Information Security Standards

Gary Gaskell
© 2001

Contents


 Overview of security standards
 Type of standards
 List of standards
 Quick insight to each standard
 Conclusions

Gary Gaskell, 3 May 2001

Types of Standards

 Risk based
 Management
 Technical
 Lightweight
 Thorough
 System-wide focus
 Product focus
 Assurance based
 Prescriptive controls
 Checklists




Security Standards - Pick One!

 AS/NZS 4444 (BS 7799, ISO 17799)
 US TCSEC (Rainbow series)
 ITSEC (Europe)
 Common Criteria (ISO 15408)
 IETF Site Security Handbook (RFC 2196)
 Vendor handbooks and checklists, B.S.I., SANS
 Website certification services
 SAS-70

AS/NZS 4444

 Information Security Management Standard
 Part 1 - 1999
 Part 2 - 2000
 JANZAS
 Based on BS7799
 BS7799 based on industry practice - Shell Oil etc.

AS 4444

 Good internal security management
 Information Security Management System
 Explicit Target - trusted interconnection
 Catalogue of controls
 Recommended baselines
 Risk based assessments

AS4444 Controls

 Security policy
 Security organisation
 Asset classification and control
 Personnel security
 Physical and environmental security
 Communications and operations management
 Access control
 Systems development and maintenance
 Business continuity management
 Compliance

TCSEC

 Trusted Computer System Evaluation Criteria - 1983
 US Government specification
 “Orange book” and “Rainbow series”
 Origin of C2, B1, B3 etc
 Functionality & Assurance tightly coupled
 Superseded but still in use

ITSEC

 Information Technology Security Evaluation Criteria - 1991
 UK, France, Germany & The Netherlands
 Used by Australia
 System and product use
 http://www.dsd.gov.au/infosec/aisep/EPL/prod.html
 Superseded but still in use

Common Criteria

 Common Criteria for Information Technology Security Evaluation - 1999
 ISO 15408 (CC v 2.1)
 Merge of TCSEC, ITSEC & the Canadian CTCPEC
 Emerging standard
 Assurance level separate from functionality level
 Mutual recognition agreement - 13 countries

RFC 2196

 IETF Site Security Handbook
 Developed by CERT/CC of CMU
 Response oriented
 Good practical advice
 Explicit about system hardening and patch installation

Vendor Checklists

 SGI
 Compaq/Digital
 Sun Microsystems (Blueprints)
 AIX (Redbooks)
 Microsoft
 Apache
 Oracle

Vendor Checklists - Continued

 Explicit and specific
 Good for specification in designs or outsourcing
 “how to” oriented
 Sometimes too light

Third Party Vendor Checklists

 AusCERT/CERT Unix security checklist
 Windows NT 4 NSA/Trusted Systems checklist (http://www.trustedsystems.com)
 Windows 2000 security checklist (http://www.systemexperts.com)
 Books - e.g. Practical Unix and Internet Security - Spafford & Garfinkel

BSI

 Bundesamt für Sicherheit in der Informationstechnik
 http://www.bsi.de/gshb/english/etc/inhalt.htm
 IT Baseline Protection Manual
 More practical than other government attempts

SANS

 SysAdmin, Audit, Network, Security
 http://www.sans.org
 Advice on policy and controls
 Training (& certification ?)
 Checklists
 Vulnerability service

Website Certification Programs

 TruSecure (ICSA/TruSecure)
 WebTrust
 beTRUSTed (PwC)
 SysTrust (AICPA)
 Others?

SAS-70

 Statement on Auditing Standards No. 70
 American Institute of Certified Public Accountants
 Formal audit standard - background of financial audits
 Two levels
   Type I - inspection of key areas at a point in time
   Type II - testing of the effectiveness of controls over a period

Miscellaneous

 IS 18 - Qld Government
 VISA - security for merchant sites
 NIST - FIPS 102
 US - HIPAA
 OECD - Guidelines for the Security of Information Systems
 ISO 13335 - Guidelines for the Management of IT Security

Miscellaneous - continued

 System Security Engineering Capability Maturity Model (SSE-CMM) - International Systems Security Engineering Association (ISSEA)
 CoBIT - “IT Governance” - ISACA / IT Governance Institute

Conclusions



 Great choice of standards
 None are a full solution





Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Standards

  • 1. Information Security Standards. Gary Gaskell © 2001
  • 2. Contents: Overview of security standards; Types of standards; List of standards; Quick insight into each standard; Conclusions. Gary Gaskell, 3 May 2001
  • 3. Types of Standards: Risk based; Management; Technical; Lightweight; Thorough; System-wide focus; Product focus; Assurance based; Prescriptive controls; Checklists
  • 4. Security Standards - Pick One!: AS/NZS 4444 (BS 7799, ISO 17799); US TCSEC (Rainbow series); ITSEC (Europe); Common Criteria (ISO 15408); IETF Site Security Handbook (RFC 2196); Vendor handbooks and checklists, B.S.I., SANS; Website certification services; SAS-70
  • 5. AS/NZS 4444: Information Security Management Standard; Part 1 - 1999; Part 2 - 2000; JANZAS; Based on BS7799; BS7799 based on industry - Shell Oil etc.
  • 6. AS 4444: Good internal security management; Information Security Management System; Explicit target - trusted interconnection; Catalogue of controls; Recommended baselines; Risk based assessments
  • 7. AS4444 Controls: Security policy; Security organisation; Asset classification and control; Personnel security; Physical and environmental security; Communications and operations management; Access control; Systems development and maintenance; Business continuity management; Compliance
  • 8. TCSEC: Trusted Computer Security Evaluation Criteria - 1983; US Government specification; "Orange Book" and "Rainbow series"; Origin of C2, B1, B3 etc.; Functionality & assurance tightly coupled; Superseded but still in use
  • 9. ITSEC: Information Technology Security Evaluation Criteria - 1991; UK, France, Germany & The Netherlands; Used by Australia; System and product use; http://www.dsd.gov.au/infosec/aisep/EPL/prod.html; Superseded but still in use
  • 10. Common Criteria: Common Criteria for Information Technology Security Evaluation - 1999; ISO 15408 (CC v2.1); Merge of TCSEC & ITSEC; Emerging standard; Assurance level separate from functionality level; Mutual recognition agreement - 13 countries
  • 11. RFC 2196: IETF Site Security Handbook; Developed by CERT/CC of CMU; Response oriented; Good practical advice; Explicit about system hardening and patch installation
  • 12. Vendor Checklists: SGI; Compaq/Digital; Sun Microsystems (Blueprints); AIX (Redbooks); Microsoft; Apache; Oracle
  • 13. Vendor Checklists - Continued: Explicit and specific; Good for specification in designs or outsourcing; "How to" oriented; Sometimes too light
  • 14. Third Party Vendor Checklists: AusCERT/CERT Unix security checklist; Windows NT 4 NSA/Trusted Systems checklist (http://www.trustedsystems.com); Windows 2000 security checklist (http://www.systemexperts.com); Books - e.g. Practical Unix and Internet Security - Spafford & Garfinkel
  • 15. BSI: Bundesamt fuer Sicherheit in der Informationstechnik; http://www.bsi.de/gshb/english/etc/inhalt.htm; IT Baseline Protection Manual; More practical than other government attempts
  • 16. SANS: System and Network Security; http://www.sans.org; Advice on policy and controls; Training (& certification?); Checklists; Vulnerability service
  • 17. Website Certification Programs: TruSecure (ICSA/TruSecure); WebTrust; beTRUSTed (PwC); SysTrust (AICPA); Others?
  • 18. SAS-70: Statement on Auditing Standards; American Institute of Certified Public Accountants; Formal audit standard - background of financial audits; Two levels: Type I - inspection of key areas; Type II - testing of effectiveness of controls
  • 19. Miscellaneous: IS 18 - Qld Government; VISA - security for merchant sites; NIST - FIPS 102; US - HIPAA; OECD - Guidelines for the Security of Information Systems; ISO 13335 - Guidelines for the Management of IT Security
  • 20. Miscellaneous - continued: System Security Engineering Capability Maturity Model (SSE-CMM) - International Systems Security Engineering Association (ISSEA); CoBIT - "IT Governance" - AICPA
  • 21. Conclusions: Great choice of standards; None are a full solution