
ISO/IEC 17799
The New International Standard for Information Security Management

Caroline Hamilton
RiskWatch, Inc.
With assistance from:
Mike Nash, Gamma Secure Systems Ltd
Camberley, United Kingdom
IMPORTANCE OF STANDARDS
Examples from America's past include:
Railroad Tracks
Shoe Sizing
FOUNDING OF NIST (as the National Bureau of Standards) - 1901
At that time, the United States had few, if any,
authoritative national standards for any quantities or
products. What it had was a patchwork of locally and
regionally applied standards, often arbitrary, that
were a source of confusion in commerce. It was
difficult for Americans to conduct fair transactions or
get parts to fit together properly. Construction
materials were of uneven quality, and household
products were unreliable. Few Americans worked as
scientists, because most scientific work was based
overseas.

The Baltimore Fire of 1904
The need for standards was dramatized in 1904,
when more than 1,500 buildings burned down in
Baltimore, Md., because of a lack of standard fire-
hose couplings. When firefighters from Washington
and as far away as New York arrived to help douse
the fire, few of their hoses fit the hydrants. NIST had
collected more than 600 sizes and variations in fire-
hose couplings in a previous investigation and, after
the Baltimore fire, participated in the selection of a
national standard.

Competing Standards
US Government: NIST standards
BS 7799 / ISO/IEC 17799 standard
International Standards
International Standards in Information Security are developed by the Security Techniques Committee, ISO/IEC JTC 1 SC 27.
Three working groups:
WG 1 - Security Management
WG 2 - Security Algorithms/Techniques
WG 3 - Security Assessment/Evaluation
This includes responsibility for ISO/IEC 17799 (BS 7799), the main topic for today.
History
SC 27 formed in 1990
Replaced a previous ISO/IEC security committee which was failing to make progress
Scope originally excluded standardisation of algorithms (now relaxed)

Membership
Members of SC 27 are National Standards Bodies, either Participating or Observing
Also liaisons from other standards-making bodies or committees
Working Groups are composed of experts nominated by National Bodies
Up to 200 participating experts

Participating Members
SAI Australia KATS Korea, Rep of
IBN Belgium DSM Malaysia
ABNT Brazil NEN Netherlands
SCC Canada NTS/IT Norway
CSBTS/CESI China PKN Poland
CSNI Czech Rep GOST R Russian Fed
DS Denmark SABS South Africa
SFS Finland AENOR Spain
AFNOR France SIS Sweden
DIN Germany SNV Switzerland
MSZT Hungary BSI UK
BIS India DSTU Ukraine
UNINFO Italy ANSI USA 9
Adoption of New Standard
Australia/New Zealand: AS/NZS ISO/IEC 17799:2000
The primary information security standard in Australia was AS4444, and in New Zealand NZS4444. These have been replaced by the new international standard, ISO/IEC 17799. See Standards Australia OnLine at http://www.standards.com.au.
Observers
ASRO Romania ON Austria
DSN Indonesia PSB Singapore
EVS Estonia SII Israel
IPQ Portugal SNZ New Zealand
IRAM Argentina SUTN Slovakia
NSAI Ireland SZS Yugoslavia

WG 2 Security Techniques
There are International Standards (IS) and Working Drafts (WD) for:
Encryption (WD 18033)
Modes of Operation (IS 8372)
Message Authentication Codes (IS 9797)
Entity Authentication (IS 9798)
Non-repudiation Techniques (IS 13888)
Digital Signatures (IS 9796, IS 14888)
Hash Functions (IS 10118)
Key Management (IS 11770)
Elliptic Curve Cryptography (WD 15946)
Time Stamping Services (WD 18014)
Other Standards
US Government Standards (FIPS - Federal Information Processing Standards):
Data Encryption Standard (DES) (FIPS 46)
Advanced Encryption Standard (AES) (FIPS 197)
Proprietary Standards:
e.g. RSA (the Rivest-Shamir-Adleman algorithm)

WG 3 Security Evaluation
Third Party Evaluation: criteria for an independent body to form an impartial and repeatable assessment of the presence, correctness and effectiveness of security functionality
Common Criteria (CC) (IS 15408)

Common Criteria
Produced by a consortium of Government bodies in North America / European Union, mainly national security agencies
Influenced by the International Standardisation committee
Adopted as International Standard 15408
Adopted and recognised by other major Governments: all EU, Australia, Japan, Russia
Replaces the Orange Book (US) and ITSEC (EU)
Content of CC
Part 1 Introduction and General Model
Part 2 Functional Components
Part 3 Assurance Components
Related standards:
Protection Profile Registration Procedures (IS 15292)
Framework for Assurance (WD 15443)
Guide on Production of Protection Profiles (WD 15446)
Security Evaluation Methodology (WD 18045)
Relevance of CC
The Common Criteria and its predecessors (Orange Book, ITSEC) raised the level and reliability of security functionality found in standard products:
Operating Systems, Databases, Firewalls
Important for major product vendors
Important for high-risk Government systems
Important for Smart Cards
Irrelevant to everyone else
Why?
Common Criteria is complex
Evaluation is complex and time consuming
Limited number of approved Evaluation Facilities
Expensive
Inflexible
Money is usually better spent improving security
WG 1 Security Management
Two key standards:
Guidelines for the Management of IT Security (GMITS) (TR 13335)
Code of Practice for Information Security Management (IS 17799)
Other standards:
Guidelines on the use and management of trusted third parties (TR 14516)
Guidelines for implementation, operation and management of Intrusion Detection Systems (WD 18043)
Guidelines for security incident management (WD 18044)
GMITS and 17799
GMITS was developed by ISO/IEC JTC 1 SC 27 (the standards committee)
IS 17799 is (almost) identical to BS 7799-1
BS 7799-1 was the most widely purchased security standard worldwide
Officially, there is no overlap between the two
This is rubbish
GMITS is dying:
Its scope is IT security, not Information Security
It is only a TR (Technical Report), not an International Standard
The editors of GMITS are moving to work on 17799
ISO/IEC 17799 and BS 7799-2
IS 17799 is a catalogue of good things to do
BS 7799 Part 2 is a specification for an ISMS (Information Security Management System)
ISMS compliance can be independently assessed

What is an ISMS?

ISO/IEC 17799 Layout
10 Major Headings
36 Objectives
127 Major Controls
Several thousand pieces of guidance

The 10 Major Headings
Security Policy
Security Organisation
Asset Classification and Control
Personnel Security
Physical and Environmental Security
Communications and Operations Management
Access Control
Systems Development and Maintenance
Business Continuity Management
Compliance
Security Objectives
Each of the 10 Major Headings is broken down into objectives. For example, Physical and Environmental Security has three:
Secure Areas
Equipment Security
General Controls
Security Controls
Each objective is in turn broken down into controls. For example, the Equipment Security objective (under Physical and Environmental Security) contains:
Siting
Power Supplies
Cabling
Maintenance
Off-premises
Disposal/reuse
ISO/IEC 17799
A standard for Information Security Management
Very wide acceptance
Based on British Standard BS 7799
Replaced Part 1 of BS 7799
Part 2 of BS 7799 still exists and is current
Part 2 describes how to build and assess a security management system
National equivalents to BS 7799-2 exist in most developed countries, except North America
BS 7799-2
ISMS Requirements:
Scope
Security Policy
Risk Assessment
Statement of Applicability
Develop/maintain the ISMS
Documentation
ISO/IEC 17799 Controls (in imperative format)
Complying with BS 7799-2
Security Policy
Risk Assessment
Statement of Applicability
Management System

Security Policy
The policy should address:
Scope
Confidentiality
Integrity
Availability
Accountability
Assets
Risk Assessment
Regulatory/Legal requirements

Risk Assessment
Asset + Threat + Vulnerability -> RISK
(a risk exists where a threat can exploit a vulnerability in an asset)
Statement of Applicability
Identifies the actual security controls selected
Must consider all controls listed in BS 7799-2: each is included or excluded, with justification
Applicable controls are selected by business and risk analysis

Security Management
The means by which Management monitors and controls security
Requires regular checks that:
Controls are still in place and effective
Residual risks are still acceptable
Assumptions about threats etc. remain valid
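The Risk Assessment, Statement of Applicability and Security Management slides above describe one cycle: score each risk from its asset, threat and vulnerability, decide for every catalogue control whether it is included or excluded and record why, then re-check that the residual risk is still within what management accepts. The Python below is an added worked example of that cycle; it is not code from the presentation, from RiskWatch or from Gamma. The scoring model (product of three 1-5 ratings), the acceptance level of 20, the assets, threats, the "reduction" effectiveness of each control and the sample risk register are all constructed assumptions, and the control clause numbers are illustrative and should be checked against the text of ISO/IEC 17799 itself.

```python
"""Risk assessment -> Statement of Applicability -> residual-risk check.

Added example in the spirit of BS 7799-2; not code from the presentation.
Scores, acceptance level, assets, threats and control effectiveness are constructed.
"""
from dataclasses import dataclass

# Qualitative 1 (low) .. 5 (high) ratings; risk = asset value x threat likelihood
# x vulnerability severity, so the scale runs 1..125. The acceptance level is an
# assumed management decision, not a figure from the standard.
RISK_ACCEPTANCE_LEVEL = 20


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    asset_value: int
    threat_likelihood: int
    vuln_severity: int

    def score(self) -> int:
        return self.asset_value * self.threat_likelihood * self.vuln_severity


@dataclass(frozen=True)
class Control:
    ref: str                   # catalogue reference (illustrative clause numbers)
    heading: str               # one of the 10 major headings of ISO/IEC 17799
    name: str
    mitigates: frozenset       # vulnerabilities this control addresses
    reduction: float           # assumed fraction of vulnerability severity removed


def unacceptable(risks: list) -> list:
    """Risks above the acceptance level, highest first."""
    return sorted((r for r in risks if r.score() > RISK_ACCEPTANCE_LEVEL),
                  key=lambda r: -r.score())


def statement_of_applicability(controls: list, risks: list) -> list:
    """Every catalogue control appears, INCLUDED or EXCLUDED, with a justification."""
    treat = unacceptable(risks)
    soa = []
    for c in controls:
        hits = [r for r in treat if r.vulnerability in c.mitigates]
        if hits:
            status = "INCLUDED"
            why = "treats: " + "; ".join(
                f"{r.threat} -> {r.asset} (score {r.score()})" for r in hits)
        else:
            status = "EXCLUDED"
            related = [r for r in risks if r.vulnerability in c.mitigates]
            why = ("related risk(s) already within acceptance level: " + "; ".join(
                f"{r.threat} -> {r.asset} (score {r.score()})" for r in related)
                if related else "no identified risk that this control would treat")
        soa.append({"ref": c.ref, "heading": c.heading, "name": c.name,
                    "status": status, "justification": why})
    return soa


def residual_risks(controls: list, risks: list) -> dict:
    """Re-score each risk with the INCLUDED controls in place (the 'Check' step)."""
    included = {row["ref"] for row in statement_of_applicability(controls, risks)
                if row["status"] == "INCLUDED"}
    out = {}
    for r in risks:
        severity = float(r.vuln_severity)
        for c in controls:
            if c.ref in included and r.vulnerability in c.mitigates:
                severity *= 1.0 - c.reduction
        out[(r.asset, r.threat)] = round(r.asset_value * r.threat_likelihood * severity, 1)
    return out


def still_unacceptable(controls: list, risks: list) -> dict:
    """Residual risks management must revisit: add controls or accept them explicitly."""
    return {k: v for k, v in residual_risks(controls, risks).items()
            if v > RISK_ACCEPTANCE_LEVEL}


# Constructed sample risk register (not real data).
RISKS = [
    Risk("customer database", "external intrusion", "unpatched DB server", 5, 4, 4),  # 80
    Risk("customer database", "disk failure", "no tested backups", 5, 2, 5),          # 50
    Risk("lobby kiosk", "theft", "unsecured equipment siting", 1, 3, 3),             # 9
    Risk("mail server", "malware", "no anti-malware", 3, 4, 2),                       # 24
]

# Constructed control catalogue; clause numbers are illustrative, not authoritative.
CONTROLS = [
    Control("7.2.1", "Physical and Environmental Security", "Equipment siting and protection",
            frozenset({"unsecured equipment siting"}), 0.5),
    Control("8.3.1", "Communications and Operations Management", "Controls against malicious software",
            frozenset({"no anti-malware"}), 0.6),
    Control("8.4.1", "Communications and Operations Management", "Information back-up",
            frozenset({"no tested backups"}), 0.8),
    Control("9.4.3", "Access Control", "User authentication for external connections",
            frozenset({"unpatched DB server"}), 0.25),
    Control("10.4.1", "Systems Development and Maintenance", "Control of operational software",
            frozenset({"unpatched DB server"}), 0.5),
]

if __name__ == "__main__":
    for row in statement_of_applicability(CONTROLS, RISKS):
        print(f"{row['ref']:7} {row['status']:8} {row['name']}: {row['justification']}")
    print("residual risks still above acceptance level:", still_unacceptable(CONTROLS, RISKS))
```

Two things the slides state but a spreadsheet tends to hide are visible here: the kiosk control is excluded with a recorded justification (the only risk it treats scores 9, already acceptable) rather than silently dropped, and the intrusion risk on the customer database remains at 30 after both selected controls, so the Security Management check fails and management must either add treatment or formally accept the residual.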

Revision of IS 17799
ISO/IEC 17799 was identical in technical content to BS 7799-1:1999
Part of the negotiations for adoption was the initiation of an immediate major revision process
Revision started April 2002
First meeting in Berlin failed to finish its agenda
Lots of fuss over philosophy and definitions, e.g. What is security?
Editors sent away to finish the job
Having difficulty finding enough changes to justify a major revision
Revision of BS 7799-2
BS 7799-2:2002 issued as a draft for comment in March 2002
Aligned with other continuous-review standards (Plan-Do-Check-Act)
Comment period now closed
Final text agreed 10th June 2002
Publication as a British Standard in July 2002

In closing
Information Security Standards matter
Many standards are for a specialist audience
ISO/IEC 17799 is relevant to every security
professional

For more info about ISO 17799
Gamma Secure Systems Ltd
http://www.gammassl.co.uk/

Caroline Hamilton
RiskWatch, Inc.
Chamilton@riskwatch.com
