Information Security Harmonisation—Classification of Global Guidance

Information Systems Audit and Control Association®
With more than 35,000 members in more than 100 countries, the Information Systems Audit and Control Association (ISACA®) (www.isaca.org) is a recognised worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal®, develops international information systems auditing and control standards, and administers the globally respected Certified Information Systems Auditor™ (CISA®) designation, earned by more than 38,000 professionals since inception, and the Certified Information Security Manager® (CISM®) designation, a groundbreaking credential earned by 5,100 professionals in its first two years.

IT Governance Institute®
The IT Governance Institute (ITGI®) (www.itgi.org) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise’s information technology. Effective IT governance helps ensure that IT supports business goals, optimises business investment in IT, and appropriately manages IT-related risks and opportunities. The IT Governance Institute offers symposia, original research and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.

Disclaimer
The Information Systems Audit and Control Association (the “Owner”) and the authors have designed and created this publication, titled Information Security Harmonisation—Classification of Global Guidance (the “Work”), primarily as an educational resource for security professionals. The Owner makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of any proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, the security professional should apply his/her own professional judgement to the specific circumstances presented by the particular systems or information technology environment.

Disclosure
Copyright © 2005 by Information Systems Audit and Control Association. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), without the prior written authorisation of ITGI.

Information Systems Audit and Control Association
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.590.7491
Fax: +1.847.253.1443
E-mail: info@isaca.org
Web site: www.isaca.org

ISBN 1-933284-05-6
Information Security Harmonisation—Classification of Global Guidance
Printed in the United States of America


Acknowledgements

From the Publisher
Information Systems Audit and Control Association wishes to recognise:

The author
Leslie Ann Macartney, CISA, CISM, UK

The Board of Directors
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young LLP, USA, International President
Abdul Hamid Bin Abdullah, CISA, CPA, Auditor General’s Office, Singapore, Vice President
William C. Boni, CISM, Motorola, USA, Vice President
Ricardo Bria, CISA, SAFE Consulting Group, Argentina, Vice President
Everett C. Johnson, CPA, Deloitte & Touche (retired), USA, Vice President
Howard Nicholson, CISA, City of Salisbury (South Australia), Australia, Vice President
Bent Poulsen, CISA, CISM, VP Securities Services, Denmark, Vice President
Frank Yam, CISA, CIA, CCP, CFE, Focus Strategic Group Inc., Hong Kong, Vice President
Robert S. Roussey, CPA, University of Southern California, USA, Past International President
Paul A. Williams, FCA, MBCS, Paul Williams Consulting, UK, Past International President

The expert reviewer
Robert G. Parker, CISA, CA, FCA, CMC, Deloitte & Touche LLP, Canada

The CISM Certification Board
Chair, Leslie Macartney, CISA, CISM, UK
Kent Anderson, CISM, Network Risk Management LLC, USA
Luis A. Capua, CISM, Sindicatura General de la Nación, Argentina
Robert Stephen Coles, Ph.D., CISA, CISM, FCCA, MBCS, Royal Bank of Scotland Group, UK
Arnold Dito, CISA, USA
Danny Q. Le, CISA, CISM, KPMG, USA
Kyeong-Hee Oh, CISA, CISM, CISSP, Green Soft, Korea
Ashok Shankar Pawar, CISA, CISM, CAIIB, State Bank of India, India
David Simpson, CISA, CISM, CISSP, CQR Consulting, Australia

The authors of COBIT Mapping—Overview of International IT Guidance
Jimmy Heschl, CISA, CISM, ISACA Austria Chapter



Table of Contents

Introduction
  Purpose for Classification of the Guidance
  Security Guidance Included in This Research
  The Classification Framework
  Document Taxonomy Chart
  The CISM Domain Chart
  How to Use This Publication
  History and Role of ISACA and ITGI
  Approach to the Classification
1. BS 7799 Part 2:2002 Information Security Management Systems—Specification With Guidance for Use
2. COBIT®
3. SSE-CMM® Systems Security Engineering—Capability Maturity Model 3.0
4. GAISP Version 3.0
5. The Standard of Good Practice for Information Security
6. ISO/IEC 13335 Information Technology—Guidelines for the Management of IT Security
7. ISO/TR 13569:1997 Banking and Related Financial Services—Information Security Guidelines
8. ISO/IEC 15408:1999 and Common Criteria
9. ISO/IEC 17799:2000 Information Technology—Code of Practice for Information Security Management
10. ITIL Security Management
11. NIST 800-12 An Introduction to Computer Security—The NIST Handbook
12. NIST 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
13. NIST 800-18 Guide for Developing Security Plans for Information Technology Systems
14. NIST 800-53 Recommended Security Controls for Federal Information Systems, Second Public Draft
15. OCTAVE® Criteria Version 2.0, Networked Systems Survivability Program
16. OECD Guidelines for the Security of Information Systems and Networks and Associated Implementation Plan
17. Manager’s Guide to Information Security
Annex—CISM Job Domains

Note each of the chapters contains the following subsections:
• Issuer
• Document Taxonomy
• Circulation
• Goal(s) of the Standard or Guidance Publication
• Information Security Drivers for Implementing the Guidance—Why
• Related Risks of Noncompliance—What Could Happen
• Target Audience
• Timeliness
• Certification Opportunities
• Completeness
• Availability
• Recognition/Reputation
• Usage
• CISM Domain Alignment
• Description and Guidance on Use
• Reference

Introduction

Purpose for Classification of the Guidance

The role of the information security manager has evolved over the past few years. It has shifted from a position that focussed essentially on IT to one where business acuity takes equal priority. At the same time, numerous security standards, codes of practice, methodologies, etc., have been developed and published, all with the purpose of providing some level of direction or support for security objectives. All of them are focussed on one or more issues of importance. However, the perception has existed that there is a standards quagmire, because there are so many and a harmonisation framework did not exist. This is where this technical study from ITGI intends to add some clarity to the picture.

The purpose of this document is to provide Certified Information Security Manager (CISM) holders and all other information security managers with a road map to the more recognised and widely available information security guidance documents, enabling information security managers to identify those that may be of best use within their own organisation or most appropriate for improving their own skills and knowledge. This report will also be useful in presenting the concept of managing risk on an enterprisewide basis, from the boardroom to the network. It helps link risk management and the information presented to governance.

Despite the quantity and diversity of available security guidance worldwide, there remain areas of information security management that do not appear to be addressed to the level or detail required in today’s environments. ISACA/ITGI will follow up this research with further work to define these gaps and produce additional guidance as required. Additionally, this document will be updated periodically to reflect additional guidance, changes to guidance and advice on how the guidance can be used.

Security Guidance Included in This Research

The scope of this first version of Information Security Harmonisation was defined as identifying, classifying and reporting on the most commonly known and accepted worldwide guidance, based on best practice surveys. The author did not identify every piece of guidance in all countries, but attempted to deal first with the most common and generally accepted. Seventeen internationally accepted security-focussed guidance documents were examined across 12 separate evaluative criteria. The following were included in this research:

• BS 7799 Part 2:2002 Information Security Management Systems—Specification With Guidance for Use is a specification for an information security management system.

• Control Objectives for Information and related Technology (COBIT), published by the IT Governance Institute, represents a collection of documents that can be classified as generally accepted framework and standards for IT governance, security, control and assurance.
• Systems Security Engineering—Capability Maturity Model (SSE-CMM) Model Description Document 3.0 is a guide to the concepts and application of a model to improve and assess security engineering capability.
• Generally Accepted Information Security Principles (GAISP) is a collection of security principles that has been defined and produced as a collective effort by members of the organisations involved.
• The Information Security Forum’s (ISF’s) Standard of Good Practice for Information Security is a collection of information security principles and practices.
• ISO/IEC 13335 Information Technology—Guidelines for the Management of IT Security, released by the International Organisation for Standardisation and the International Electrotechnical Commission, is technical guidance subdivided into five parts which provide guidance on aspects of information security management.
• ISO/TR 13569:1997 Banking and Related Financial Services—Information Security Guidelines, released by the International Organisation for Standardisation, is a grouping of security concepts and suggested control objectives and solutions for financial sector organisations.
• ISO/IEC 15408:1999 Security Techniques—Evaluation Criteria for IT Security is based on the Common Criteria for Information Technology Security Evaluation 2.0 (CC). ISO/IEC 15408:1999 is used as a reference to evaluate and certify the security of IT products and systems.
• ISO/IEC 17799:2000 Information Technology—Code of Practice for Information Security Management is a collection of information security practices.
• The IT Infrastructure Library’s (ITIL’s) Security Management is a methodology describing how IT security management processes link into other IT infrastructure management processes.
• NIST 800-12 An Introduction to Computer Security—The NIST Handbook, released by the US National Institute of Standards and Technology (NIST), describes the common requirements for managing and implementing a computer security programme and some guidance on the types of controls that are required.
• NIST 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems is a collection of principles and practices to establish and maintain system security.
• NIST 800-18 Guide for Developing Security Plans for Information Technology Systems provides a format and guidance for developing a system security plan.
• NIST 800-53 Recommended Security Controls for Federal Information Systems provides a set of baseline security controls.
• Operationally Critical Threat, Asset, and Vulnerability Evaluation℠ (OCTAVE) is a set of principles, attributes and outputs for risk assessment.
• Organisation for Economic Co-operation and Development (OECD) Guidelines for the Security of Information Systems and Networks provides a set of nine information security principles aimed at fostering a “culture of security”.

• Open Group’s Manager’s Guide to Information Security is a booklet providing general guidance for IT managers on acquiring secure IT products and systems.

The Classification Framework

A goal of this project was to produce a comprehensive document that evaluated all selected security guidance in the same manner, using the same criteria. The following approach was used to evaluate the guidance:
• Issuer—Who issued the guidance and what organisation(s) are supporting it and keeping it current?
• Document taxonomy—Is the guidance an international or a national standard, a collection of best practices, or guidance?
• Circulation—Is the guidance used internationally or is it limited to a specific geographical area?
• Goal(s) of the standard or guidance publication—What is the stated purpose of the guidance? For example, the guidance may focus on information security management or baseline protection, or it may provide a methodology or framework.
• Information security drivers for implementing the guidance—What are some specific reasons for considering the implementation of the guidance?
• Related risks of not using or implementing—What are some identified risks if the guidance is not implemented?
• Target audience—What is the stated target audience of the guidance?
• Timeliness—How current is the publication and how frequently is it revised?
• Certification opportunities—Is there a certification for adherence to or knowledge of the guidance, either at the organisation or the individual level?
• Completeness—How complete is the guidance in meeting its own stated purposes and in terms of use for designing, implementing and managing an enterprisewide information security management programme?
• Availability—Where and how can the security guidance be obtained?
• Recognition/reputation—What are the recognition levels of the guidance and CISM holders’ opinions on its acceptability to the information security industry? Conclusions represent a summary of results of a global survey of more than 5,000 CISMs conducted in the fourth quarter of 2004.
• Usage—How widely is it used by security practitioners, and is it considered comprehensive and effective in this use? Conclusions represent a summary of results of the same global survey of more than 5,000 CISMs conducted in the fourth quarter of 2004.
• CISM domain alignment—What level of coverage does the publication provide when compared against the task/knowledge statements in the CISM job domains?
• Description—This section provides a brief, high-level description of the contents of the respective guidance under review, including brief excerpts of all criteria within the framework and conclusions that were reached. The conclusions result from the author’s and others’ reading.

Document Taxonomy Chart

As a part of this research, ITGI wanted to present an analysis of the degree to which the various security guidance documents fulfilled five principal areas of security, and how they are presented in the taxonomy chart (figure 1). The areas are:
• Information security management programme components—The respective guidance contains suggestions for the types of activities an information security manager would normally address within an information security programme.
• Security principles—The guidance suggests key security principles upon which an information security programme should be based, including justifications that can be interpreted to align with most, if not all, variations of business objectives and approaches.
• High-level information security controls—The guidance contains information security controls, including justifications, but not necessarily the detailed practices of how the control can be applied.
• Detailed control practices—The guidance contains detailed information security control practices.
• Model or methodology—The guidance describes a framework, model or methodology for one or more activity in which an information security manager may be engaged.

Figure 1—Document Taxonomy
Areas of security focus (columns): Management Programme Components; Security Principles; High-level Security Controls; Detailed Control Practices; Model or Methodology.
Security guidance (rows): BS 7799, COBIT¹, SSE-CMM, GAISP, ISF, ISO/IEC 13335, ISO/TR 13569, ISO/IEC 15408, ISO/IEC 17799, ITIL, NIST 800-12, NIST 800-14, NIST 800-18, NIST 800-53, OCTAVE, OECD, Open Group.
An X in the chart marks each area of security focus that a guidance document covers.
¹ COBIT provides detailed control practices for IT governance. Information security controls are also included within its scope.

Note that BS 7799 and ISO/IEC 17799 have different qualifications because one is a specification (or method) for information security management whilst the other is a set of guidelines and recommended information security practices.

The CISM Domain Chart

CISM is ISACA’s groundbreaking credential earned by more than 5,100 professionals in its first two years. CISM is specifically geared toward experienced information security managers and those who have information security management responsibilities. It is for the individual who must maintain a view of the “big picture” by managing, designing, overseeing and assessing an enterprise’s information security. It is business-oriented and focusses on information risk management whilst addressing management, design and technical security issues at a conceptual level. Whilst its central focus is security management, all those in the IS profession with security experience can find value in CISM. It helps provide executive management with assurance that those earning the designation have the required knowledge and ability to provide effective security management and consulting.

This research has allocated each of the global guidance documents a ranking² of 4, 3, 2, 1 or 0 for each of the five CISM domains. These rankings are not intended to indicate the quality of the publication but are designed to indicate their helpfulness to a CISM (or someone seeking to gain CISM certification) in addressing the specific objectives of each CISM domain. First, the ranking suggests a publication’s likely usefulness to the CISM who feels weak in the knowledge requirements of one or more domains. Secondly, it points all security practitioners to potentially new approaches to common information security management activities. The five levels are further defined in figure 2. The CISM domain chart in figure 3 provides a summary of how and to what level of detail each of the 17 global guidance documents provides coverage of the task and knowledge requirements within the five CISM domains.

² The use of a ranking of 5 has been specifically excluded as none of the examined guidance documents was found to provide full coverage of a CISM domain.

Figure 2—CISM Domain Rankings

Ranking 4—The publication addresses many of the respective CISM domain’s tasks, providing not only the “what” needs to be done but also suggestions on “how” it can be achieved.
Ranking 3—The publication contains detailed guidance on one or more of the CISM domain tasks, but on its own does not supply sufficient guidance for the respective CISM domain. Other tasks within the domain either are not addressed or the level provided is inadequate for real learning purposes.
Ranking 2—The publication should be considered a useful complement to other resources.
Ranking 1—There are little or no references to this CISM domain. Any references are either incomplete or very high level.
Ranking 0—The publication is unlikely to provide real benefit to the reader in addressing this CISM domain.

The overall score uses the same definitions, but in relation to all five CISM domains. In this context, the overall score is not necessarily an average of the individual scores.

Figure 3—Security Guidance Coverage of CISM Domains

Columns: Information Security Governance (Gov); Risk Management (Risk); Information Security Programme Management (Prog); Information Security Management (Mgmt); Response Management (Resp); Overall Coverage of CISM Domains (Overall).

Publication       Gov  Risk  Prog  Mgmt  Resp  Overall
BS 7799            2    1     2     2     1     2
COBIT              2    1     2     2     1     2
SSE-CMM            2    2     2     2     2     2
GAISP              2    1     1     1     0     2
ISF                2    2     3     2     1     2
ISO/IEC 13335      4    3     4     4     1     4
ISO/TR 13569       2    3     3     2     1     2
ISO/IEC 15408      0    0     2     0     0     2
ISO/IEC 17799      1    1     3     2     2     2
ITIL               1    0     2     2     1     2
NIST 800-12        4    3     4     4     3     4
NIST 800-14        2    1     2     2     2     2
NIST 800-18        1    1     3     1     1     2
NIST 800-53        1    1     3     1     1     2
OCTAVE             2    4     4     1     1     3
OECD               2    1     1     0     1     1
Open Group         0    0     1     1     0     1

A full description of the CISM job domains and the associated task and knowledge statements is provided in the appendix of this document.

How to Use This Publication

Best use of this publication depends upon the reader’s familiarity with security standards and guidance. Another factor is how the reader’s enterprise embraces global standards, guidance and best practices. Therefore, the following suggested approach may or may not fit the reader’s needs. Each enterprise must analyse its unique security needs in relation to the available guidance.

Consider the guidance currently used by the enterprise and then review the document taxonomy in figure 1. Determine whether the guidance currently used is adequate for the anticipated needs of the enterprise in the future across the five areas mapped:
• Information security management programme component
• Security principles
• High-level information security controls
• Detailed control practices
• Model or methodology

Then consider the information security drivers for implementing each standard/guidance described in this book. Review the related risks of not using or implementing the guidance. Helpful information to arrive at the best practice for the enterprise is presented in the CISM domain alignment section for each standard/guidance and in the recognition levels of the guidance and CISM holders’ opinions on its acceptability to the information security industry.

Remember that the standards/guidance reviewed in this publication do not include every guidance available, only the more globally recognised and widely available information security guidance documents. In the end, each enterprise must analyse its needs and evaluate its weaknesses and strengths as they relate to information security. One size does not fit all.

History and Role of ISACA and ITGI

The Information Systems Audit and Control Association, established in 1969, is a nonprofit member organisation which has for many years worked with security and IT assurance professionals. It is globally recognised as the major provider of standards and controls for the general IT environment. ISACA’s CISA certification was developed in 1978 and remains the most successful and internationally recognised IT auditor certification available, with more than 38,000 certified globally since inception.

In 1996, ISACA’s affiliated foundation published the first version of COBIT as a framework within which IT governance could be managed. COBIT, now in its third edition, is published in several languages, including Dutch, French, German and Spanish, amongst others, and is generally considered to be the leading governance, security, control and assurance framework across the world.

ISACA reflected the growing awareness of the vital role of technology in helping businesses achieve their corporate aims with the creation of the IT Governance Institute in 1998. Effective IT governance helps ensure that IT supports business goals, maximises business investment in IT, and appropriately manages IT-related risks and opportunities.

In 2002, the CISM certification was launched. It was specifically developed to reflect the increasing importance of the role of information security managers and, in particular, to reflect their increased profile within organisations and their vital role in corporate and IT governance.

Approach to the Classification

Descriptions of the guidance have been provided based on the author’s review. All guidance was evaluated/classified using the same approach and framework. The intent was to provide a comprehensive solution for answering questions about how the various guidance documents address the security space. Whilst attempts have been made to keep these descriptions factual, subjective opinions of the author are unavoidable.

In completing this classification, information relating to the reputation, recognition, acceptance and usage of the publications was obtained from a survey of holders of the CISM certification. A comprehensive survey was sent to more than 5,000 CISMs. Nearly 1,900 completed and returned the survey for a 37 percent response rate. Information was classified by geographic location³ to identify regional differences.

The security guidance included in this document undoubtedly will undergo change/modification and, as mentioned previously, in addition to new guidance that comes into existence, it is intended that this report will be updated regularly to reflect changes and finalisation. CISM holders and other readers of this document are encouraged to provide ISACA with feedback on their own specific experiences of using the referenced guidance and to suggest others that should be included in this classification.

³ Five geographic locations were used: Asia, Central/South America, Europe/Africa, North America and Oceania.

1. BS 7799 Part 2:2002 Information Security Management Systems—Specification With Guidance for Use

Issuer
The United Kingdom Standards Policy and Strategy Committee provides authority for publication of documents as British Standards.

Document Taxonomy
The original BS 7799 was issued as two parts:
• BS 7799-1: Information Technology—Code of Practice for Information Security Management
• BS 7799-2: Information Security Management Systems—Specification with Guidance for Use
BS 7799-1 no longer exists, having been replaced by ISO/IEC 17799, which is discussed later in this research.

Circulation
BS 7799-2 is a British Standard that is widely known and used internationally. BS 7799 has been adopted and modified by several countries, for example, AS/NZS 7799-2 for Australia and New Zealand.

Goal of the Standard or Guidance Publication
The purpose of this guidance was to specify the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system. It has been designed to be compatible with ISO 9001:2000 Quality Management Systems and ISO 14001:1996 Environmental Management Systems.

Information Security Drivers for Implementing the Guidance—Why
It may provide assurance to customers and trading partners that the organisation is managing its information security risks to meet a recognised minimum standard.

Following the defined guidance for an information security management system, regardless of whether one is seeking certification, can be a good method of instilling discipline into the security management process.

Related Risks of Noncompliance—What Could Happen
Whilst there is no specific risk in following the model defined by BS 7799-2, organisations failing to address all of the process areas are unlikely to be managing security to a satisfactory level.

Target Audience
The guidance is prepared for business managers and their staff as a model for an information security management system. It is designed to be used by organisations of any size or type and is not geographically specific. It can also be used by certification bodies.

Timeliness
BS 7799-2 was first developed and issued in 1998 as a specification to complement BS 7799-1 (now ISO/IEC 17799). It was revised in 1999 to reflect changes in part 1 and again in 2002 to harmonise with other ISO management standards. British Standards are normally revised every three to five years. The next version of ISO/IEC 17799 is due for release in April 2005 and it is anticipated that BS 7799-2, updated to reflect ISO/IEC 17799:2005, may very well become an ISO standard by the end of 2006.

Certification Opportunities
A certification scheme exists to certify organisations toward compliance. Although this is a British Standard, more than 900⁴ organisations in more than 40 countries have been evaluated and certified to BS 7799-2.

Completeness
BS 7799-2 is a model that includes every activity required to “establish, implement, operate, monitor, review, maintain and improve a documented information security management system”.

⁴ Figures obtained from the International Information Security Management System User Group web site at www.xisec.com.

Unlike ISO/IEC 17799 Code of Practice for Information Security Management, BS 7799 contains no guidance on how to undertake the activities it describes. It also avoids describing specific control practices as these naturally vary across organisations. However, it does recommend other documents that may be helpful to organisations applying the guidance. The appendix of BS 7799-2 contains a list of controls (summarised from ISO/IEC 17799) that organisations can use as the basis for identifying and setting their own organisational security control frameworks. However, this list is not intended to be exhaustive and the onus is on the organisation to supplement those provided.

Availability
The guidance is available for purchase from www.bsi-global.com (GB sterling £28.00 for British Standards Institution members and £56.00 for nonmembers).

Recognition/Reputation
Based on the global survey of CISMs (described in this document’s Introduction), BS 7799-2 is globally recognised and considered to be a widely accepted standard by a large majority (74 percent) of the respondents. These are significant figures for an individual standard.

Usage
BS 7799-2 is comprehensive and is being actively used (i.e., implemented, used as best practice or used for assessment) by the majority (57 percent) of surveyed CISMs in Europe/Africa, Central/South America and Oceania. Asia figures are slightly below this (48 percent) and in North America the figure falls to 39 percent.

CISM Domain Alignment
When reviewing BS 7799-2 to see how it addresses the five domains of the CISM certification, the following rankings are evident.

Information Security Governance, 2—The document provides a model that includes many of the tasks an information security manager must undertake but it does not give detailed guidance on how the information security manager should complete these tasks.

Risk Management. 1 BS 7799-2 contains references to and definitions of risk management activities but it provides no guidance on development and application of risk management methods.

Information Security Programme Management. 2 It is a good model for those wishing to design, develop and manage an information security programme and a must for organisations intending to apply for BS 7799 certification.

Information Security Management. 2 This is a good model for the operational aspects of information security management, but limited detail is provided on how to carry out the tasks.

Response Management. 1 The guidance contains only brief references to response management, and as a whole is limited in this area and provides no direction.

Overall. 2 This is a useful model for those wishing to establish a framework for the management of an information security management system and a must for those seeking BS 7799 certification. It is a useful model but insufficient in itself for an inexperienced information security manager. It needs to be used by an experienced information security manager and must be supplemented with other information security standards and guidance, which are reviewed later in this document.

Description and Guidance on Use
BS 7799-2 uses 33 pages to describe a model for setting up and managing an information security management system. There are eight chapters and a number of annexes and reference tables. The guidance includes an introduction to the plan-do-check-act (PDCA) model that is used in other management systems standards such as ISO/IEC 9001. The PDCA model also reflects some of the principles set out in OECD’s Guidelines for the Security of Information Systems and Networks—Towards a Culture of Security and COBIT. However, the guidance provides little direction on how to carry out the activities, meaning the user of the model should already be experienced in information security management. Even the experienced IT security professional should, as is recommended within BS 7799-2, refer to other publications for guidance on undertaking the activities described.

Since the PDCA is an approach used in several globally respected standards, the following is a brief description of the approach that would be used to manage a comprehensive information security management system. The following provides the level of detail that is contained in BS 7799-2.

Plan activities address the establishment of the information security management system and include:
• Definition of the information security management system coverage (e.g., assets, location, technology)
• Definition of an information security policy that reflects organisational needs
• Definition of a risk assessment methodology
• Identification and assessment of risks
• Identification and evaluation of options for the treatment of risks
• Selection of control objectives and controls
• Preparation of a statement of applicability (which gives the reasons for selection and exclusion of controls)

Do activities are concerned with the implementation and operation of the information security management system and include:
• Creation of plans to allocate responsibilities and priorities for risk treatment
• Implementation of controls
• Training and awareness programmes
• Operations and resource management
• Procedures for detecting and reacting to incidents

Check activities are concerned with monitoring and reviewing the information security management system and include:
• Execution of monitoring and other control procedures
• Reviews of information security management system effectiveness
• Reviews of residual risks and acceptable risks

Act activities are concerned with maintaining and improving the information security management system and include:
• Implementing improvements (including taking corrective and preventive actions to eliminate the cause of nonconformities and guard against future nonconformities)
• Learning from experiences (one’s own and those of other organisations)
• Ensuring that improvements meet the objectives

The standard describes the types of documentation needed to establish and manage the information security management system as well as those needed to satisfy the British Standard (and are therefore necessary for certification to the standard). It also describes the procedures that need to be in place to control documents and records. Management responsibilities are identified and include management commitment, resource management and information security management system review.
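The Plan-stage activities listed above (define scope, define a risk assessment methodology, assess risks, evaluate treatment options, select controls, prepare a statement of applicability) can be run end to end as a small program. The example below is added here and is not code from BS 7799-2 or from BSI; the scoring method (likelihood × impact on a 1 to 5 scale with a fixed acceptance threshold), the asset register, the sample risks and the control catalogue are all constructed assumptions, since the standard leaves every one of them to the organisation. It also produces the list of residual risks that the Check stage would review.

```python
"""Added example (not from BS 7799-2): the Plan-stage activities run as one program.
The scoring method, acceptance threshold, asset register, risks and control
catalogue are constructed assumptions; the standard leaves them to the organisation."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ACCEPTANCE_THRESHOLD = 6   # assumed methodology: a score of 6 or less is acceptable as-is


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    candidate_controls: List[str]

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Treatment:
    risk: Risk
    option: str              # "accept" or "reduce" (transfer/avoid omitted for brevity)
    controls: List[str] = field(default_factory=list)
    residual_score: int = 0


# Constructed control catalogue; the ids are placeholders, not Annex A numbering.
CONTROL_CATALOGUE: Dict[str, str] = {
    "C-ACCESS": "Access control on production systems",
    "C-BACKUP": "Regular backup and restoration testing",
    "C-CRYPTO": "Encryption of data in transit",
    "C-PHYSICAL": "Physical entry controls to server rooms",
}


def treat_risk(risk: Risk, reduction: float = 0.5) -> Treatment:
    """Evaluate the treatment options for one risk.  Assumed rule: accept at or
    below the threshold, otherwise reduce with the candidate controls, which
    are assumed to halve the score."""
    if risk.score <= ACCEPTANCE_THRESHOLD:
        return Treatment(risk, "accept", [], risk.score)
    residual = max(1, round(risk.score * reduction))
    return Treatment(risk, "reduce", list(risk.candidate_controls), residual)


def plan_isms(scope: Dict[str, object], risks: List[Risk]) -> Dict[str, object]:
    """Run the Plan stage: assess risks, decide treatment, select controls and
    prepare a statement of applicability that gives a reason for every control,
    selected or excluded."""
    treatments = [treat_risk(r) for r in risks]
    selected = {c for t in treatments for c in t.controls}
    soa: Dict[str, Tuple[str, str]] = {}
    for cid, title in CONTROL_CATALOGUE.items():
        if cid in selected:
            treated = ", ".join(f"{t.risk.asset}: {t.risk.threat}"
                                for t in treatments if cid in t.controls)
            soa[cid] = ("selected", f"{title}; treats {treated}")
        else:
            soa[cid] = ("excluded", f"{title}; no in-scope risk requires it")
    return {"scope": scope, "treatments": treatments, "statement_of_applicability": soa}


def residual_risks_for_review(plan: Dict[str, object]) -> List[Treatment]:
    """Check-stage input: treated risks whose residual score is still above the
    acceptance threshold and therefore need explicit management review."""
    return [t for t in plan["treatments"] if t.residual_score > ACCEPTANCE_THRESHOLD]


# Constructed sample input (scope statement and risk register)
SAMPLE_SCOPE = {"assets": ["customer database", "web front end"],
                "location": "primary data centre", "technology": ["Linux", "PostgreSQL"]}
SAMPLE_RISKS = [
    Risk("customer database", "unauthorised access by former staff", 4, 5, ["C-ACCESS"]),
    Risk("customer database", "disk failure", 2, 5, ["C-BACKUP"]),
    Risk("web front end", "defacement of public page", 2, 2, ["C-ACCESS"]),
    Risk("customer database", "eavesdropping on replication link", 3, 4, ["C-CRYPTO"]),
]

if __name__ == "__main__":
    plan = plan_isms(SAMPLE_SCOPE, SAMPLE_RISKS)
    for cid, (status, reason) in plan["statement_of_applicability"].items():
        print(f"{cid:<11}{status:<9}{reason}")
    for t in residual_risks_for_review(plan):
        print(f"review: {t.risk.threat} (residual {t.residual_score})")
```

Note the two behaviours the listing makes visible: a control is selected only if some risk above the threshold needs it (the accepted defacement risk does not justify C-ACCESS on its own), and the first risk is still above the threshold after treatment, so it lands on the Check-stage review list rather than silently disappearing.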

Annex A of the standard is a list of control objectives and controls that are directly derived from those listed in ISO/IEC 17799:2000 and must be used as part of the controls selection process identified in the plan stage. Annex B provides guidance on the use of the standard, including details on what should be documented in scope statements, risk assessments and risk treatment plans, how to approach information security management system audits and dealing with nonconformities. A table within annex B maps seven of the nine OECD security principles against the PDCA model of BS 7799-2. There is also guidance on what type of checking and self-policing procedures may be applied.

Extract from 4.3.1 General Documentation Requirements
The information security management system documentation shall include the following:
a) Documented statement of the security policy (see 4.2.1b) and control objectives.
b) The scope of the information security management system (see 4.2.1) and procedures and controls in support of the information security management system.
c) Risk assessment report (see 4.2.1c to 4.2.1g).
d) Risk treatment plan (see 4.2.2b).
e) Documented procedures needed by the organisation to ensure the effective planning, operation and control of its information security processes (see 6.3).
f) Records required by this British Standard (see 4.3.3).
g) Statement of applicability.
h) All documentation shall be made available as required by the information security management system policy.

Extract from B.2.3 Self-policing Procedures
A self-policing procedure is a control that has been constructed so that any error or failure perpetrated during execution is capable of prompt detection. An example would be a device that monitors a network (e.g., for equipment failures or errors) and raises an alarm. The alarm alerts the responsible people to the problem, and they then have the task of diagnosing the cause of the problem and fixing it. However, if the problem is not corrected within a defined period of time, additional alarms are raised to more senior management, thus escalating the problem automatically.

Reference www.bsi-global.com
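The self-policing alarm in the Annex B extract above is, in effect, an escalation timer: the first alarm goes to the people responsible, and each missed correction deadline raises a further alarm one level up. The code below is an added example, not from BS 7799-2 or BSI, that evaluates that rule over a constructed monitoring log; the escalation chain, the 30-minute correction period and the event timeline are assumptions.

```python
"""Added example (not from BS 7799-2 Annex B): the self-policing alarm as an
escalation rule evaluated over a constructed timeline of monitoring events.
Times are minutes from the start of the log; the chain and period are assumed."""
from typing import Dict, List, Tuple

ESCALATION_CHAIN = ["network operator", "operations manager", "head of IT"]
CORRECTION_PERIOD = 30   # assumed: minutes allowed at each level before escalating

Event = Tuple[int, str, str]   # (minute, kind, problem id); kind is "fault", "fixed" or "tick"
Alarm = Tuple[int, str, str]   # (minute raised, problem id, recipient)


def process_events(events: List[Event],
                   chain: List[str] = ESCALATION_CHAIN,
                   period: int = CORRECTION_PERIOD) -> List[Alarm]:
    """Raise the first alarm when a fault is detected; every later event
    (including periodic "tick" checks from the monitor itself) re-examines the
    open problems and escalates one level per elapsed period until fixed."""
    open_problems: Dict[str, List[int]] = {}   # id -> [opened_at, highest level alerted]
    alarms: List[Alarm] = []
    for minute, kind, pid in sorted(events, key=lambda e: e[0]):
        if kind == "fault" and pid not in open_problems:
            open_problems[pid] = [minute, 0]
            alarms.append((minute, pid, chain[0]))     # duplicate faults raise no second alarm
        elif kind == "fixed":
            open_problems.pop(pid, None)               # correction clears the escalation timer
        for p, state in open_problems.items():
            opened, level = state
            due = min((minute - opened) // period, len(chain) - 1)
            while level < due:                         # one alarm per missed deadline, none skipped
                level += 1
                alarms.append((opened + level * period, p, chain[level]))
            state[1] = level
    return alarms


# Constructed sample log: two faults, one fixed promptly, one left open for 85 minutes
SAMPLE_EVENTS: List[Event] = [
    (0, "fault", "switch-3 link down"),
    (5, "fault", "core router cpu alarm"),
    (10, "fixed", "switch-3 link down"),
    (20, "tick", ""), (40, "tick", ""), (60, "tick", ""), (80, "tick", ""),
    (90, "fixed", "core router cpu alarm"),
    (100, "tick", ""),
]

if __name__ == "__main__":
    for minute, pid, who in process_events(SAMPLE_EVENTS):
        print(f"t={minute:>3} min  {who:<20} {pid}")
```

The alarm timestamp is the deadline that was missed (opened time plus one period per level), not the time of the tick that noticed it, so the record shows exactly which correction window lapsed; the top of the chain is alerted at most once per problem because the level is capped at the chain length.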

COBIT

Issuer
The IT Governance Institute is the copyright holder and issuer of the COBIT guidance.

Document Taxonomy
COBIT represents a collection of documents and a framework that are classified as generally accepted best practices for IT governance, security, control and assurance.

Goals of the Standard or Guidance Publication
The COBIT mission is to research, develop, publicise and promote an authoritative, up-to-date, international, generally accepted information technology control framework for day-to-day use by business managers, IT professionals and security assurance professionals.

Circulation
COBIT is accepted worldwide. In addition to the English version, it has been translated into several languages, including Dutch, French, German and Spanish. Its use reaches IT management, control and user management. COBIT is a worldwide de facto standard, and has rapidly become the IT control framework of choice for organisations addressing international regulatory issues, such as the US Sarbanes-Oxley Act of 2002.

Information Security Drivers for Implementing the Guidance—Why
There would not generally be one specific security driver behind implementing COBIT, as it is aimed at IT governance, of which security management is a part. The framework, along with the Committee of Sponsoring Organisations of the Treadway Commission (COSO), is considered to be critical to compliance with the US Sarbanes-Oxley Act.

Related Risks of Noncompliance—What Could Happen
There is no direct security risk from not complying, although it is widely accepted that security operates more effectively in an environment with good IT governance and controls.

Target Audience
Within organisations, three levels are addressed: management, IT users, and control and security professionals. Many types of organisations, public and private companies and external assurance professionals form the relevant target group. The COBIT framework is used frequently by Certified Public Accountants (CPAs) and Chartered Accountants (CAs), for instance, when performing an SAS 70 review.

Certification Opportunities
COBIT’s audit guidelines contain information for auditing and self-assessment against the control objectives, but there is no certification programme available for any part of COBIT.

Timeliness
The first edition of COBIT was issued in 1996. In 1998 the second edition was published with additional control objectives as well as the Implementation Tool Set. The third edition was issued in 2000 and included the Management Guidelines as well as an overall update. Management Guidelines includes a maturity model for IT governance and each of the objectives, as well as key goal indicators, critical success factors and key performance indicators. The latest enhancements to COBIT at the time of this publication in 2005 include:
• COBIT® Quickstart™
• COBIT Online®
• IT Governance Implementation Guide
• Control Practices
• COBIT® Security Baseline™
The next update to COBIT is targeted for release in late 2005. It is still relevant and up to date.

Completeness
COBIT addresses a broad spectrum of duties in IT management and can be of significant interest and use to the security manager, particularly if the organisation decides to build an IT governance framework using COBIT as its model. It does not contain the full depth of security management activities contained in ISO/IEC 17799.

Availability
COBIT is available in a variety of ways. First, most parts of COBIT are readily accessible for complimentary electronic download from the ISACA or ITGI web sites, www.isaca.org or www.itgi.org. The audit guidelines are posted for complimentary download for ISACA members only. Alternatively, a printed set and fully searchable CD-ROM can be purchased from the ISACA Bookstore, bookstore@isaca.org. Also, the most dynamic and useful manner is through COBIT Online. It can be purchased by going to www.isaca.org/cobitonline. The approach allows users to customise a version of COBIT to suit their own enterprise, then store and manipulate that version as desired. It also offers full online access to all of COBIT, an editable Access database download feature, real-time surveys, an active community forum and a robust benchmarking feature.

Usage
COBIT is considered to be comprehensive and effective and is being actively used (i.e., implemented, used as best practice or used for assessment) by more than 40 percent of surveyed information security managers globally (rising to in excess of 60 percent in Central/South America). Although this high level of use may be explained by the CISM population’s relationship to ISACA, it should also be noted that security managers do not, in general, make use of standards they hold in low esteem.

Recognition/Reputation
Based on the global survey of CISMs (described in this document’s Introduction), recognition of COBIT is extremely high, at over 98 percent. Of equal or more interest is that a majority (58 percent) of surveyed CISMs (security professionals) felt that COBIT is a well-accepted global standard. These are significant figures for an individual standard and are exceeded only by ISO/IEC 17799 and BS 7799.

CISM Domain Alignment

Information Security Governance. 2 COBIT addresses a number of information security governance tasks as part of IT governance, but not to any great detail.

Risk Management. 1 Risk management is referenced specifically in the PO9 process of COBIT. The remaining areas address it, but not to any detail.

Information Security Programme Management. 2 COBIT provides a simple model for planning and building an information security programme, but it does not have sufficient detail nor does it address all the responsibilities of an information security manager.

Information Security Management. 2 COBIT provides a straightforward model for supporting and monitoring an information security programme, but it does not have sufficient detail nor does it address all the responsibilities of an information security manager.

Response Management. 1 Response management is referenced, but most likely not in the level of detail required by an information security manager.

Overall. 2 This guidance, although comprehensive, would be useful to an information security manager if his/her organisation is planning to implement COBIT and/or enhance the broader IT governance concepts. Since much of the security material is aimed at educating IT management in security matters rather than as guidance to security managers, its use beyond overall governance is somewhat limited.

Description and Guidance on Use
Enterprise governance (the system, which includes the policies, procedures and standards guidance, by which organisations are governed and controlled) and IT governance (the system by which the organisation’s IT is governed and controlled) are—from a COBIT point of view—highly interdependent. Enterprise governance is inadequate without IT governance and vice versa. IT can extend and influence the performance of the organisation, but it has to be subject to adequate governance. On the other hand, business processes require information from the IT processes, and this interrelationship has to be governed as well, including how security management fits into the overall equation.

This theme can be taken further by considering information security governance. It, too, has a highly interdependent relationship with enterprise governance and IT governance.

There are several publications that make up COBIT. Whilst COBIT has not been developed specifically with the information security manager as a primary target, a large amount of the material is relevant to the information security programme. Those of key interest to the information security manager are addressed in the following subsections.

COBIT Framework
The COBIT Framework (65 pages) has been designed as a method of creating an IT governance framework that bridges the “business control model” with a “focussed IT control model”. In designing the framework, work performed by many organisations was referenced, including ISO/IEC 17799 Code of Practice for Information Security Management and several of the NIST publications. Also considered were business control models by COSO in Internal Control—Integrated Framework of 1992, Cadbury in the UK, CoCo in Canada and King in South Africa.

The framework identifies the need to satisfy the quality, fiduciary and security requirements for information. These broad requirements are then broken into seven distinct, but overlapping, categories:
• Quality:
1. Effectiveness—Information must be relevant and pertinent to the business process as well as be delivered in a timely, correct, consistent and useable manner.
2. Efficiency—This calls for provisioning information through the most optimal (productive and economical) use of resources.
• Security:
3. Confidentiality—Sensitive information must be protected from unauthorised disclosure.
4. Integrity—Information must be complete and accurate and in line with business values and expectations.
5. Availability—Information, and associated resources and capabilities, must be available when needed now and in the future.
• Fiduciary:
6. Compliance—This deals with laws, regulation and contractual arrangements to which the business is subject.
7. Reliability of information—This category relates to provision of the information needed by management to operate the entity and to exercise financial and compliance reporting responsibilities.

The framework then describes the IT resources necessary to deliver on the principles. There are five:
• Data—In its widest sense (i.e., internal and external), structured and nonstructured, graphics, sound, etc.
• Application systems—The sum of manual and programmed procedures
• Technology—Includes hardware, operating systems, database management, networking, etc.
• Facilities—Resources needed to house and support information systems
• People—Includes staff skills, awareness and production to plan, organise, acquire, deliver, support and monitor information systems and services

The framework then provides 34 control objectives that are described within four domains. The domains are designed to fit in with the same PDCA models used by OECD security guidance, ISO/IEC 9000, 14000, 15000 and BS 7799-2:2002. The four domains (see figure 4) are:
• Plan and Organise—11 objectives, numbered PO1 to PO11
• Acquire and Implement—6 objectives, numbered AI1 to AI6
• Deliver and Support—13 objectives, numbered DS1 to DS13
• Monitor and Evaluate—4 objectives, numbered M1 to M4

Figure 4—COBIT IT Processes Defined Within the Four Domains
Business objectives drive IT governance. The information criteria are effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability; the IT resources are people, application systems, technology, facilities and data. The processes in each domain are:
• Plan and Organise—PO1 define a strategic IT plan; PO2 define the information architecture; PO3 determine the technological direction; PO4 define the IT organisation and relationships; PO5 manage the IT investment; PO6 communicate management aims and direction; PO7 manage human resources; PO8 ensure compliance with external requirements; PO9 assess risks; PO10 manage projects; PO11 manage quality
• Acquire and Implement—AI1 identify automated solutions; AI2 acquire and maintain application software; AI3 acquire and maintain technology infrastructure; AI4 develop and maintain procedures; AI5 install and accredit systems; AI6 manage changes
• Deliver and Support—DS1 define and manage service levels; DS2 manage third-party services; DS3 manage performance and capacity; DS4 ensure continuous service; DS5 ensure systems security; DS6 identify and allocate costs; DS7 educate and train users; DS8 assist and advise customers; DS9 manage the configuration; DS10 manage problems and incidents; DS11 manage data; DS12 manage facilities; DS13 manage operations
• Monitor and Evaluate—M1 monitor the processes; M2 assess internal control adequacy; M3 obtain independent assurance; M4 provide for independent audit

COBIT Control Objectives
The COBIT Control Objectives (148 pages) document takes the 34 high-level control objectives and breaks them into more detailed control objectives, resulting in a comprehensive list of 318 control objectives.

Extract of DS2 Deliver and Support, Manage Third-party Services
Control over the IT process of managing third-party services that satisfies the business requirement to ensure that roles and responsibilities of third parties are clearly defined, adhered to and continue to satisfy requirements. Is enabled by control measures aimed at the review and monitoring of existing agreements and procedures for the effectiveness and compliance with organisation policy. And takes into consideration:
• Third-party service agreements
• Contract management
• Nondisclosure agreements
• Legal and regulatory requirements
• Service delivery monitoring and reporting
• Enterprise and IT risk assessments
• Performance rewards and penalties
• Internal and external organisational accountability
• Analysis of cost and service level variances

Extract of AI1.8 Risk Analysis Report
The organisation’s system development life cycle methodology should provide for, in each proposed information system development, implementation or modification project, an analysis and documentation of the security threats, potential vulnerabilities and impacts, and the feasible security and internal control safeguards for reducing or eliminating the identified risk. This should be realised in line with the overall risk assessment framework.

COBIT Management Guidelines
COBIT Management Guidelines (121 pages) provides a link between IT control and IT governance. The guidelines are action-oriented and generic, and provide management-specific guidance and direction for getting the enterprise’s information and related processes under control, monitoring achievement of organisational goals, monitoring and improving performance within each IT process and benchmarking organisational achievement. Management Guidelines includes for each of the 34 control objectives a maturity model, key goal indicators, critical success factors and key performance indicators.

Extract from PO9 Maturity Model
Level 2—Repeatable but Intuitive
There is an understanding that IT risks are important and need to be considered. Some approach to risk assessment exists, but the process is still immature and developing. The assessment is usually at a high level and is typically applied only to major projects. The assessment of ongoing operations depends mainly on IT managers raising it as an agenda item, which often happens only when problems occur. IT management has not generally defined procedures or job descriptions dealing with risk management.

COBIT Security Baseline
COBIT Security Baseline (38 pages) was developed primarily to help IT managers understand the need for information security and to provide essential security awareness messages for varying audiences including home users, professional users, managers, executives and boards of directors. Information security is defined within the document along with a list of 39 main steps that are needed to obtain a security baseline. These are grouped under the four COBIT domains and cross-referenced to the relevant control objectives from ISO/IEC 17799 and the 34 COBIT control objectives. COBIT Security Baseline also provides six survival kits, each aimed at a different audience, consisting of a checklist of actions that need to be addressed to ensure baseline security.

Extract of Steps 17 and 18 of Managing Changes
Step 17 Evaluate all changes, including patches, to establish the impact on the integrity, exposure or loss of sensitive data, availability of critical services, and validity of important transactions. Based on this impact, perform adequate testing prior to making the change.
Step 18 Record and authorise all changes, including patches (emergency changes possibly after the fact).

Extract of Questions From Information Security Survival Kit 5—Senior Executives
How is the board kept informed of information security issues? When was the last briefing made to the board on security risks and status of security improvements? Is the enterprise clear on its position relative to IT and security risks? Does it tend toward risk avoidance or risk taking? How much is being spent on information security? On what? How were the expenditures justified? What projects were undertaken to improve security last year? Have sufficient resources been allocated?

How many staff had security training last year? How many of the management team (members) received security training?

Control Practices
Control Practices (226 pages) expands the capabilities of COBIT by providing the practitioner with an additional level of detail. Whilst the COBIT IT processes, business requirements and detailed control objectives define what needs to be done to implement an effective control structure, Control Practices provides the more detailed how and why. Each of the 318 control objectives is listed here along with a brief rationale for why, and control practices for how.

Extract of AI6.4 Emergency Changes
Why Do It?
Controlling emergency changes by implementing the control practices will ensure:
• Emergency procedures are used in declared emergencies only.
• Urgent changes can be implemented without compromising integrity, security, reliability, availability, confidentiality or accuracy, effectively and relatively quickly.
Control Practices
1. Management defines parameters, characteristics and procedures that identify and declare emergencies.
2. All emergency changes are formally authorised by system owners and management before implementation.
3. All emergency changes are tested, if not before, then after implementation.
4. All emergency changes are documented, if not before, then after implementation.
5. Before and after images, as well as an intervention log, are retained for subsequent review.

COBIT Quickstart
This special version (46 pages) is a baseline for many small to medium enterprises (SMEs) and other entities where IT is not mission-critical or essential for survival. It can also serve as a starting point for other enterprises in their move toward an appropriate level of control and governance of IT. COBIT Quickstart was developed in response to comments that COBIT, in its complete form, can be a bit overwhelming. Those who operate with a small IT staff often do not have the resources to implement all of COBIT. This version of COBIT constitutes a subset of the entire COBIT volume, so that implementation of COBIT fundamental principles can take place easily. Only those control objectives that are considered the most critical are included.

COBIT Online
This online version of COBIT allows users to customise a version of COBIT for their own enterprise, then store and manipulate that version as desired. It offers online, real-time surveys and benchmarking, as well as a discussion facility for sharing experiences and questions.

References
www.isaca.org/cobit
www.itgi.org

SSE-CMM Systems Security Engineering—Capability Maturity Model 3.0

Issuer
The International Systems Security Engineering Association (ISSEA) is a nonprofit organisation formed in 1999 to continue development and promotion of SSE-CMM. (SSE-CMM is copyrighted by Carnegie Mellon University.) Members may be interested individuals or organisations.

Document Taxonomy
SSE-CMM Model Description Document 3.0 (SSE-CMM 3.0) is a guide to the concepts and application of a model to improve and assess security engineering capability. Version 2 was made ISO/IEC 21827 in 2002.

Goals of the Standard or Guidance Publication
The SSE-CMM 3.0 is intended to be used as a:
• Tool for engineering organisations to evaluate security engineering practices and define improvements to them
• Standard mechanism for customers to evaluate a provider’s security engineering capability
• Basis for security engineering evaluation organisations (e.g., system certifiers and product evaluators) to establish organisation capability-based confidences (as an ingredient to system or project security assurance)

Circulation
The guidance is widely known and used internationally by organisations involved in security engineering.

Information Security Drivers for Implementing the Guidance—Why
Customers want assurance of the level of security engineering in products and services.

Timeliness
Development of SSE-CMM began in 1995, with the first version published in 1996. Version 2 followed and was made ISO/IEC 21827 in 2002. Version 3 was released in 2003 and the ISSEA remains dedicated to improving the model.

Related Risks of Noncompliance—What Could Happen
No specific noncompliance risks exist unless the act of compliance begins to provide competitive advantage amongst suppliers that comply with the CMM.

Target Audience
The guidance is primarily aimed at organisations that practice security engineering in the development of operating systems software, software and middleware of applications programmes, security managing and enforcing functions. It was designed primarily for internal process improvement. Specific users are likely to be product developers, service providers, system integrators, system administrators and security specialists. The guide will also be of use to evaluation organisations or acquiring organisations (e.g., in Requests for Proposal).

Certification Opportunities
There is a documented SSE-CMM Appraisal Method that includes support materials for an appraisal. An Appraiser Certification Programme is being developed.

Completeness
The document is an excellent capability maturity model for evaluating and improving the quality of security engineering. However, it provides only limited information on the full role and responsibilities of an information security manager who is establishing, implementing and managing an enterprisewide information security programme, so it should be supplemented with other security publications.

Availability
SSE-CMM 3.0 is available by free download from the SSE-CMM web site at www.sse-cmm.org. Version 2, now published as ISO/IEC 21827, can be purchased from www.iso.org for Swiss CHF 208.00.

Usage
Active usage (i.e., implemented, used as best practice or used for assessment) of SSE-CMM is disappointing at only 20 percent, although this rises to one-third in Central/South America. The majority (69 percent) of all CISMs familiar with it found it to be effective, but views on its level of comprehensiveness varied, with Oceania in particular having reservations.

Recognition/Reputation
Based on the global survey of CISMs in 2004 (described in this document’s Introduction), SSE-CMM is well recognised (60 to 70 percent) in Asia, North America and Central/South America, but much less so in Oceania and Europe/Africa (more than 40 percent had no experience with the guidance). The majority of CISMs (52 percent) in all regions felt it has only limited acceptance amongst security professionals.

CISM Domain Alignment

Information Security Governance. 2 Following the SSE-CMM would improve information security governance performance but it is best used by an experienced information security practitioner with an information security governance framework already defined and in place.

Risk Management. 2 Following the SSE-CMM would improve performance in this domain, but it is best used by an experienced information security manager who already has the domain activities established.

Information Security Programme Management. 2 Following the SSE-CMM would improve performance in this domain, but it is best used by an experienced information security manager who already has the domain activities established.

Information Security Management. 2 Following the SSE-CMM would improve performance in this domain, but it is best used by an experienced information security manager who already has the domain activities established.

Response Management. 2 Following the SSE-CMM would improve performance in this domain, but it is best used by an experienced information security manager who already has the domain activities established.

Overall. 2 This is an excellent model for improving capabilities but it does not in itself provide guidance to an information security manager on how to define and establish an enterprisewide information security management programme. It would be most effective in the hands of an experienced information security manager.

Description and Guidance on Use
The guidance (340 pages) describes SSE-CMM as a process reference model that focuses on the requirements for implementing security engineering in a system(s). It was designed with the IT domain in mind, but it can also be used for non-IT security domains. SSE-CMM was designed to fill a perceived gap between the existence of security engineering principles and evaluation of practices by providing a framework within which an evaluation can be carried out. The guide describes security engineering in terms of the following goals (describes rather than defines as the role is evolving and, it claims, there is no consensus in the security community):
• Gain understanding of the security risks associated with an enterprise.
• Establish a balanced set of security needs in accordance with identified risks.
• Transform security needs into security guidance to be integrated into the activities of other disciplines employed on a project and into descriptions of a system configuration or operation.
• Establish confidence or assurance in the correctness and effectiveness of security mechanisms.
• Determine that operational impacts due to residual security vulnerabilities in a system or its operation are tolerable (acceptable risks).
• Integrate the efforts of all engineering disciplines and specialties into a combined understanding of the trustworthiness of a system.

The guide introduces the concept of maturity models to security. Explanations are given to the importance of statistical control processes and how they can predict defects and help identify where improvements in a process can be made. It also addresses the concept of process maturity, describing it as “the extent to which a specific process is explicitly defined, managed, measured, controlled, and effective”. Applied to security engineering this means that a capability maturity model can help an organisation evolve from an “ad hoc, less organised, less effective state to a highly structured and highly effective state”.

The guide describes expected results from using SSE-CMM as most likely to be:
• Improvements in predictability—Organisations are better at knowing whether they will meet their targets and, if not, by how much they will miss.
• Improvements in control—Targets are revised more accurately and corrective actions are evaluated to select the best application of control measures.
• Improvements in process effectiveness—Targeted results improve as the costs decrease, and productivity and quality increase.

There are three main security engineering areas in the SSE-CMM:
• Risk—Identifying and prioritising dangers
• Engineering—Determining and implementing solutions that address the risks
• Assurance—Being able to give customers confidence in the solutions

A number of practices are used in each of these areas. Practices are split into base practices and generic practices. The generic practices are those that indicate process management, whilst base practices are those that collectively define security engineering. One performs generic practices as a part of performing a base practice. This is most easily explained using the example provided by the guide.

Extract From 3.3 SSE-CMM Architecture Description
A fundamental part of security engineering is the identification of security vulnerabilities. This activity is captured in the SSE-CMM in Base Practice 05.02, “Identify System Security Vulnerabilities.” One way to determine an organization’s ability to do something is to check whether it has a process for allocating resources to the activities it claims to be doing. This “characteristic” of mature organizations is reflected in the SSE-CMM in Generic Practice 2.1.1, “Allocate Resources.” Putting the base practice and generic practice together provides a way to check an organisation’s capability to perform a particular activity. Here an interested party might ask, “does your organization allocate resources for identifying system security vulnerabilities?” If the answer is “yes,” the interviewer learns a little about the organization’s capability; additional information is gained from the supporting documentation or artefacts.

The SSE-CMM has 61 base practices within 11 process areas that cover security engineering. As security engineering must integrate with so many other areas, the guide also includes for context 68 base practices and 11 process areas that address project and organisation (drawn from both the Systems Engineering CMM and the Software CMM).



The 11 security processes are numbered for reference and are purposely referred to in alphabetical order to discourage thoughts that the process areas are ordered by life cycle. The 11 security process areas are:
• PA01 Administer Security Controls—The intended security for the system is achieved in its operational state.
• PA02 Assess Impact—Identify impacts (tangible and intangible) and the likelihood of the impacts occurring.
• PA03 Assess Security Risk—Identify and assess the likelihood of exposures.
• PA04 Assess Threat—Identify and characterise security threats.
• PA05 Assess Vulnerability—Identify and characterise security vulnerabilities.
• PA06 Build Assurance Argument—Clearly convey that security requirements are met (evidential activities).
• PA07 Co-ordinate Security—Ensure open communications between security engineering and all other involved parties (e.g., project personnel).
• PA08 Monitor Security Posture—Identify and report all breaches or attempted breaches of security as well as mistakes that could lead to breaches.
• PA09 Provide Security Input—Provide security information needed by interested parties (e.g., system architects, designers).
• PA10 Specify Security Needs—Explicitly identify security needs for the system.
• PA11 Verify and Validate Security—Verify and validate throughout design and development and against the customer’s operational security needs.

Extract of a Security Practice from Process Area PA02 Assess Impact
BP.02.03 Select Impact Metric(s)
Select the impact metric(s) to be used for this assessment.
Description
A number of metrics can be used to measure the impact of an event. It is advantageous to predetermine which metrics will be used for the particular system under consideration.
Example work products: selected impact metrics.
Notes
A limited set of consistent metrics minimizes the difficulty in dealing with divergent metrics. Quantitative and qualitative measurements of impact can be achieved in a number of ways, such as:
• Establishing the financial cost
• Assigning an empirical scale of severity, e.g., 1 through 10
• The use of adjectives selected from a predefined list, e.g., low, medium, high



Generic practices are grouped into five capability levels and reflect the maturity of the capability. Each has common features that describe an organisation’s characteristic manner of performing a work process, as follows:
• Level 1 Performed Informally—Base practices. “You have to do it before you can manage it” is how SSE-CMM characterises this level.
• Level 2 Planned and Tracked—Project-level definition, planning and performance, characterised by SSE-CMM as understanding what is happening on the project before defining organisationwide processes.
• Level 3 Well Defined—Disciplined tailoring, characterised as “using the best of what is learned from projects to create organisationwide processes”.
• Level 4 Quantitatively Controlled—Measurements tied to organisational business goals, characterised by “you cannot measure it until you know what ‘it’ is” and “managing with measurement is only meaningful when you’re measuring the right things”.
• Level 5 Continuously Improving—Sustaining gains and improvements, characterised by “a culture of continuous improvement (that) requires a foundation of sound management practice, defined processes, and measurable goals”.

Extract of a Generic Practice Performed at Capability Level 2
GP 2.1.5 Ensure Training
Description
Ensure that the individuals performing the process area are appropriately trained in how to perform the process.
Notes
Training, and how it is delivered, will change with process capability due to changes in how the process(es) is performed and managed.
Relationships
Training and training management is described in PA21 Provide Ongoing Skills and Knowledge.

The guide also contains advice on how to use the SSE-CMM, separately addressing process improvement, capability evaluation and gaining assurance.


Extract from 4.2 Using the SSE-CMM for Process Improvement
Stimulus for Change
The first step in any process improvement is to identify the business reasons for changing the organization’s practices. There are many potential catalysts for an organization to understand and improve its processes. Acquisition organizations may require certain practices to be in place for a particular program, or they may define a capability level as the minimally accepted standard for potential contractors. Organizations may have realized certain processes would allow them to more quickly and efficiently produce quality evidence in support of evaluation and certification efforts, provide an alternate means to formal evaluations for customers, or increase consumer confidence that security needs are adequately addressed. Regardless of the catalyst for change, a clear understanding of the purpose of examining existing processes in light of security is vital to the success of a systems security engineering process improvement effort.

References
www.sse-cmm.org
www.issea.org
www.iso.org

4.0 GAISP Version 3.0

Issuer
Generally Accepted Information Security Principles (GAISP) is being produced by the Information Systems Security Association (ISSA), a not-for-profit international organisation of information security practitioners.

Document Taxonomy
GAISP is a collection of security principles that is being defined and produced as a collective effort by members of the organisations involved. The current draft version of GAISP appeared as of August 2003 as a merged effort between Generally Accepted System Security Principles (GASSP), produced by International Information Security Foundation (IISF) in the early 1990s, and Commonly Accepted Security Practices and Recommendations (CASPR), produced by the CASPR Working Group.

Goal of the Standard or Guidance Publication
The major goal of ISSA’s GAISP Committee is to “Identify and develop pervasive, broad, functional and detailed GAISP in a comprehensive framework of emergent principles, standards, conventions, and mechanisms that will preserve the availability, confidentiality, and integrity of information”.

Circulation
GAISP is known to the wider information security community, but particularly so by members of ISSA and within North America.

Information Security Drivers for Implementing the Guidance—Why
GAISP represents a good foundation of principles that have been developed by experienced security practitioners.

Related Risks of Noncompliance—What Could Happen
There are no specific risks from noncompliance.

Target Audience
This is not stated explicitly in GAISP, but it would appear to be most suited to the information security practitioner and is flexible enough to serve most types and sizes of organisation.

Completeness
GAISP provides a good set of general principles that addresses the necessary areas of information security management and should be relevant for an organisation of any type, size or geographic location. It does not contain any level of detail below information security principles.

Timeliness
Version 3 of GAISP is described on the Internet as a draft document. It is undated but has obviously been altered as recently as August 2003. However, many of the references provided are well out of date and it is likely that much of the document in its current form was written in the early to mid 1990s. As of the date of this publication, it has not yet been updated or finalised.

Certification Opportunities
There is no certification process for adhering to GAISP principles.

Availability
GAISP is currently in draft mode and can be downloaded without cost from www.gaisp.org.

Recognition/Reputation
Based on data gathered from the global CISM survey (described in this document’s Introduction), GAISP is generally well known in North America (67 percent) but is less known elsewhere, particularly in Europe/Africa (40 percent). Acceptance of GAISP as a standard is rather limited (90 percent feel it has either limited or no acceptance), a view expressed in all geographic regions.

Usage
Usage of GAISP is very low (less than 18 percent), even in North America where it is well known. However, it is thought to be reasonably comprehensive and effective in what it addresses by all regions except Europe/Africa.

CISM Domain Alignment
Information Security Governance, 2
GAISP addresses only lightly some of the tasks within the governance domain but it does contain some useful principles that would be helpful in establishing high-level security policies.

Risk Management, 1
GAISP addresses risk management as a principle, but does not supply great detail.

Information Security Programme Management, 2
GAISP contains a good set of principles upon which an information security programme can be created, but it provides very little in the way of detailed guidance.

Information Security Management, 1
GAISP provides a set of principles, but no great detail.

Response Management, 0
Response management is briefly addressed as a principle, but not in great depth.

Overall, 1
It provides a set of principles. What it does provide, not found elsewhere, is examples to support each of the principles.

Description and Guidance on Use
GAISP is a document of 54 pages covering what it describes as “pervasive principles” and “broad functional principles”. There is a chapter heading for detailed security principles that has not yet been written. The document also contains a number of appendices.

Pervasive principles are described as those that provide general governance-level guidance to establish and maintain the security of information. Pervasive principles form the basis of the broad functional principles and detailed principles. There are nine pervasive principles and each is briefly described in GAISP along with a rationale for the principle and an example of application. The nine principles were founded on those contained within the Guidelines for Security of Information Systems published by the OECD in 1992. The OECD reissued its guidelines in 2002 with a different set of principles. Although GAISP is in line with the original nine that were issued in 1992, each is still valid in the way in which it is described.

GAISP’s nine pervasive principles are:
• Accountability principle—Ensuring that responsibilities and accountability are clearly defined and accepted
• Awareness principle—Ensuring that everyone, regardless of organisational role, has the required security knowledge
• Ethics principle—Ensuring that the application and administration of security practices are undertaken in an ethical manner
• Multidisciplinary principle—Ensuring that everyone’s needs, across all disciplines, are met in the way security is defined and applied
• Proportionality principle—Ensuring that the costs of security are practical and appropriate to the risk
• Integration principle—Ensuring that security complements and integrates with other organisational compliance requirements
• Timeliness principle—Ensuring that the response to threats and events is timely
• Assessment principle—Ensuring that risks are assessed on a regular basis
• Equity principle—Ensuring that the rights and dignity of individuals are respected

Extract of 2.4 Multidisciplinary Principle
Principles, standards, conventions, and mechanisms for the security of information and information systems should address the considerations and viewpoints of all interested parties.
Rationale: Information security is achieved by the combined efforts of information owners, custodians, users, and information security personnel. Decisions made with due consideration of all relevant viewpoints and technical capabilities can enhance information security and receive better acceptance.

Example: When developing contingency plans, the organization can establish a contingency planning team of information owners, representatives from facilities management, technology management, and other functional areas in order to better identify the various expectations and viewpoints from across the organization and other recognized parties.

Broad functional principles are described as the building blocks that provide guidance for operational accomplishment of pervasive principles. There are 14 broad functional principles and GAISP contains a table showing how they address the nine pervasive principles. Each of the 14 broad functional principles is described in a brief paragraph and is accompanied by a longer rationale and example of the principle in practice. The 14 broad functional principles are generally self-explanatory and are:
• Information security policy
• Education and awareness
• Accountability
• Information asset management
• Environmental management
• Personnel qualifications
• Incident management
• Information systems life cycle
• Access control
• Operational continuity and contingency planning
• Information risk management
• Network and Internet security
• Legal, regulatory and contractual requirements of information security
• Ethical practices

Extract from 3.1 Information Security Policy
Management shall ensure that policy and supporting standards, baselines, procedures, and guidelines are developed and maintained to address all aspects of information security. Such guidance must assign responsibility, the level of discretion, and how much risk each individual or organizational entity is authorized to assume.
Rationale: In order to assure that information assets are effectively and uniformly secured consistent with their value and associated risk factors, management must clearly articulate its security strategy and associated expectations. In the absence of this clarity, some resources will be under-secured—that is, ineffective; other resources will be over-secured—that is, inefficient.

Appendix A provides a page-long list of major recommendations contained within Computers at Risk5 which are addressed by GAISP. Appendix B contains the entirety of the OECD Guidelines for the Security of Information Systems, published by OECD in 1992.

References
www.gaisp.org
www.issa.org

5 National Research Council, Computers at Risk, Dr. David Clark (MIT), committee chair, National Academy Press, 1991

5.0 The Standard of Good Practice for Information Security

Issuer
Information Security Forum is a corporate member-based organisation currently comprised of more than 250 organisations, a large percentage based in Europe with global operations. The precursor to ISF was the European Security Forum (ESF).

Document Taxonomy
The standard is a collection of information security principles and control practices that was generated by members of ISF.

Goals of the Standard or Guidance Publication
The stated goals of the standard are to “promote good practice in information security in all organisations world-wide, help organisations improve their level of security and to reduce their information risk to acceptable levels, assist in the development of standards that are practical, focussed on the right areas and effective in reducing information risk”.

Circulation
The standard was previously known and available only to ISF members, but it was made publicly available a few years ago and since has begun to build a wider recognition.

Information Security Drivers for Implementing the Guidance—Why
This guidance is for those who want to improve their security benchmark against other major organisations.

Related Risks of Noncompliance—What Could Happen
There is no direct risk from not complying unless the organisation has an inherent need to comply with this standard.

Target Audience
The standard is specifically aimed at major national and international organisations although the ISF believes it is also likely to be of use to any organisation regardless of industry, geographic location or size. It is particularly aimed at large organisations of any industry type in any geographic location. It is also likely to be of practical use to information security practitioners, IT management and assurance professionals.

Completeness
The standard provides a broad and detailed range of security principles, control objectives and security practices. The standard does not deal with security management concepts nor provide guidance on how to select appropriate controls. If it is to be used, it needs to be applied by an experienced security practitioner or in combination with other guidance publications.

Timeliness
The ISF produced version 4 of the Standard of Good Practice for Information Security in March 2003. It is planned to be updated every two to three years and a specific aim is to ensure that the latest security “hot topics” are addressed.

Certification Opportunities
No certification is available. However, ISF (corporate) members can benchmark their performance against the standard through ISF’s biannual information security status survey.

Availability
The standard is publicly available as a free download at www.isfsecuritystandard.com.

Recognition/Reputation
Results from the ISACA global survey of 5,000 CISMs (described in this document’s Introduction) revealed that this standard is generally well recognised (approximately two-thirds of surveyed CISMs) although slightly less so in the Oceania region. However, the majority (55 percent) of CISMs familiar with the publication feel it has only limited acceptance as a standard.

Usage
Of those familiar with the standard, at least one-fifth are actively using it in some form or another (i.e., implemented, used as best practice or used for assessment) within their organisation. Usage is practised by almost one-third in Europe/Africa. A good majority (73 percent) of surveyed CISMs familiar with its contents believe the standard has a good level of comprehensiveness and it is also generally considered to be effective in use.

CISM Domain Alignment
Information Security Governance, 2
The standard provides implicitly (through its controls listings) some of the activities an information security manager should address in this domain, but it does not provide any real guidance and direction on how to set up and maintain an information security governance framework.

Risk Management, 2
It provides a good list of risk analysis requirements throughout the organisation. It does not describe approaches and methods of risk management.

Information Security Programme Management, 3
The standard is an excellent source of controls and practices that should help an organisation establish its security baselines and integrate them within the various parts of the organisation. This is clearly the best part of this guidance document. However, it contains nothing about how to develop and maintain security plans, project management methods and techniques, nor advice on establishment of metrics.

Information Security Management, 2
The guidance provides implicitly (through its controls listings) some of the activities an information security manager should address within this domain with particularly good lists on security awareness. However, it does not provide any guidance on how to establish or carry out these activities.

Response Management, 1
It defines the requirement for response management but provides very little that would help an information security manager develop and maintain a response management capability.

Overall, 2
This is a good source of controls and detailed control practices for the experienced information security practitioner.

Description and Guidance on Use
ISF’s Standard of Good Practice (the standard) is a document of 248 pages covering a range of principles and practice statements for the management of information security. The standard is comprehensive in its coverage and depth of practices and should be used by security managers experienced in determining whether the cost of applying the security practices provides adequate benefits. Those with less experience may find it overwhelming and have difficulty deciding which control practices are appropriate for their own organisation.

An introductory section within the document explains the background to the development of the standard and provides drivers and benefits for its use. The standard’s framework splits information security management into five distinct aspects, each of which covers a particular type of environment:
• Security management (enterprisewide)—High-level direction and control
• Critical business applications—Risks and protection of applications
• Computer installations—Requirements for the setup and running of computer services
• Networks—Requirements for the setup and running of networks
• Systems development—Incorporation of security requirements into new systems

The five aspects are broken into a number of supporting areas, which are then further broken into sections containing a principle and objective. Suggested practice statements advising on how each principle and objective can be met, usually between four and six statements per section, are also provided. As each of the five aspects is designed to be complete within its own right, some sections (e.g., risk analysis) are repeated, with the practice statements being varied accordingly. The structure of the standard is shown in figure 5. A detailed second index addressing a wide range of security-related topics provides easy reference to every practice statement.

Figure 5—Structure of the Standard
[Diagram: an aspect (e.g., a critical business application) is divided into areas (Area 1, Area 2, Area 3); each area is divided into sections (Section 1.1, 1.2, 1.3, 2.1, 2.2, 2.3, 3.1, 3.2); each section carries its statements of good practice.]
Source: Information Security Forum, The Standard of Good Practice for Information Security, Version 4, January 2005

Extract From Area 1 “High-Level Direction” from the Security Management Aspect
Section SM1.2—Security Policy
Principle—A comprehensive, documented information security policy should be produced and communicated to all individuals with access to the enterprise’s information and systems.
Objective—To document top management’s direction on and commitment to information security, and communicate it to all relevant individuals.
SM1.2.3 (i.e., the third practice statement for this section)
The information security policy should require:
a) Critical information and systems to be subjected to a risk analysis on a regular basis
b) That an ‘owner’—typically the person in charge of a particular business application, computer installation or network—is assigned for all critical information and systems
c) That information and systems are classified in a way that indicates their criticality to the enterprise
d) That staff are made aware of information security classification, including roles and responsibilities
e) Compliance with software licenses and with legal, regulatory and contractual obligations
f) Breaches of the security policy and suspected security weaknesses to be reported
g) Information to be protected in terms of its requirements for confidentiality, integrity and availability

The standard addresses the following major topic areas under each aspect:
• Security management
– Establishing, documenting and communicating direction and commitment for information security
– Making the organisational arrangements necessary for managing and applying security throughout the enterprise
– Establishing classification and ownership schemes for information assets
– Defining arrangements for a secure environment
– Taking steps for protection from and response to malicious attacks
– Including special topics: e-mail, cryptography, PKI and outsourcing
– Ensuring adequate audit, review and monitoring of the security environment
• Critical business applications
– Assessing the security requirements of an application
– Managing applications, change management and continuity planning
– Controlling access to applications
– Ensuring that applications are adequately supported and backed up
– Addressing practices for application security co-ordination, classification, risk analysis and review
– Including special topics: third-party agreements, internal controls, key management and web-enabled applications
• Computer installations
– Running and monitoring the computer installations to a desired level
– Designing and configuring the live environment
– Ensuring basic controls over the operations of systems
– Controlling access to information and systems in the computer installation
– Addressing practices for computer installation security co-ordination, classification, risk analysis and review
– Developing, maintaining and validating contingency plans
• Networks
– Designing and running computer networks to a desired level
– Ensuring that unauthorised network traffic is prevented
– Managing and monitoring network performance and resilience
– Addressing practices for network security co-ordination, classification, risk analysis and review
– Ensuring the security of voice networks
• Systems development
– Managing the systems development process, environment and staff
– Addressing practices for systems development security co-ordination and review
– Ensuring arrangements for specification of security requirements
– Addressing security during design, acquisition and build
– Addressing practices for system testing and implementation

Reference
www.isfsecuritystandard.com


6.0 ISO/IEC 13335 Information Technology—Guidelines for the Management of IT Security

Issuer
The International Organisation for Standardisation and International Electrotechnical Commission established a joint technical committee, the ISO/IEC JTC1, Subcommittee SC27 (IT security techniques), which is tasked with publishing international standards (e.g., ISO/IEC 17799:2000).

Document Taxonomy
ISO/IEC 13335 Information Technology—Guidelines for the Management of IT Security is a collection of five technical documents that provide guidance on aspects of information security management, and is divided into five parts:
1. Providing an introduction to security concepts and models.
2-3. These parts discuss implementation and management aspects and techniques of IT security management. The management tasks of IT security are outlined, such as planning, design and testing.
4. This section provides guidance on the selection of safeguards, considering the type of IT systems as well as security concerns and threats.
5. This portion contains information on identifying and analysing communication-related factors that should be taken into account when introducing network security.

Goals of the Standard or Guidance Publication
The goal of ISO was to create a document that provides guidance on aspects of IT security management.

Circulation
The guidance is known and recognised globally by the information security community. Parts of it have been in existence since 1996.

Parts 3 and 4 are at an early stage of redevelopment and will be made into a new part 2 titled “Techniques for Information Security Risk Management”. whereas the other parts target individuals responsible for the implementation of security measures. however. regulatory and legal expectations Related Risks of Noncompliance—What Could Happen There is no direct risk from not complying unless the organisation has an inherent need to comply with this guidance. which is to be published in 2006. Timeliness Dates of publication range from 1996 (part 1) to 2001 (part 5). Part 1. this does not detract from its general validity or usefulness. IT managers and IT security staff. explicitly addresses senior management and information security managers. for instance. size and geographic location. Part 5 is also in the early stages of redevelopment. 48 . Target Audience The guidance is applicable to organisations of all types. Certification Opportunities There is no specific certification available.Information Security Harmonisation—Classification of Global Guidance Information Security Drivers for Implementing the Guidance—Why ISO/IEC 13335: • Provides guidance for information security management • Provides a structured approach • Offers internationally recognised security practices • Enables the enterprise to meet audit. Completeness ISO/IEC 13335 contains comprehensive guidance on managing IT security. containing the management aspects of IT. although small organisations may find the level of detail overwhelming. The guidance could be used by organisations of any type or size. Parts 1 and 2 have been revised into a new part 1 titled “Concepts and Models for ICT Security Management”.


There is a good list of safeguards provided in part 4, although purely due to its age (part 4 was published in 2000), these may not fully address all of today’s technical risks.

Availability
The documents can be purchased from ISO at www.iso.org (where prices range between Swiss CHF 73.00 and 158.00 depending on the portion ordered), and from the American National Standards Institute (ANSI) at http://webstore.ansi.org (prices from US $58.00 to US $125.00 depending on the part ordered).

Recognition/Reputation
Results of the ISACA global survey of 5,000 CISM holders (described in this document’s Introduction) indicated that the guidance is known to at least 60 percent of surveyed CISMs, with recognition levels in Oceania particularly high at 85 percent. Figures for North America and Asia are surprisingly low for such a long-established international standard. The majority (60 percent) of those CISMs familiar with the guidance felt it has only limited acceptance within the information security community.

Usage
More than one-quarter of surveyed CISMs in Oceania actively use the guidance (i.e., implemented, used as best practice or used for assessment). The level of usage is much lower in other areas (as low as 11 percent in Central/South America). Of those CISMs familiar with it, at least half consider it both comprehensive in its coverage and effective in use.

CISM Domain Alignment
Information Security Governance, 4
By far, this is the best aspect of the guidance. It provides sound guidance for the information security manager covering most of the tasks in this domain, even though some of the documents and information provided within are somewhat dated.

Risk Management, 3
The guidance provides good fundamentals for information security risk management but it stops short of providing the detail that would be required for an appropriate methodology to be developed and used within an organisation.

Information Security Programme Management, 4
ISO/IEC 13335 provides sound guidance for the information security manager, covering most of the tasks in this domain even though some of the documents are somewhat dated. No guidance is provided on project management.

Information Security Management, 4
It provides sound guidance for the information security manager, covering most of the tasks in this domain even though some of the documents are somewhat dated.

Response Management, 1
Response management is referenced but not in any detail.

Overall, 4
The guidance is recommended as an excellent source of guidance for those involved in the management of information security.

Description and Guidance on Use
The current version of the report consists of five parts that have been written and published over the period of 1996 to 2001.

Part 1—Concepts and Models for IT Security
The first part (23 pages) was published in 1996 with the objective of providing an introduction to the management of IT security. Whilst it purposely does not suggest a particular IT security management approach, it does provide a general discussion of concepts, models, tools and techniques. The requirements for the definition of a policy, the identification of roles and responsibilities, systematic risk management, configuration and change management, contingency/disaster recovery planning, selecting and implementing safeguards, and follow-up activities are all described at a high level that is suitable for senior managers not involved in IT security or those just beginning to work in IT security. Part 1 identifies how corporate objectives, strategies and policies influence the organisation’s general security objectives, strategies and policies, which in themselves form the basis for the narrower set of IT security objectives, strategies and policies. IT system security objectives, strategies and policies are derived from the more general level of overall IT security.


The major elements involved in the security management process are:
• Assets (physical assets, information, software, people and intangibles)
• Threats (human and environmental)
• Vulnerabilities
• Impact
• Risk
• Safeguards
• Residual risk
• Constraints
The ongoing process of IT security management consists of the subprocesses:
• Configuration management—Changes in the configuration may not lead to a reduction of the security level. Furthermore, tracking of changes is available, and changes to the systems are reflected in various types of documentation (e.g., disaster recovery plan).
• Change management—This is the process of identifying security requirements when systems change.
• Risk management—Risk management is to be performed throughout the system’s life cycle. A risk management process compares risks with benefits and costs of different types of safeguards.
• Risk analysis—Risks are identified by the analysis of asset values, threats and vulnerabilities, resulting in a statement of the likelihood of risks to previously mentioned assets.
• Accountability—Responsibility for security is to be assigned explicitly. Ownership is assigned to assets.
• Security awareness—This explains the security objectives, strategies and policies and the need to comply with them.
• Monitoring—A periodic review of the safeguards is needed to assure their effectiveness.
• Contingency plans and disaster recovery—Contingency plans describe how to maintain core business processes in the case of system outages. Disaster recovery contains information on restoration of systems affected by an unintended outage.

Part 2—Managing and Planning IT Security
Part 2 (19 pages), published in 1997, contains guidelines that address essential topics on the management of IT security. Establishing and maintaining an IT security programme is the main task of IT security management. It consists of a planning and management process, risk management, implementation, follow-up (maintenance and monitoring) and integration throughout the organisation. A sound corporate IT security policy should address the following questions:
• Objectives—What is to be achieved? How are these objectives to be achieved? What are the rules for achieving these objectives?
• Management commitment—What are the commitment and support of senior management?
• Policy relationships—What are the relationships amongst corporate strategy, marketing policy, IT policy, security policy, IT security policy and system-specific policies?
• Policy elements—Is there a comprehensive list of topics that are to be covered?
Organisational aspects of IT security, such as roles and responsibilities, the initiation of a security forum and the nomination of security, project and system security officers, are discussed. The need for support by all levels of management is outlined, as is the importance of following a consistent approach throughout the organisation and to all systems. Strategic options for a risk management strategy are presented thereafter. The approaches are:
• Baseline approach—By selecting a set of safeguards to all systems, a baseline protection level is achieved.
• Informal approach—A pragmatic risk analysis for all systems; it requires experience of individuals and seems to be suitable for small organisations.
• Detailed risk analysis—A detailed analysis begins with the identification and valuation of assets, the threats to those assets, a selection of appropriate safeguards and the identification of an acceptable level of residual risk.
• Combined approach—Using the detailed approach at a high level identifies systems with a high risk, which are analysed in a more comprehensive manner. The other systems are appropriate for a baseline protection approach.
The specific advantages and disadvantages are addressed. The security recommendations section addresses different types of safeguards, their interdependency and recommendations for selecting and maintaining them as well as the need for acceptance of residual risk and its classification into “acceptable” and “unacceptable”. Following the discussion of risk management, other issues briefly mentioned are:
• IT system security policy—Contents and endorsement
• IT security plan—Documentation of actions to be taken for implementing the IT security policy
• Implementation of safeguards—Implementing the safeguards as defined in the plan, including security training
• Security awareness—Passing the knowledge from the security officer to all levels of the organisation
• Follow-up—Activities such as maintenance of safeguards and policies, security compliance checking, monitoring and incident handling

Part 3—Techniques for the Management of IT Security
Management techniques are described and recommended in this part, which was published in 1998 and is 54 pages. In addition to general information, an overview of the IT security management process is provided. Its major activities are:
• Analysis of security requirements—The definition of security objectives, strategy and the development of a corporate IT security policy
• Selection of a corporate risk analysis strategy—Identification and assessment of risks and their reduction to an acceptable level based on security requirements of different systems
• Implementation of the IT security plan—Implementation of safeguards, including security awareness and security training
• Follow-up—Checking of compliance, change management, monitoring and incident handling
The importance of a corporate IT security policy is discussed, and recommended parts are listed. A detailed table of contents is provided in the annex of the report. The method for detailed risk analysis is discussed in part 3, after the aforementioned table of contents of a security policy. The high-level result is the identification of systems requiring a detailed risk analysis and the need for baseline protection. In the annex, a comprehensive list of possible threat types and vulnerabilities and a description of a risk analysis method are provided. The implementation of safeguards and a security awareness programme follows the methodology-based identification of security needs. During the implementation phase, a security awareness programme is used to increase the level of awareness within the organisation. A sound awareness programme consists of:
• Needs analysis—Existing and targeted levels of awareness within different target groups and identification of necessary methods
• Programme delivery—Interactive and promotional techniques
• Monitoring—Periodic performance evaluation to determine the level of awareness and comprehensive change management to ensure that skills and awareness reflect modifications to systems
Internal or external experts ensure the achievement of the objectives by closing the implementation phase with an approval of the implemented systems. Part 3 concludes with a discussion of follow-up activities, such as maintenance, compliance checking, change management practices and incident handling.

Part 4—Selection of Safeguards
Part 4 (70 pages) was published in 2000 and promotes the selection of safeguards based on a high-level risk analysis. Baseline protection can come in two flavours: selection of safeguards according to the type of IT system and safeguards according to security concern and threats.

The basic assessments of the safeguard selection process are:
• Identification of the type of system—IT systems can be a standalone workstation, a workstation connected to a network or a server/workstation sharing resources via a network.
• Identification of physical/environmental conditions—In addition to general considerations concerning the environment of the organisation, more specific concerns are to be taken into account, such as perimeter and building (physical situation, single occupant or multi-occupied, information about other occupants, identification of sensitive/critical areas), access control (access to the building, physical access controls, robustness and structure of the building, protection level of doors, windows, etc.) or the protection in place (protection of rooms, fire detection/suppression facilities, water leakage detection, temperature and humidity controls, UPS, etc.). The identification is done by a review of documentation, a check with responsible personnel, or a walk through of the building.
• Assessment of existing/planned safeguards—By identifying existing safeguards, reselection of safeguards should be prevented. It has to be borne in mind that existing safeguards may exceed the current needs.
When selecting safeguards, the security concerns—the loss of confidentiality, integrity, availability, accountability, authenticity or reliability—should be considered. Each of these categories faces several threats. Safeguards can be classified into organisational/physical and system-specific safeguards:
• Organisational and physical safeguards
– IT security management and policies
– Security compliance checking
– Incident handling
– Personnel
– Operational issues
– Business continuity planning
– Physical security
• System-specific safeguards
– Identification and authentication
– Logical access control and audit
– Protection against malicious code
– Network management
– Cryptography
The organisational/physical safeguard categories are applicable to all IT systems. Thus all safeguards from this category should be considered first when following the baseline approach. IT system-specific safeguards require an in-depth consideration of the needs of the type and characteristics of the system.

No specific threats are listed in the report, only such exemplary threats as account sharing, masquerading user identity, software failure, unauthorised access to computers, data and applications, lack of traceability, or a weak authentication of identity. Examples of countermeasures to the previously mentioned threats are provided in the report. During the selection of a specific safeguard, it has to be decided which basic aspect should be addressed by the safeguard. These aspects are:
• Threat—Reduction of the likelihood
• Vulnerability—Removal of the vulnerability or making it less serious
• Impact—Reduction or avoidance of the impact
During the implementation of an organisationwide baseline, it must be decided whether the organisation can be protected by the same baseline or if different levels have to be identified. The annexes contain a short description of several sources of information concerning baseline protection and IT security.

Part 5—Management Guidance on Network Security
Part 5 (38 pages), published in 2001, deals with network security and provides guidance for identification and analysis of communication and networks. It also provides an introduction to safeguard areas. The following series of activities is recommended for the process of identification and analysis of communications-related factors:
• Review corporate IT security requirements—The IT security policy states the requirements for confidentiality, integrity, availability, nonrepudiation, accountability, authenticity and reliability of information.
• Review network architectures and applications—Depending on the types of networks, the protocols used, the applications installed and other considerations such as trust relationships, different safeguard areas may be identified.
• Identify types of network connections—Networks are usually connected in different topologies and at different organisational levels:
– A single controlled location within an organisation
– Connection amongst different geographical parts but within an organisation
– Connection between an organisation site and personnel working in locations away from the organisation
– Connection amongst different organisations with a closed community
– Connections with other organisations
– Connections with the Internet
• Review networking characteristics and related trust relationships—The characteristics can be classified into public or private networks and data and/or voice networks. Another distinction can be made between packet (using hubs) or switched network. The trust relationship is—depending on its environment—classified into low, medium and high. The combination of the two classes of publicity of the network connection (private or public) and trust environment (low, medium or high) provides basic information for identification of safeguards.
• Determine the types of security risks—Depending on the type of security risk (loss of confidentiality, loss of integrity, etc.) and the previous combination of characteristics and trust, several safeguards can be identified.
• Identify appropriate potential safeguard areas—On the basis of the security risks, characteristic safeguards are nominated. They are grouped into disciplines, such as:
– Secure service management
– Identification and authentication
– Audit trails
– Intrusion detection
– Protection against malicious code
– Network security management
– Security gateways
– Data confidentiality over networks
– Data integrity over networks
– Nonrepudiation
– Virtual private networks
– Business continuity and disaster recovery
A suitable security gateway arrangement will protect the organisation’s internal systems and securely manage and control the traffic flowing across them, in accordance with a documented security gateway service access policy.
• Document and review security options—The documentation of the intended architecture allows a final analysis of its design.
• Prepare for the allocation of safeguard selection, design, implementation and maintenance—An organisation can be set up and specific tasks defined for selection, design, implementation and maintenance of the safeguard.

References
www.iso.org
http://webstore.ansi.org

7. ISO/TR 13569:1997 Banking and Related Financial Services—Information Security Guidelines

Issuer
ISO/TR 13569:1997 is published by the International Organisation for Standardisation (ISO). It was prepared by ISO Technical Committee ISO/TC68/SC2, which develops financial services security standards and guides.

Document Taxonomy
The guidance Banking and Related Financial Services—Information Security Guidelines is a technical report containing guidelines on security concepts and suggested control objectives and solutions for financial sector organisations.

Circulation
This guidance is recognised internationally, but more so by the banking and financial services industry at which it is specifically aimed.

Goals of the Standard or Guidance Publication
The guidance states three objectives:
• To present an information security programme structure
• To present a selection guide to security and control that represents accepted prudent business practice
• To be consistent with existing standards, as well as emerging work in objective and accreditable security criteria

Information Security Drivers for Implementing the Guidance—Why
Amongst the reasons for implementing ISO/TR 13569:1997 are:
• Financial services organisations are expected to conform to internationally accepted standards.
• Conformance to the standard may improve trust relationships with other financial organisations.
• Conformance enables the organisation to meet regulatory, audit and legal expectations.

Related Risks of Noncompliance—What Could Happen
There is no direct risk from not complying unless the organisation has an inherent need to comply with this standard.

Target Audience
The guidance is intended for use by financial institutions of all sizes and types and by providers of service to financial institutions. However, although it is aimed toward the financial services sector, it is generally applicable to all organisations.

Timeliness
The first edition of ISO/TR 13569:1997 was issued in 1996 and then reissued in 1998. It has not been updated since. Most of its content is still valid and relevant but it should be noted that, due to technology changes, parts of the document are either stale or outdated; for instance, networking of trusted third parties (TTPs) was a new concept at the time of issue in 1996, and there is no mention of Internet banking. A new version of the standard is currently under development with no date given for expected completion.

Certification Opportunities
There is no certification associated with the guidance.

Completeness
The majority of the guidance is concerned with documenting control objectives and controls for the financial services sector and in this it covers a broad range of areas, many of which are specific to financial services (e.g., automated teller machines). Its age means that the controls are light for many technical areas. However, most of the controls remain appropriate as a source of commonly accepted security practices. The section on information security programme components is detailed enough for management briefing purposes and it provides a good set of baseline controls over a wide range of topics although some controls contain insufficient detail due to technology changes.

Availability
The documents can be acquired from the ISO web site, www.iso.org, at a cost of Swiss CHF 184.00.

Recognition/Reputation
Results of the global CISM survey that was conducted by ISACA in 2004 (described in this document’s Introduction) indicate that the document is less known than some of the others reviewed for this research. However, the ISO standard still scored a reasonable 60 percent recognition level amongst surveyed CISMs (only 50 percent in Asia). However, the majority (59 percent) of those CISMs familiar with the guidance believe it has only limited acceptance as a standard, but that could be due to its emphasis on financial institutions.

Usage
The IT guideline is being put to practical use (i.e., implemented, used as best practice or used for assessment) by less than 15 percent of CISMs (only 2.5 percent in Central/South America). Over half of CISMs familiar with the guidance found it effective in use (rising to almost 90 percent in Oceania). Whilst more than half also found it comprehensive, this figure fell to only 36 percent in Oceania.

CISM Domain Alignment
Information Security Governance, 2
ISO/TR 13569:1997 provides good descriptions of the components for establishing and maintaining information security. However, it does not provide guidance on how to undertake the various tasks required.

Risk Management, 3
The guidance provides a simple risk assessment methodology that could easily be used and adapted by anyone. It may not provide the level of detail required for evaluating very high-risk systems and it does not address all the aspects of risk management.

Information Security Programme Management, 2
It does not provide guidance on security programme planning or project management.

Information Security Management, 3
Overall, the guidance addresses many of the tasks in this domain implicitly through the controls practices, but there is limited guidance on establishing and carrying out the tasks.

Response Management, 1
Response management is referenced in the guideline, but only limited guidance is provided.

Overall, 2
ISO/TR 13569:1997 is a valuable reference source of control practices, particularly for financial organisations, but since it was last published in early 1998, it is dated.

Description and Guidance on Use
The ISO/TR 13569:1997 guidance is a 97-page document that briefly describes the components of an information security programme and provides a range of control objectives and suggested solutions. The guidance is split into nine sections and a number of annexes. The first sections deal with introductions, references, executive summary, etc. Section 6 of the guideline describes the components of an information security programme:
• General duties—Responsibilities for a range of roles within the organisation, including directors, managers, employees, legal and security
• Risk acceptance—Process for accepting risks that fall outside the organisation’s policies, standards and directives
• Insurance—Liaising with others to ensure that insurance conditions are understood and can be dealt with, and insurance premiums are kept to a minimum
• Audit—Describes the activities of audit in the area of information security
• Regulatory compliance—Liaising with others to ensure that the information security requirements of regulations are understood and implemented
• Disaster recovery planning—Activities within a disaster recovery plan to recover information and information processing facilities
• Information security awareness—Ensuring that the awareness programme achieves a balance of control and accessibility
• External services providers—Including Internet service providers, red-teams (penetration testers) and electronic money token providers
• Cryptographic operations—Benefits and issues in selecting and using cryptographic controls
• Privacy—Areas that should be addressed through policies and procedures

Extract From 6.8.2 Red-Teams
The use of a red-team, usually a contractor, to test system security by attempting system penetration with the knowledge and consent of an appropriate official of the institution, is a method of deriving assurance for the security programme. Use of red-teams can help in finding specific points of weakness in an institution’s system. As computer systems become more and more complex, security will become increasingly harder to maintain.

Section 7 addresses control objectives and suggested solutions. In this part of the guideline, there are 20 main topic areas, many broken down into further topics, as follows:
• Information classification, including suggested labels and descriptions for criticality and sensitivity
• Logical access control, further broken into a number of topics
• Audit trails
• Change control (including emergency procedures)
• Computers
• Networks
• Software
• Human factors
• Voice, telephone and related equipment
• Facsimile and image
• Electronic mail
• Paper documents
• Microform and other media storage (disclosure, destruction, etc.)
• Financial transaction cards (physical security, PINs, fraud prevention, etc.)
• Automated teller machines (user identification, audit, abuse, maintenance, etc.)
• Electronic fund transfers
• Checks
• Electronic commerce
• Steganography
• Electronic money
Appendix A contains a number of sample forms including:
• Information security policy—A simple, one-page document that can be easily amended
• Employee awareness form—Which can be signed by the employee and his/her manager
• Sign-on warning screen—Alerting users that they must be authorised to use the system
• Risk acceptance form—Detailing all relevant facts about the risk, with spaces for signatures of the relevant management
• Telecommuting agreement—Describing the duties and obligations of the employee and company
Appendix E contains a simple risk assessment process that includes step-by-step instructions and guidance along with a number of useful tables.

Reference
www.iso.org


8. ISO/IEC 15408:1999 and Common Criteria

The international standard ISO/IEC 15408:1999 Security Techniques—Evaluation Criteria for IT Security is based on Common Criteria for Information Technology Security Evaluation 2.0 (referred to as Common Criteria or CC). The naming of those documents is synonymous, thus they are treated in one chapter.

Issuer
ISO/IEC 15408:1999 was published in 1999 by the ISO/IEC JTC1 working group in collaboration with the Common Criteria Project Sponsoring Organisation, which published Common Criteria. Members of this organisation are:
• Canada—Communications Security Establishment
• France—Service Central de la Sécurité des Systèmes d’Information
• Germany—Bundesamt für Sicherheit in der Informationstechnik
• Netherlands—Netherlands National Communications Security Agency
• United Kingdom—Communications-Electronics Security Group
• United States—National Institute of Standards and Technology and National Security Agency
From a historical point of view, the various standards/guidance issued by some of the member bodies were influenced by other standards/guidance, as shown in figure 6. Common Criteria succeeds Information Technology Security Evaluation Criteria (ITSEC), published by the European Commission in 1991.

Figure 6—Standards Influences (figure; nodes shown: US Orange Book TCSEC (1985), UK Confidence Levels (1989), ITSEC (1991), Canadian Criteria (1993), Federal Criteria Draft (1993), German Criteria, French Criteria, Common Criteria v1.0 (1996), Common Criteria v2.0 (1998), ISO/IEC 15408 (1999), Common Criteria v2.1 (1999), Common Criteria v2.2 (2004))

Information Security Harmonisation—Classification of Global Guidance

Document Taxonomy
ISO/IEC 15408:1999 is an international standard. Common Criteria is labelled as a multipart standard.

Circulation
Because it was developed by an international committee and published as an international standard, Common Criteria has gained worldwide recognition.

Goal of the Standard or Guidance Publication
Common Criteria was issued to define criteria as the basis for a common and comparable evaluation of IT security, focussing on the security of systems and products.

Information Security Drivers for Implementing the Guidance—Why
ISO/IEC 15408:1999 is especially suited for:
• Implementation of security products or systems that shall be certified
• Security that is imperative to the development of semifinished products (e.g., control systems)

Related Risks of Noncompliance—What Could Happen
There is no direct risk for not complying unless the organisation has an inherent need to comply with this standard.

Target Audience
CC describes three specific target audiences, with a fourth having some tangential targeting. They are:
• Consumers—The needs of consumers are considered throughout the evaluation process. The level of security provided by an evaluated product is comprehensible for consumers.
• Developers—Developers have a guideline to prepare the evaluation of their systems. On the other hand, CC helps in identifying security requirements. CC can be useful as a source of security functions that may be implemented into a system.
• Evaluators—Evaluators have clear and agreed criteria to assess the security of a system. Steps necessary for an evaluation are included, but the standard does not stipulate procedures to be followed.
• Others—CC may be seen as a useful source of information by others, such as security and assurance professionals.

Timeliness
ISO/IEC 15408:1999 was first published in 1999 and is now somewhat out of step with the latest Common Criteria version 2.2, published in 2004 (CC2.2). If the past serves as an indicator, it seems likely that CC2.2 (following some minor editorial changes) will be accepted as the new version of ISO/IEC 15408, perhaps by 2006.

Certification Opportunities
The purpose of the document is to provide common criteria for the certification of security products and systems.

Completeness
There is a detailed description of the criteria that must be fulfilled to obtain certification of security products and systems. It does not describe the full role and responsibilities of an information security manager for establishing, implementing and maintaining an enterprisewide information security programme. Whilst the document contains security controls, they are not in a format that would make them easy to find and use by the average organisation defining security controls for itself.

Availability
The international standard can be purchased from ISO at www.iso.org for Swiss CHF 142.00, 294.00 and 230.00 for parts 1, 2 and 3 respectively. Common Criteria is freely available for public use from www.nist.gov and www.commoncriteriaportal.org.

Recognition/Reputation
Referring to the global survey of CISMs conducted in 2004 (described in this document’s Introduction), two-thirds of surveyed CISMs are aware of the Common Criteria, slightly more in the Europe/Africa and Oceania regions. Well over half of all CISMs familiar with the CC felt it had only limited acceptance in the information security community. This is a rather surprisingly high figure considering its background; however, this may be a reflection of its more narrow focus primarily on security products and systems rather than a specific criticism of the standard.

Usage
CC is being used (mostly as best practice or for assessment) by approximately one-fifth of surveyed CISMs, except in Central/South America and Asia where usage is quite low (5 and 11 percent, respectively). It is considered by more than half of CISMs familiar with the standard to be comprehensive. At the same time, however, half the CISMs in Europe/Africa and Central/South America felt it had only limited effectiveness—again, most likely due to the focus on security products.

CISM Domain Alignment
Information Security Governance, 0
Information security governance is not addressed at all in the guidance.

Risk Management, 0
Risk management is not addressed at all in the guidance.

Information Security Programme Management, 2
CC provides detailed descriptions for identifying, designing and developing security requirements of security products and systems, but it is aimed at the security engineer rather than the information security manager.

Information Security Management, 0
Information security management is not addressed at all in this guidance.

Response Management, 0
Response management is not addressed at all in this guidance.

Overall, 2
This guidance would mostly be of use to a security engineer as the level of technical detail is much greater than that of normal interest to an information security manager with enterprisewide responsibilities. The exception may be in organisations developing security products.


Description and Guidance on Use
Common Criteria 2.2 is supplied in three parts.

Part 1—Introduction and General Model
Part 1 is a document of 64 pages and explains the general model, general concepts and the principles to be considered when evaluating IT security. It is primarily focussed on applicable IT security measures implemented in hardware, software and firmware. Identification of threats, risks and countermeasures is addressed conceptually, in particular as they pertain to the development of products. Guidance is also provided on activities that need to be addressed as part of the development process. This is done in a general manner without specific development methodologies being recommended or preferred.

Extract of Paragraph 129
The CC does not mandate a specific set of design representations. The CC requirement is that there should be sufficient design representations presented at a sufficient level of granularity to demonstrate where required:
a) that each refinement level is a complete instantiation of the higher levels (i.e., all target of evaluation (TOE) security functions, properties, and behaviour defined at the higher level of abstraction must be demonstrably present in the lower level);
b) that each refinement level is an accurate instantiation of the higher levels (i.e., there should be no TOE security functions, properties, and behaviour defined at the lower level of abstraction that are not required by the higher level).

Instructions for writing high-level specifications for products and systems are provided in two annexes. Annex A addresses security targets and annex B addresses protection profiles. A security target contains the IT security requirements of an identified TOE and specifies the functional and assurance security measures offered by that TOE to meet stated requirements. A protection profile defines an implementation-independent set of IT security requirements for a category of TOEs.

Extract From Paragraph 234 Rationale for the Security Target
c) The TOE summary specification rationale shall show that the TOE security functions and assurance measures are suitable to meet the TOE security requirements. The following shall be demonstrated:
– that the combination of specified TOE IT security functions works together so as to satisfy the TOE security functional requirements;
– that the strength of TOE function claims made are valid, or that assertions that such claims are unnecessary are valid;
– that the claim is justified that the stated assurance measures are compliant with the assurance requirements.

The statement of rationale shall be presented at a level of detail that matches the level of detail of the definition of the security functions.

Part 2—Security Functional Requirements
Part 2 is a document of 365 pages and contains functional components that are used for expressing the security requirements of TOEs in a standardised manner. It is structured into sets of functional components, families and classes. It is noted within the document that not all security functional requirements can be assumed to be included, but rather all of those that were known and agreed to be of value by the CC part 2 authors at the time of release. The security classes—the highest level in the catalogue structure—are:
• FAU—Security audit
• FCO—Communication
• FCS—Cryptographic support
• FDP—User data protection
• FIA—Identification and authentication
• FMT—Security management
• FPR—Privacy
• FPT—Protection of the TOE security function
• FRU—Resource utilisation
• FTA—TOE access
• FTP—Trusted path/channels

Extract of Paragraphs 319 and 320 of Security Attribute Expiration of the Security Management Class (FMT_SAE)
319 FMT_SAE.1 Time-limited authorisation provides the capability for an authorised user to specify an expiration time on specified security attributes. An example of such an attribute might be a user’s security clearance.
320 The following actions could be considered for the management functions in FMT Management:
a) managing the list of security attributes for which expiration is to be supported
b) the actions to be taken if the expiration time has passed

There are a number of annexes providing explanatory information for potential users of the functional components and classes, including a complete cross-reference table of the functional component dependencies.

Extract of Paragraph 1051 From Annex H Security Attribute Expiration (FMT_SAE)
1051 For FMT_SAE.1, the PP/ST author should provide the list of security attributes for which expiration is to be supported.
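The FMT_SAE extracts above describe a capability rather than an implementation: an authorised user sets an expiration time on a listed security attribute (here a clearance), and the TOE takes a defined action once that time has passed. The following Python is an added example written for this page, not code from the ISACA document or from the Common Criteria text. It assumes a constructed list of expirable attributes (`clearance`, `role`), a `security_admin` role as the "authorised user", a simple clearance ordering, and an injected clock so that expiry can be exercised deterministically; the revocation-plus-audit-record behaviour on expiry is one possible choice for the FMT_SAE.1.2 action, not the only one.

```python
"""Time-limited authorisation in the spirit of CC FMT_SAE.1 (added example).
Attribute names, the 'security_admin' role and the clearance ordering are
assumptions made for this illustration, not part of the standard."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

# Assumed FMT_SAE.1.1 assignment: the security attributes for which
# expiration is supported (a PP/ST author would list their own).
EXPIRABLE_ATTRIBUTES = {"clearance", "role"}

# Assumed ordering of clearance levels used by may_read().
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}


@dataclass
class Attr:
    value: str
    expires_at: Optional[datetime] = None  # None: no expiration time set


@dataclass
class Subject:
    name: str
    attrs: Dict[str, Attr] = field(default_factory=dict)


class SecurityAttributeStore:
    """Holds subjects' security attributes and enforces their expiry."""

    def __init__(self, clock: Callable[[], datetime]):
        self.clock = clock
        self.audit: List[str] = []  # management actions and expiries

    def new_subject(self, name: str, **attrs: str) -> Subject:
        return Subject(name, {k: Attr(v) for k, v in attrs.items()})

    def effective(self, subject: Subject) -> Dict[str, str]:
        """Return the attributes still in force. An attribute whose expiration
        time has passed is revoked and the revocation is logged: this is the
        'action to be taken if the expiration time has passed' (FMT_SAE.1.2)."""
        now = self.clock()
        live: Dict[str, str] = {}
        for name, attr in list(subject.attrs.items()):
            if attr.expires_at is not None and now >= attr.expires_at:
                del subject.attrs[name]
                self.audit.append(f"{subject.name}.{name} expired; revoked")
            else:
                live[name] = attr.value
        return live

    def is_authorised_admin(self, actor: Subject) -> bool:
        # The admin role is itself expirable, so an expired administrator
        # can no longer manage other subjects' attributes.
        return self.effective(actor).get("role") == "security_admin"

    def set_expiry(self, actor: Subject, target: Subject,
                   attr: str, ttl: timedelta) -> datetime:
        """FMT_SAE.1.1: only an authorised user may specify an expiration
        time, and only on attributes in the supported list."""
        if not self.is_authorised_admin(actor):
            raise PermissionError(f"{actor.name} may not set expiration times")
        if attr not in EXPIRABLE_ATTRIBUTES:
            raise ValueError(f"expiration is not supported for {attr!r}")
        if attr not in target.attrs:
            raise KeyError(f"{target.name} has no attribute {attr!r}")
        expires_at = self.clock() + ttl
        target.attrs[attr].expires_at = expires_at
        self.audit.append(
            f"{actor.name} set {target.name}.{attr} to expire at "
            f"{expires_at.isoformat()}")
        return expires_at

    def may_read(self, subject: Subject, classification: str) -> bool:
        """Access decision that consults only non-expired attributes."""
        clearance = self.effective(subject).get("clearance", "unclassified")
        return LEVELS[clearance] >= LEVELS[classification]


def demo() -> Dict[str, object]:
    """Grant a 30-day clearance and show access before and after expiry."""
    now = [datetime(2005, 1, 1, tzinfo=timezone.utc)]  # constructed clock
    store = SecurityAttributeStore(clock=lambda: now[0])
    admin = store.new_subject("admin", role="security_admin")
    alice = store.new_subject("alice", clearance="secret")
    store.set_expiry(admin, alice, "clearance", timedelta(days=30))
    before = store.may_read(alice, "secret")
    now[0] += timedelta(days=31)
    after = store.may_read(alice, "secret")
    # An ordinary user holds no management authority over expiry.
    try:
        store.set_expiry(alice, admin, "role", timedelta(days=1))
        refused = False
    except PermissionError:
        refused = True
    return {"before": before, "after": after, "refused": refused,
            "audit": list(store.audit)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` grants alice a clearance that lapses after 30 days: the read succeeds on day 0, fails on day 31, the lapse appears in the audit trail, and alice (with no live admin role) is refused when she tries to manage expiry herself. Keeping the expiry check inside every access decision, rather than relying on a periodic clean-up job, is what makes the expiration time actually bound the authorisation.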

Part 3—Security Assurance Requirements
A set of assurance components is included in part 3 (171 pages), enabling a standardised approach for defining assurance requirements for IT products and services. The structure of the catalogue is similar to the one in part 2 in that it is subdivided into components, families and classes. Evaluation criteria for protection profiles (PPs) and security targets (STs) are also included in part 3. The evaluation of PP and ST is to be performed before evaluating the TOE. The evaluation criteria tasks for PPs are:
• APE_DES—TOE description
• APE_ENV—Security environment
• APE_INT—PP introduction
• APE_OBJ—Security objectives
• APE_REQ—IT security requirements
• APE_SRE—Explicitly stated IT security requirements (applicable only for an extended evaluation)
The ST evaluation tasks are:
• ASE_DES—TOE description
• ASE_ENV—Security environment
• ASE_INT—ST introduction
• ASE_OBJ—Security objectives
• ASE_PPC—PP claims
• ASE_REQ—IT security requirements
• ASE_SRE—Explicitly stated IT security requirements (applicable only when evaluating extended requirements)
• ASE_TSS—TOE summary specification
Detailed requirements for each assurance component, grouped by class and family, are provided. The seven assurance classes with their respective families are:
• ACM—Configuration management
– ACM_AUT—Automation
– ACM_CAP—Capabilities
– ACM_SCP—Scope
• ADO—Delivery and operation
– ADO_DEL—Delivery
– ADO_IGS—Installation, generation and start-up
• ADV—Development
– ADV_FSP—Functional specification
– ADV_HLD—High-level design
– ADV_IMP—Implementation representation
– ADV_INT—TSF internals
– ADV_LLD—Low-level design
– ADV_RCR—Representation correspondence
– ADV_SPM—Security policy modelling

• AGD—Guidance documents
– AGD_ADM—Administrator guidance
– AGD_USR—User guidance
• ALC—Life cycle support
– ALC_DVS—Development security
– ALC_FLR—Flaw remediation
– ALC_LCD—Life cycle definition
– ALC_TAT—Tools and techniques
• ATE—Tests
– ATE_COV—Coverage
– ATE_DPT—Depth
– ATE_FUN—Functional tests
– ATE_IND—Independent testing
• AVA—Vulnerability assessment
– AVA_CCA—Covert channel analysis
– AVA_MSU—Misuse
– AVA_SOF—Strength of TOE security functions
– AVA_VLA—Vulnerability analysis

Extract from AGD_ADM.1 Administrator Guidance
AGD_ADM.1.1C The administrator guidance shall describe the administrative functions and interfaces available to the administrator of the TOE.
AGD_ADM.1.2C The administrator guidance shall describe how to administer the TOE in a secure manner.
AGD_ADM.1.3C The administrator guidance shall contain warnings about functions and privileges that should be controlled in a secure processing environment.
AGD_ADM.1.4C The administrator guidance shall describe all assumptions regarding user behaviour that are relevant to secure operation of the TOE.

Seven evaluation assurance levels (EALs) are presented, representing packages of assurance components. These EALs allow the IT security rating of products and services. For each EAL a description of its objectives and minimal assurance components is provided. The EALs identified within Common Criteria are as follows:
• EAL1—Functionally tested
• EAL2—Structurally tested
• EAL3—Methodically tested and checked
• EAL4—Methodically designed, tested and reviewed
• EAL5—Semiformally designed and tested
• EAL6—Semiformally verified design and tested
• EAL7—Formally verified design and tested

References
www.commoncriteriaportal.org
www.iec.org
www.iso.org
www.nist.gov


9. ISO/IEC 17799:2000 Information Technology—Code of Practice for Information Security Management

Issuer
ISO/IEC 17799 Information Technology—Code of Practice for Information Security Management was published by the International Organisation for Standardisation and International Electrotechnical Commission, and is based on British Standard BS 7799-1:1999. The technical committee identified as ISO/IEC JTC1/SC27 WG1 is responsible for its maintenance.

Document Taxonomy
ISO/IEC 17799:2000 is a collection of information security practices.

Circulation
ISO/IEC 17799:2000 is available and used internationally. It has been published in several languages including Chinese, Czech, Danish, Dutch, Finnish, French, German, Icelandic, Japanese, Korean, Norwegian, Portuguese and Swedish.

Goal of the Standard or Guidance Publication
ISO/IEC 17799:2000 provides information to parties responsible for implementing information security within an organisation. It can be seen as a basis for developing security standards and management practices within an organisation to improve reliability on information security in interorganisational relationships.

Information Security Drivers for Implementing the Guidance—Why
ISO/IEC 17799:2000 offers internationally recognised security practices that enable an organisation to meet audit, regulatory and legal expectations. Compliance can help promote an organisation as trusted and can be used as part of the basis for certification to BS 7799-2:2002.

Related Risks of Noncompliance—What Could Happen
There is no direct risk from not complying unless the organisation has an inherent need to comply with this standard.

Target Audience
During the drafting of ISO/IEC 17799:2000 it was assumed that the execution of its provisions would be entrusted to appropriately qualified and experienced people. As all of the contents are considered guidance as opposed to mandatory requirements, it is assumed that the individual implementing ISO/IEC 17799:2000 will have the experience needed to evaluate and apply controls as they relate to the specific risks and needs of their organisation.

Timeliness
ISO/IEC 17799:2000 is a first edition, currently being reviewed as part of the normal three-to-five-year ISO revision process. A new version has already been developed and is expected for publication within 2005. Whilst the majority of its contents remain valid, changes in IT inevitably have meant that some of the guidance may be dated or incomplete.

Certification Opportunities
There is no certification available for ISO/IEC 17799:2000. However, it can be used as guidance for those wishing to achieve certification to BS 7799-2:2002.

Completeness
ISO/IEC 17799:2000 is designed to be comprehensive to a level that meets the needs of the majority of organisations, from small to large, and across industry sectors. As a set of control objectives and security practices it has good coverage although it does not deal with technology changes that have taken place over the last four or five years. Security management concepts are only briefly addressed.

Availability
ISO/IEC 17799:2000 can be purchased from ISO at www.iso.org for Swiss CHF 172.00, as well as from many national standards bodies.

Recognition/Reputation
Findings from the global CISM survey that was conducted by ISACA in 2004 (described in this document’s Introduction) indicate that ISO/IEC 17799:2000 has made a significant impact on the information security community, and was recognised by more than 97 percent of the surveyed CISMs. Acceptance levels of the standard are also very high: more than 85 percent of the surveyed CISMs (falling to 65 percent in North America) believed it to be an acceptable standard, whilst most of the remaining CISMs thought it has at least limited acceptance.

Usage
As the survey indicated, active usage (i.e., implemented, used as best practice or used for assessment) of the standard is very high at greater than 58 percent, with a large majority of surveyed CISMs (in excess of 80 percent) finding it comprehensive.

CISM Domain Alignment
Information Security Governance, 1
Some aspects of information security governance are referenced in the introduction. No further detail is present.

Risk Management, 1
Some references are made to risk management in the introduction. No further detail is present.

Information Security Programme Management, 2
ISO/IEC 17799:2000 addresses implicitly through its guidance many of the activities undertaken in information security management. It does not provide any guidance on how to establish or carry out these activities. No guidance is provided on security planning or project management.

Information Security Management, 3
It provides a very good set of general security controls, although it does not address some of the latest technology areas.

Response Management, 2
The guidance provides a good list of important control practices for business continuity, but it does not fully address all areas of this domain nor provide guidance on how to establish and manage a response management function.

Overall, 2
This is a good source of controls and control practices designed to be used by an experienced information security practitioner. However, those with less experience may find it difficult to decide which control practices are necessary.

Description and Guidance on Use
ISO/IEC 17799:2000 (94 pages) describes guiding principles as the initial point when implementing information security. They rely on either legal requirements or generally accepted best practices. Measures based on legal requirements are (amongst others):
• Protection and nondisclosure of personal data
• Protection of internal information
• Protection of intellectual property rights
Best practices mentioned are:
• Information security policy
• Assignment of responsibility for information security
• Problem escalation
• Business continuity management
When implementing a system for information security management, several critical success factors should be considered:
• The security policy, its objectives and its activities reflect the business objectives.
• The implementation considers cultural aspects of the organisation.
• Open support and engagement of senior management are required.
• Thorough knowledge of security requirements, risk assessment and risk management is required.
• Security targets are marketed effectively to all personnel, including members of management.
• The security policy and security measures are communicated to contracted third parties.
• Security meets the requirements of agreements and contracts.
• Users are trained in an adequate manner.
• A comprehensive and balanced system for performance measurement, which supports continuous improvement by giving feedback, is available.
After the introductory information (scope, terms and definitions), guidance is presented for initiating, implementing and maintaining information security. This guidance is structured into 10 sections, which contain 36 objectives and 127 controls. Suggestions are provided on how each control can be met.

Information security should at least consider the following parts:
• Security policy
– An information security policy should define the direction and contain the commitment and the support of management.
– The policy should be communicated throughout the organisation.
• Organisational security
– The definition of adequate organisation structures for the management of information security within the organisation should include:
An information security management forum
A forum for co-ordination
Assignment of responsibility for information security to individuals
Definition of responsibility areas for managers
Definition of an authorisation process for IT facilities
Definition of responsibility for investigation of security-relevant know-how
Defined range for co-operation with third parties as well as independent security reviews
– Comprehensive measures should exist for management of third-party services (definition of risks and security requirements).
– Risks caused by outsourcing contracts should be managed.
• Asset classification and control
– The inventory of assets and the assignment of responsibility should be seen as a prerequisite to sound accountability for assets.
– Information should be classified following a generally accepted system, thus ensuring an appropriate level of protection.
• Personnel security
– Security responsibilities, confidentiality agreements and the contract of employment should be part of the job responsibility.
– Adequate controls for personnel screening should be in place.
– Information security education and training should increase users’ security awareness.
– The process of reporting security incidents, weaknesses and software malfunctions should be defined. This should include the assessment of the adequacy of the controls implemented by a permanent process of learning from incidents.
• Physical and environmental security
– Central equipment should be installed only within a secure area, where adequate access controls and damage prevention are implemented. These areas include offices, rooms and facilities. There is also a need for special attention to delivery and loading areas.
– Equipment should be protected against loss, damage or compromise by being sited and protected in an appropriate manner. Power supplies, an adequate level of cabling security and correct maintenance of the equipment should be in place.
– Equipment installed off-premises and disposal or reuse of information should be considered.

– General controls (such as a clear desk and clear screen policy) to protect information processing facilities or to prevent damage caused by unauthorised offsite usage of equipment should be in place.
• Communications and operations management
– Operations should follow documented procedures.
– All changes to equipment should be documented.
– Procedures for sound incident management should be defined.
– Duties should be segregated, ensuring that no individual can both initiate and authorise an event.
– Development and operational facilities should be separated.
– Risks caused by contracted external facilities organisations should be covered.
– Capacity demands should be observed and future demands should be projected.
– Acceptance criteria for new systems should be defined.
– Damage caused by malicious software should be prevented, using preventive and detective controls.
– Information should be backed up and the backup files tested regularly.
– Activities performed by operational staff and errors should be logged.
– Networks should be set up and managed with a view to ensuring the necessary level of security.
– Removable media should be handled with special care.
– Media with sensitive information should be disposed of in a secure manner.
– Adequate controls in information handling procedures (e.g., labelling of media, storage of media) should be considered.
– System documentation should be protected, as it may contain sensitive information.
– Agreements for the exchange of information and software should be established, including media in transit, electronic commerce transactions, electronic mail, electronic office systems, publicly available systems and other forms of information interchange.
• Access control
– Access to information should be granted in accordance with business and security requirements.
– A formal access control policy should be in place.
– Access control rules should be specified.
– User access management (registration, privilege management, password management, review of user access rights) should follow a formal process.
– Responsibilities of users should be clearly defined.
– Networked services, operating systems and applications should be protected appropriately, following defined requirements.
– System access and use should be monitored constantly.
– Mobile computing and teleworking should be performed in a secure manner.
• Systems development and maintenance
– Security issues should be considered when implementing systems.

– Security in application systems should take into account the validation of input data, adequate controls of internal processing, message authentication and output data validation.
– Use of cryptographic systems should follow a defined policy.
– Access to system files (including test data and source libraries) should be controlled.
– Project and support environments should allow for security by being rigorously controlled (e.g., change management procedures, arrangements for outsourced development).
• Business continuity management
– A comprehensive business continuity management process should permit prevention of interruptions to business processes.
– The business continuity management process should not be restricted to IT-related areas and activities.
– An impact analysis should be executed that results in a strategy plan.
– Business continuity plans should be developed following a single framework.
– Business continuity plans should be tested, maintained and reassessed continuously.
• Compliance
– Any unlawful act (e.g., a breach of data protection acts) should be avoided.
– Compliance with the security policy should be ensured by periodic reviews.

Extract From 3.1.2 Security Policy Review and Evaluation
The policy should have an owner who is responsible for its maintenance and review according to a defined review process. The process should ensure that a review takes place in response to any changes affecting the basis of the original risk assessment, e.g., significant security incidents, new vulnerabilities or changes to the organisational or technical infrastructure. There should also be scheduled, periodic reviews of the following:
a) The policy’s effectiveness, demonstrated by the nature, number and impact of recorded security incidents
b) Cost and impact of controls on business efficiency
c) Effects of changes to technology

References
www.iso.org
www.iec.org
www.bsi-global.co.uk


10. Security Management

Issuer
IT Infrastructure Library (ITIL) is a collection of best practices and guidelines for IT service management and comprises a series of books on the quality provision of IT-related services. They are published and copyrighted by the UK’s Office of Government Commerce (OGC).

Document Taxonomy
ITIL Security Management, published in 1999, is a methodology describing how IT security management processes link into other IT infrastructure management processes (e.g., service level management and business continuity planning).

Circulation
Although developed by the UK government, ITIL is used internationally.

Goal of the Standard or Guidance Publication
ITIL was designed to provide a foundation for the management of the IT infrastructure. Security Management is included as comprising one of many activities that must be addressed by IT management.

Information Security Drivers for Implementing the Guidance—Why
As an important part of the ITIL library, ITIL Security Management should be included by organisations implementing ITIL. It formalises the relationships between IT security management processes and other IT management processes and can be used as part of the process for conformance with BS 15000 Specification for IT Service Management, which is based on ITIL.

Related Risks of Noncompliance—What Could Happen
Organisations implementing ITIL but not including ITIL Security Management may find critical processes fragmented or incomplete.

Target Audience
The stated audience of Security Management is “anyone responsible for critical IT processes as well as business managers who may find it helpful in defining their requirements for security”.

Timeliness
ITIL Security Management has not been updated since 1999. There are some plans that call for ITIL to begin a scoping process for change in 2005. No further details were available at the time of publication.

Certification Opportunities
There is no certification for ITIL Security Management, but it is suggested that by following its guidance (along with that provided in the other ITIL IT services publications), an organisation would be well placed to obtain certification to BS 15000 Specification for IT Service Management. No mention is made by ITIL of BS 7799-2:2002, which was published much later than ITIL Security Management.

Completeness
Within the scope of ITIL Security Management, security management processes are well covered and are suitable for any type of organisation with a large or complex IT infrastructure. The document includes a number of control practices but not to great depth, instead referring the reader to ISO/IEC 17799:2000 (see footnote 6) for more detailed information. However, ITIL does not extend outside the management of the IT infrastructure, meaning this is not an ideal publication for establishing an enterprisewide security function.

6 ITIL actually uses the term “BS 7799” and refers to the 1995 and draft 1999 versions of the Code of Practice that eventually evolved into BS 7799-1:1999 and then ISO/IEC 17799:2000.

Availability
ITIL Security Management can be purchased from The Stationery Office (TSO) in the UK (online at www.tso.co.uk). The cost is GB Sterling £44.95.

Recognition/Reputation
Based on the ISACA global survey of CISMs (described in this document’s Introduction), ITIL has wide international recognition (around 85 percent of the surveyed CISMs) although slightly less so in North America (68 percent). More than half of all CISMs felt the standard has only limited acceptance, although 35 percent felt it has wide acceptance.

Usage
The CISM survey results showed that ITIL is actively used (i.e., implemented, used as best practice or used for assessment) by 40 percent in the Oceania and Europe/Africa regions. Usage is also strong (more than 23 percent) in other regions. More than half of those familiar with ITIL felt it is either “somewhat comprehensive” or “comprehensive”. It is considered by most to be effective in use (except for Oceania, with half feeling it has only limited effectiveness).

CISM Domain Alignment
Information Security Governance, 1
There are several references to the activities within this domain, but they are not addressed in any great detail and are focussed on security management only as it relates to the operation of the IT infrastructure.

Risk Management, 0
Risk management is rarely addressed within this document.

Information Security Programme Management, 2
The guidance provides a good model for planning and establishment of information security services within the IT infrastructure. It does not cover all areas of an information security programme and provides controls at only a high level.

Information Security Management, 2
Security Management provides a good model for the delivery and monitoring of information security services within the IT infrastructure. It does not cover all areas of an information security programme.

Response Management, 1
References are made to security incident registration and problem management, but not to any great level.

Overall, 2
This is most likely to be of interest to an information security manager if the organisation is implementing ITIL or plans to apply for BS 15000 certification. Its main audience is likely to be IT managers.

Description and Guidance on Use
Security Management is a document of 94 pages devoted to processes of integrating IT security management into the overall IT services management framework. It is designed to be used somewhat like a workbook to be of practical assistance. Chapter 1 provides a brief introduction to the document, and chapter 2 describes the basics of security management. The third chapter describes the links to other ITIL processes. Chapter 4 covers measures and chapter 5 provides guidelines for implementing the security management function. There are also five useful annexes.

Chapter 2—Fundamentals of Information Security
Information security is explained from a business perspective and that of the IT infrastructure management. The majority of the emphasis is placed on the IT security management process as that is within the scope of ITIL, but acknowledgement is made of the wider role for security. In simple terms, a customer defines requirements for security and these are reflected in a service level agreement (SLA). A control process is then used to manage four major activity areas:
• Plan (includes policy statement, contracts, etc.)
• Implement (includes awareness, classification, control of access rights, etc.)
• Evaluate (includes internal and external audits)
• Maintain (includes learning and improvement)
Reporting is then used to link back to the customer, confirming that security arrangements within SLAs have been met.

Chapter 3—ITIL and Security Management
ITIL is concerned with best practice and exploitation of the IT infrastructure and with managing an existing working environment. However, ITIL is not specifically concerned with system development, nor with the strategic and tactical processes for developing the IT architecture and infrastructure, so these areas, which are also of concern to the security manager, are not addressed. This chapter puts security management into context with other ITIL processes. ITIL defines its processes under “sets”, and the relationship with security management is described in each case in varying detail. There are three sets:
• Manager’s set—The strategic layer that is important with regard to the organisation of the information security activities of the IT service provider
• Service delivery set—Represents the tactical processes where SLAs are drawn up and service provided. Other processes that link with security management are:
  – Service level management
  – Availability management
  – Performance and capacity management (including workload, resource and demand management)
  – Business continuity planning
  – Financial management and costing
• Service support set—The operational layer that provides beneficial processes for service delivery and includes links to:
  – Configuration and asset management
  – Incident control/help desk
  – Problem management
  – Change management
  – Release management

Extract from 3.4.1 Change Management and Security Management
Security proposals also form part of the RFC (request for change). The starting point here is again the agreements contained in the SLA, as well as the security baseline chosen by the IT service provider. Security proposals therefore consist of a collection of security measures that are often combined in a procedure laid down in documentation. The general security profiles are often used, which specify which security measures have to be implemented for which types of products. For example, the following have to be specified for each operating system: identification and authentication, authorisation, access control, audit/logging, and management (including user management and the management of rights).

Chapter 4—Security Management Measures
This chapter provides a general overview of the security measures (controls rather than metrics) that are implemented through the security management process. They have been based on, but do not approach the depth or detail of, the guidelines provided in ISO/IEC 17799:2000. Included are:
• Organisation of information security
• Asset classification and control
• Personnel security
• Communication and operations management
• Access control
Control measures are also defined for the auditing and evaluation of security in IT systems. Annex A provides a cross-reference table giving an easy reference to the areas covered and not covered by ITIL.

Chapter 5—Guidelines for Implementing Security Management
Five areas are covered in this chapter:
• Awareness—The types of activities that can be taken to improve awareness across the organisation
• Organisation of security management—The choices available in how to organise security and the characteristics that one may look for in a security manager
• Documentation—The types of documentation that should be produced and their corporate placement
• Security management for small and medium enterprises—A brief description of minimum security requirements (based on the original 10 key controls contained within ISO/IEC 17799:2000)
• Pitfalls and success factors—A few ideas on what not to do

Extract of Some of the Possible Reports a Security Manager May Provide into the Service Level Management Process
• Reports on the Plan activity:
  – Reports on conformance to the SLA, including the agreed-upon KPIs for security
  – Reports on underpinning contracts and any disconformities in their fulfilment
  – Reports on operational level agreements and policy statements
• Regular reports on the Implementation activity:
  – Status of information (such as) implemented measures, education and reviews, including self-assessments and risk analyses
  – Overview of security incidents and the reaction to these incidents, compared to a previous time frame
  – Status of awareness programmes
  – Trends in incidents per system, per process, per department, etc.
  – Maintenance and reporting

Annexes
• Annex A provides a cross-reference table showing the relationship between ITIL and ISO/IEC 17799:2000. Annex A recommends the use of ISO/IEC 17799:2000 when implementing Security Management.
• Annex B provides a specimen security section in the SLA.
• Annex C describes a framework that can be used in drawing up a security plan.
• Annex D is a reference showing the various documents that were referred to in drawing up Security Management, potentially useful web sites and a list of other ITIL books.

Reference
www.tsoonline.co.uk


11. NIST 800-12 An Introduction to Computer Security—The NIST Handbook

Issuer
The Computer Security Resource Centre (CSRC) of the National Institute of Standards and Technology (NIST), a department of the US Department of Commerce, published the document. NIST is also the US representative in Common Criteria guidance.

Document Taxonomy
NIST 800-12 An Introduction to Computer Security—The NIST Handbook describes the common requirements for managing and implementing a computer security programme and gives some guidance on the types of controls that are required. It is part of NIST’s 800 series (computer security) and was published in October 1995. It is the first in a NIST series of three and is followed by:
• NIST 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems (September 1996)
• NIST 800-18 Guide for Developing Security Plans for Information Technology Systems (December 1998)

Goal of the Standard or Guidance Publication
The guidance is designed to provide a broad overview of computer security and assistance to the reader in developing and implementing a computer security programme. It does not intend to provide detailed guidance on implementation of the computer security programme nor to specify control requirements in detail. Rather, it focusses on the benefits that good security promotes.

Circulation
The guidance is published by a US government department, thus it is more commonly used by US organisations. However, the NIST series of security publications is internationally known by the information security industry.

Information Security Drivers for Implementing the Guidance—Why
Compliance with NIST 800-12 is often driven by a need to comply with principles and criteria for US government organisations.

Related Risks of Noncompliance—What Could Happen
There is no direct risk from not complying unless the organisation has an inherent need to comply with this guidance.

Target Audience
The guidance states that it is aimed at those with responsibilities for computer security, particularly those in US government organisations. However, the majority of its contents could be applicable to any individual with information security responsibilities.

Timeliness
The guidance is somewhat dated on the controls side, having been produced in 1995. No updates have been published. However, its overall guidance on a computer security programme remains valid.

Completeness
Although it was designed primarily for US government agencies, it is also considered appropriate for organisations of any type or size. The controls are somewhat dated and are provided at a relatively high level compared with guidance available in other publications. Many of the references are US-specific, but this should not be a major problem for non-US readers. Despite this, it does a good job of meeting its stated objectives.

Availability
The guidance is posted for complimentary download electronically from the CSRC web site, www.csrc.nist.gov. Printed versions are not available.

Certification Opportunities
No certification is available for NIST 800-12.

Recognition/Reputation
Based on the results of the global CISM survey conducted in 2004 (described in this document’s Introduction), the guidance is well recognised by more than 60 percent of surveyed CISMs globally, particularly in North America (85 percent). Around half of the surveyed CISMs felt the guidance has only limited acceptance, although responses from North America were much more positive.

Usage
The guidance is actively used (i.e., implemented, used as best practice or used for assessment) by one-third of all North American CISMs and also by many in Central/South America. The application levels are quite low (less than 14 percent) in other areas. Despite this low usage outside the Americas, more than half of all CISMs familiar with the publication considered it to be comprehensive and effective.

CISM Domain Alignment
• Information Security Governance (4): NIST 800-12 provides sound guidance for the information security manager, covering most of the tasks in this domain even though the content is somewhat dated and focussed on US government requirements.
• Risk Management (3): The guidance provides good descriptions of risk management concepts, but it does not provide direction on how to carry out risk assessments.
• Information Security Programme Management (4): It provides good guidance on setting up and managing an information security programme, although aspects of project management are not addressed.
• Information Security Management (4): NIST 800-12 provides sound guidance for the information security manager, covering most of the tasks in this domain even though some of the documents are somewhat dated.
• Response Management (3): It provides good guidance on the components of contingency planning, but it does not go fully into response management nor cover forensics.

• Overall (4): NIST 800-12 is a good guideline that covers many aspects of information security management. It is focussed on the US government and may be somewhat cumbersome for small, commercial organisations, but overall it is a valuable source of guidance. It would benefit from being updated, as it was last published in 1995.

Description and Guidance on Use
The NIST Handbook is a document of 290 pages split into a number of sections, further divided into chapters. Section I provides an introduction to the handbook and also includes the foundations upon which the chapters on controls are based. The handbook’s general approach to computer security is based on eight major principles. The principles are based on those published by the Organisation for Economic Co-operation and Development in 1992, and imply the premise of being generally accepted and applied when developing or maintaining IT systems. The 1992 OECD principles are accountability, awareness, ethics, multidisciplinary, proportionality, integration, timeliness, reassessment and democracy. (The OECD published new principles in 2002.) Taking these into account, the handbook’s eight principles are:
• Computer security supports the mission of the organisation—Even though the protection of assets (information, hardware and software) is essential to achieve the goals of the organisation, security is frequently seen as inconsistent with the business objectives. Security is a means to an end, not an end in itself. Thus, management needs to understand the mission of the organisation and how this mission is supported by IT systems.
• Computer security is an integral element of sound management—Management must accept the fact that harm to assets can be caused even though security provisions are in place. Management has to commit to the level of risk it is willing to accept.
• Computer security should be cost-effective—The cost of securing systems has to be aligned with the security need. This requires that the costs and benefits of security be examined in monetary and nonmonetary terms. Direct and indirect costs should be considered when analysing the costs.
• Computer security responsibilities and accountability should be made explicit—Every organisation, regardless of size, should document the responsibilities and accountabilities of owners, providers and users. Those with specific responsibilities for IT security, e.g., programmers and software development managers, should also have these responsibilities documented.
• System owners have security responsibilities outside their own organisations—System owners have to inform external users of the security measures of their systems, and they are responsible for incident response in a timely and coordinated manner.

• Computer security requires a comprehensive and integrated approach—Computer security and areas outside computer security should be considered. The interdependence of security controls and other controls must be understood, and a mix of managerial, operational and technical controls applied to enable an adequate and stable level of security.
• Computer security should be periodically reassessed—The need for re-evaluation of security measures is obvious in the wake of permanent changes to organisations, resulting from dynamics in technology, business environments, threats or technologies.
• Computer security is constrained by societal factors—Security measures may come into conflict with other limitations, such as workplace privacy. Those conflicts must be solved.

Common threats to information are explained under nine headings, including fraud and theft, employee sabotage, malicious hackers, malicious code, errors and omissions, and espionage.

Another chapter within section I provides ideas on how roles and responsibilities for security may be allocated within an organisation. Examples are given for 18 typical roles, including senior management, audit, help desk, quality assurance, and system management and administration. These roles and responsibilities are nonprescriptive, and it is recognised within the handbook that they will vary depending on many factors, including size of organisation.

Sections II, III and IV address controls that have been divided into three areas: management, technical and operational. Section II contains management controls, and these are divided into a number of chapters, each addressing a specific area.

Computer Security Policy Chapter
This chapter breaks policy into three types:
• Programme policy is defined as that which is “used to create an organisation’s computer security programme”. Programme policy is assumed to be broad-based and relatively stable. Guidance is provided on defining programme purpose, scope, responsibilities and compliance.
• Issue-specific policy is related to consideration of areas that are new or more likely to need change. Examples given include, for instance, Internet and e-mail, and legal issues.
• System-specific policy relates to the detailed attention that must be given to an individual system, keeping in mind that different systems may need different levels of protection. A distinction is drawn between security objectives (explicitly defined requirements based on the confidentiality, integrity and availability needs) and operational security rules (documenting the who, what and when).

Computer Security Programme Management Chapter
This chapter provides suggestions on how the computer security programme should be structured, with an emphasis on the fact that organisations differ and there is no single solution that will work for everyone. Examples provided reflect common structures found in US federal organisations. Detailed guidance is also provided on the benefits of centralised computer security programmes vs. system-level computer security programmes, and on how the two approaches can be used and work together.

Computer Security Risk Management Chapter
This chapter goes into detail on explaining risk management by breaking it down into three main areas:
• Risk assessment is defined as “the process of analyzing and interpreting risk”. Within this activity area are determination of scope, methodology to be used, collection of data, and analysis and interpretation of results. Asset valuation and threat, vulnerability and safeguard assessment are defined.
• Risk mitigation covers the selection and implementation of additional safeguards (to the point where residual risk is acceptable) and the process of monitoring them for effectiveness.
• Uncertainty analysis is described as the need to understand how accurate and reliable the risk analysis has been (e.g., the accuracy of the valuation of assets) to enable management to use the analysis results effectively.

Security and Planning in the Computer System Life Cycle Chapter
Five basic phases are described for life cycle planning:
• Initiation is when the sensitivity of the system and of the information it will process are determined, to provide an early indication of the likely security safeguards and their costs.
• Development and acquisition is when security requirements are defined in more detail (including consideration of legal requirements, policies, standards and cost), incorporated into designs and either built or acquired.
• Implementation includes security testing and accreditation (the formal authorization by the accrediting management official for system operation and an explicit acceptance of risk).
• Operation and maintenance covers operations and administration of safeguards, assurance that they are being followed and working, and reanalysis of safeguards with reaccreditation as necessary.
• Disposal includes discarding information, hardware and software using appropriate methods.

Extract From 7.1.2 Collecting and Analyzing Data
Risk has many different components: assets, threats, vulnerabilities, safeguards, consequences, and likelihood. This examination normally includes gathering data about the threatened area and synthesizing and analyzing the information to make it useful. Because it is possible to collect much more information than can be analyzed, steps need to be taken to limit information gathering and analysis. This process is called screening. A risk management effort should focus on those areas that result in the greatest consequence to the organization (i.e., can cause the most harm). This can be done by ranking threats and assets. A risk management methodology does not necessarily need to analyze each of the components of risk separately. For example, assets/consequences or threats/likelihoods may be analyzed together.

Assurance Chapter
The handbook defines computer security assurance as “the degree of confidence one has that the security measures, both technical and operational, work as intended to protect the system and the information it processes”. This chapter examines both accreditation and assurance, describing objectives, methods and when assurance is required within the planning, design, implementation and operation of systems. Many tools and methods for obtaining assurance (e.g., penetration testing and automated tools) are described.

Section III on operational controls also contains a number of chapters describing control requirements for specific areas.

Personnel/User Issues Chapter
Staffing issues include consideration of the sensitivity of positions, segregation of duties, screening before employment and the requirements for training. User account management is also covered, with guidance provided on the creation/maintenance/deletion of user accounts, processes for tracking usage, review of authorisations, and dealing with staff transfers and departures.

Preparing for Contingencies and Disasters Chapter
This chapter describes the six main activities for contingency planning as:
• Identifying business critical functions
• Identifying required resources
• Anticipating disasters
• Selecting a strategy
• Implementing the strategy
• Testing/revising the plan

Resources addressed include human, computer-based, data, infrastructure and documentary. Suggestions are also provided on the types of backup sites that may be considered, depending on requirements. Some examples are provided of the different types of questions that may arise in planning, given different scenarios.

Computer Security Incident Handling Chapter
The chapter describes the benefits of having an incident handling capability and describes the common characteristics that are most likely to lead to success. Also included are guidelines on the types of technical, mechanical information security management system that will help ensure rapid communication and response in the event of an incident, although not in much detail.

Awareness, Training and Education Chapter
This chapter defines the three main purposes for security awareness, training and education as:
• Improving awareness of the need to protect system resources
• Developing skills and knowledge so computer users can perform their jobs more securely
• Building in-depth knowledge, as needed, to design, implement or operate security programmes for organisations and systems
It describes the different objectives, suggested teaching methods and impacts for awareness, education and training, and provides a seven-step approach to implementing a programme to address all three:
• Identify programme scope, goal and objectives.
• Identify training staff.
• Identify target audiences.
• Motivate management and employees.
• Administer the programme.
• Maintain the programme.
• Evaluate the programme.

Security Considerations in Computer Support and Operations Chapter
This chapter describes seven main areas that need addressing to run a computer system: user support, software support, configuration management, backups, media controls, documentation and maintenance. Media controls include those for marking, logging, integrity verification, physical safety, movement and disposal.

Physical and Environmental Security Chapter
This chapter considers the controls necessary to protect buildings and infrastructure. It addresses this in the context of three areas—the type of facility, the geographic location and the services supporting facilities (human and technical)—and recognises that variations mean that the likelihood of some threats will differ. Amongst the threats considered are physical damage to buildings, intruders (physical) and physical theft.

Section IV addresses technical controls, including ACLs, encryption and firewalls, and is, again, split into a number of chapters.

Identification and Authentication Chapter
This chapter describes the three means of authentication (what you know, what you have and what you are) and provides the different methods used for each, along with associated benefits, problems and suggestions on how they should be used. It also considers implementation and maintenance of the identification and authentication system.

Logical Access Control Chapter
This chapter addresses access criteria and control mechanisms. It includes consideration of roles, locations, time restrictions, service constraints and common types of access modes (e.g., read and execute). Amongst the internal controls described are passwords, encryption, security labels, port protection devices and host-based authentication. Administration of access control is also considered, along with comparisons made for centralised and decentralised administration functions.

Audit Trails Chapter
This chapter considers the benefits of audit trails under the four areas of accountability, event reconstruction, intrusion detection and problem analysis. Types of auditing are also discussed, with examples provided of system logs and application logs. There is also guidance on implementing and protecting audit logs, reviewing logs and the types of tools that can be used for log analysis.

Extract from 14.1 User Support
An important security consideration for user support personnel is being able to recognize which problems (brought to their attention by users) are security-related. For example, users’ inability to log onto a computer system may result from disabling their accounts due to too many failed access attempts. This could indicate the presence of hackers trying to guess users’ passwords. In general, system support and operations staff need to be able to identify security problems, respond appropriately, and inform appropriate individuals. A wide range of possible security problems exists. Some will be internal to custom applications, while others apply to off-the-shelf products. Additionally, problems can be software- or hardware-based.
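The lockout triage that the 14.1 extract asks of user support staff, written out as an added example (not part of the ISACA text or of the NIST handbook): it correlates a locked-out user's failures with the rest of the auth log to separate a forgotten password from guessing against one account and from one source failing against many accounts. The log format, thresholds, addresses and account names are all assumptions constructed for the example.

```python
"""Help-desk triage for account lockouts (NIST 800-12, 14.1 scenario).

Everything here is constructed for illustration: the log format, the lockout
policy (5 failures) and the sample lines are assumptions, not a real capture.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed auth log format: "<ISO time> <FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>FAIL|OK)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)
LOCKOUT_THRESHOLD = 5            # assumed policy: account disabled after 5 failures
WINDOW = timedelta(minutes=10)   # how far back we correlate related failures
SPRAY_MIN_ACCOUNTS = 3           # one source failing against this many accounts


@dataclass(frozen=True)
class Event:
    ts: datetime
    result: str
    user: str
    src: str


def parse_log(lines):
    """Parse auth log lines in time order; lines in another format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]),
                                m["result"], m["user"], m["src"]))
    return sorted(events, key=lambda e: e.ts)


def classify_lockout(user, events):
    """Explain a lockout reported by `user` from the surrounding log evidence."""
    fails = [e for e in events if e.result == "FAIL" and e.user == user]
    if not fails:
        return "no_failures_logged"
    latest = fails[-1].ts
    recent = [e for e in fails if latest - e.ts <= WINDOW]
    sources = {e.src for e in recent}

    # The same source(s) failing against this account plus two or more others
    # inside the window points at a campaign across accounts, not a user mistake.
    sprayed = {e.user for e in events
               if e.result == "FAIL" and e.src in sources
               and abs(latest - e.ts) <= WINDOW}
    if len(sprayed) >= SPRAY_MIN_ACCOUNTS:
        return "spraying_many_accounts"

    if len(recent) < LOCKOUT_THRESHOLD:
        return "below_lockout_threshold"   # policy would not have disabled the account

    # A source that earlier authenticated successfully as this user is most likely
    # the user's own workstation: repeated failures there read as a forgotten password.
    known = {e.src for e in events
             if e.result == "OK" and e.user == user and e.ts < recent[0].ts}
    if sources <= known:
        return "likely_user_error"
    return "guessing_single_account"


def triage(lines):
    """Classify every account that has at least one failure in the log."""
    events = parse_log(lines)
    users = sorted({e.user for e in events if e.result == "FAIL"})
    return {u: classify_lockout(u, events) for u in users}


# Constructed sample log: alice mistypes on her usual machine, bob's account is
# hammered from an unfamiliar address, one address tries four accounts once each,
# grace fails once and then logs in. The last line is deliberately malformed.
SAMPLE_LOG = """
2005-03-01T08:02:11 OK user=alice src=10.0.0.5
2005-03-01T09:15:01 FAIL user=alice src=10.0.0.5
2005-03-01T09:15:09 FAIL user=alice src=10.0.0.5
2005-03-01T09:15:20 FAIL user=alice src=10.0.0.5
2005-03-01T09:15:33 FAIL user=alice src=10.0.0.5
2005-03-01T09:15:47 FAIL user=alice src=10.0.0.5
2005-03-01T09:15:59 FAIL user=alice src=10.0.0.5
2005-03-01T09:20:00 FAIL user=bob src=203.0.113.9
2005-03-01T09:20:01 FAIL user=bob src=203.0.113.9
2005-03-01T09:20:02 FAIL user=bob src=203.0.113.9
2005-03-01T09:20:03 FAIL user=bob src=203.0.113.9
2005-03-01T09:20:04 FAIL user=bob src=203.0.113.9
2005-03-01T09:20:05 FAIL user=bob src=203.0.113.9
2005-03-01T09:31:00 FAIL user=carol src=203.0.113.77
2005-03-01T09:31:02 FAIL user=dave src=203.0.113.77
2005-03-01T09:31:04 FAIL user=erin src=203.0.113.77
2005-03-01T09:31:06 FAIL user=frank src=203.0.113.77
2005-03-01T09:40:00 FAIL user=grace src=10.0.0.12
2005-03-01T09:40:30 OK user=grace src=10.0.0.12
this line is malformed and is skipped by the parser
"""

if __name__ == "__main__":
    for user, verdict in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{user:8} {verdict}")
```

The verdicts tell the help desk which tickets are a password reset and which must be escalated to whoever owns incident response.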

Cryptography Chapter
This chapter explains the differences between secret and public key cryptography, and common applications for their use, including integrity checking and digital signatures. Guidance is also provided on selection and implementation issues such as hardware vs. software, key management and export controls.

Chapter 20 of the handbook provides a detailed example of how computer security may be addressed, using a hypothetical government agency. The example describes an environment, identifies threats, defines existing security measures and existing vulnerabilities, provides details and outcome of a risk assessment, and finishes with recommendations for mitigation.

References
www.csrc.nist.gov
www.nist.gov

12. NIST 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems

Issuer
The Computer Security Resource Centre of the National Institute of Standards and Technology, a department of the US Department of Commerce, published the document.

Document Taxonomy
NIST 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems is a collection of principles and practices to establish and maintain system security. It is part of NIST’s 800 series (computer security), and was published in 1996. It is labelled as a special publication and is one of a series of three produced by NIST. The other two are:
• NIST 800-12 An Introduction to Computer Security—The NIST Handbook (October 1995)
• NIST 800-18 Guide for Developing Security Plans for Information Technology Systems (December 1998)

Goal of the Standard or Guidance Publication
NIST 800-14 intends to provide a baseline for establishing or reviewing IT security programmes. It not only focusses on security practices, it also describes the intrinsic expectations of security provisions from a high viewpoint in the form of principles. It should help in gaining an understanding of the basic security requirements of IT systems.

Circulation
The NIST 800-14 guidance was published by a US government department, thus it is more commonly used by US organisations. However, the NIST series of security publications is internationally known by the information security industry.

Information Security Drivers for Implementing the Guidance—Why
Compliance with NIST 800-14 is often driven by the need to comply with the principles and criteria for US government organisations. When following the document, the security principles and practices are to be applied for governmental IT systems, particularly for systems of e-governance.

Related Risks of Noncompliance—What Could Happen
There is no direct risk from not complying unless the organisation has an inherent need to comply with this standard.

Target Audience
NIST 800-14 targets management, users, security practitioners, system developers and internal auditors. Thus, it explicitly addresses all parties responsible for IT security.

Timeliness
The document was published in September 1996, and no subsequent revision is available. However, the majority of its contents are high-level and still relevant.

Completeness
NIST 800-14 describes at a high level the issues that must be considered in selecting appropriate policy and controls for an organisation. It does not provide the level of detail an organisation would need in deciding on appropriate security controls and practices, instead providing more of a framework. It provides a good foundation for those new to information security management, albeit more IT-focussed than many modern approaches to the subject.

Availability
The guidance is posted for complimentary download electronically from the CSRC web site at www.csrc.nist.gov.

Certification Opportunities
Certification to these principles is not available.

Recognition/Reputation
The results produced by a global CISM survey conducted in 2004 (described in this document’s Introduction) showed that NIST 800-14 is highly recognised in North America (80 percent). However, it scored only slightly more than half (55 percent) in Europe/Africa and Asia. The guidance was also considered to have only limited or no acceptance by a huge majority (88 percent) of CISMs except, again, in North America, where acceptance levels are higher but still are not overwhelming.

Usage
The global CISM survey showed that NIST 800-14 is being actively used (i.e., implemented, used as best practice or used for assessment) by more than one-third of North American CISMs, but levels in Oceania, Europe/Africa and Asia show very low usage, at less than 15 percent. Despite this low usage, it is considered by more than half of all CISMs familiar with it to be comprehensive and effective.

CISM Domain Alignment
• Information Security Governance (2): NIST 800-14 contains a useful set of information security principles that can be used as a foundation for an information security policy and gives high-level descriptions of activities needed for an information security governance framework. However, it does not provide any guidance on how to establish or carry out these activities.
• Risk Management (1): The guidance describes a risk management framework, but not in sufficient detail to undertake risk assessments or make risk-based decisions.
• Information Security Programme Management (2): It provides guidance for creating a security plan to implement the governance framework and offers high-level controls.
• Information Security Management (2): NIST 800-14 addresses through its guidance many of the activities undertaken in information security management, but it does not fully address all areas of this domain nor provide guidance on how to establish or carry out the practices.
• Response Management (2): It provides a good list of important control practices for business continuity.

• Overall (2): NIST 800-14 is good as an introduction for those new to information security and/or for briefing and educating IT and business managers. It would be particularly useful for smaller organisations or those that have never addressed information security.

Description and Guidance on Use
NIST 800-14 (56 pages) describes eight principles and fourteen practices. The principles are based on those published by the Organisation for Economic Cooperation and Development in 1992, and imply the premise of being generally accepted and applied when developing or maintaining IT systems. The 1992 OECD principles provided by the guideline are accountability, awareness, ethics, multidisciplinary, proportionality, integration, timeliness, reassessment and democracy. (The OECD published new principles in 2002.) Similar to NIST 800-12, the eight principles are:
• Computer security supports the mission of the organisation.
• Computer security is an integral element of sound management.
• Computer security should be cost-effective.
• Computer security responsibilities and accountability should be made explicit.
• System owners have security responsibilities outside their own organisations.
• Computer security requires a comprehensive and integrated approach.
• Computer security should be periodically reassessed.
• Computer security is constrained by societal factors.

The 14 common practices in IT security are meant as a companion to the NIST Special Publication 800-12 An Introduction to Computer Security—The NIST Handbook, which was used as a reference during the development of the practices in NIST 800-14 and is recommended as further reading. NIST 800-14 describes itself as the “broad overview of computer security and an excellent primer,” with NIST 800-12 providing the “what” and “why to” and a template for deriving the practices. Most of the practices provided in the guideline are quite common, and the style is similar to the international standard ISO/IEC 17799:2000. Each of the principles applies to each of the practices, although their relationship varies. Each of the 14 practices is to a level that would allow a security manager to put together an information security programme framework, and these practices are also considered the minimum required for any organisation. The 14 practices are:
• Policy—Policy is further broken down into different types, described as programme, issue-specific and system-specific. Each type of policy has seven or eight recommended activities.

• Programme management—Programme management includes a central security programme that applies to the enterprise and system-level programmes.
• Risk management—This practice addresses risk assessment, risk mitigation and uncertainty analysis and also provides a number of common definitions and explanations.
• Life cycle planning—This practice is concerned with typical systems life cycle activities. Life cycle planning has six phases, described as security plan, initiation phase, development/acquisition phase, implementation phase, operation/maintenance phase and disposal phase.
• Personnel/user issues—These activities address staffing and user administration, including steps for dealing with terminations.
• Preparing for contingencies and disasters—Five main activities in this practice are business plan, identification of resources, scenario development, strategy development and test/revision of plan.
• Computer security incident handling—This is split into descriptions of how the incident response capability can be used and suggestions on its common characteristics.
• Awareness and training—The practice describes seven steps: identify programme scope, goal and objectives; identify training staff; identify target audiences; motivate management and employees; administer the programme; maintain the programme; and evaluate the programme.
• Security considerations in computer support and operations—This practice describes eight considerations, including user support, configuration management, media controls and standardised logon banner.
• Physical and environmental security—This practice includes consideration of physical access controls, fire, flood and interception of data.
• Identification and authentication—This includes practices for identification, authentication and password, with common aspects such as limited logon attempts being addressed.
• Logical access control—The practice addresses access criteria and control mechanisms, including ACLs, encryption and firewalls.
• Audit trails—This practice is split into four areas covering audit trail content, audit trail security, audit trail reviews and keystroke monitoring.
• Cryptography—This practice includes consideration of selection, design and key management.

Extract From 3.10 Physical and Environmental Security, Fire Safety Factors
Building fires are a particularly important security threat because of the potential for complete destruction of both hardware and data, the risk to human life, and the pervasiveness of the damage. Smoke, corrosive gases, and high humidity from a localized fire can damage systems throughout an entire building. Consequently, it is important to evaluate the fire safety of buildings that house systems.

References
www.nist.gov
www.csrc.nist.gov

13. NIST 800-18 Guide for Developing Security Plans for Information Technology Systems

Document Taxonomy
NIST 800-18 Guide for Developing Security Plans for Information Technology Systems is the third in a trilogy of NIST publications on IT security and provides a format and guidance for developing a system security plan. It is part of NIST’s 800 series (computer security) and was published in December 1998. The first two publications are:
• NIST 800-12 An Introduction to Computer Security—The NIST Handbook (October 1995)
• NIST 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems (September 1996)

Issuer
The Computer Security Resource Centre (CSRC) of the National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce, published the document.

Goal of the Standard or Guidance Publication
Following on from the previous two NIST publications describing the “why” and the “what” of computer security, this guide was created to provide a format and guidance for developing a system security plan (which is a requirement for US federal offices).

Information Security Drivers for Implementing the Guidance—Why
Implementation of NIST 800-18 is generally driven by the need to comply with the principles and criteria for US government organisations.

Circulation
The publication is from a US government department, so it is more commonly used by US organisations. However, the NIST series of security publications is internationally known by the information security industry.

Related Risks of Noncompliance—What Could Happen
There is no direct risk from not complying unless the organisation has an inherent need to comply with this standard.

Target Audience
The guideline is directed at those with little or no computer security expertise, but who are responsible for IT security at the system or organisational level. The guideline can also be used as an auditing tool. The concepts are intended to be generic and as such could be used by the private or public sector.

Timeliness
The guideline was published in 1998 but still remains valid and appropriate. No subsequent revision of the document is available.

Completeness
NIST 800-18 provides a comprehensive template and instruction for completing a security plan. It needs to be used in combination with other reference material and, by itself, does not describe all of the responsibilities and activities that are likely to be performed by an information security manager.

Certification Opportunities
There is no certification for this guideline.

Availability
The guidance is posted for complimentary download electronically from the CSRC web site, www.csrc.nist.gov.

Recognition/Reputation
The results of the global CISM survey (described in this document’s Introduction) indicate that the recognition of the guideline is very high in North America, at nearly 85 percent of CISMs, but it falls to a bit more than 50 percent in

Europe/Africa and Asia. At least half of CISMs in all regions feel it has at least limited or wide acceptance as a guideline. However, it is considered by more than half of those familiar with it to be both comprehensive and effective.

Usage
The CISM survey results indicate that the guideline is actively used (i.e., implemented, used as best practice or used for assessment) by one-third of North American CISMs, but usage is less than 17 percent elsewhere.

CISM Domain Alignment
Information Security Governance (rating 1): The guidance implicitly addresses some of the activities in this domain but only as part of the process of creating a security plan.
Risk Management (rating 1): The guide implicitly addresses some of the activities in this domain but only as part of the process of creating a security plan.
Information Security Programme Management (rating 3): It provides an excellent model for building an information security plan for a system. It does not address programme management or project management.
Information Security Management (rating 1): NIST 800-18 implicitly addresses some of the activities in this domain but only as part of the process of creating a security plan.
Response Management (rating 1): It implicitly addresses some of the activities in this domain but only as part of the process of creating a security plan.
Overall (rating 2): This publication was designed to provide guidance on developing a security plan for a system and it does so very well. It could be a valuable tool but should be used by an experienced information security practitioner alongside other tools and methodologies.

Description and Guidance on Use
The guideline is a document of 101 pages providing guidance on how a security plan should be devised. It describes the purpose of a security plan as “to provide an overview of the security requirements of the system and describes the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system”.

Within appendix C of the guideline are security plan templates, one for major applications and one for general support systems. Each is nine pages long and contains probing questions that may be asked to complete the template. The remaining chapters of the guideline provide further guidance on completing the plan, what to consider and what level of detail may be appropriate. Several examples are provided.

Plan Development Chapter
This chapter provides guidance on how to complete the first parts of the templates. The guideline describes the process of system analysis as the first step in creating a security plan. System analysis is concerned with understanding and defining a system in enough detail to know what type of security plan will be needed. Within this step, system boundaries are defined (e.g., whether the system includes PCs using the application even when they are not directly connected) and the system is categorised. The guideline has two categories: major application or general support system. Major application is used for systems performing functions that can be clearly defined, whilst general support systems are for less tangible systems, such as LANs and backbones.

Extract From 3.5 System Environment
Provide a brief (one-three paragraphs) general description of the technical system. Include any environmental or technical factors that raise special security concerns, such as:
• The system is connected to the Internet
• It is located in a harsh or overseas environment
• Software is rapidly implemented
• The software resides on an open network used by the general public or with overseas access
• The application is processed at a facility outside of the organization’s control
• The general support mainframe has dial-up lines

Management Controls
The guideline explains how to complete the management controls section of the template. This includes the results of a risk assessment, what types of security reviews the system has had (or are planned) and rules of behaviour for using the system. Reference is also made to the five-phase security life cycle (initiation, development/acquisition, implementation, operation/maintenance, disposal) and what aspects of the security plan can be considered and documented through each phase.

Extract From 4.3 Rules of Behavior Chapter
The rules of behavior should clearly delineate responsibilities and expected behavior of all individuals with access to the system. The rules should state the consequences of inconsistent behavior or noncompliance. The rules should be in writing and form the basis for security awareness and training.

Operational Controls
The guideline discusses operational controls for major applications separately from those for general support systems. Guidance is provided under the headings of:
• Major applications
– Personnel
– Physical and environment protection
– Input/output controls
– Contingency planning
– Application software maintenance controls
– Data integrity/validation control
– Documentation
– Security awareness and training
• General support systems
– Personnel
– Physical and environment protection
– Input/output controls
– Contingency planning
– Hardware and system software maintenance controls
– Integrity control
– Documentation
– Security awareness and training
– Incident response capability
In each case, issues to consider and guidance on decision-making factors are provided.

Extract From 5.MA.1 Personnel Security
• Have all positions been reviewed for sensitivity level? If all positions have not been reviewed, state the planned date for completion of position sensitivity analysis.

• A statement as to whether individuals have received the background screening appropriate for the position to which they are assigned. If all individuals have not had appropriate background screening, include the date by which such screening will be completed.
• If individuals are permitted system access prior to completion of appropriate background screening, describe the conditions under which this is allowed and any compensating controls to mitigate the associated risk.
• Is user access restricted (least privilege) to data files, to processing capability, or to peripherals and type of access (e.g., read, write, execute, delete) to the minimum necessary to perform the job?

Technical Controls
Technical controls are also addressed differently in the guide for major applications and general support systems. Each considers controls under the headings of identification and authentication, logical access control and audit trails. Major applications also considers control for public access. Again, in each case, issues to consider and guidance on decision-making factors are provided.

Extract From 6.GSS.1.2 Authentication
• Describe the method of user authentication (password, token, and biometrics).
• If a password system is used, provide the following specific information:
– Allowable character set,
– Password length (minimum, maximum),
– Password aging time frames and enforcement approach,
– Number of generations of expired passwords disallowed for use,
– Procedures for password changes,
– Procedures for handling lost passwords, and
– Procedures for handling password compromise.
Note: The recommended minimum number of characters for a password is six to eight characters in a combination of alpha, numeric, or special characters.
• Indicate the frequency of password changes, describe how password changes are enforced (e.g., by the software or system administrator), and identify who changes the passwords (the user, the system, or the system administrator).
• Procedures for training users and the materials covered.

In addition to the template plans, the appendix also has examples of rules of behaviour (one for major applications and one for general support systems) in the form of a document designed to be read and signed by the relevant users.

References
www.nist.gov
www.csrc.nist.gov
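The Authentication extract above asks the plan author to state password parameters (allowable character set, length limits, aging time frame and enforcement, number of expired generations disallowed for reuse) without showing how they are enforced. The following is an added example, not code from NIST 800-18 or from ISACA, that turns such a documented policy into checks a system can apply. The policy values, the account and the passwords are constructed for illustration. One caveat a practitioner should record alongside the 1998 note: a six-to-eight-character minimum is below current NIST guidance (SP 800-63B sets an eight-character floor for user-chosen secrets and advises against forcing periodic changes without evidence of compromise), so the sample policy uses twelve characters and keeps an aging check only because the plan template asks for one.

```python
"""Password-parameter checks of the kind a NIST SP 800-18 security plan documents.

Added illustration only (not NIST or ISACA code). Policy values and the sample
account below are constructed; the history is kept as salted hashes so that
"expired passwords disallowed for reuse" never requires storing plaintext.
"""
import hashlib
import os
import string
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class PasswordPolicy:
    """The parameters the 800-18 authentication section asks the plan to state."""
    min_length: int = 12            # assumption: above the 1998 six-to-eight note
    max_length: int = 64
    allowed_chars: str = string.ascii_letters + string.digits + string.punctuation
    max_age_days: int = 90          # password aging time frame
    history_generations: int = 6    # expired passwords disallowed for reuse


@dataclass
class Account:
    user: str
    salt: bytes
    current: bytes                                   # hash of the password in force
    history: list = field(default_factory=list)      # hashes of expired passwords, newest first
    changed_on: date = date(2005, 1, 1)


def hash_password(password, salt):
    """Salted PBKDF2 (stdlib). A production system would use argon2 or bcrypt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


def new_account(user, password, changed_on):
    salt = os.urandom(16)
    return Account(user, salt, hash_password(password, salt), [], changed_on)


def violations(policy, account, candidate):
    """Every reason a candidate password is unacceptable; an empty list means it passes."""
    problems = []
    if not policy.min_length <= len(candidate) <= policy.max_length:
        problems.append(f"length must be {policy.min_length}-{policy.max_length} characters")
    bad = sorted({c for c in candidate if c not in policy.allowed_chars})
    if bad:
        problems.append(f"characters outside the allowed set: {bad}")
    # The password in force plus the remembered expired generations are all disallowed.
    recent = [account.current] + account.history[:policy.history_generations]
    if hash_password(candidate, account.salt) in recent:
        problems.append(f"reuses the current password or one of the last {policy.history_generations}")
    return problems


def is_expired(policy, account, today):
    """Aging enforcement: True once the password is older than the policy allows."""
    return today - account.changed_on > timedelta(days=policy.max_age_days)


def change_password(policy, account, candidate, today):
    """Apply a change if the candidate passes; return the violations (empty on success)."""
    problems = violations(policy, account, candidate)
    if problems:
        return problems
    account.history = ([account.current] + account.history)[:policy.history_generations]
    account.current = hash_password(candidate, account.salt)
    account.changed_on = today
    return []


def demo():
    """Constructed walk-through for one account; returns each observation for checking."""
    policy = PasswordPolicy()
    acct = new_account("payroll.clerk", "Summer-Payroll-2004", date(2004, 10, 1))
    return {
        "too_short": violations(policy, acct, "Short-1"),
        "bad_charset": violations(policy, acct, "Spaces are not allowed!"),
        "reuse_current": violations(policy, acct, "Summer-Payroll-2004"),
        "expired_on_1_jan": is_expired(policy, acct, date(2005, 1, 1)),
        "change": change_password(policy, acct, "Winter-Payroll-2005!", date(2005, 1, 3)),
        "old_reused_after_change": violations(policy, acct, "Summer-Payroll-2004"),
        "expired_after_change": is_expired(policy, acct, date(2005, 1, 4)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The history is trimmed to the documented number of generations on every change, so a password falls out of the disallowed set only after that many further changes; that is the behaviour the plan's "number of generations" line commits the system to, and it is worth testing explicitly when the plan is reviewed.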

14. NIST 800-53 Recommended Security Controls for Federal Information Systems, Second Public Draft

Document Taxonomy
NIST 800-53 Recommended Security Controls for Federal Information Systems is a public draft document containing baseline security controls. It is one of a series of documents published and planned on security for US federal information systems to be finalised in the first quarter of 2005. It was published as a first draft in October 2003 and followed by a second draft in September 2004. NIST 800-53 is expected to be superseded in 2005 by FIPS Publication 200 Minimum Security Controls for Federal Information Systems, which will be the mandatory standard for US federal agencies.

Issuer
The National Institute of Standards and Technology is a US-based organisation responsible for providing US agencies with standards and guidelines for information security. The 800 series contains a number of security-related guides, many of which are designed to be suitable for the private as well as the public sectors.

Goal(s) of the Standard or Guidance Publication
NIST 800-53 is designed “to provide guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal [US] government”. The ultimate aim of the US government is to ensure that day-to-day government operations are undertaken with “adequate security”. Although written for US federal agencies, it is expected to have a wide audience amongst businesses, and, although a relatively new document, it is also likely to already have been considered by a wide audience.

Circulation
The publication is from a US government department, so it is likely to be more commonly used by US organisations. However, the NIST series of security publications is internationally known and used by the information security industry.

Information Security Drivers for Implementing the Guidance—Why
This will become a mandatory standard for US federal agencies in 2005.

Related Risks of Noncompliance—What Could Happen
There is no direct risk from not complying unless the organisation has an inherent need to comply with this standard.

Target Audience
NIST 800-53 will be of specific interest to any individual who has security responsibilities and works in a US federal agency. Despite this, it would be of interest to information security practitioners, IT managers and auditors in any type or size of organisation.

Timeliness
NIST 800-53 is in final drafting, with the final version due in the first quarter of 2005. The draft dated October 2003 was incomplete when issued for reviewers to comment; extensive feedback was received and the second draft, issued in September 2004, was a shorter but complete version. Draft 2 was also open to comment until November 2004, with the final version expected to be published in 2005.

Completeness
NIST 800-53 is focussed on providing security controls; therefore, it does not describe in any detail the role of the information security manager or the requirements for establishing, implementing and maintaining an enterprisewide information security programme. A total of 154 security controls are described, with guidance and, in many cases, actions to enhance the control for higher risk systems. The set of controls within draft 2 is shorter and in less detail than those provided in draft 1. NIST Special Publication 800-37 provides guidance on security certification and accreditation of information systems.

Certification Opportunities
There is no certification to this guide.

Availability
The draft is posted for complimentary download (as will be the final version) from the CSRC web site, www.csrc.nist.gov.

Recognition/Reputation
The global survey of CISMs (described in this document’s Introduction) shows that NIST 800-53 is already known to 80 percent of North American CISMs but recognition falls to around half in Europe/Africa and Asia. The vast majority (90 percent) of those familiar with it feel it has only limited or no acceptance. The exception to this is in North America, but, even there, more than 50 percent feel it has only limited acceptance. One can assume this will change when the final document is published in 2005 and becomes a US government agency mandatory standard. CISMs familiar with NIST 800-53 also generally feel it is (or will be) comprehensive and effective.

Usage
Surprisingly for a new and still draft document, NIST 800-53 is already being actively used (i.e., implemented, used as best practice or used for assessment) by almost one-third of North American CISMs. However, usage figures for other areas are less than 15 percent.

CISM Domain Alignment
Information Security Governance (rating 1): This domain is addressed only lightly in NIST 800-53’s description of security fundamentals.
Risk Management (rating 1): The domain is addressed only lightly in its description of security fundamentals.
Information Security Programme Management (rating 3): NIST 800-53 provides a good set of basic security controls, with suggestions on additional controls for higher risk systems. No guidance is provided on security planning or project management.

Information Security Management (rating 1): This domain is addressed only lightly in the document’s description of security fundamentals.
Response Management (rating 1): This domain is addressed only lightly in its description of security fundamentals.
Overall (rating 2): This is a good source of controls and control practices designed to be used by US government agencies. It provides a good source of basic security controls and will be even more useful when completed in 2005.

Description and Guidance on Use
NIST 800-53 is a document of 94 pages, primarily describing recommended security controls. There are three initial chapters covering introduction and security fundamentals. NIST 800-53 describes an effective security programme as including the following eight important areas:
• Periodic assessment of risk—Taking into account the needs of the organisation and potential impacts of incidents
• Policies and procedures—Ensuring that these are based on the organisation’s risk assessment and are integrated throughout the life cycle
• Security plans—For every part of the IT infrastructure or organisation as necessary
• Security awareness training—To be tailored to the needs of each individual’s activities
• Periodic testing and evaluation—To ensure that policies and procedures remain effective
• Remedial processes—To ensure that deficiencies are dealt with formally and effectively
• Incident response—To ensure that problems are detected and dealt with effectively
• Continuity planning—To ensure that information systems continue to operate at the required levels

NIST 800-53 identifies the need for an organisation to consider not only which controls are necessary to protect assets and fulfil legal responsibilities, but also which can be maintained on a day-to-day basis. It also points out the need for a practical implementation plan for any controls that have been selected.

There are 154 controls categorised over 17 families, each of which is given a two-character identifier, as shown in figure 7.

Figure 7—NIST Control Families
Identifier   Family                                                  Number of Controls
AC           Access Control                                          18
AT           Awareness and Training                                  4
AU           Audit and Accountability                                10
CA           Certification, Accreditation and Security Assessments   7
CM           Configuration Management                                6
CP           Contingency Planning                                    10
IA           Identification and Authentication                       7
IR           Incident Response                                       7
MA           Maintenance                                             6
MP           Media Protection                                        8
PE           Physical and Environmental Protection                   20
PL           Planning                                                5
PS           Personnel Security                                      8
RA           Risk Assessment                                         4
SA           System and Services Acquisition                         9
SC           System and Communications Protection                    18
SI           System and Information Integrity                        7

Controls are numbered within each family and each control has three components:
• The control section gives the specific security-related activity or action that is required to be undertaken.
• Supplemental guidance gives additional detail that an organisation may need to consider, including applicable federal legislation, directives, etc.
• Control enhancements provide the additional steps necessary to strengthen the basic controls when a risk assessment has determined that this is necessary.

A major objective of NIST 800-53 is to provide a set of controls for selection and implementation. There may be some flexibility for the organisation in applying the control, and this is indicated by assignment and selection options. For instance, an assignment may enable the organisation to define its own frequency or time period for reviews. A selection may provide, for instance, four or five possible actions, of which the organisation must implement at least two.

NIST 800-53 differentiates between common security controls and system-specific controls. It describes common security controls as those that can be applied across one or more organisational information systems, and as having properties that allow their development, implementation and assessment to be assigned to responsible

organisational officials or organisational elements. Common security controls are those that can be centrally managed to ensure consistency and reduce costs. System-specific controls are simply described as the responsibility of the system owner. NIST 800-53 points out the need to ensure clarity in differentiating which controls are common and which are system-specific. It goes on to contend that information system owners are not responsible for the common security controls protecting their systems, only for those that are system-specific. (Author’s note: Such an approach may not meet the needs of every organisation.)

As this piece of security guidance is aimed at US federal systems, it is of course based on US federal standards for categorising the system for security and on how to go about selecting baseline controls. NIST 800-53 requires the highest value to be ascertained using the “FIPS Publication 199 security category of the system”. This system derives the security category as the triple of the associated potential impacts for confidentiality, integrity and availability and is expressed as:

SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are low, moderate, or high.

Categories are low, moderate and high, and selection is based on the highest value given the potential impacts on confidentiality, integrity and availability. Having determined the security category, appendix D can be referenced to determine which are the minimum security (baseline) controls required (i.e., corresponding to low, moderate, or high impact). The full controls catalogue is provided in appendix F.

Extract From Appendix F, System and Information Integrity—Control Number SI-6
SI-6 SECURITY FUNCTIONALITY VERIFICATION
Control: The information system verifies the correct operation of security functions [Selection (one or more): upon system start-up and restart, upon command by the user with appropriate privilege, periodically every (Assignment: organization-defined time-period)] and [Selection (one or more): notifies system administrator, shuts the system down, restarts the system] when anomalies are discovered.
Supplemental Guidance: None.
Control Enhancements: (1) The organization employs automated mechanisms to provide centralized notification of failed security tests. (2) The organization employs automated mechanisms to support centralized management of distributed security testing.

Security assurance requirements are provided via appendix E. In general, low baseline controls are expected to have no obvious errors, with any flaws discovered being corrected in a timely manner. Moderate baseline controls require a higher level of correctness and should be designed in a manner such that correctness is incorporated into the design. High baseline controls continue this theme with a requirement for capabilities that support ongoing, consistent operation and continuous improvement.

The activities relating to management of organisational risk are described within NIST 800-53 in the context of the system development life cycle. Nine activities are described:
• Categorise the information system based on the FIPS 199 impact assessment.
• Select baseline controls.
• Adjust controls based on specific organisational requirements, as necessary.
• Document the agreed list of controls, including justifications for changes made.
• Implement the controls.
• Assess to ensure that the implemented controls are working as expected.
• Determine risk from the continued operation of the system.
• Authorise that this level of risk is acceptable.
• Monitor controls on a continuous basis.

The draft of appendix G conveniently provides a mapping of the 154 NIST 800-53 controls against ISO/IEC 17799:2000 Code of Practice for Information Security Management, NIST Special Publication 800-26 Security Self-assessment Guide for Information Technology Systems, and the US Government Accountability Office (GAO) Federal Information System Controls Audit Manual.

References
www.nist.gov
www.csrc.nist.gov
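The first three activities above (categorise, select a baseline, adjust the controls) are mechanical enough to be worth showing end to end, together with the FIPS 199 triple and the assignment/selection flexibility described earlier. The following is an added example, not code from NIST 800-53 or from ISACA: it derives the security category and its highest value, picks the baseline from a catalogue, and then validates an organisation's tailoring of a control statement against the Selection and Assignment placeholders in its text. The SI-6 statement is the one quoted in the extract; the catalogue, its baseline assignments and the payroll-system choices are constructed for illustration and are not appendix D of the standard.

```python
"""FIPS 199 categorisation, baseline selection and control tailoring, NIST SP 800-53 style.

Added illustration only (not NIST or ISACA code). SAMPLE_CATALOG and its baseline
assignments are constructed; SI_6 is the statement quoted in the extract above.
"""
import re

IMPACT_RANK = {"low": 0, "moderate": 1, "high": 2}


def security_category(confidentiality, integrity, availability):
    """Build SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}."""
    sc = {"confidentiality": confidentiality, "integrity": integrity, "availability": availability}
    for objective, impact in sc.items():
        if impact not in IMPACT_RANK:
            raise ValueError(f"{objective}: impact must be low, moderate or high, not {impact!r}")
    return sc


def high_water_mark(sc):
    """The system's level is the highest of the three potential impacts."""
    return max(sc.values(), key=IMPACT_RANK.__getitem__)


def select_baseline(catalog, level):
    """Controls whose lowest applicable baseline is at or below the system's level."""
    return sorted(cid for cid, lowest in catalog.items()
                  if IMPACT_RANK[lowest] <= IMPACT_RANK[level])


# Tailoring points: "[Selection (one or more): a, b, c]" and "[Assignment: name]".
# An option inside a selection may itself carry "(Assignment: name)".
PARAM_RE = re.compile(r"\[(Selection|Assignment)([^\]]*)\]")
INNER_ASSIGN_RE = re.compile(r"\(Assignment: ([^)]+)\)")


def parameters(statement):
    """List the tailoring points of a control statement in order of appearance."""
    found = []
    for m in PARAM_RE.finditer(statement):
        kind, rest = m.group(1), m.group(2)
        if kind == "Assignment":
            found.append({"kind": "assignment", "name": rest.lstrip(": ").strip()})
        else:
            head, _, options = rest.partition(":")
            found.append({"kind": "selection", "multiple": "one or more" in head,
                          "options": [o.strip() for o in options.split(",")]})
    return found


def tailor(statement, choices, assignments):
    """Instantiate a statement with the organisation's choices and assigned values.

    choices: one list of chosen option texts per [Selection], in order.
    assignments: organization-defined parameter name -> value.
    Raises ValueError rather than silently dropping a required tailoring point.
    """
    def fill(text):
        def value(m):
            if m.group(1) not in assignments:
                raise ValueError(f"no value assigned for {m.group(1)!r}")
            return assignments[m.group(1)]
        return INNER_ASSIGN_RE.sub(value, text)

    pieces, remaining = [], list(choices)
    for p in parameters(statement):
        if p["kind"] == "assignment":
            pieces.append(fill(f"(Assignment: {p['name']})"))
            continue
        if not remaining:
            raise ValueError("no choice supplied for a selection")
        chosen = remaining.pop(0)
        unknown = [c for c in chosen if c not in p["options"]]
        if unknown:
            raise ValueError(f"option(s) not offered by the control: {unknown}")
        if not chosen or (len(chosen) > 1 and not p["multiple"]):
            raise ValueError("selection requires " + ("one or more" if p["multiple"] else "exactly one") + " option")
        pieces.append(fill("; ".join(chosen)))
    if remaining:
        raise ValueError("more choices supplied than selections in the statement")
    out = statement
    for piece in pieces:                       # replace placeholders left to right
        out = PARAM_RE.sub(lambda _m: piece, out, count=1)
    return out


def tailoring_error(statement, choices, assignments):
    """The validation message for a tailoring attempt, or None if it is acceptable."""
    try:
        tailor(statement, choices, assignments)
    except ValueError as err:
        return str(err)
    return None


SI_6 = ("The information system verifies the correct operation of security functions "
        "[Selection (one or more): upon system start-up and restart, upon command by the user "
        "with appropriate privilege, periodically every (Assignment: organization-defined "
        "time-period)] and [Selection (one or more): notifies system administrator, shuts the "
        "system down, restarts the system] when anomalies are discovered.")

# Constructed sample: lowest baseline in which each control appears (hypothetical values).
SAMPLE_CATALOG = {"AC-2": "low", "AC-6": "moderate", "AU-2": "low", "AU-10": "high",
                  "SI-6": "moderate", "SI-7": "moderate", "SC-13": "low"}


def example_plan():
    """Categorise, select and tailor for a hypothetical payroll system."""
    sc = security_category("low", "moderate", "low")
    level = high_water_mark(sc)
    si6 = tailor(SI_6,
                 choices=[["upon system start-up and restart",
                           "periodically every (Assignment: organization-defined time-period)"],
                          ["notifies system administrator"]],
                 assignments={"organization-defined time-period": "24 hours"})
    return {"sc": sc, "level": level, "baseline": select_baseline(SAMPLE_CATALOG, level), "si6": si6}


if __name__ == "__main__":
    for key, value in example_plan().items():
        print(f"{key}: {value}")
```

Rejecting an option the control does not offer, or a selection left empty, is the point of the validation: the "Document the agreed list of controls, including justifications" step only has value if the documented statement is one the control actually permits.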


15. OCTAVE Criteria Version 2.0 Networked Systems Survivability Program

Issuer
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Criteria Version 2.0 Networked Systems Survivability Program was published by the Carnegie Mellon Software Engineering Institute (SEI) in December 2001. The Software Engineering Institute is a federally funded research and development centre sponsored by the US Department of Defense.

Document Taxonomy
The OCTAVE criteria are a set of principles, attributes and outputs. OCTAVE Method (18 volumes) and OCTAVE-S (10 volumes) provide a full methodology for applying the criteria, including detailed process guidelines, worksheets, security practices and presentation slides. Introduction to the OCTAVE Approach has also been published.

Goal of the Standard or Guidance Publication
OCTAVE’s purpose was to provide a risk-based strategic assessment and planning technique for security. OCTAVE defines criteria for operationally critical threat, asset and vulnerability evaluations with the goal of defining a general approach for evaluating and managing information security risks. The OCTAVE approach provides a method to use the criteria for large organisations (e.g., 300-plus employees), whilst OCTAVE-S is an abridged version of the method for smaller organisations.

Circulation
OCTAVE is available and promoted through the CERT organisation of SEI, which is internationally well known in the information security industry.

Information Security Drivers for Implementing the Guidance—Why
OCTAVE is a recognised methodology for risk management that allows an organisation to take ownership and accountability for risks, setting priorities and selecting controls.

Related Risks of Noncompliance—What Could Happen
There are no risks associated with not complying unless an organisation has decided to make it mandatory.

Target Audience
OCTAVE is aimed at the individuals within an organisation responsible for evaluating risks and ensuring appropriate protection strategies are developed and implemented. It has been designed to be suitable for organisations of any type, size or geographic location.

Timeliness
The OCTAVE framework was first published in 1999, and since then the SEI has continued to improve and develop the approach and method. The latest issuance occurred in 2001.

Completeness
OCTAVE provides a complete methodology, with supporting documents, for the evaluation of security risks and selection of practices for the management of these risks. OCTAVE covers only activities relating to evaluating risks. It does not address the full role and responsibilities of information security management.

Certification Opportunities
No certification exists for OCTAVE.

Availability
OCTAVE documents are freely available from www.cert.org/octave.

Recognition/Reputation
According to the global survey of CISMs that was conducted in 2004 (described in this document’s Introduction), OCTAVE has fairly low recognition amongst surveyed CISMs compared to many other standards (50 percent, with only 40 percent in Europe/Africa). This seems to be a very low figure for such a comprehensive methodology. Acceptance levels are also very low, with less than 10 percent in all regions believing the method to be widely accepted and more than half believing it has no acceptance whatsoever. There are varying opinions on how comprehensive it is considered, with North America, Oceania, Europe/Africa and Central/South America coming out at more than 50 percent in favour of its coverage. Central/South America and Asia find it most effective (60 to 80 percent).

Usage
Usage (i.e., implemented, used as best practice or used for assessment) of OCTAVE is highest in North America and Asia, but still is at only 14 percent.

CISM Domain Alignment
Information Security Governance (rating 2): OCTAVE includes many governance activities within its model but it does not provide any real guidance on how to set up and maintain an information security governance framework.
Risk Management (rating 4): OCTAVE includes a detailed and well-explained methodology for risk management that can be applied to large and small organisations.
Information Security Programme Management (rating 4): The OCTAVE catalogue of practices contains a good set of security practices. Following the methodology inherently helps in the planning, project management and ongoing review of an information security programme.
Information Security Management (rating 1): OCTAVE addresses implicitly, through its guidance, many of the activities undertaken in information security management. It does not provide any guidance on how to establish or carry out these activities.

Response Management (1): It provides a list of important control practices for response, but does not fully address all areas of this domain or provide guidance on how to establish and manage a response management function.
Overall (3): OCTAVE is an excellent methodology designed to involve management and staff at all levels in selecting and implementing information security controls, and may be best suited to implementation and integration of security management.

Description and Guidance on Use
OCTAVE is an approach, based on self-determination, for undertaking an evaluation of the threats and vulnerabilities of operationally critical assets, including the process for identifying the assets and determining criticality, evaluation of existing controls, and selection of the most critical assets. The OCTAVE approach is designed to be self-directed and takes into account operational risks and security practices. A three-phased process is described that, when followed, should provide a comprehensive picture of an organisation’s information security needs:
• Phase 1. Build asset-based threat profiles—The identification of information assets, their security needs and their specific threat profiles
• Phase 2. Identify infrastructure vulnerabilities—The evaluation of IT infrastructure including the identification of key components and their resistance to network attacks
• Phase 3. Develop security strategy and plans—Identification of risks to critical assets and decision and protection strategies for mitigation

There are a number of documents; the main ones are described below.

Introduction to the OCTAVE Approach
This document (37 pages) provides an excellent overview of the OCTAVE approach, including an overview of the criteria and brief descriptions of the OCTAVE method for large companies and OCTAVE-S for smaller firms. It is a bit detailed. It also provides guidance on how to choose between the two methods and, for those firms needing a combination of the two, information on which method suits which organisational attribute.

OCTAVE Criteria
This document (143 pages) contains an introduction and background to OCTAVE along with a more detailed description of the OCTAVE approach’s three phases and how they fit into an ongoing process or continuum.

The criteria are built on a foundation of principles, attributes and outputs. There are 10 principles that are grouped into three areas:
• Information security risk evaluation principles
1. Self-direction—People within an organisation should manage and direct their own evaluations and make their own decisions on risk.
2. Adaptable measures—Evaluations must be done through a flexible process to enable changes in the organisation and technology to be reflected.
3. Defined process—Standardised procedures for evaluation should be used to ensure consistency in results.
4. Foundation for a continuous process—Good practices should be adopted and a continuous improvement process should be introduced.
• Risk management principles
5. Forward-looking view—Strategic thinking should identify the impacts of risks on the organisation’s mission and business objectives.
6. Focus on the critical few—The majority of effort should focus on the most critical areas to ensure efficient use of resources.
7. Integrated management—Security should be integrated into other organisation strategies, including consideration of business goals when deriving security policy.
• Organisational and cultural principles
8. Open communication—Collaborative approaches should be used in determining risks and communicating them in an open manner.
9. Global perspective—A common view of security should be ensured throughout the organisation.
10. Teamwork—An interdisciplinary approach, including business and technical employees, should be undertaken.

There are 15 attributes, each of which has a primary relationship with one or more of the principles. Each of the attributes is described and an explanation of its importance is provided:
• Self-direction
  – RA.1 Analysis team—Describes a multidisciplinary team of employees and their responsibilities
  – RA.2 Augment analysis team skills—Enables the primary analysis team to find, when needed, specialist skills from other parts of the organisation or externally
• Adaptable measures
  – RA.3 Catalogue of practices—The requirement for a set of practices that address strategic and operational security, including management practices, physical security, technical security, etc.
  – RA.4 Generic threat profile—Assessment of threats, including system, human and environmental
  – RA.5 Catalogue of vulnerabilities—Technological vulnerabilities and tools for their identification and evaluation

• Defined process
  – RA.6 Defined evaluation activities—Documented procedures for every step of the evaluation process
  – RA.7 Documented evaluation results—Documented risks to the organisation and strategies for mitigation
  – RA.8 Evaluation scope—Clearly documenting what has been included or not within the scope of the evaluation
• Foundation for a continuous process
  – RA.9 Next steps—The activity of documenting next steps and assigning ownership for their progression
  – RA.3 Catalogue of practices—As above
• Forward-looking view
  – RA.10 Focus on risk—Examining interrelationships amongst assets, threats to assets and vulnerabilities, and their effect on the organisation’s business objectives
• Focus on the critical few
  – RA.8 Evaluation scope—As above
  – RA.11 Focussed activities—Ensuring that evaluation activities focus on critical assets for efficient use of resources
• Integrated management
  – RA.12 Organisational and technological issues—Ensuring that technology is considered alongside existing practices used by staff
• Open communication
  – RA.13 Business and information technology participation—Ensuring participation from all areas of the business and from all levels (senior management to junior staff)
  – RA.14 Senior management participation—Active sponsorship, involvement in and review of the output of evaluations
  – RA.15 Collaborative approach—Using workshops or other interactive approaches to ensure interdisciplinary knowledge and skills
• Global perspective
  – RA.12 Organisational and technological issues—As above
  – RA.13 Business and information technology participation—As above

Extract of Organisational and Technological Issues (RA.12)
Requirements
The evaluation process must examine both organizational and technological issues. Information security risk evaluations typically include the following practice- and vulnerability-related information:
• Current security practices used by staff members
• Missing or inadequate security practices (also called organizational vulnerabilities)
• Technological weaknesses present in key information technology systems and components

Importance
Because security has both organizational and technological components, it is important that an evaluation surface both organizational and technological issues. The analysis team analyzes both types of issues in relation to the mission and business objectives of the organization when creating the organization’s protection strategy and risk mitigation plans. By doing this, the team is able to address security by creating a global picture of the information security risks with which the organization must deal.

The criteria also describe the various outputs required from each of the three phases:
• RO1.1 Critical assets
• RO1.2 Security requirements for critical assets
• RO1.3 Threats to critical assets
• RO1.4 Current security practices
• RO1.5 Current organisation vulnerabilities
• RO2.1 Key components
• RO2.2 Technology vulnerabilities
• RO3.1 Risks to critical assets
• RO3.2 Risk measures
• RO3.3 Protection strategy
• RO3.4 Risk mitigation plans

Extract of RO3.3 Protection Strategy
Output Requirements
A protection strategy must be an output of the evaluation process. An organization’s protection strategy defines its direction with respect to efforts to improve information security. It includes approaches for enabling, implementing, and maintaining security practices in an organization. A protection strategy tends to incorporate long-term organizationwide initiatives and is structured using the practice areas defined in the catalog of practices. (See Attribute RA.3.)
Importance
Creating a protection strategy is important because it charts a course for organizational improvement with respect to information security activities.

OCTAVE Method
Included within this 18-volume set of documentation is an introduction on how to use the method and guidelines on how to prepare for an OCTAVE assessment, including selection of the team. Volumes 3 to 12 contain all of the information for the three phases and eight processes of the method, including detailed processes, worksheets, slides for presentations with notes and example results.

The volumes also include a number of appendices, which include flow diagrams and more examples.

Extract of Guidance for Running a Workshop to Capture Senior Management Knowledge/Views
The process guidelines for Process 1 are written primarily for the lead facilitator of the workshop. Other members of the analysis team will support the lead facilitator, observe all activities, and take general notes. All guidance for the scribe is specifically noted in these guidelines. Regardless of workshop roles, all members of the analysis team should read and understand these guidelines.
Prior to the workshop, you should review the following types of information:
• The organization’s security policies and procedures
• An organizational chart
• Any laws and regulations with which your organization must comply
An understanding of the information contained in the above items will be useful as you facilitate this workshop and as you analyze information in later workshops. You should use the slides provided to explain the concepts and activities of this workshop to the participants as you conduct the workshop.

Volume 15: Appendix, the OCTAVE Catalogue of Practices (48 pages), provides a good range of practices defined as either strategic or operational that organisations can use when creating their own practices. These practices include:
• Strategic practices
  – SP1 Security awareness and training
  – SP2 Security strategy
  – SP3 Security management
  – SP4 Security policies and regulations
  – SP5 Collaborative security management
  – SP6 Contingency planning/disaster recovery
• Operational practices
  – OP1.1 Physical security plans and procedures
  – OP1.2 Physical access control
  – OP1.3 Monitoring and auditing physical security
  – OP2.1 System and network management
  – OP2.2 System administration tools
  – OP2.3 Monitoring and auditing IT security
  – OP2.4 Authentication and authorisation
  – OP2.5 Vulnerability management
  – OP2.6 Encryption
  – OP2.7 Security architecture and design
  – OP3.1 Incident management
  – OP3.2 General staff practices

The catalogue of practices also contains a survey that can be used to obtain a view on the existing security posture, along with suggestions on where the various security statements could apply.

Extract of One of the SP3 Security Management Practices
SP3.5 The organization manages information security risks, including:
• Assessing risks to information security both periodically and in response to major changes in technology, internal/external threats, or the organization’s systems and operations
• Taking steps to mitigate risks to an acceptable level
• Maintaining an acceptable level of risk using information security risk assessments to help select cost-effective security/control measures, balancing implementation costs against potential losses

Extract of One of the Survey Questions on Vulnerability Management (OP2.5)
There is a documented set of procedures for managing vulnerabilities, including:
• Selecting vulnerability evaluation tools, checklists, and scripts
• Keeping up to date with known vulnerability types and attack methods
• Reviewing sources of information on vulnerability announcements, security alerts, and notices
• Identifying infrastructure components to be evaluated
• Scheduling of vulnerability evaluations
• Interpreting and responding to the results
• Maintaining secure storage and disposition of vulnerability data

Reference
www.cert.org/octave


16. Guidelines for the Security of Information Systems and Networks and Associated Implementation Plan

Issuer
The Organisation for Economic Co-operation and Development is a member organisation of 30 countries and has active relationships with another 70 countries.

Document Taxonomy
Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security provides a set of nine principles aimed at fostering a “culture of security”. The OECD’s Guidelines for the Security of Information Systems and Networks was first produced in 1992 and the latest update was issued in July 2002. The associated Implementation Plan describes the responsibilities of government, business and civil society in implementing the guidelines. The Implementation Plan was released as a second draft in July 2003 and is still under review.

Goals of the Standard or Guidance Publication
OECD was first established in 1960 predominately to help achieve sustainable economic growth and financial stability in member countries and to contribute to economic expansion and world trade. In progressing these aims, OECD takes a prominent role in fostering good governance in public services and corporate activity. The guidelines are meant to provide a framework of principles to promote better understanding of how participants (in OECD) may benefit from, and contribute to, the development of a culture of security. The Implementation Plan is aimed predominately at government responsibilities but also refers to the roles of business and civil society.

Circulation
Although OECD is internationally known to those working in government economic departments and corporate finance and law, its profile within the information security industry remains low.

Information Security Drivers for Implementing the Guidance—Why
OECD guidelines are taken seriously by a number of countries and have formed the foundation for security principles defined in other standards and guidance documents. The principles are in keeping with many of the current and planned legislative changes being made by OECD member countries. Corporate social responsibility is becoming an important business driver for many large international organisations.

Related Risks of Noncompliance—What Could Happen
Noncompliance with the principles, whether defined in the same manner or not, may lead to breaches of local law or regulation. Unlike conventions, the guidelines are nonbinding and governments are not legally bound to their use. However, a number of governments have produced publicly available plans on how they are implementing the principles.

Target Audience
The guidelines are aimed at senior persons within organisations responsible for governance, ethics (corporate social responsibility) and development of IT systems. They are broadbased enough to relate to any type of organisation, of any size or geographic location. No security or technical knowledge is assumed or required.

Timeliness
The guidelines are high-level and have been reviewed at least twice since first issued to ensure that they reflect changes in world economics, technology and events.

Completeness
The guidelines are intended to be high-level and in this context are complete in the coverage they provide relating to information security principles. However, these guidelines would need to be heavily complemented with other publications for an information security manager as they do not begin to cover the full range of issues that must be addressed for enterprisewide information security management.

Certification Opportunities
No certification is available.

Availability
The guidelines are publicly available as a complimentary download at www.oecd.org.

Recognition/Reputation
The results of the 2004 global survey of CISMs (described in this document’s Introduction) revealed that recognition is very low, with the highest in Oceania at just slightly more than 60 percent and Central/South America the lowest at 32 percent. Bearing in mind that the principles within the guidelines are used in other security-related publications (e.g., NIST), it is likely that many CISMs are applying the principles but with different wording, or they are just not aware of them as OECD principles. The guidelines are felt to have very low acceptance across all regions, with almost 50 percent giving them no acceptance at all. There are mixed opinions on the level of comprehensiveness and effectiveness, both positive and negative.

Usage
The guidelines are actively used (i.e., implemented, used as best practice or used for assessment) by only 8 percent or fewer of surveyed CISMs.

CISM Domain Alignment
Information Security Governance (2): OECD’s guidelines contain a useful set of information security principles that have been adopted by many governments and are slowly being built into law within some countries. They will also be of value to organisations with a business ethics or corporate social responsibility function.
Risk Management (1): Risk assessment is one of the nine principles, but it is not addressed in a comprehensive manner.
Information Security Programme Management (1): The guidelines are of limited interest to those working in government as they define the expectations of government.

Information Security Management (0): This domain is not addressed at all by the guidance.
Response Management (1): One of the principles deals with response management, but not in a comprehensive manner.
Overall (1): The document does not provide much in the way of guidance for the information security manager, although knowledge of the OECD and its nine security principles is highly recommended as they are referenced in many other information security standards and guides.

Description and Guidance on Use
OECD Guidelines for the Security of Information Systems and Networks is a short document of just 16 pages, including a history of the document’s development, introduction and references. The guidelines provide nine principles that are designed to be complementary and are aimed at promoting a culture of security. Each principle is briefly explained. Perhaps uniquely, the principles include ethics and democracy. And, unusually, the risk assessment principle identifies the need to consider risks to others as well as to oneself. The guidelines should be of particular interest to an organisation with a business ethics or corporate social responsibility function. The nine principles address:
• Awareness
• Responsibility
• Response (i.e., to incidents)
• Ethics
• Democracy
• Risk assessment
• Security design and implementation
• Security management
• Reassessment

Extract of Principle 6 Risk Assessment
Participants should conduct risk assessments. Risk assessment identifies threats and vulnerabilities and should be sufficiently broad-based to encompass key internal and external factors, such as technology, physical and human factors, policies and third-party services with security implications. Risk assessment will allow determination of the acceptable level of risk and assist the selection of appropriate controls to manage the risk of potential harm to information systems and networks in light of the nature and importance of the information to be protected. Because of the growing interconnectivity of information systems, risk assessment should include consideration of the potential harm that may originate from others or be caused to others.

The Implementation Plan for the Guidelines for the Security of Information Systems and Networks is a brief document of six pages. The majority of the document is aimed at defining the roles and responsibility of government in promoting a culture of security, but there are a couple of references to business and civil societies.

Extract of Paragraph Nine Describing One of the Government Responsibilities for Public Policy
9. In the first instance government action should raise awareness of law and policy that address cybersecurity. Beyond this, the government should facilitate awareness and appropriate responses by other participants through programmes and initiatives. A second aspect of the government’s public policy role is to conduct outreach and support efforts by all participants to address security.

Reference
www.oecd.org


17. Manager’s Guide to Information Security

Issuer
The Open Group is a vendor-neutral technology consortium with a vision to create “boundaryless information flow achieved through global interoperability in a secure, reliable and timely manner”. The booklet itself was written by members of the Open Group Security Forum, a forum established for more than 10 years.

Document Taxonomy
Manager’s Guide to Information Security, issued in July 2002, provides general guidance on acquiring secure IT products and systems.

Goal of the Standard or Guidance Publication
The booklet has been produced to help nonsecurity business managers understand what to look for when purchasing security products and services.

Circulation
The Open Group is internationally recognised. However, no information is available on circulation of the booklet.

Information Security Drivers for Implementing the Guidance—Why
There are no specific drivers for this guidance.

Related Risks of Noncompliance—What Could Happen
No risks of noncompliance were identified by the authors of this document.

Target Audience
The booklet is aimed primarily at business managers responsible for some aspect of IT systems or those who evaluate or approve information security purchases.

Timeliness
The booklet was published in 2002 as a simple guide to business managers. It is nontechnical and remains valid in its content.

Completeness
As this is not directed at the information security manager, it does not begin to cover the full range of issues that must be addressed for enterprisewide information security management. However, it does provide some simple explanations of, and arguments for, security that information security managers may find useful when discussing information security with business managers.

Availability
This booklet is available for purchase from the Open Group at www.opengroup.org for US $9.95.

Certification Opportunities
No certification exists.

Recognition/Reputation and Usage
Since this publication is not designed for, nor aimed at, information security managers, CISM usage has not been surveyed.

CISM Domain Alignment
Information Security Governance (0): Information security governance is not addressed.
Risk Management (0): Risk management is not addressed.
Information Security Programme Management (1): The booklet may be of some use for identifying some security questions before purchasing IT products.

Information Security Management (1): This publication is designed for business managers. It is not aimed at information security managers. However, it may be of some use in educating business managers with purchasing power for IT products and services.
Response Management (0): Response management is not addressed.
Overall (1): It may be of some use for educating business managers with purchasing power for IT products and services.

Description and Guidance on Use
This 50-page booklet provides a brief introduction to the importance of security, including looking at information security from a business perspective. Simple explanations are given to a number of common queries that are made by business managers, including:
• How much security do you need?
• What are the risks?
• What sort of protection do you need?
The booklet makes clear that it is the business manager who is responsible for identifying and valuing the risks significant to the business. Technical risk evaluation is up to trained security practitioners. This naturally leads to explanations on the reality of how much security is already present in IT systems and whether or not it is properly enabled to meet the organisation’s acceptance of risks. It also talks about IT security as a service to the organisation, helping it to run more effectively. The need for activity logging and detection and response processes is briefly addressed, as is the need for security awareness and training.

Extract from Security from a Business Perspective, Detection and Response
Remember, a completely secure system is impossible. You must be able to detect and respond to failures in the enforcement of your policies. Information security systems should monitor your systems to identify anomalous patterns of activity. This monitoring, together with the logging and audit functions described above, will also help you (or your auditors) to determine that those responsible for setting up and maintaining the system have done the job correctly.

The booklet describes the types of things to expect from security solutions, and in each case this is provided in a simple and easy-to-understand manner. Included are:

• Administration—Explaining how access policies need to be enforced by the security system
• Assurance and audit—Describing the reasons and benefits of logging and monitoring
• Protection—Very general concepts from passwords to firewalls
• Know who is who and proving who is who—Simple concepts of identification and authentication
• Managing the list—Registering with LDAP, for example
• What to allow—Simple concepts of authorisation services
• Confidence in documents—Digital signatures in simple terms
• Keeping trust—Reasons for cryptography and PKI
• Extend your reach—The use of VPNs
• Smell and detect trouble—Scanning and intrusion detection explained

Extract from 4. What to expect from Security Solutions
Digital signatures have a curious property that “real” signatures don’t. A “real” signature is placed on the document it goes with. It can’t be separated from the document without leaving a mark or a tear. A digital signature contains a “fingerprint” of the document! While it can be physically separated from the document, it is always possible to tell which document a signature was attached to. If the document is changed, the fingerprint inside the signature will reveal the fact. Because of this odd property, a digital signature can help prove that a document hasn’t been changed since it was signed. So digital signatures are, in some ways, more powerful than “real” signatures.

Finally, the booklet addresses what to do next by explaining the options of handling security in-house or outsourcing.

Reference
www.opengroup.org
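The booklet extract above makes three claims about a digital signature: it carries a fingerprint of the document, it can be detached from the document yet still matched back to it, and any change to the document is revealed. The following Python is an added illustration, not code from the booklet or the Open Group; it uses textbook RSA over a SHA-256 digest with a demonstration key pair built from fixed search points and constructed sample documents (no padding scheme, no random key generation, so it is for illustration only).

```python
"""Illustrates the 'fingerprint' property of digital signatures: added example,
not code from the Open Group booklet. Textbook RSA over a SHA-256 digest with a
demonstration key built from fixed search points (no padding; illustrative only)."""
import hashlib
import math

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases: deterministic below 3.3e24 and
    overwhelmingly reliable above, which is enough for a demo key."""
    if n < 2:
        return False
    for p in MR_BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(start: int) -> int:
    """Smallest probable prime >= start, searching odd numbers only."""
    n = start | 1
    while not is_probable_prime(n):
        n += 2
    return n


def make_keypair():
    """Demo key: two ~130-bit primes from fixed starting points, so the modulus
    exceeds 2**256 and a whole SHA-256 digest fits in it without reduction."""
    p = next_prime(2**130 + 2**64)
    q = next_prime(2**131 + 2**65)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while math.gcd(e, phi) != 1:  # practically never loops for these primes
        e += 2
    d = pow(e, -1, phi)  # private exponent (Python 3.8+ modular inverse)
    return (n, e), (n, d)


PUBLIC_KEY, PRIVATE_KEY = make_keypair()


def fingerprint(document: bytes) -> int:
    """The document's SHA-256 digest as an integer: this is what gets signed."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, private_key=PRIVATE_KEY) -> int:
    """Signature = fingerprint**d mod n. It is a separate value that can travel
    apart from the document, but it is derived from the document's fingerprint."""
    n, d = private_key
    return pow(fingerprint(document), d, n)


def verify(document: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Recover the fingerprint with the public key and compare it with the digest
    of the document presented now; any change to the document alters the digest."""
    n, e = public_key
    return pow(signature, e, n) == fingerprint(document)


def match_signature(signature: int, candidates, public_key=PUBLIC_KEY):
    """Given a detached signature and several documents, return the one it was
    attached to, or None if none of them verifies."""
    for doc in candidates:
        if verify(doc, signature, public_key):
            return doc
    return None


def demo() -> dict:
    """Constructed sample documents: an order, a tampered copy, an unrelated memo."""
    original = b"Purchase order 4711: 250 units at 12.00 each"
    tampered = b"Purchase order 4711: 250 units at 21.00 each"
    unrelated = b"Minutes of the Tuesday meeting"
    sig = sign(original)
    return {
        "original_ok": verify(original, sig),            # True
        "tampered_ok": verify(tampered, sig),            # False: fingerprint differs
        "matched": match_signature(sig, [tampered, unrelated, original]),
    }
```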

Annex—CISM Job Domains

Information Security Governance
Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations.

Tasks
• Develop the information security strategy in support of business strategy and direction.
• Obtain senior management commitment and support for information security throughout the enterprise.
• Ensure that definitions of roles and responsibilities throughout the enterprise include information security governance activities.
• Establish reporting and communication channels that support information security governance activities.
• Identify current and potential legal and regulatory issues affecting information security and assess their impact on the enterprise.
• Establish and maintain information security policies that support business goals and objectives.
• Ensure the development of procedures and guidelines that support information security policies.
• Develop business case and enterprise value analysis that support information security programme investments.

Knowledge Statements
• Knowledge of information security concepts
• Knowledge of the relationship between information security and business operations
• Knowledge of techniques used to secure senior management commitment and support of information security management
• Knowledge of methods of integrating information security governance into the overall enterprise governance framework
• Knowledge of practices associated with an overall policy directive that captures senior management level direction and expectations for information security in laying the foundation for information security management within an organisation
• Knowledge of an information security steering group function
• Knowledge of information security management roles, responsibilities and organisational structure
• Knowledge of areas of governance (for example, risk management, data classification management, network security, system access)

• Knowledge of centralised and decentralised approaches to co-ordinating information security
• Knowledge of legal and regulatory issues associated with Internet businesses, global transmissions and transborder data flows (for example, privacy, tax laws and tariffs, data import/export restrictions, restrictions on cryptography, warranties, patents, copyrights, trade secrets, national security)
• Knowledge of common insurance policies and imposed conditions (for example, crime or fidelity insurance, business interruptions)
• Knowledge of the requirements for the content and retention of business records and compliance
• Knowledge of the process for linking policies to enterprise business objectives
• Knowledge of the function and content of essential elements of an information security programme (for example, policy statements, procedures and guidelines)
• Knowledge of techniques for developing an information security process improvement model for sustainable and repeatable information security policies and procedures
• Knowledge of information security process improvement and its relationship to traditional process management
• Knowledge of information security process improvement and its relationship to security architecture development and modelling
• Knowledge of information security process improvement and its relationship to security infrastructure
• Knowledge of generally accepted international standards for information security management and related process improvement models
• Knowledge of the key components of cost-benefit analysis and enterprise transformation/migration plans (for example, architectural alignment, organisational positioning, change management, benchmarking, market/competitive analysis)
• Knowledge of methodology for business case development and computing enterprise value proposition

Risk Management
Identify and manage information security risks to achieve business objectives.

Tasks
• Develop a systematic, analytical and continuous risk management process.
• Ensure that risk identification, analysis and mitigation activities are integrated into life cycle processes.
• Apply risk identification and analysis methods.
• Define strategies and prioritise options to mitigate risk to levels acceptable to the enterprise.
• Report significant changes in risk to appropriate levels of management on a periodic and event-driven basis.

Knowledge Statements
• Knowledge of information resources used in support of business processes
• Knowledge of information resource valuation methodologies
• Knowledge of information classification
• Knowledge of the principles of development of baselines and their relationship to risk-based assessments of control requirements
• Knowledge of life cycle-based risk management principles and practices
• Knowledge of threats, vulnerabilities and exposures associated with confidentiality, integrity and availability of information resources
• Knowledge of quantitative and qualitative methods used to determine sensitivity and criticality of information resources and the impact of adverse events
• Knowledge of use of gap analysis to assess generally accepted standards of good practice for information security management against current state
• Knowledge of recovery time objectives (RTO) for information resources and how to determine RTO
• Knowledge of RTO and how it relates to business continuity and contingency planning objectives and processes
• Knowledge of risk mitigation strategies used in defining security requirements for information resources supporting business applications
• Knowledge of cost-benefit analysis techniques in assessing options for mitigating risks, threats and exposures to acceptable levels
• Knowledge of managing and reporting status of identified risks

Information Security Programme Management
Design, develop and manage an information security programme to implement the information security governance framework.
Tasks
• Create and maintain plans to implement the information security governance framework.
• Develop information security baseline(s).
• Develop procedures and guidelines to ensure that business processes address information security risk.
• Develop procedures and guidelines for IT infrastructure activities to ensure compliance with information security policies.
• Integrate information security programme requirements into the organisation’s life cycle activities.
• Develop methods of meeting information security policy requirements that recognise the impact on end users.
• Promote accountability by business process owners and other stakeholders in managing information security risks.
• Establish metrics to manage the information security governance framework.
• Ensure that internal and external resources for information security are identified, appropriated and managed.

Knowledge Statements
• Knowledge of methods to develop an implementation plan that meets security requirements identified in risk analyses
• Knowledge of project management methods and techniques
• Knowledge of the components of an information security governance framework for integrating security principles, practices, management and awareness into all aspects and all levels of the enterprise
• Knowledge of security baselines and configuration management in the design and management of business applications and the infrastructure
• Knowledge of information security architectures (for example, single sign-on, rules-based as opposed to list-based system access control for systems, limited points of systems administration)
• Knowledge of information security technologies (for example, cryptographic techniques and digital signatures, to enable management to select appropriate controls)
• Knowledge of security procedures and guidelines for business processes and infrastructure activities
• Knowledge of the systems development life cycle methodologies (for example, traditional SDLC, prototyping)
• Knowledge of planning, designing, developing, testing and implementing information security requirements into an enterprise’s business processes
• Knowledge of security metrics design, development and implementation
• Knowledge of acquisition management methods and techniques (for example, evaluation of vendor service level agreements, preparation of contracts)
• Knowledge of planning, conducting, reporting and follow-up of security testing
• Knowledge of certifying and accrediting the compliance of business applications and infrastructure to the enterprise’s information security governance framework
• Knowledge of types, benefits and costs of physical, administrative and technical controls

Information Security Management
Oversee and direct information security activities to execute the information security programme.
Tasks
• Ensure that the rules of use for information systems comply with the enterprise’s information security policies.
• Ensure that the administrative procedures for information systems comply with the enterprise’s information security policies.
• Ensure that services provided by other enterprises, including outsourced providers, are consistent with established information security policies.
• Use metrics to measure, monitor and report on the effectiveness and efficiency of information security controls and compliance with information security policies.
• Ensure that information security is not compromised throughout the change management process.
• Ensure that vulnerability assessments are performed to evaluate effectiveness of existing controls.
• Ensure that noncompliance issues and other variances are resolved in a timely manner.
• Ensure the development and delivery of the activities that can influence culture and behaviour of staff, including information security education and awareness.
Knowledge Statements
• Knowledge of how to interpret information security policies into operational use
• Knowledge of information security administration process and procedures
• Knowledge of methods for managing the implementation of the enterprise’s information security programme through third parties, including trading partners and security services providers
• Knowledge of continuous monitoring of security activities in the enterprise’s infrastructure and business applications
• Knowledge of methods used to manage success/failure in information security investments through data collection and periodic review of key performance indicators
• Knowledge of change and configuration management activities
• Knowledge of information security management due diligence activities and reviews of the infrastructure
• Knowledge of liaison activities with internal/external assurance providers performing information security reviews
• Knowledge of due diligence activities, reviews and related standards for managing and controlling access to information resources
• Knowledge of external vulnerability reporting sources, which provide information that may require changes to the information security in applications and infrastructure
• Knowledge of events affecting security baselines that may require risk reassessments and changes to information security requirements in security plans, test plans and reperformance
• Knowledge of information security problem management practices
• Knowledge of information security manager facilitative roles as change agents, educators and consultants
• Knowledge of the ways in which culture and cultural differences affect the behaviour of staff
• Knowledge of the activities that can change the culture and behaviour of staff
• Knowledge of methods and techniques for security awareness training and education

Response Management
Develop and manage a capability to respond to and recover from disruptive and destructive information security events.
Tasks
• Develop and implement processes for detecting, identifying and analysing security-related events.
• Develop response and recovery plans, including organising, training and equipping the teams.
• Ensure periodic testing of the response and recovery plans where appropriate.
• Ensure the execution of response and recovery plans as required.
• Establish procedures for documenting an event as a basis for subsequent action.
• Manage post-event reviews to identify causes and corrective actions.
Knowledge Statements
• Knowledge of the components of an incident response capability
• Knowledge of information security emergency management practices (for example, production change control activities, development of computer emergency response team)
• Knowledge of disaster recovery planning and business recovery processes
• Knowledge of disaster recovery testing for infrastructure and critical business applications
• Knowledge of escalation processes for effective security management
• Knowledge of intrusion detection policies and processes
• Knowledge of help desk processes for identifying security incidents reported by users and distinguishing them from other issues dealt with by the help desks
• Knowledge of the notification process in managing security incidents and recovery (for example, automated notice and recovery mechanisms, in response to virus alerts in a real-time fashion)
• Knowledge of the requirements for collecting and presenting evidence, including forensics when necessary, rules for evidence, admissibility of evidence, quality and completeness of evidence
• Knowledge of post-incident reviews and follow-up procedures

ITGI Publications

Other Publications
All publications come with detailed assessment questionnaires and work programmes. For further information, please visit www.isaca.org/bookstore or e-mail bookstore@isaca.org.

Managing Enterprise Information Integrity
The Centre for IS Assurance conducted this project to define the key elements of enterprise information integrity, as well as benefits criteria associated with them, and to present a framework and process for management. In an increasingly dynamic global environment, IT organisations must address complex solutions and operating environments to provide assurance of the dependability and trustworthiness of information across the enterprise. It is available through the ISACA Bookstore at www.isaca.org/bookstore. 2004

Control Practices
Control Practices extends the capabilities of the COBIT framework with an additional level of detail. The COBIT IT processes, business requirements and control objectives define what needs to be done to implement an effective control structure. The control practices provide the more detailed how and why needed by management, service providers, end users and control professionals, to help them justify and design the specific controls needed to address IT project and operational risks and improve IT performance by providing guidance on why controls are needed, and what the best practices are for meeting specific control objectives. All of the control practices are individually integrated into COBIT Online. This publication, which contains control practices for all of the 34 high-level COBIT control objectives, is available in the ISACA Bookstore. 2004

COBIT Security Baseline
Control Objectives for Information and related Technology covers security in addition to other risks that can occur with the use of IT. Using the COBIT framework, this guide focusses on the specific risks of IT security in a way that is simple to follow and implement for all users—small to medium enterprises, executives and board members of larger organisations, and home users. COBIT Security Baseline provides:
• Useful background reading:
– An introduction to information security—What does it mean and what does it cover?
– An explanation of why security is important, with examples of the most common things that can go wrong
– Thought-provoking questions to help determine the risks
• The COBIT-based security baseline, providing key controls
• Six information security survival kits, offering essential awareness messages
• An appendix containing a summary of technical security risks
2004


IT Control Objectives for Sarbanes-Oxley
The publication explains, step-by-step in a road map approach, the current focus on enhancing corporate accountability, the audit committee’s responsibility, the need to adopt and use an internal control framework (COSO), the need to consider fraud in an audit or review of internal control, the necessary but unique challenge of focussing on IT controls and using a compatible IT governance framework (COBIT), and how to seize the opportunity of turning compliance into a competitive challenge. The document provides IT professionals and organisations with assessment ideas and approaches, IT control objectives mapped into COSO for disclosure and financial reporting purposes, and a clear road map to deal with the murkiness of these regulatory times. 2004

COBIT Mapping: Mapping ISO/IEC 17799:2000 With COBIT
The mapping document is a profound source of information for all stakeholders responsible for, and interested in, IT governance and information security management and their respective controls. It provides clear insights as to how COBIT and ISO/IEC 17799:2000 interrelate and fit together. This paper is a valuable source and useful guideline for implementation of these standards in an organisation, independent of its size, geography or industry. It will help improve completeness and quality and reduce the cost of such implementations. ISACA member download posted at www.isaca.org/research. 2004

COBIT Mapping: Overview of International IT Governance
A global overview of the most important standards relative to control and security of IT and how they relate to each other on a high level. The research includes:
• An overview of the most important standards relative to control and security of IT
• A demonstration of the possible integration of COBIT with other standards into live IT processes
• A high-level overview of COBIT, COSO, ITIL, ISO/IEC 17799:2000, ISO/IEC 13335, ANSI, TickIT and the Common Criteria—ISO/IEC 15408:1999
The publication is posted at www.isaca.org/cobitmapping. 2004

Board Briefing on IT Governance, 2nd Edition
The Board Briefing on IT Governance, 2nd Edition is addressed to boards of directors, supervisory boards, audit committees, chief executive officers, chief information officers and other executive management, and is designed to help these individuals understand why IT governance is important, what its issues are and what their responsibility is for managing it. The document is posted at www.itgi.org. The document covers:
• A summarised background on governance
• Where IT governance fits in the larger context of enterprise governance
• A simple framework with which to think about IT governance
• Questions board members should ask
• Good practices and critical success factors
• Performance measures board members can track
• A maturity model against which to benchmark organisations
2003

Other Titles
Oracle® Database Security, Audit and Control Features (2004)
OS/390—z/OS: Security, Control and Audit Features (2003)
IT Governance Implementation Guide (2003)
COBIT Quickstart (2003)
Risks of Customer Relationship Management: A Security, Control and Audit Approach (2003)
Security Provisioning: Managing Access in Extended Enterprises (2002)
Electronic and Digital Signatures: A Global Status Report (2002)
Virtual Private Network—New Issues for Network Security (2001)
COBIT 3rd Edition® (2000)
Control Objectives for Net Centric Technology (CONCT©) (1999)
Digital Signatures—Security and Controls (1999)

ERP Series:
Security, Audit and Control Features PeopleSoft®: A Technical and Risk Management Reference Guide (2004)
Security, Audit and Control Features Oracle® Applications: A Technical and Risk Management Reference Guide (2003)
Security, Audit and Control Features SAP® R/3®: A Technical and Risk Management Reference Guide (2002)

E-commerce Security Series:
Securing the Network Perimeter (2002)
Business Continuity Planning (2002)
Trading Partner Authentication, Registration and Enrollment (2000)
Public Key Infrastructure (2001)
A Global Status Report (2000)
Enterprise Best Practices (2000)

Web Postings (www.isaca.org/research)
Enterprise Identity Management: Managing Secure and Controllable Access in the Extended Enterprise Environment (2004)
Introduction to Voice-over IP Technology (2004)
Peer-to-peer Networking Security and Control (2003)


Future Publications
Cybercrime: Incident Response and Digital Forensics
The research describes the threat posed by cybercrime and discusses the increase in incidents. The publication will also provide an analysis of the types of risk and guidelines to prevent, detect and respond appropriately. It will highlight the new partnerships and initiatives between the US government and the IT industry, and the strategies that could mitigate the potential risks.

Linux Security and Control Requirements
The project studies the Linux security issues for one of the more popular versions of Linux: Red Hat 7.2. A technical security configuration table will be included, which could be used as a standard reference by security administrators, security professionals and IS auditors. The publication will provide guidance to IT management in the areas of identification of vulnerabilities of the Linux operating system, a detailed checklist giving the best practices to be followed, deployment of Linux on different hardware platforms, and comparison of the security features of major Linux distributions. The publication will address risk management issues with an action-oriented perspective.

Security Awareness—Best Practice to Serve Your Enterprise
Today, from the most senior executive to junior staff, all have a role to play in the protection of the enterprise’s information assets. Awareness of the risks and available safeguards is the first line of defence. Information systems and networks can be affected by internal and external risks, and everyone must understand that security failures may significantly harm those systems and the information under their control, as well as their interdependencies. Additionally, the increased regulatory pressure of the European Data Protection Directive, Sarbanes-Oxley, HIPAA and others is requiring organisations to implement formal security policies. The education of employees is certainly a frontline defence for adherence and proper implementation. This research publication will provide the steps needed to implement an awareness effort and to build concurrence of other departments, and will provide baselines, maturity levels and control objectives. A security awareness self-assessment programme and a case study will be included.


Information Security Governance: Top Actions for Security Managers
Information Security Governance: Guidance for Boards of Directors and Executive Management, published by ITGI in 2001, provides a background as to why information security is important. Its focus is on what the board and senior management should do to fit information security within the governance framework. Information Security Governance: Top Actions for Security Managers furthers that research by taking the list of questions and creating specific actions for information security managers and CISOs. It will address:
• Uncovering the information security issues in an enterprise from a business and management perspective
• Dealing with management’s perception of information security and security risk management issues
• Positioning information security as a component of IT and business governance
• Establishing what is required to ensure that information security governance is successfully implemented within the enterprise

IT Governance Domains—Practices and Competencies
The IT Governance Institute is conducting a survey of executives around the globe. An in-depth personal interview is being held with 200 IT directors and managers for feedback on the following five domains:
• Value delivery—Obtaining a return on IT investments
• Performance measurement
• Risk management
• IT alignment—IT strategy committees
• Managing IT resources—Outsourcing
