
IT Security Requirements


Presentation Transcript


  1. IT Security Requirements
     • Protection requirements
     • Safeguards
     • Controls
       • Preventive (before)
       • Detective (during)
       • Corrective (after)

  2. IT Security ”Catalogue” for Controls: a suitable (reasonable) set of Security Requirements
     • Standard
       • ISO/IEC 17799 (BS 7799-1), International Standard
     • ”De facto” standard
       • ISF (Information Security Forum), Standard of Good Practice (Information Security)
     • Guidelines
       • ISO/IEC TR 13335, parts 1-5, International Technical Reports
     • Certification (a possibility)
       • BS 7799-2, which specifies a necessary minimum of Security Requirements

  3. Level of requirement (Terminology)
     • Should (Shall)
     • Must
     • Ought
     • In reading or in writing?

  4. IT Security requirements
     • Law (invariable)
       • National and International
     • Regulation
     • Rules
     • Standard
     • Policy
     • Guidance - Guidelines
     • Procedure
     • Instruction (Manual operation)

  5. Who specifies the IT Security Requirements? (Invariable demand or not …)
     • External (Requirements from outside)
       • Law (Legal aspect, Legislation) - ”Breaking the rule is punishable”
       • Departmental order
       • Requirements from business partners
       • Certification
       • Customer agreements
     • Internal
       • More or less related to Standards
         • ISO/IEC 17799, ISF, DS-484 (Danish Norm) - Instans
       • Management Team / business needs
       • Risk Assessment
       • IT Security Policy
       • IT Security Guidelines (hierarchy)
     • Informal
       • Ethics
       • Code of ethics
       • Valuable property

  6. IT Security Policy
     • Use for
       • Signal to business partners and employees
     • Responsible (Create, update, create awareness)
       • IT Security Manager
     • Approved by
       • Board of directors
     • Relation to
       • Business Strategy
     • Characteristics
       • Highly abstract language, non-technical and max 2 pages
     • Content
       • ”We shall …” Example follows ISF Standard of Good Practice
     • Applies to
       • IT Security Guidelines
     • Type of document
       • Official (should be), but can be kept secret from the public

  7. IT Security Guidelines
     • Use for
       • Directions for employees
     • Responsible (Create, update, create awareness)
       • IT Security Manager in co-operation with the people who need the guideline
     • Approved by
       • Executive management
     • Relation to
       • IT Security Policy
     • Characteristics
       • More concrete language, in use for users or the technical part
     • Content
       • ”We shall, for network dial-up solutions, …”
       • ”Always use strong authentication with a one-time-password generator”
     • Applies to
       • IT Instruction or procedure
     • Type of document
       • Kept secret from the public

  8. Network Security Policy (Guideline)
     • Use for
       • Keeping the focus on security in the network
     • Responsible (Create, update, create awareness)
       • IT Security Manager in co-operation with the network team
     • Approved by
       • Executive management / IT management
     • Relation to
       • IT Security Policy
     • Characteristics
       • More concrete language, in use for the technical part
     • Content
       • ”We shall protect our Intranet as if it were the Internet”
       • ”We shall always use switch-to-the-desktop on the LANs”
     • Applies to
       • Network instruction or procedure
     • Type of document
       • Kept secret from the public

  9. Creating an IT Security Guideline
     • Choose one guideline from ISF
       • Example: CN23
       • Just follow ”The One and Only”
     • Choose three guidelines from ISF
       • Example: CN23 + CB53 + SM54
       • ”Shake up” the three guidelines and create your own
       • Make the new guideline more concrete
     • Do something different?

  10. In the ”real” world
     • Documentation is used for
       • Quality arrangement
       • Homogeneity in the way of doing things
     • Priority
       • Written guidelines (Easy to see what the staff do)
       • Verbal guidelines to follow (Practice should be in accordance with what the staff tell you)
       • Nothing (A problem)
     • State
       • Guidelines
       • Reality (the guidelines ”won't” be used?)
       • Be granted an exemption from the IT Security department
     • It is important to find a balance between the paperwork and documentation you create and what will actually be used in the future

  11. IT Security level
     • Relative (?)
     • Choose a satisfactory level of IT Security (trust?)
     • A company can choose to live up to
       • Guidance
         • ISO/IEC 17799-1
         • ISF
         • DS 484-1
       • Certification
         • BS 7799-2
         • DS 484-2
     • Result (comparing ”the solution” against ISF)
       • ”The solution” < ISF: some points to be addressed (goal for the auditor)
       • ”The solution” = ISF: satisfactory
       • ”The solution” > ISF: better than ISF (maybe the company's decision)

  12. Evolution (obsoleted and new)
     • Who should take care?
     • Standards
       • BS 7799 will soon come in a new version
     • IT Security Policy
       • How to handle the relation to IT Security Guidelines?

  13. IT Security Organisation
     • Corporate level
       • IT Security Officer
         • Normally responsible for one or more IT Security Managers
     • Company
       • IT Security Manager
         • Normally reports to the board of directors in the company
         • Responsible for the IT Security Department
       • IT Security Consultant
         • Staff in the IT Security Department
       • IT Security Co-ordinator
         • Replacement (deputy) for the IT Security Manager
     • Department
       • Line managers in general are responsible for security within their areas
       • IT Security Responsible
         • Example: a staff member in the Network Department responsible for the firewall system
     • Employees
       • To be trained in IT Security Awareness

  14. Auditing and the Auditors
     • Who controls the controls, and why?
       • IT and financial auditors (Internal and External)
       • There is a need for ongoing audit because the solutions will always ”sand up”
     • Who is using the auditors, and why?
       • Board of directors
         • Prosecution if something goes wrong
       • The Company Accountants
       • Shareholders (Stockholders)
       • When convincing the Business Partners and Customers
         • Prove that the IT Security level is satisfactory
     • Declaration (Yearly Statement)
       • Business partners
       • The public
