
ISO 17799

Provides a common basis and practical guidelines for information security (IS)

Each section includes 4 categories:
Objectives
Controls to achieve objective
Implementation guidelines
Other information
Some believe the model is flawed:
No justification for the specified code of practice
Model can’t measure precisely enough
No reason why the model is better than others
Model not as complete as other models
Perceived as having been hurriedly prepared
To measure how well a company adheres, use the SANS SCORE audit checklist
11 sections:
Security policy
Organization of InfoSec
Asset Management
HR Security
Physical and Environmental security
Communications and Operations management
Access Control
Information Systems Acquisition, Development and Maintenance
Information Security Incident Management
Business Continuity management
Compliance
With legal requirements
With security policies and standards
Technical compliance, with information systems audit considerations

ISO 27001
Provides implementation details using the Plan-Do-Check-Act cycle
Major sections include:
Introduction
Scope
Terms and definitions
ISMS
Management responsibility
Management review
ISMS improvement

Proposed use:
Use within a company to formulate security requirements and objectives
Manage risks cost-effectively
Ensure compliance with laws
Use to implement and maintain controls that achieve security objectives

NIST Security Models

NIST has 2 advantages:
No charge
Available for a long time, so broadly reviewed by government and industry professionals

5 publications:
SP800-12
Computer Security Handbook
Reference guide for routine management of IS
Controls in 3 categories:
Management Controls
Operation Controls
Technical Controls

SP800-14
Best practices for security
Key points:
Security supports the mission of the company
Security is integral to sound management
Security should be cost-effective
System owners have security responsibilities outside their own company
Accountability and responsibility should be made explicit
Security needs a comprehensive and integrated approach
Security should be periodically assessed
Security is constrained by societal factors
Principles:
Establish security policy as foundation for design
Treat security as integral part of system design
Clearly define physical and logical boundaries
Reduce risk to acceptable level
Assume external systems are insecure

SP800-18
Guide for developing security plans
Has methods for controls and plans
Has templates for major security plans

SP800-26
Security Self-Assessment Guide for IT systems

SP800-30
Risk Management Guide for IT systems
Has definitions and practical guidance

Site Security Handbook discusses security issues along with development and implementation details
Covers security policies, technical security architecture, services and incident handling

COBIT provides control objectives and control advice in 4 domains:
Plan and Organise – recommendations for achieving goals via IT
Acquire and Implement – focuses on specific requirements:
Acquire needed components
Integrate components
Examine maintenance and change requirements
Deliver and Support:
Deliver system functionality and use to end users
Examine system applications’ input, processing and output
Examine efficiency of processes
Monitor and Evaluate:
Compare IT system usage with organizational strategy
Identify regulatory controls that need IT systems
How effective IT systems are against the organization’s control processes
IT resources are managed by IT processes to achieve IT goals that respond to business requirements

Baselining is comparing security activities and events against the company’s future performance
Can provide a foundation for internal benchmarking

Metrics enable a company to measure the effort needed to meet infosec objectives

Participants in the C&A Process

Designated Approving Authority
Has authority to approve the system
Conducts an independent evaluation of the system
Program Manager
Represents the interests of the system
Responsible for day-to-day system security
Ensures system compliance

Security Management Practices

2 categories of benchmarks:
Standards of due care/diligence
Best Practices
Gold Standard
Balances access needs with protection
Selecting best practices can be challenging
In industries regulated by government, government guidelines are often requirements

When choosing a best practice, check whether the source business:

Resembles the target business
Is in a similar industry as the target
Faces similar challenges
Has the same business structure
Expends similar resources
Has a similar threat environment
Microsoft Best Practices:
Use antivirus
Strong passwords
Verify software security settings
Update product security
Personal firewalls
Back up early and often
Protect against power surges and loss

Problem with benchmarking

Companies keep successful attacks secret

Benefits of Certification and Accreditation

More consistent, repeatable and comparable certification
More complete, reliable information
Better understanding of IT systems and risk – better decisions
Greater availability of competent security assessment services
More secure IT systems within the federal government
3-step control selection:
Characterize the system
Select minimum security controls
Adjust controls based on system exposure and risk decision
Planned certification levels:
Level 1: entry level, low priority
Chapter 7

Compile Inventory
Once the inventory is compiled, decide whether the asset categories are meaningful

Threat Identification and Vulnerability Identification process

Identify and prioritise threats
