2. Contents
Overview of security standards
Type of standards
List of standards
Quick insight to each standard
Conclusions
Gary Gaskell, 3 May 2001
3. Types of Standards
Risk based
Management
Technical
Lightweight
Thorough
System-wide focus
Product focus
Assurance based
Prescriptive controls
Checklists
4. Security Standards - Pick One!
AS/NZS 4444 (BS 7799, ISO 17799)
US TCSEC (Rainbow series)
ITSEC (Europe)
Common Criteria (ISO 15408)
IETF Site Security Handbook (RFC 2196)
Vendor handbooks and checklists, B.S.I., SANS
Website certification services
SAS-70
5. AS/NZS 4444
Information Security Management Standard
Part 1 - 1999
Part 2 - 2000
JANZAS
Based on BS7799
BS7799 based on industry practice - Shell Oil etc
6. AS 4444
Good internal security management
Information Security Management System
Explicit Target - trusted interconnection
Catalogue of controls
Recommended baselines
Risk based assessments
7. AS4444 Controls
Security policy
Security organisation
Asset classification and control
Personnel security
Physical and environmental security
Communications and operations management
Access control
Systems development and maintenance
Business continuity management
Compliance
8. TCSEC
Trusted Computer Security Evaluation
Criteria - 1983
US Government specification
“Orange book” and “Rainbow series”
Origin of C2, B1, B3 etc
Functionality & Assurance tightly coupled
Superseded but still in use
9. ITSEC
Information Technology Security
Evaluation Criteria - 1991
UK, France, Germany & The Netherlands
Used by Australia
System and product use
http://www.dsd.gov.au/infosec/aisep/EPL/prod.html
Superseded but still in use
10. Common Criteria
Common Criteria for Information
Technology Security Evaluation - 1999
ISO 15408 (CC v 2.1)
Merge of TCSEC & ITSEC
Emerging standard
Assurance level separate from functionality level
Mutual recognition agreement - 13 countries
11. RFC 2196
IETF Site Security Handbook
Developed by CERT/CC of the CMU
Response oriented
Good practical advice
Explicit about system hardening and patch installation
12. Vendor Checklists
SGI
Compaq/Digital
Sun Microsystems (Blue prints)
AIX (redbooks)
Microsoft
Apache
Oracle
13. Vendor Checklists - Continued
Explicit and specific
Good for specification in designs or outsourcing
“How to” oriented
Sometimes too light
14. Third Party Vendor Checklists
AusCERT/CERT Unix security checklist
Windows NT 4 NSA/Trusted Systems checklist (http://www.trustedsystems.com)
Windows 2000 security checklist (http://www.systemexperts.com)
Books - e.g. Practical Unix and Internet Security - Spafford & Garfinkel
15. BSI
Bundesamt fuer Sicherheit in der Informationstechnik
http://www.bsi.de/gshb/english/etc/inhalt.htm
IT Baseline Protection Manual
More practical than other government attempts
16. SANS
System and Network Security
http://www.sans.org
Advice on policy and controls
Training (& certification?)
Checklists
Vulnerability service
18. SAS-70
Statement on Auditing Standards
American Institute of Certified Public Accountants
Formal audit standard - background of financial audits
Two levels
Type I - inspection of key areas
Type II - testing of effectiveness of controls
19. Miscellaneous
IS 18 - Qld Government
VISA - security for merchants sites
NIST - FIPS 102
US - HIPAA
OECD - Guidelines for the Security of Information Systems
ISO 13335 - Guidelines for the Management of IT Security
20. Miscellaneous - continued
System Security Engineering Capability Maturity Model (SSE-CMM) - International Systems Security Engineering Association (ISSEA)
CoBIT - “IT Governance” - AICPA