Fundamentals of Information Systems Security
Chapter 12: Information Security Standards

Learning Objective
• Apply international and domestic information security standards to real-world applications in both the public and private sectors.

Key Concepts
• International information security standards and their impact on IT infrastructures
• ISO 17799
• ISO/IEC 27002
• Payment Card Industry Data Security Standard (PCI DSS) requirements
National Institute of Standards and Technology (NIST)
• Federal agency within the U.S. Department of Commerce
• Maintains a list of standards and publications for computer security
• Its computer security publications are issued as the NIST Special Publication (SP) 800 series
International Organization for Standardization (ISO)
• Publishes many standards, such as:
  • International Standard Book Number (ISBN)
  • Open Systems Interconnection (OSI) reference model

International Electrotechnical Commission (IEC)
• Standards organization that often works with ISO
• Standards address:
  • Power generation
  • Power transmission and distribution
  • Commercial and consumer electrical appliances
  • Semiconductors
  • Electromagnetics
  • Batteries
  • Solar energy
  • Telecommunications
World Wide Web Consortium (W3C)
• The main international standards organization for the World Wide Web
• Standards it has developed or endorsed include the following:
  • Cascading Style Sheets (CSS)
  • Common Gateway Interface (CGI)
  • Hypertext Markup Language (HTML)
  • Simple Object Access Protocol (SOAP)
  • Web Services Description Language (WSDL)
  • Extensible Markup Language (XML)
Internet Engineering Task Force (IETF)
• Develops and promotes Internet standards
• Produces Requests for Comments (RFCs)
• Internet Architecture Board (IAB) is a subcommittee of the IETF

IEEE
• An international nonprofit organization
• Focuses on developing and distributing standards that relate to electricity and electronics

Other Standards Organizations
• International Telecommunication Union Telecommunication Sector (ITU-T)
• American National Standards Institute (ANSI)
ISO 17799
• An international security standard
• Documents a comprehensive set of controls that represent best practices in information systems
• Consists of two parts:
  • ISO 17799 code of practice
  • BS 17799-2 specification for an information security management system

ISO/IEC 27002
• Provides organizations with best-practice recommendations on information security management
• Appeared in 2005 as an update to the ISO 17799 standard

Payment Card Industry Data Security Standard (PCI DSS)
• An international set of standards for handling payment card transactions
• Helps organizations that process card payments to prevent fraud by having increased control over data and its exposure
• Requires a security assessment by a Qualified Security Assessor (QSA) to check compliance
PCI DSS Security Assessment Steps
• Principle #1: Build and maintain a secure network.
  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

PCI DSS Security Assessment Steps (Continued)
• Principle #2: Protect cardholder data.
  • Requirement 3: Protect stored cardholder data.
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks.

PCI DSS Security Assessment Steps (Continued)
• Principle #3: Maintain a vulnerability management program.
  • Requirement 5: Use and regularly update antivirus software or programs.
  • Requirement 6: Develop and maintain secure systems and applications.

PCI DSS Security Assessment Steps (Continued)
• Principle #4: Implement strong access control measures.
  • Requirement 7: Restrict access to cardholder data by business need to know.
  • Requirement 8: Assign a unique ID to each person with computer access.
  • Requirement 9: Restrict physical access to cardholder data.

PCI DSS Security Assessment Steps (Continued)
• Principle #5: Regularly monitor and test networks.
  • Requirement 10: Track and monitor all access to network resources and cardholder data.
  • Requirement 11: Regularly test security systems and processes.

PCI DSS Security Assessment Steps (Continued)
• Principle #6: Maintain an information security policy.
  • Requirement 12: Maintain a policy that addresses information security for employees and contractors.
Impact of Standards on Business
• Standards ensure that products and services are consistent
• Standards enable different products from different organizations to work well together

Summary
• International information security standards and their impact on IT infrastructures
• ISO 17799
• ISO/IEC 27002
• Payment Card Industry Data Security Standard (PCI DSS) requirements