ISO-IEC 17799

The New International Standard for Information Security Management

Caroline Hamilton
RiskWatch, Inc.
With assistance from:
Mike Nash, Gamma Secure Systems Ltd
Camberley, United Kingdom

IMPORTANCE OF STANDARDS
- Examples from America’s past include:
  - Railroad Tracks
  - Shoe Sizing

FOUNDING OF NIST - 1901
- At that time, the United States had few, if any, authoritative national standards for any quantities or products. What it had was a patchwork of locally and regionally applied standards, often arbitrary, that were a source of confusion in commerce. It was difficult for Americans to conduct fair transactions or get parts to fit together properly. Construction materials were of uneven quality, and household products were unreliable. Few Americans worked as scientists, because most scientific work was based overseas.

The Baltimore Fire of 1904
- The need for standards was dramatized in 1904, when more than 1,500 buildings burned down in Baltimore, Md., because of a lack of standard fire-hose couplings. When firefighters from Washington and as far away as New York arrived to help douse the fire, few of their hoses fit the hydrants. NIST had collected more than 600 sizes and variations in fire-hose couplings in a previous investigation and, after the Baltimore fire, participated in the selection of a national standard.

Competing Standards
- US Government: NIST Standards
- BS 7799 / ISO-IEC 17799 Standard

International Standards
- International Standards in Information Security are developed by the Security Techniques Committee, ISO/IEC JTC 1 SC 27
- Three areas:
  - WG 1 - Security Management
  - WG 2 - Security Algorithms/Techniques
  - WG 3 - Security Assessment/Evaluation
- Includes responsibility for ISO/IEC 17799 (BS 7799), the main topic for today.

History
- SC 27 formed in 1990
  - Replaced the previous ISO/IEC security committee, which was failing to make progress
  - Scope excluded standardisation of algorithms (now relaxed)

Membership
- Members of SC 27 are National Standards Bodies
  - Participating or Observing
  - Also liaisons from other standards-making bodies or committees
- Working Groups are composed of experts nominated by National Bodies
  - Up to 200 participating experts

Participating Members
- SAI Australia
- IBN Belgium
- ABNT Brazil
- SCC Canada
- CSBTS/CESI China
- CSNI Czech Rep
- DS Denmark
- SFS Finland
- AFNOR France
- DIN Germany
- MSZT Hungary
- BIS India
- UNINFO Italy
- JISC Japan
- KATS Korea, Rep of
- DSM Malaysia
- NEN Netherlands
- NTS/IT Norway
- PKN Poland
- GOST R Russian Fed
- SABS South Africa
- AENOR Spain
- SIS Sweden
- SNV Switzerland
- BSI UK
- DSTU Ukraine
- ANSI USA

Adoption of New Standard
- Australia/New Zealand: AS/NZS ISO/IEC 17799:2000
- The primary information security standard in Australia was AS4444, and in New Zealand was NZS4444. These have been replaced with a new international standard, 17799. See Standards Australia OnLine at http://www.standards.com.au.

Observers
- ASRO Romania
- DSN Indonesia
- EVS Estonia
- IPQ Portugal
- IRAM Argentina
- NSAI Ireland
- ON Austria
- PSB Singapore
- SII Israel
- SNZ New Zealand
- SUTN Slovakia
- SZS Yugoslavia

WG 2 Security Techniques
- There are International Standards for:
  - Encryption (WD 18033)
  - Modes of Operation (IS 8372)
  - Message Authentication Codes (IS 9797)
  - Entity Authentication (IS 9798)
  - Non-repudiation Techniques (IS 13888)
  - Digital Signatures (IS 9796, IS 14888)
  - Hash Functions (IS 10118)
  - Key Management (IS 11770)
  - Elliptic Curve Cryptography (WD 15946)
  - Time Stamping Services (WD 18014)

Other Standards
- US Government Standards
  - Data Encryption Standard (DES) (FIPS 46)
  - Advanced Encryption Standard (AES) (FIPS 197)
  (FIPS - Federal Information Processing Standard)
- Proprietary Standards
  - e.g. RSA (the Rivest Shamir Adleman algorithm)

WG 3 Security Evaluation
- Third Party Evaluation
  - Criteria for an independent body to form an impartial and repeatable assessment of the presence, correctness and effectiveness of security functionality
- “Common Criteria” (CC) (IS 15408)

Common Criteria
- Produced by a consortium of Government bodies in North America / European Union
  - Mainly National Security Agencies
- Influenced by the International Standardisation committee
  - Adopted as International Standard 15408
- Adopted and recognised by other major Governments
  - All EU, Australia, Japan, Russia
- Replaces “Orange Book” (US) and ITSEC (EU)

Content of CC
- Part 1 – Introduction and General Model
- Part 2 – Functional Components
- Part 3 – Assurance Components
- Related standards:
  - Protection Profile Registration Procedures (IS 15292)
  - Framework for Assurance (WD 15443)
  - Guide on Production of Protection Profiles (WD 15446)
  - Security Evaluation Methodology (WD 18045)

Relevance of CC
- The Common Criteria and its predecessors (Orange Book, ITSEC) raised the level and reliability of security functionality found in standard products
  - Operating Systems, Databases, Firewalls
- Important for major product vendors
- Important for high-risk Government systems
- Important for Smart Cards
- Irrelevant to everyone else

Why?
- Common Criteria is complex
- Evaluation is complex and time consuming
- Limited number of approved Evaluation Facilities
  - Expensive
  - Inflexible
- Money is usually better spent improving security

WG 1 Security Management
- Two key standards:
  - Guidelines for Information Security Management (GMITS) (TR 13335)
  - Code of Practice for Information Security Management (IS 17799)
- Other standards:
  - Guidelines on the use and management of trusted third parties (TR 14516)
  - Guidelines for implementation, operation and management of Intrusion Detection Systems (WD 18043)
  - Guidelines for security incident management (WD 18044)

GMITS and 17799
- GMITS developed by ISO/IEC JTC 1 SC 27 (standards committee)
- IS 17799 is (almost) identical to BS 7799-1
  - BS 7799-1 was the most widely purchased security standard worldwide
- Officially, no overlap
  - This is rubbish
- GMITS is dying
  - Scope is IT security, not Information Security
  - Only a TR (Technical Report)
  - Editors of GMITS are moving to work on 17799

ISO/IEC 17799 and BS 7799-2
- IS 17799 is a catalogue of good things to do
- BS 7799 Part 2 is a specification for an ISMS (Information Security Management System)
- ISMS compliance can be independently assessed

What is an ISMS?

ISO/IEC 17799 Layout
- 10 Major Headings
- 36 Objectives
- 127 Major Controls
- Several Thousand Pieces of Guidance

The 10 Major Headings
- Security Policy
- Security Organisation
- Asset Classification and Control
- Personnel Security
- Physical and Environmental Security
- Comms and Operational Management
- Access Control
- Systems Development and Maintenance
- Business Continuity Management
- Compliance

Security Objectives
- Security Policy
- Security Organisation
- Asset Classification and Control
- Personnel Security
- Physical and Environmental Security (its objectives shown as the example):
  - Secure Areas
  - Equipment Security
  - General Controls
- Comms and Operational Management
- Access Control
- Systems Development and Maintenance
- Business Continuity Management
- Compliance

Security Controls
- Security Policy
- Security Organisation
- Asset Classification and Control
- Personnel Security
- Physical and Environmental Security (its objectives shown as the example):
  - Secure Areas
  - Equipment Security, with its controls:
    - Siting
    - Power Supplies
    - Cabling
    - Maintenance
    - Off-premises
    - Disposal/reuse
  - General Controls
- Comms and Operational Management
- Access Control
- Systems Development and Maintenance
- Business Continuity Management
- Compliance

ISO/IEC 17799
- A standard for Information Security Management
  - Very wide acceptance
- Based on British Standard BS 7799
  - Replaced Part 1 of BS 7799
  - Part 2 of BS 7799 still exists and is current
  - Part 2 describes how to build and assess a security management system
  - National equivalents to BS 7799-2 exist in most developed countries
  - Except North America

BS 7799-2
- ISMS Requirements
  - Scope
  - Security Policy
  - Risk Assessment
  - Statement of Applicability
  - Develop./maintain ISMS
  - Documentation
- ISO/IEC 17799 Controls (in imperative format)

Complying with BS 7799-2
- Security Policy
- Risk Assessment
- Statement of Applicability
- Management System

Security Policy
- Scope
- Confidentiality
- Integrity
- Availability
- Accountability
- Assets
- Risk Assessment
- Regulatory/Legal

Risk Assessment
(Diagram: Asset, Threat and Vulnerability combine to give RISK)

Statement of Applicability
- Identifies actual security controls
- Must consider all 7799-2 listed controls
  - include or exclude with justification
- Select applicable controls by business and risk analysis

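A worked check for the rule above, as an added Python example that is not part of the presentation: every catalogue control is either included or excluded with a justification, and inclusion is driven by the asset, threat and vulnerability picture from the Risk Assessment slide. The control names are a constructed subset of the Physical and Environmental Security controls listed earlier; the 1..5 likelihood/impact scale and the acceptance threshold are assumptions.

```python
"""Statement of Applicability (SoA) completeness check (added example, not
from the slides). Every catalogue control must be included or excluded with
a justification; inclusion is driven by asset/threat/vulnerability risk.
Control names are a constructed subset; the 1..5 scales are assumptions."""
from dataclasses import dataclass, field

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (frequent), assumed scale
    impact: int      # 1 (minor) .. 5 (severe), assumed scale
    controls: list = field(default_factory=list)  # catalogue controls that treat it

    def score(self) -> int:
        return self.likelihood * self.impact

# Constructed subset of the control catalogue (Equipment Security controls).
CATALOGUE = ["Secure Areas", "Siting", "Power Supplies", "Cabling",
             "Maintenance", "Off-premises", "Disposal/reuse"]

# Constructed sample risk register.
RISKS = [
    Risk("Server room", "Fire", "No suppression", 2, 5, ["Secure Areas", "Siting"]),
    Risk("Laptops", "Theft off site", "Unencrypted disks", 4, 3, ["Off-premises"]),
    Risk("Retired disks", "Data leakage", "No wiping", 3, 4, ["Disposal/reuse"]),
    Risk("Desk printer", "Power loss", "No UPS", 3, 1, ["Power Supplies"]),
]

def build_soa(risks, catalogue, threshold):
    """Return {control: (included, justification)} with an entry for every control."""
    treated = {}
    for r in risks:
        if r.score() >= threshold:  # only unacceptable risks drive inclusion
            for c in r.controls:
                treated.setdefault(c, []).append(f"{r.asset}/{r.threat} (score {r.score()})")
    return {c: (True, "treats: " + "; ".join(treated[c])) if c in treated
            else (False, "no risk at or above threshold requires this control")
            for c in catalogue}

def soa_complete(soa, catalogue):
    """True only if every catalogue control has a decision and a justification."""
    return all(c in soa and bool(soa[c][1]) for c in catalogue)

if __name__ == "__main__":
    for control, (included, why) in build_soa(RISKS, CATALOGUE, threshold=8).items():
        print(f"{'INCLUDE' if included else 'EXCLUDE'} {control}: {why}")
```

An excluded control still carries a written reason, which is what an assessor checking the SoA against the full control list will ask for.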
Security Management
- The means by which management monitors and controls security
- Requires regular checks that:
  - Controls are still in place and effective
  - Residual risks are still acceptable
  - Assumptions about threats etc. remain valid

Revision of IS 17799
- ISO/IEC 17799 was identical in technical content to BS 7799-1:1999
- Part of the negotiations for adoption was the initiation of an immediate major revision process
- Revision started April 2002
  - First meeting in Berlin failed to finish its agenda
  - Lot of fuss over philosophy and definitions, e.g. “What is security?”
  - Editors sent away to finish the job
  - Having difficulties finding enough changes to justify a major revision

Revision of BS 7799-2
- BS 7799-2:2002 issued as draft for comment in March 2002
  - Aligned with other continuous review standards (“Plan-Do-Check-Act”)
  - Comment period now closed
- Final text agreed 10th June 2002
- Publication as a British Standard in July 2002

In closing
- Information Security Standards matter
- Many standards are for a specialist audience
- ISO/IEC 17799 is relevant to every security professional

For more info about ISO 17799
Gamma Secure Systems Ltd
http://www.gammassl.co.uk/

Caroline Hamilton
RiskWatch, Inc.
Chamilton@riskwatch.com