1.
Managing information security, as opposed to IT security, is an area that is now finally coming of age. For many years the focus was mainly on IT security, with the implementation of such security left to the IT department and technical experts. Early in the 1990s things started to change with the first draft of an information security management standard, BS 7799, focusing on security related to people, processes and information as well as IT. Since then there have been many developments taking us to where we are today, with these early security management standards being transformed into international standards published by ISO/IEC. These standards are being used by hundreds of thousands of organisations worldwide. Based on the author's previously copyrighted writings, this article explores what these standards have to offer organisations, what benefits are to be gained and how such standards have helped with compliance. In particular it focuses on the insider threat as an example of one of the growing problems that organisations need to deal with, and on how these international standards are useful in helping to solve the insider threat problem.

2.
Abstract

The information security industry has finally developed and published standards. This article examines each of the ten areas identified in the standards document, ISO 17799, and identifies key points the security professional should address in his or her security program. While there are other standards (BS 7799, ISO/TR 15369), this article concentrates on the recommendations of the International Standard ISO/IEC 17799:2000, “Information Security Management, Code of Practice for Information Security Management.” The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) form a specialized system on worldwide standardization. National bodies that are members of ISO and IEC participate in the development of international standards through technical committees. The United States, through the American National Standards Institute (ANSI), is the secretariat. Twenty-four other nations (Brazil, France, United Kingdom, China, Democratic People's Republic of Korea, Czech Republic, Germany, Denmark, Belgium, Portugal, Japan, Republic of Korea, the Netherlands, Ireland, Norway, South Africa, Australia, Canada, Finland, Sweden, Slovenia, Switzerland, New Zealand, and Italy) have participant status and 40 other nations are observers.

3.
4.
Standardization in information security management   Cited: 1 (self-citations: 0, other: 1)
The paper describes the state of the art in standardization in information security management. The requirements for the standards being developed, the types of standards, and the principles to adhere to are discussed. The study is based on the documents adopted within subcommittee 27, “IT Security techniques”, of the joint technical committee ISO/IEC JTC 1 “Information technology”.

5.
Information security management standards: Problems and solutions   Cited: 1 (self-citations: 0, other: 1)
International information security management guidelines play a key role in managing and certifying organizational IS. We analyzed BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP, and the SSE-CMM to determine and compare how these guidelines are validated, and how widely they can be applied. First, we found that BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP and the SSE-CMM were generic or universal in scope; consequently they do not pay enough attention to the differences between organizations and the fact that their security requirements differ. Second, we noted that these guidelines were validated by appeal to common practice and authority, and that this is not a sound basis for important international information security guidelines. To address these shortcomings, we believe that information security management guidelines should be seen as a library of material on information security management for practitioners.

6.
In the late 1980s, traditional standards development organisations (SDOs) were moving toward creating anticipatory standards as a way of coping with the fast growth in new technology in the computing industry. The development of anticipatory standards (standards developed ahead of the technology) was seen as a possible way for the formal standards bodies to keep abreast of these rapid changes. By creating standards ahead of the technology, the standards would act as “change agents” and guide the market. Anticipatory standards were seen as one way of addressing the problem of arriving at suboptimal de facto standards: if the industry can be guided before the technology develops, this will encourage the use of optimal products. This paper considers the diffusion pattern of the ISO/IEC Information Resource Dictionary System (IRDS) Framework standard, which fits into the category of an anticipatory standard. Comparisons are made between the diffusion patterns of the ISO/IEC IRDS standard and the ISO/IEC Open Systems Interconnection (OSI) Reference Model, as both were anticipatory in nature, both were framework/reference standards, both originated at approximately the same time, and both were developed in traditional standards development organisations.

7.
Computer, 2006, 39(5): 92-94
IEEE 1220 guides enterprises or projects to a well-engineered solution for product-oriented systems. Annex C describes how to successfully use IEEE 1220 together with ISO/IEC 15288, but there are still gaps to bridge to fully harmonize the two standards. Although a "fast-track" ballot of IEEE Std 1220-2005 is currently under way in JTC1, planning joint committee activities to produce a coordinated IEEE-ISO/IEC version of IEEE 1220 should allow for completion of the ISO/IEC 15288:2002.

8.
To address the information security threats that affect the safety of civil aircraft airborne systems, this paper studies ISO 27005 and aviation industry standards and proposes a security risk assessment method suited to airborne systems. The method performs system vulnerability analysis based on threat conditions and threat scenarios, combines traditional aircraft safety analysis methods with security risk assessment methods, and proposes a quantifiable method for computing risk values. A correlation between safety levels and security levels is established through a relationship matrix, providing a basis for system requirements and architecture design. Case-study verification shows that the method yields correct and credible security risk assessment data for airborne systems.

9.
The author gives an overview of the international standards developed by SC 27 “IT Security techniques” of the ISO/IEC Joint Technical Committee “Information technologies.” The standards cover cryptographic mechanisms, evaluation and testing of products and information systems, countermeasures, and security services. Both published standards and those under development are considered.

10.
ABSTRACT

Cloud computing is a new IT delivery paradigm that offers computing resources as on-demand services over the Internet. Like all forms of outsourcing, cloud computing raises serious concerns about the security of the data assets that are outsourced to providers of cloud services. To address these security concerns, we show how today's generation of information security management systems (ISMSs), as specified in the ISO/IEC 27001:2005, must be extended to address the transfer of security controls into cloud environments. The resulting virtual ISMS is a standards-compliant management approach for developing a sound control environment while supporting the various modalities of cloud computing.

This article addresses chief security and/or information officers of cloud client and cloud provider organizations. Cloud clients will benefit from our exposition of how to manage risk when corporate assets are outsourced to cloud providers. Providers of cloud services will learn what processes and controls they can offer in order to provide superior security that differentiates their offerings in the market.

11.
Using GB17859, ISO/IEC 17799 and related standards as guidance, this paper proposes an AHP-model-based security management measurement method for the problem of measuring information security management performance, and focuses on the computation of weights for the measurement elements and measurement indicators in the measurement model.

12.
Lawson, H.W. Computer, 1999, 32(3): 110-112
Jointly developed by the ISO and IEC in 1995, the ISO/IEC 12207 standard, Software Life Cycle Processes, provides specific guidance in defining the roles and responsibilities of various stakeholders in the life cycle of a software project, product, or service. And the software community is beginning to take heed. The standard itself is relatively brief, detailing 17 processes in less than 40 pages. The 17 processes are divided into three main process groups: primary processes include acquisition, supply, development, operation, and maintenance; supporting processes include documentation, configuration management, quality assurance, verification, validation, joint review, audit, and problem resolution; organizational processes include management, infrastructure, improvement, and training. Each process breaks down into relevant activities and tasks that reflect a clear plan-do-check-act cycle. One further process, tailoring, specifies the activities and tasks to follow in adapting the standard to a particular situation or application. But just how useful is this standard? Based upon personal mentoring experiences, the author describes two case studies that demonstrate the standard's importance and versatility: Haldex Traction AB of Landskrona, Sweden, the supplier of a safety-critical automotive component; and Cambiot Healthcare Systems AB of Linkoping, Sweden, the supplier of a medical information system for hospitals and clinics. In these two cases, ISO/IEC 12207 has provided important value-added guidance in both systems and software engineering.

13.
ISO/IEC 15408, “Evaluation criteria for IT security”, was initially published almost twenty years ago. Originating from a number of governmental certification bodies, the standard has gained international acceptance. However, the needs for IT security certification are evolving, and at the same time there is more demand than ever before. ISO/IEC 15408 is currently under revision, and many of the current needs are being taken into account in the new design of the standard, which is expected to be published in 2020.

14.
A brief discussion of software quality measurement and software product evaluation   Cited: 2 (self-citations: 0, other: 2)
The series of standards on software quality measurement and software product evaluation has been one of the research priorities of the International Organization for Standardization's ISO/IEC JTC1 in software engineering standards in recent years. For measuring and evaluating software products by quantitative means and for standardizing software product quality management, these two series of standards provide a reference path for implementation. Based on many years of tracking international software engineering standards and developing national software engineering standards, this paper gives an overview of the ISO/IEC 9126 and ISO/IEC 14598 series released by ISO/IEC JTC1 in recent years, as well as the ISO/IEC 25000 series currently under development.

15.
Software standards, targeted at the software industry, were developed to contribute to the development of quality products within budget and schedule by optimizing effort and resources. For small companies, the largest share of software companies in Mexico, they are fundamental for growth and survival. However, academic programs do not always match industry requirements. In previous studies, the curricula in Computer Science and Informatics, and Software Engineering, of 4 Mexican universities were compared with two software industry standards: the MoProSoft standard, a Mexican standard designed for organizations having up to 50 people, and the Basic profile of ISO/IEC 29110, developed specifically for organizations having up to 25 people. The analysis of the academic programs showed better coverage of ISO/IEC 29110 than of MoProSoft. In this paper, these two standards are mapped to understand the results of the analysis in detail and provide recommendations regarding academic programs. The analysis provides evidence that the processes of the Basic profile of ISO/IEC 29110 are better covered by the universities' curricula because these processes provide the minimal set of practices to be performed while a project is executed, from the beginning until delivery of the software. In addition, this mapping presents a clear differentiation between the two standards that might help Software Development Centers understand where to start in implementing one of them.

16.
As cloud computing is applied in various fields, its security problems cannot be ignored. Based on existing security management standards (ITIL, ISO/IEC 27001 and ISO/IEC 27002), this paper explores the security management and monitoring of cloud computing in depth.

17.
Goldfarb, C.F. Computer, 1991, 24(8): 81-84
Some of the key concepts and features of HyTime, which is being developed as an American and an international standard (ISO/IEC 10744) for structured representation of hypermedia information, are introduced. HyTime is an application of ISO 8879 and is interchanged using ASN.1 (ISO 8824) for OSI compatibility. HyTime complements and enhances the utility of standards for individual multimedia objects, such as motion video and still pictures. HyTime is not a complete hyperdocument architecture. Its functions will be incorporated into architectures and applications designed by standards committees, industry groups, and others.

18.
An effective risk assessment model, algorithm and process   Cited: 2 (self-citations: 0, other: 2)
As one of the most critical steps in the information security management process, risk assessment needs a scientific model to guarantee its effective implementation. Researching and formulating models, algorithms and processes for risk assessment has become a hot topic of current research. Based on ISO/IEC general standards and some commercial standards, this paper proposes a relatively scientific and effective risk assessment model and algorithm, and describes the risk assessment process, providing a useful reference for organizational self-assessment.

19.
CPU-based RF (contactless smart) cards are receiving increasing attention because of their reliable security mechanisms, and are gradually entering various fields where they play an indispensable role. Based on a study of the ISO/IEC 14443 standard, a CPU card reader was designed and developed; the simplified design of a 13.56 MHz proximity-coupling antenna circuit was discussed theoretically, and ISO 7816 command tests were carried out in software to verify the procedure by which the RF module accesses a CPU RF card, implementing selection of the card's master directory and retrieval of random numbers, and completing read and write operations on a 1208M01 CPU RF card.

20.
In the context of software engineering education, there is a recurrent demand for new approaches and techniques that support the application and transfer of knowledge to real-life situations with the aim of encouraging more active learning among students. In particular, serious games have recently become an important learning resource for teaching the fundamentals of software process standards at undergraduate level. However, little effort has been made to create a serious game that supports the teaching of ISO/IEC/IEEE 29148:2011 Systems and Software Engineering – Lifecycle Processes – Requirements Engineering, an international standard that specifies the processes to be implemented by requirements engineering for systems and software products (including services) throughout the lifecycle. With this in mind, a serious game called “Requengin” has been developed to provide undergraduate students with an interactive learning environment that facilitates the introduction of ISO/IEC/IEEE 29148:2011. The main objective of the game is to strengthen the comprehension and application of the main processes of the standard and some related requirements engineering techniques. Requengin was designed to simulate an academic library where players must apply the requirements engineering processes with the aim of replacing the traditional management system with a software system, while at the same time receiving preliminary training in ISO/IEC/IEEE 29148:2011. The results obtained by empirical evaluation indicate that Requengin could potentially contribute to an improvement in students’ acquisition of knowledge about ISO/IEC/IEEE 29148:2011, while also improving levels of motivation.
