  1. Fundamentals of Information Systems Security Chapter 12 Information Security Standards

  2. Learning Objective • Apply international and domestic information security standards to real-world applications in both the public and private sectors.

  3. Key Concepts • International information security standards and their impact on IT infrastructures • ISO 17799 • ISO/IEC 27002 • Payment Card Industry Data Security Standard (PCI DSS) requirements

  4. DISCOVER: CONCEPTS

  5. National Institute of Standards and Technology (NIST) • Federal agency within the U.S. Department of Commerce • Maintains a catalog of standards and publications for computer security • Its computer security guidance is published as the NIST Special Publication (SP) 800 series

  6. International Organization for Standardization (ISO) • Publishes many standards, such as: • International Standard Book Number (ISBN) • Open Systems Interconnection (OSI) reference model

  7. International Electrotechnical Commission (IEC) • Standards organization that often works with ISO • Standards address: • Power generation • Power transmission and distribution • Commercial and consumer electrical appliances • Semiconductors • Electromagnetics • Batteries • Solar energy • Telecommunications

  8. World Wide Web Consortium (W3C) • The main international standards organization for the World Wide Web • Standards it has developed or endorsed include the following: • Cascading Style Sheets (CSS) • Common Gateway Interface (CGI) • Hypertext Markup Language (HTML) • Simple Object Access Protocol (SOAP) • Web Services Description Language (WSDL) • Extensible Markup Language (XML)

  9. Internet Engineering Task Force (IETF) • Develops and promotes voluntary Internet standards, in particular the TCP/IP protocol suite • Publishes them as Requests for Comments (RFCs) • The Internet Architecture Board (IAB) is a committee of the IETF that oversees Internet architecture and the standards process

  10. IEEE • An international nonprofit organization • Focuses on developing and distributing standards that relate to electricity and electronics

  11. IEEE Working Groups

  12. Other Standards Organizations • International Telecommunication Union Telecommunication Sector (ITU-T) • American National Standards Institute (ANSI)

  13. ISO 17799 • An international security standard • Documents a comprehensive set of controls that represent best practices in information security management • Derived from the British standard BS 7799, which had two parts: • BS 7799-1, the code of practice that became ISO 17799 • BS 7799-2, the specification for an information security management system (ISMS), which later became ISO/IEC 27001

  14. ISO 17799 Sections

  15. ISO 17799 Sections (Cont.)

  16. ISO/IEC 27002 • Provides organizations with best-practice recommendations on information security management • Is the 2005 revision of ISO/IEC 17799, renumbered to 27002 in 2007 so that it sits with ISO/IEC 27001 in the ISO/IEC 27000 family of ISMS standards

  17. ISO/IEC 27002 Sections

  18. ISO/IEC 27002 Sections (Cont.)

  19. DISCOVER: PROCESS

  20. Payment Card Industry Data Security Standard (PCI DSS) • A set of security requirements, maintained by the PCI Security Standards Council, for any organization that stores, processes, or transmits payment card data • Helps organizations that process card payments to prevent fraud by limiting where cardholder data is held and how it is exposed • Compliance is validated by an on-site assessment by a Qualified Security Assessor (QSA) or, for lower-volume merchants, by a Self-Assessment Questionnaire (SAQ), depending on the merchant level assigned by the card brands

  21. PCI DSS Requirements, Grouped by Principle • Principle #1: Build and maintain a secure network. • Requirement 1: Install and maintain a firewall configuration to protect cardholder data. • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

  22. PCI DSS Requirements (Continued) • Principle #2: Protect cardholder data. • Requirement 3: Protect stored cardholder data. • Requirement 4: Encrypt transmission of cardholder data across open, public networks.

  23. PCI DSS Requirements (Continued) • Principle #3: Maintain a vulnerability management program. • Requirement 5: Use and regularly update antivirus software or programs. • Requirement 6: Develop and maintain secure systems and applications.

  24. PCI DSS Requirements (Continued) • Principle #4: Implement strong access control measures. • Requirement 7: Restrict access to cardholder data by business need to know. • Requirement 8: Assign a unique ID to each person with computer access. • Requirement 9: Restrict physical access to cardholder data.

  25. PCI DSS Requirements (Continued) • Principle #5: Regularly monitor and test networks. • Requirement 10: Track and monitor all access to network resources and cardholder data. • Requirement 11: Regularly test security systems and processes.

  26. PCI DSS Requirements (Continued) • Principle #6: Maintain an information security policy. • Requirement 12: Maintain a policy that addresses information security for employees and contractors.

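Of the twelve requirements above, Requirement 3 ("Protect stored cardholder data") is the one most directly expressed in code: the primary account number (PAN) must be rendered unreadable wherever it is stored, including in log files, and where it has to be displayed only the first six and last four digits may be shown. The Python below is an added example, not code from the slides or from the PCI Security Standards Council. It shows a Luhn check, the permitted display mask, a keyed hash for storing a lookup value, and a log redactor that scrubs PANs from constructed sample log lines. The key, the log lines and the test PAN 4111111111111111 are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed example key. In production the key comes from an HSM or key
# management service, never from source code (key management is itself part of
# PCI DSS Requirement 3).
EXAMPLE_HASH_KEY = b"example-key-do-not-use-in-production"

# Contiguous runs of 13 to 19 digits, the length range of card numbers.
# Separated forms ("4111 1111 ...") are deliberately not handled here.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form PCI DSS permits: first six and last four digits, rest masked."""
    if len(pan) < 13:
        raise ValueError("PAN too short")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan_for_lookup(pan: str, key: bytes = EXAMPLE_HASH_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of the full PAN for storage or lookup.

    A plain SHA-256 is not good enough: once the masked form reveals the BIN and
    the last four digits, only about a million candidates remain, and an unkeyed
    hash table is brute-forced in seconds. HMAC with a managed key removes that
    shortcut for anyone who obtains the table but not the key.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def redact_log_line(line: str) -> str:
    """Replace every Luhn-valid 13-19 digit run in a log line with its masked form.

    Log files count as storage for PCI DSS purposes; a full PAN in a log is a
    finding. Runs that fail the Luhn check (order ids, timestamps) are left alone.
    """

    def _sub(match: re.Match) -> str:
        digits = match.group(0)
        return mask_pan(digits) if luhn_valid(digits) else digits

    return PAN_RE.sub(_sub, line)


def redact_log(lines):
    return [redact_log_line(line) for line in lines]


# Constructed sample log lines; 4111111111111111 is a well-known test number,
# not a real account.
SAMPLE_LOG = [
    "2024-05-01T10:15:02Z checkout user=alice pan=4111111111111111 amount=42.00",
    "2024-05-01T10:15:03Z order_id=1234567890123456 status=captured",
]


if __name__ == "__main__":
    for line in redact_log(SAMPLE_LOG):
        print(line)
    print(mask_pan("4111111111111111"))
    print(hash_pan_for_lookup("4111111111111111")[:16] + "...")
```

The Luhn filter keeps false positives low, but it also means a PAN with a typo passes through; a production scrubber for a cardholder data environment would usually redact any run in the length range and accept the occasional mangled order id.
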
  27. DISCOVER: ROLES

  28. PCI DSS Security Assessment Roles

  29. DISCOVER: RATIONALE

  30. Impact of Standards on Business • Standards ensure that products and services are consistent • Standards enable different products from different organizations to work well together

  31. Summary • International information security standards and their impact on IT infrastructures • ISO 17799 • ISO/IEC 27002 • Payment Card Industry Data Security Standard (PCI DSS) requirements