standards and so the text is not to be used for commercial purposes, gain or as a source of profit. Any changes to the slides or incorporation in

Transcription

1 ISO/IEC JTC 1/SC 27/WG 4 IT Security Controls and Services M. De Soete, ISO/IEC JTC 1 SC27 Vice Chair copyright ISO/IEC JTC 1/SC 27, This is an SC27 public document and is distributed as is for the sole purpose of awareness and promotion of SC 27 standards and so the text is not to be used for commercial purposes, gain or as a source of profit. Any changes to the slides or incorporation in other documents / presentations requires prior permission of the ISO/IEC JTC 1 SC27 Secretariat (krystyna.passia@din.de)

2 Mission i (1) Security controls o and services Developing and maintaining International Standards, Technical Specifications and Technical Reports for information security in the area of Security Controls and Services Assist organizations in the implementation of the ISO/IEC series of Information Security Management Systems (ISMS) International Standards and Technical Reports copyright ISO/IEC JTC 1/SC 27, This is an SC27 public document and is distributed as is for the sole purpose of awareness and promotion of SC 27 standards and so the text is not to be used for commercial purposes, gain or as a source of profit. Any changes to the slides or incorporation in other documents / presentations requires prior permission of the ISO/IEC JTC 1 SC27 Secretariat (krystyna.passia@din.de)

3 Mission i (2) Security controls and services The scope of WG4 also includes evaluating and developing International Standards for addressing existing and emerging information security issues and needs and other security aspects that resulted from the proliferation and use of ICT and Internet related technology in organizations (such as multi-nationals corporations, SMEs, government departments, and non-profit organisations) copyright ISO/IEC JTC 1/SC 27, This is an SC27 public document and is distributed as is for the sole purpose of awareness and promotion of SC 27 standards and so the text is not to be used for commercial purposes, gain or as a source of profit. Any changes to the slides or incorporation in other documents / presentations requires prior permission of the ISO/IEC JTC 1 SC27 Secretariat (krystyna.passia@din.de)

4 Security and Privacy Topic Areas Information security and privacy governance WG 1 WG 2 WG 3 WG 4 WG 5 Econo omics of inform mation securit y and privacy Information security management system (ISMS) requirements, methods and processes Security controls (including application and sector specific e.g. Cloud, Telecoms, Energy, FInance), codes of practice, frameworks Security controls & services (including application specific e.g. Cloud), IT network security, 3 rd party services, IDS, incident id management, cyber security, application security, disaster recovery, forensics Privacy controls and identity management methods (including application specific e.g. cloud), techniques, frameworks, biometric information protection, biometric i authentication Cryptographic and security mechanisms and technologies t nd auditing Management certification a d methods for Systems Accreditation, uirements and A requ es, vices ting, Processe (products, de roducts) valuation, Test Specification d system of pr Security Ev Methods and an copyright ISO/IEC JTC 1/SC 27, This is an SC27 public document and is distributed as is for the sole purpose of awareness and promotion of SC 27 standards and so the text is not to be used for commercial purposes, gain or as a source of profit. Any changes to the slides or incorporation in other documents / presentations requires prior permission of the ISO/IEC JTC 1 SC27 Secretariat (krystyna.passia@din.de)

5 Domains Security incidentsid System and system life cycle security

6 Security incidents Management Detection Investigation Recovery

7 System and system life cycle security Acquisition and supply Security related to storage Security related to processing Security related to communication

8 WG4 Published Standards Standard Title Status Abstract ISO/IEC TR Guidelines for the use and management of Trusted Third Party services ISO/IEC ISO/IEC Security information objects for access control Specification of TTP services to support the application of digital signatures ISO/IEC IT network security Part 4: Securing remote access ISO/IEC Selection, deployment and operations of intrusion detection systems 1 st Ed Provides guidance for the use and management of Trusted Third Party (TTP) services, a clear definition of the basic duties and services provided, their description and their purpose, and the roles and liabilities of TTPs and entities using their services. 1 st Ed Provides object definitions that are commonly needed in security standards to avoid multiple and different definitions of the same functionality. 1 st Ed Defines the services required to support the application of digital signatures for non repudiation of creation of a document. 1 st Ed Provides guidance for securely using remote access and its implication for IT security. In this it introduces the different types of remote access including the protocols in use, discusses the authentication issues related to remote access and provides support when setting up remote access securely. 1 st Ed (Being revised by ISO/IEC 27039) Provides guidelines to assist organizations in preparing to deploy Intrusion Detection System (IDS). In particular, it addresses the selection, deployment and operations of IDS. copyright ISO/IEC JTC 1/SC 27, This is an SC27 public document and is distributed as is for the sole purpose of awareness and promotion of SC 27 standards and so the text is not to be used for commercial purposes, gain or as a source of profit. Any changes to the slides or incorporation in other documents / presentations requires prior permission of the ISO/IEC JTC 1 SC27 Secretariat (krystyna.passia@din.de)

9 WG4 Published Standards Standard Title Status Abstract ISO/IEC ISO/IEC ISO/IEC ISO/IEC Guidelines for ICT readiness for business continuity Guidelines for cybersecurity Information security incident management Guidelines for the identification, collection, acquisition and preservation of digital evidence 1 st Ed Describes the concepts and principles ICT readiness for business continuity, and provides a framework of methods and processes to identify and specify all aspects for improving an organizationʹs ICT readiness e to ensure e business continuity. 1 st Ed Provides guidance for improving the state of Cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains. It covers the baseline security practices for stakeholders in the Cyberspace. 1 st Ed (Currently under revision) Provides a structured and planned approach to detect, report and assess information security incidents; respond to and manage information security incidents; detect, assess and manage information security vulnerabilities; and continuously improve information security and incident management. 1 st Ed Guidelines for specific activities in the handling of digital evidence that can be of evidential value. It provides guidance to individuals with respect to common situations encountered throughout the digital evidence handling process and assists organizations in their disciplinary procedures and in facilitating the exchange of potential digital evidence between jurisdictions.

10 WG4 Published Standards Standard Title Status Abstract ISO/IEC Network Security Part 1: Overview and concepts ISO/IEC Network Security Part 2: Guidelines for the design and implementation of network security ISO/IEC Network Security Part 3: Reference networking scenarios Risks, design techniques and control issues ISO/IEC Network security Part 4: Securing communications between networks using security gateways ISO/IEC Network security Part 5: Securing communications across networks using VPNs 1 st Ed (Currently under revision) Provides an overview of network security and related definitions. It defines and describes the concepts associated with, and provides management guidance on, network security. Overall, it provides an overview of the ISO/IEC series and a road map to all other parts. 1 st Ed Provides guidelines for organizations to plan, design, implement and document network security. 1 st Ed Describes the threats, design techniques and control issues associated with reference network scenarios. For each scenario, it provides detailed guidance on the security threats and the security design techniques and controls required to mitigate the associated risks. 1 st Ed. (To be published) Gives guidance for securing communications between networks using security gateways in accordance with a documented information security policy of the security gateways. 1 st Ed Gives guidelines for the selection, implementation and monitoring of the technical controls necessary to provide network security using VPN connections to interconnect networks and connect remote users to networks.

11 WG4 Published Standards Standard Title Status Abstract ISO/IEC Application security Part 1: Overview and concepts ISO/IEC ISO/IEC ISO/IEC ISO/IEC TR Information security for supplier relationships Part 1: Overview and concepts Information security for supplier relationships Part 3: Guidelines for ICT supply chain security Specification for digital redaction Best practice on the provision and use of time stamping services 1 st Ed ISO/IEC provides guidance to assist organizations in integrating security into the processes used for managing their applications. This International Standard presents an overview of application security. It introduces definitions, concepts, principles and processes involved in application security. 1 st Ed. (To be published) Provides an overview of the guidance intended to assist organizations in securing their information and information systems within the context of supplier relationships. It addresses perspectives of both acquirers and suppliers. 1 st Ed Provides product and service acquirers and suppliers in ICT supply chain. 1 st Ed. (To be published) Specifies characteristics of techniques for performing digital redaction on digital documents. It also specifies requirements for software redaction tools and methods of testing that digital redaction has been securely completed. ltd 1 st Ed This Technical Report explains how to provide and use timestamping services so that time stamp tokens are effective when used to provide timeliness and data integrity services, or nonrepudiation services (in conjunction with other mechanisms). It covers time stamp services, explaining how to generate, renew, and verify time stamp tokens.

12 Under development Security Incidents x - Information security incident management o Part 1 Principles, Part 2 Guidelines to plan and prepare for incident response, Part 3 Guidelines for incident response operations Guidelines for the analysis and interpretation of digital evidence Incident investigation principles and processes Guidelines for security information and event management (SIEM)

13 Under development System / System Life Cycle Security Storage Security Information security for supplier relationships Guidelines for security of cloud services Application security Application security management process Application security Protocols and application security controls data structure Network security Securing wireless IP network access

14 Collaboration with ETSI ISG ISI Liaison on standards under development o (guidelines for security information and event management (SIEM) o (information security incident management) Works are complementary o WG 4 is more focusing on policy and strategic aspects o ETSI ISG ISI more on operational aspects and detail indicators Establishment of a cat. C liaison o Jan de Meer is the liaison officer

15 Further information