ISO-IEC 17799 The New International Standard for Information Security Management

Caroline Hamilton RiskWatch, Inc.
With assistance from:

Mike Nash, Gamma Secure Systems Ltd Camberley, United Kingdom

IMPORTANCE OF STANDARDS

Examples from America's past include:

• Railroad tracks
• Shoe sizing

FOUNDING OF NIST - 1901

At that time, the United States had few, if any, authoritative national standards for any quantities or products. What it had was a patchwork of locally and regionally applied standards, often arbitrary, that were a source of confusion in commerce. It was difficult for Americans to conduct fair transactions or get parts to fit together properly. Construction materials were of uneven quality, and household products were unreliable. Few Americans worked as scientists, because most scientific work was based overseas.

THE BALTIMORE FIRE OF 1904

The need for standards was dramatized in 1904, when more than 1,500 buildings burned down in Baltimore, Md., because of a lack of standard firehose couplings. When firefighters from Washington and as far away as New York arrived to help douse the fire, few of their hoses fit the hydrants. NIST had collected more than 600 sizes and variations in firehose couplings in a previous investigation and, after the Baltimore fire, participated in the selection of a national standard.

COMPETING STANDARDS

• US Government – NIST Standards
• BS 7799 – ISO/IEC 17799 Standard

INTERNATIONAL STANDARDS

International Standards in Information Security are developed by the Security Techniques Committee, ISO/IEC JTC 1 SC 27.

Three areas:
• WG 1 – Security Management (the main topic for today; includes responsibility for ISO/IEC 17799 (BS 7799))
• WG 2 – Security Algorithms/Techniques
• WG 3 – Security Assessment/Evaluation

HISTORY

• SC 27 formed in 1990
  – Replaced the previous ISO/IEC security committee, which was failing to make progress
  – Scope excluded standardisation of algorithms (now relaxed)

MEMBERSHIP

• Members of SC 27 are National Standards Bodies
  – Participating or Observing
  – Also liaisons from other standards-making bodies or committees
• Working Groups are composed of experts nominated by National Bodies
  – Up to 200 participating experts

PARTICIPATING MEMBERS

SAI Australia, IBN Belgium, ABNT Brazil, SCC Canada, CSBTS/CESI China, CSNI Czech Rep., DS Denmark, SFS Finland, AFNOR France, DIN Germany, MSZT Hungary, BIS India, UNINFO Italy, KATS Korea (Rep. of), DSM Malaysia, NEN Netherlands, NTS/IT Norway, PKN Poland, GOST R Russian Fed., SABS South Africa, AENOR Spain, SIS Sweden, SNV Switzerland, BSI UK, DSTU Ukraine, ANSI USA

ADOPTION OF NEW STANDARD – AUSTRALIA/NEW ZEALAND

AS/NZS ISO/IEC 17799:2000

The primary information security standard in Australia was AS4444, and in New Zealand was NZS4444. These have been replaced with the new international standard, 17799. See Standards Australia OnLine at http://www.standards.com.au

OBSERVERS

ASRO Romania, DSN Indonesia, EVS Estonia, IPQ Portugal, IRAM Argentina, NSAI Ireland, ON Austria, PSB Singapore, SII Israel, SNZ New Zealand, SUTN Slovakia, SZS Yugoslavia

WG 2 SECURITY TECHNIQUES

There are International Standards for:
– Encryption (WD 18033)
– Modes of Operation (IS 8372)
– Message Authentication Codes (IS 9797)
– Entity Authentication (IS 9798)
– Non-repudiation Techniques (IS 13888)
– Digital Signatures (IS 9796, IS 14888)
– Hash Functions (IS 10118)
– Key Management (IS 11770)
– Elliptic Curve Cryptography (WD 15946)
– Time Stamping Services (WD 18014)

OTHER STANDARDS

• US Government Standards
  – Data Encryption Standard (DES) (FIPS 46)
  – Advanced Encryption Standard (AES) (FIPS 197)
  (FIPS – Federal Information Processing Standard)
• Proprietary Standards
  – e.g. RSA (the Rivest Shamir Adleman algorithm)

WG 3 SECURITY EVALUATION

• Third Party Evaluation
  – Criteria for an independent body to form an impartial and repeatable assessment of the presence, correctness and effectiveness of security functionality
• "Common Criteria" (CC) (IS 15408)

COMMON CRITERIA

• Produced by a consortium of Government bodies in North America / European Union
  – Mainly National Security Agencies
• Influenced by the International Standardisation committee
  – Adopted as International Standard 15408
• Adopted and recognised by other major Governments
  – All EU, Australia, Japan, Russia
• Replaces "Orange Book" (US) and ITSEC (EU)

CONTENT OF CC

• Part 1 – Introduction and General Model
• Part 2 – Functional Components
• Part 3 – Assurance Components
• Related standards:
  – Protection Profile Registration Procedures (IS 15292)
  – Framework for Assurance (WD 15443)
  – Guide on Production of Protection Profiles (WD 15446)
  – Security Evaluation Methodology (WD 18045)

RELEVANCE OF CC

• The Common Criteria and its predecessors (Orange Book, ITSEC) raised the level and reliability of security functionality found in standard products
  – Operating Systems, Databases, Firewalls
• Important for major product vendors
• Important for high-risk Government systems
• Important for Smart Cards
• Irrelevant to everyone else

WHY?

• Common Criteria is complex
• Evaluation is complex and time consuming
• Limited number of approved Evaluation Facilities
  – Expensive
  – Inflexible
• Money is usually better spent improving security

WG 1 SECURITY MANAGEMENT

• Two key standards:
  – Guidelines for Information Security Management (GMITS) (TR 13335)
  – Code of Practice for Information Security Management (IS 17799)
• Other standards:
  – Guidelines on the use and management of trusted third parties (TR 14516)
  – Guidelines for implementation, operation and management of Intrusion Detection Systems (WD 18043)
  – Guidelines for security incident management (WD 18044)

GMITS AND 17799

• GMITS developed by ISO/IEC JTC 1 SC 27 (standards committee)
• IS 17799 is (almost) identical to BS 7799-1
  – BS 7799-1 was the most widely purchased security standard worldwide
• Officially, no overlap
  – This is rubbish
• GMITS is dying
  – Scope is IT security, not Information Security
  – Only a TR (Technical Report)
  – Editors of GMITS are moving to work on 17799

ISO/IEC 17799 AND BS 7799-2

• IS 17799 is a catalogue of good things to do
• BS 7799 Part 2 is a specification for an ISMS (Information Security Management System)
• ISMS compliance can be independently assessed

WHAT IS AN ISMS?

ISO/IEC 17799 LAYOUT

• 10 Major Headings
• 36 Objectives
• 127 Major Controls
• Several Thousand Pieces of Guidance

THE 10 MAJOR HEADINGS

• Security Policy
• Security Organisation
• Asset Classification and Control
• Personnel Security
• Physical and Environmental Security
• Comms and Operational Management
• Access Control
• Systems Development and Maintenance
• Business Continuity Management
• Compliance

SECURITY OBJECTIVES

Each major heading breaks down into objectives; Physical and Environmental Security shown expanded:

• Security Policy
• Security Organisation
• Asset Classification and Control
• Personnel Security
• Physical and Environmental Security
  – Secure Areas
  – Equipment Security
  – General Controls
• Comms and Operational Management
• Access Control
• Systems Development and Maintenance
• Business Continuity Management
• Compliance

SECURITY CONTROLS

Each objective breaks down into controls; the Equipment Security objective shown expanded:

• Security Policy
• Security Organisation
• Asset Classification and Control
• Personnel Security
• Physical and Environmental Security
  – Secure Areas
  – Equipment Security
    • Siting
    • Power Supplies
    • Cabling
    • Maintenance
    • Off-premises
    • Disposal/reuse
  – General Controls
• Comms and Operational Management
• Access Control
• Systems Development and Maintenance
• Business Continuity Management
• Compliance

ISO/IEC 17799  A standard for Information Security Management – Very wide acceptance  Based on British Standard BS 7799 – Replaced Part 1 of BS 7799 – Part 2 of BS 7799 still exists and is current – Part 2 describes how to build and assess a security management system – National equivalents to BS 7799-2 exist in most developed countries – Except North America 27 .

BS 7799-2  ISMS Requirements – – – – – – Scope Security Policy Risk Assessment Statement of Applicability Develop./maintain ISMS Documentation  ISO/IEC 17799 Controls (in imperative format) 28 .

COMPLYING WITH BS 7799-2

• Security Policy
• Risk Assessment
• Statement of Applicability
• Management System

SECURITY POLICY

• Scope
• Confidentiality
• Integrity
• Availability
• Accountability
• Assets
• Risk Assessment
• Regulatory/Legal

RISK ASSESSMENT

Asset + Threat + Vulnerability → RISK

STATEMENT OF APPLICABILITY

• Identifies actual security controls
• Must consider all 7799-2 listed controls
  – Include or exclude with justification
• Select applicable controls by business and risk analysis

SECURITY MANAGEMENT

• The means by which Management monitors and controls security
• Requires regular checks that:
  – Controls are still in place and effective
  – Residual risks are still acceptable
  – Assumptions about threats etc. remain valid

REVISION OF IS 17799

• ISO/IEC 17799 was identical in technical content to BS 7799-1:1999
• Part of the negotiations for adoption was the initiation of an immediate major revision process
• Revision started April 2002
  – First meeting in Berlin failed to finish its agenda
  – Lot of fuss over philosophy and definitions, e.g. "What is security?"
  – Editors sent away to finish the job
  – Having difficulties finding enough changes to justify a major revision

REVISION OF BS 7799-2

• BS 7799-2:2002 issued as draft for comment in March 2002
  – Aligned with other continuous review standards ("Plan-Do-Check-Act")
  – Comment period now closed
• Final text agreed 10th June 2002
• Publication as a British Standard in July 2002

IN CLOSING

• Information Security Standards matter
• Many standards are for a specialist audience
• ISO/IEC 17799 is relevant to every security professional

FOR MORE INFO ABOUT ISO 17799

Gamma Secure Systems Ltd – http://www.gammassl.co.uk/
Caroline Hamilton, RiskWatch, Inc. – Chamilton@riskwatch.com