Module 6: Network and Information Security and Privacy. Session 3: Information Security Methodology. Presenter: Freddy Tan

Transcription

1 Module 6: Network and Information Security and Privacy Session 3: Information Security Methodology Presenter: Freddy Tan

2 Learning Objectives Understanding the administrative, physical, and technical aspects of Information Security Methodology Understanding the information security methods applied in advanced countries

3 Contents Information Security Methodology Administrative aspect Physical aspect Technical aspect ~ Common Criteria Examples by Country United States (NIST) United Kingdom (BS7799) Japan (ISMS Ver. 2.0 (BS7799 Part 2: 2002)) Republic of Korea (ISO/IEC27001 and/or KISA ISMS) Germany (IT Baseline Protection Qualification) Others

4 Administrative aspect ISO/IEC (BS7799) ISO27001 specifies requirements to implement and manage an Information Security Management System (ISMS) and common standards applied to security standards of various organizations and effective security management Domains A5. Security Policy A6. Organization of information security A7. Asset management A8. Human resources security items A9. Physical and environmental security A10. Communications and operations management A11. Access control A12. Information systems acquisition, development and maintenance A13. Information security incident management A14. Business continuity management A15. Compliance Controls in ISO/IEC27001 Source:

5 Administrative aspect ISO/IEC (BS7799) process model ISO/IEC27001 adopts the "Plan-Do-Check-Act" (PDCA) process model, which is applied to structure all ISMS processes PDCA model which is applied to ISMS processes Source: ISO/IEC JTC 1/SC 27

6 Administrative aspect ISO/IEC (BS7799) Gap Analysis The process of measuring the current information security level and establishing the future direction of information security Risk Assessment Risk assessment is divided into the assessment of asset value and assessment of threats and vulnerabilities Application of Controls Decisions are needed to apply the appropriate controls to the differently valued assets. Risks should be divided into acceptable risks and unacceptable risks according to the Degree of Assurance (DoA) criterion.

7 Administrative aspect ISO/IEC (BS7799) Certification Each country has a certification body for ISO/IEC27001 certification. The number of certificates by country is as follows: Number of Certificates per Country country number country number country number Japan 2351 Philippines 12 Vietnam 3 India 382 Switzerland 12 Argentina 2 UK 365 UAE 12 Belgium 2 Taiwan 170 Saudi Arabia 10 Bulgaria 2 China 102 France 10 Denmark 2 Germany 85 Iceland 8 Lithuania 2 Hungary 61 Pakistan 7 Oman 2 Korea 59 Sweden 7 Peru 2 USA 59 Thailand 7 Portugal 2 Australia 53 Greece 6 Qatar 2 Source:

8 Physical Aspect FEMA 426 in the United States FEMA (Federal Emergency Management Agency) 426 is one of the risk management series which is about physical security. FEMA 426 provides guidelines for protecting buildings against terrorist attacks. Related series: FEMA 427: about commercial building FEMA 428: about school FEMA 429: about insurance FEMA 430: about architect FEMA 438: about course

9 Technical Aspect CC (Common Criteria) The CC is an international standard to level security requirements between countries. The CC presents requirements for the IT security of a product or system in the categories of functional requirements and assurance requirements CC certification development process

10 Technical Aspect CC s Security Functional Requirements (SFRs) The SFRs specify all security functions for the TOE (Target of Evaluation) for acquiring CC certification Contents of classes in SFRs FAU FCO FCS FDP FIA Classes Security audit Communication Cryptographic support User data protection Identification and authentication Details Refer to functions that include audit data protection, record format, and event selection, as well as analysis tools, violation alarms, and real-time analysis. Describes requirements specifically of interest for TOEs that are used for the transport of information. Specify the use of Cryptographic key management (FCS_CKM) and Cryptographic operation (FCS_COP). Specifying requirements related to protecting user data Address the requirements for functions to establish and verify a claimed user identity

11 Technical Aspect CC s Security Functional Requirements (SFR) cont d FMT FPR FPT FRU FTA FTP Classes Security management Privacy Protection of the TSF Resource utilization TOE access Trusted path/channels Details Specify the management of several aspects of the TSF (TOE Security Functions): security attributes, TSF data and functions. Describes the requirements that could be levied to satisfy the users' privacy needs, while still allowing the system flexibility as far as possible to maintain sufficient control over the operation of the system. Contains families of functional requirements that relate to the integrity and management of the mechanisms that constitute the TSF and to the integrity of TSF data. Contains the availability of required resources such as processing capability and/or storage capacity Specifies functional requirements for controlling the establishment of a user's session. Provide requirements for a trusted communication path between users and the TSF

12 APE ASE ADV AGD Technical Aspect Security assurance Requirement (SAR) The SAR is that the threats to security and organizational security policy commitments should be clearly articulated and the proposed security measures be demonstrably sufficient for their intended purpose Classes Protection Profile evaluation Security Target evaluation Development Guidance documents Contents of classes in SARs Details Is required to demonstrate that the PP (Protection Profile) is sound and internally consistent, and, if the PP is based on one or more other PPs or on packages, that the PP is a correct instantiation of these PPs and packages. Is required to demonstrate that the ST (Security Target) is sound and internally consistent, and, if the ST is based on one or more PPs or packages, that the ST is a correct instantiation of these PPs and packages. Provide information about the TOE. The knowledge obtained by this information is used as the basis for conducting vulnerability analysis and testing upon the TOE, as described in the AVA and ATE classes (see next slide). For the secure preparation and operation of the TOE it is necessary to describe all relevant aspects for the secure handling of the TOE. The class also addresses the possibility of unintended incorrect configuration or handling of the TOE.

13 Technical Aspect Security Assurance Requirement (SAR) ALC ATE AVA ACO Classes Life-cycle support Tests Vulnerability assessment Composition Details In the product life-cycle (CM (Configuration Management) capabilities, CM scope, Delivery, Development security, Flaw remediation, Life-cycle definition, Tools and techniques) it is distinguished whether the TOE is under the responsibility of the developer or the user The emphasis in this class is on confirmation that the TSF operates according to its design descriptions. This class does not address penetration testing The vulnerability assessment activity covers various vulnerabilities in the development and operation of the TOE Specify assurance requirements that are designed to provide confidence that a composed TOE will operate securely when relying upon security functionality provided by previously evaluated software, firmware or hardware components.

14 Technical Aspect Evaluation method of CC includes two aspects: Evaluation of PP (Protection Profile) The PP describes implementation-independent sets of security requirements for categories of TOE (Target of Evaluation), and contains a statement of the security problem that a compliant product is intended to solve. Evaluation of ST (Security Target) The ST is the basis for the agreement between the TOE developers, consumers, evaluators and evaluation authorities regarding what security the TOE offers and the scope of the evaluation.

15 Technical Aspect CCRA CCRA (Common Criteria Recognition Arrangement) is organized for approving CC among nations CAPs and CCPs Qualification for CCRA : A nation to be a member of CCRA should submit a written application to the Management Committee (MC) CCRA members : 12 CAPs (Certificate Authorizing Participants) and 12 CCPs (Certificate Consuming Participants)

16 Case studies by country United States (NIST: National Institute of Standards and Technology) NIST has developed the related guidelines and standards for strengthening security of information/information systems that Federal institutes are able to use Security Planning Process Input/Output Related Guidelines : SP (special publication) FIPS (Federal Information Processing Standards Publications)

17 Case studies by country United Kingdom (BS7799) UKAS manages the market of conformity assessment holding the unique right of national accreditation and BSI analyzes the security activities of organizations in UK, distributes BS7799 (currently ISO27001) BS7799 certification process Similar system: IT Health Check Services (Certified by CESG)

18 Case studies by country Japan (ISMS Ver. 2.0 (BS7799 Part 2: 2002)) ISMS Ver. 2.0 of JIPDEC (Japan Information Processing Development Corporation) has been in operation in Japan since April 2002 and shifted to BS7799 Part 2: ISMS Certification in Japan

19 Case studies by country Republic of Korea (ISO/IEC27001 and/or KISA ISMS) KISA (Korea Information Security Agency) handled certification of KISA ISMS, which is a synthetic management system that includes a technical/physical security plan ISMS certification of KISA

20 Case studies by country Germany (IT Baseline Protection Qualification) BSI (Bundesamt for Sicherheit in der Informationstechnik) established the IT Baseline Protection Qualification based on international standards (ISO Guide 25 [GUI25] and the European standard, EN45001) The Certification type is as follows: IT Baseline Protection Certificate Self-declared (IT Baseline Protection higher level) Self-declared (IT Baseline Protection entry level)

21 Case studies by country Others ISMS Certification in other countries Canada Taiwan Certification Institutes CSE (Communications Security Establishment) BSMI (Bureau of Standards, Meteorology & Inspection) Standards MG-4 A Guide to Certification & Accreditation for Information Technology Systems CNS & CNS Singapore ITSC (Information Technology Standards Committee) SS493: Part 1 (IT Security Standard Framework) SS493: Part 2 (Security Services) under development

22 Summary Information Security Methodology Administrative aspect Physical aspect Technical aspect ~ Common Criteria Examples by Country United States (NIST) United Kingdom (BS7799) Japan (ISMS Ver. 2.0 (BS7799 Part 2: 2002)) Republic of Korea (ISO/IEC27001 and/or KISA ISMS) Germany (IT Baseline Protection Qualification) Others