
Presentation Transcript


  1. Chapter 11 Standards and Compliance

  2. Objectives
  In this chapter, you will:
  • Learn the differences between auditing and policy verification
  • Learn the various information security standards
  • Recognize types of audits
  • Understand the audit process
  • Develop ways to address audit exposures

  3. Introduction

  4. Policy Verification
  • Policy verification is similar to an audit, but:
    • Carries less weight
    • Is performed more frequently
    • Is used more for internal purposes
    • Can be performed using automated tools

  5. Policy Verification

  6. Security Standards
  • Internal security policies
  • Industry standards
  • Governmental standards
  • Commercial standards

  7. Security Standards
  • TCSEC (Orange Book)
    • Developed by US DoD
    • Requires:
      • Security policy
      • Marking
      • Identification
      • Accountability
      • Assurance
      • Continuous protection
    • Other DoD standards are contained within the Rainbow Series

  8. Security Standards

  9. Security Standards
  • TCSEC Divisions and Classes
    • Division D – Minimal protection
    • Class C1 – Discretionary access protection
    • Class C2 – Controlled access protection
    • Class B1 – Labeled security protection
    • Class B2 – Structured protection
    • Class B3 – Security domains
    • Class A1 – Verified design

  10. Security Standards
  • ITSEC
    • Developed by the UK, Germany, France, and the Netherlands
    • Contains 10 functionality classes and 7 assurance levels
    • Measures the confidentiality, integrity, and availability of the system

  11. Security Standards

  12. Security Standards
  • Common Criteria
    • Developed to combine TCSEC, ITSEC, and other standards
    • Adopted as ISO 15408
    • Three main sections:
      • Part I: Introduction
      • Part II: Security Requirements
      • Part III: Classification Requirements

  13. Security Standards
  • Common Criteria Evaluation Assurance Levels (EAL)
    • EAL1: Functionally tested
    • EAL2: Structurally tested
    • EAL3: Methodically tested and checked
    • EAL4: Methodically designed, tested, and reviewed
    • EAL5: Semi-formally designed and tested
    • EAL6: Semi-formally verified, designed, and tested
    • EAL7: Formally verified, designed, and tested

  14. Preventive System Security

  15. Security Standards
  • ISO 17799
    • Based on BS 7799
    • More comprehensive information security controls
  • Commercial standards
    • SAS 70
    • ICSA verification

  16. Security Audits
  • Types of reviews:
    • Compliance – check against internal policy
    • Security – check against industry security standards or best practices
    • Governmental – check against governmental regulations

  17. Audit Process
  • Discovery
    • Contacts
    • Scope of review
    • Applicable security policies and processes
    • Target environment
    • Network diagrams
    • Hours of operation
    • Map of location
    • Waivers

  18. Audit Process
  • Interviews
    • Explain processes
    • Explain IT environment
    • Test knowledge of security controls

  19. Audit Process
  • Assessments
    • Logs
    • Documentation of security tests
    • Vulnerability scanning
    • Policy verification tools

  20. Audit Process
  • Audit Reports
    • Preliminary report
    • Rebuttal
    • Final report

  21. Translating Findings into Action
  • Issue management
  • Education
  • Security policy review

  22. Summary
  • Audits are formal reviews of the security posture of the organization. Policy verification is less formal and simply compares security controls to existing security policies.
  • Audits require a security policy or standard against which to compare the target environment.
  • TCSEC was developed by NCSC to establish IT security standards for U.S. DoD systems. The standard offers the following classes: D, C1, C2, B1, B2, B3, and A1.

  23. Summary
  • ITSEC was developed by several European countries to establish common IT security standards. ITSEC is similar to TCSEC except that it also measures the assurance that security controls are implemented.
  • The Common Criteria (also published as ISO standard 15408) combines TCSEC and ITSEC into a global standard for IT security. The standard offers seven levels of security and assurance: EAL1 (least secure) to EAL7 (most secure).
  • The ISO 17799 standard governs the protection of information in a variety of forms: printed, stored digitally, or transmitted over networks.

  24. Summary
  • Compliance reviews determine whether the IT environment adheres to security policies or standards. Security reviews determine whether security best practices are implemented. Government reviews check whether governmental standards have been implemented.
  • The phases of the audit process include discovery, interviews, assessments, testing, and assessment reports.
  • Based on the findings of the audit, the audited organization should be diligent in quickly and efficiently resolving issues. Education and policy reviews should also be initiated to address shortcomings.
