infrastructure security
Network security control
Network security management
Security goals
Policy updating Applied controls

55
 Using security gateways
ISO/IEC 18028-3:2005 Part 3: Securing communications
between networks using security gateways

Techniques Selection and configuration

Packet filtering Selection of a security gateway
Stateful packet inspection architecture and appropriate
Application proxy components
Network Address Translation (NAT) Hardware and software platform
Content analyzing and filtering Configuration
Security features and settings
Security Gateway Architectures Administration
Packet filter firewall Logging
Dual-homed gateway Documentation
Screened host Audit
Screened subnet Training and education

56
Remote access security
ISO/IEC 18028-4:2004 Part 4: Securing remote access
Information on the various types and techniques for remote
access and helps the intended audience to identify adequate
measures to protect remote access against identified threats
Includes wireless access
Security policy example

57
Virtual private networks
ISO/IEC 18028-5:2005 Part 5: Securing communications
across networks using Virtual Private Networks
VPN Security objectives and requirements
Guidelines for the selection of secure VPNs
Guidelines for the implementation of secure VPNs
Technologies and protocols used to implement VPNs
Layer 2, layer 3, upper layers
FR, ATM, MPLS, PPP, L2F, L2TP, IPsec, SSL, SShell

58
 Intrusion detection systems
ISO/IEC 18043:2006 Selection, deployment and operations of
intrusion detection systems
IDS Selection
Information Security Risk Assessment
Host or Network IDS
Considerations
Tools that complement IDS (SIM, )
Scalability
Technical support
Training
IDS Deployment
Advantages/disadvantages
of different IDS types
IDS Operations
IDS Tuning
IDS Vulnerabilities
Handling IDS Alerts
Response Options
Legal Considerations

59
Security incident management
ISO/IEC TR 18044:2004
Information Security Incident Management
Plan ISIRT Plan and Prepare
Information Security Incident Management Policy, Scheme and Policies
Establishment of Information Security Incident Response Team (ISIRT)
Awareness and Training
Do ISIRT Use
Detection and Reporting
Event/Incident Assessment and Decision
Responses
Check ISIRT review
Further Forensic Analysis
Lessons Learnt
Identification of Security and/or Scheme Improvements
Act ISIRT Improve
Make Security Improvements
Security Risk Analysis and Management Improvement
Make Scheme Improvements

60
 Home network security
ISO/IEC 24767 Home Network Security
Secure interconnection of electronic equipments in home networks
Part 1: Security Requirements and Internal Security Services:
Secure Communication Middleware Protocol
Part 2: External security service
Prepared by sub-commission JTC1/SC25
Published during 2007

61
Business continuity management (BCM)
Complexity of BCM is similar to ISMS
Two/tree independent activities related to BCM
British Standards Institution is preparing
a new standard BS 25999
Part 1: Code of practice (published 2006)
Part 2: Specification (in development)
JTC 1/SC 27 is working on a new standard
ISO/IEC 24762 Guidelines for information and
communications technology disaster recovery services
Based on Singapore standard SS 507 for Business
Continuity/Disaster Recovery (BC/DR) Service Providers
JTC 1/SC 27 is waiting for BCM project approval

62
 Business continuity management (BCM)

Code of practice BS 25999-1:2006

BCM policy
BCM programme management
Understanding the organization
Determining business continuity
strategy
Developing and implementing
a BCM response
Exercising, maintaining and
reviewing
BCM arrangements
Embedding BCM in
the organizations culture

BCM Specification will be published as BS 25999-2 during 2007

BS 25999 replaces PAS 56:2003

63
Work programme for WG5:
Privacy, Identity and Biometric Security
ISO/IEC 15816 ISO/IEC 19792
Security information objects A framework for security
for access control evaluation and testing of
biometric technologies
ISO/IEC 24760
A framework for identity ISO/IEC 24745
management Biometric template protection

ISO/IEC 29100 ISO/IEC 24761

A privacy framework Authentication context for
ISO/IEC 29101 biometrics
A privacy reference
architecture ISO/IEC 29115
Authentication assurance

64
Summary of JTC 1/SC 27 work
Systematic progress and standard harmonization
Pragmatic approach to standard development
using best practice
PDCA Model as basic part for process definition

Standardization future
Security management for small and medium business
Privacy
Controls for security control failure
PDCA Cycle feedback
Monitoring and checking
ISMS Auditing
Continual improvement

Source:
http://isotc.iso.org/livelink/livelink?func=ll&objId=327974&objAction=browse&sort=name

65
Security related management systems
Software engineering rules
Quality management and software live cycle
IT Service management

High influence on risks in IT environment

Important security improvements

66
 Quality management (QMS)

Quality ability of products/services to satisfies defined and

expected requirements
QMS is well-known and generally accepted management system
Tool for communication with other departments and end-users
Basic requirements on resource, document and record management
etc.
Primary aim for information technology management
ISO/IEC 90003 Guidelines for the application of ISO 9001:2000
to computer software

ISO/IEC 90003
Quality Measurement,
Management Resource Product
management analysis and
responsibility management realization
system improvements

Source: ISO Fosus, February 2005

67
 Concept of software engineering
ISO 9001:2000 Quality management
ISO/IEC 90003:2004 Software quality management
ISO/IEC 15504
Process assessment

ISO/IEC 9126 ISO/IEC 14143

Product quality Functional size measurement

ISO/IEC 16326 ISO/IEC 14102

Project management ISO/IEC 12207 Evaluation and selection of CASE tools
Software life
ISO/IEC 15846/ISO 10007 cycle processes ISO/IEC 15026
Configuration management System and software integrity levels

ISO/IEC 14598 ISO/IEC 14764

Software product avaluation Software maitenance
ISO/IEC 15910
Software user documentation process

ISO/IEC 15939
Software measurement process

Zdroj: ISO Fosus, February 2005 68

 IT Service management (ITSM)

IT Service a described set of facilities, IT and non-IT,

supported by the IT service provider that fulfils one or more
needs of the Customer and that is perceived by the Customer
as a coherent whole
ITSM definition
Specification ISO/IEC 20000-1:2005 (BS 15000-1)
Code of practice ISO/IEC 20000-2:2005 (BS 15000-2)
Other resources
ITIL IT Infrastructure Library (nowadays version 2)
(detail explanation of ISO/IEC 20000 processes)
ITIL version 3 will be released in May 2007
Some ITIL derivations IBM, HP, Microsoft, Sun,
Microsoft Operations Framework http://www.microsoft.com/mof
IT Service Management Forum Czech Republic http://www.itsmf.cz

69
 ISO/IEC 20000 Overview
International standard for IT service management
Part 1: Specification
Part 2: Code of practice
ISO/IEC 20000 based on BS 15000
Just small changes and improvements
Based on PDCA Model
Using of ITIL best practice
As ISO published in December 2005
Czech version of part 1 published in October 2006
Part 2 will be published during 2007

70
 ISO/IEC 20000 and ITIL relationship

ISO/IEC 20000 International standard

Part 1: Specification (16 pages)
Part 2: Code of practice (34 pages)
BSI Interpretations and recommendations ISO/IEC 20000
BIP 0005 A Manager's Guide
to Service Management
BIP 0015 IT Service Management. BIP 0005
Self-assessment workbook (72 pages) BIP 0015
BIP 0030 BIP 0039 Publications
ITIL Detail explanation of processes
Service support (~ 300 pages) ITIL
Service delivery (~ 350 pages)
Business perspective (~ 180 pages)

71
 IT service management processes
Planning and implementing
new or changed services
Service Delivery Processes
Capacity Service Level Information Security
Management Management Management

Service Service Reporting

Continuity and Budgeting and
Accounting for
Availability Control Processes IT services
Management
Configuration Management
Release Change Management Relationship
Process Processes
Resolutin Business
Processes Relationship
Release Incident Management Management
Management Supplier
Problem Management Management

Source: ISO/IEC 20000

72
 ISO/IEC 20000 Processes (1)
Service delivery processes
Service level management
Objective: To define, agree, record and manage levels of service
Service reporting
Objective: To produce agreed, timely, reliable, accurate reports
for informed decision making and effective communication
Service continuity and availability management
Objective: To ensure that agreed service continuity and
availability commitments to customers can be met in all
circumstances
Budgeting and accounting for IT services
Objective: To budget and account for the cost of service provision
Capacity management
Objective: To ensure that the service provider has, at all times,
sufficient capacity to meet the current and future agreed
demands of the customers business needs
Information security management
Objective: To manage information security effectively within all
service activities

Source: ISO/IEC 20000

73
 ISO/IEC 20000 Processes (2)
Relationship processes
Business relationship management
Objective: To establish and maintain a good relationship
between the service provider and the customer based on
understanding the customer and their business drivers
Supplier management
Objective: To manage suppliers to ensure the provision of
seamless, quality services
Resolution processes
Incident management
Objective: To restore agreed service to the business as soon
as possible or to respond to service requests
Problem management
Objective: To minimize disruption to the business by proactive
identification and analysis of the cause of incidents and by
managing problems to closure.

Source: ISO/IEC 20000

74
 ISO/IEC 20000 Processes (3)
Control processes
Configuration management
Objective: To define and control the components of the service
and infrastructure and maintain accurate configuration
information
Change management
Objective: To ensure all changes are assessed, approved,
implemented and reviewed in a controlled manner

Release process
Release management process
Objective: To deliver, distribute and track one or more changes
in a release into the live environment

Planning and implementing new services

Planning and implementing new or changed services
Objective: To ensure that new services and changes to services
will be deliverable and manageable at the agreed cost and
service quality.

Source: ISO/IEC 20000

75
 PDCA Model for IT service management

Business Manage services

requirements Business
Management responsibility results
Customer
requirements PLAN
Plan service Customer
management satisfaction
Request for new/
changed services Planning and implementing
new or changed services
Service Delivery Processes
Capacity Service Level Information Security
New / changed
Other processes DO Management Management Management
ACT services
e. g. business, Implement Service
Continuity and
Availability
Service Reporting

Control Processes
Budgeting and
Accounting for
IT services Continual
supplier, cusromer service Management
Configuration Management

management Release
Process
Change Management Relationship
Processes
improvement
Resolutin
Processes
Business
Relationship
Other processes
Release
Management
Incident Management Management
Supplier e.g. business,
Service Desk Problem Management Management
suplier, customer
CHECK
Other teams, Monitor, measure
e.g. security, and review Team and people
IT operations satisfaction

Source: ISO/IEC 20000 and Jenny Dugmore

76
 ISO/IEC 20000 Processes (4)
IT service management system processes
Requirements for a management system
Objective: To provide a management system, including policies and
a framework to enable the effective management and
implementation of all IT services
Plan service management
Objective: To plan the implementation and delivery of service
management
Implement service management and provide the services
Objective: To implement the service management objectives and
plan.
Monitoring, measuring and reviewing
Objective: To monitor, measure and review that the service
management
Continual improvement
Objective: To improve the effectiveness and efficiency of service
delivery and management

Source: ISO/IEC 20000

77
 BSI Publications related to ISO/IEC 20000
BIP 0030 Achieving ISO/IEC 20000 Management Decisions
BIP 0031 Achieving ISO/IEC 20000 Why People Matter
BIP 0032 Achieving ISO/IEC 20000 Making Metrics Work
BIP 0033 Achieving ISO/IEC 20000 Managing End-to-end
Service
BIP 0034 Achieving ISO/IEC 20000 Finance for Service
Managers
BIP 0035 Achieving ISO/IEC 20000 Enabling Change
BIP 0036 Achieving ISO/IEC 20000 Keeping the Service
Going
BIP 0037 Achieving ISO/IEC 20000 Capacity Management
BIP 0038 Achieving ISO/IEC 20000 Integrated Service
Management ISO/IEC 20000
BIP 0039 Achieving ISO/IEC 20000 The Differences
Between BS 15000 and ISO/IEC 20000 BIP 0005
BIP 0015
Source: http://www.bsi-global.com/ICT/Service/index.xalter
ITIL
78
Conclusion
It is always easier to copy than starts form
beginning

ISO and NI standards are good source for

copying
Basic vision, what and how can be used, is needed

Copying si also needs high level of

professionalism

Thanks for your attention and good lack

79
ludek.novak@anect.com