Information Security Standards
239
The final two chapters provide best-practice processes for some key information
security areas including:
• Asset classification
• Personnel security
• Communications and operations management
• Access control
• Auditing and evaluation
The list above closely resembles sections of the ISO 17799 (BS 7799) standard.
For each of the areas listed above, the ITIL book contains best-practice processes.
In the first annex, there is also a table that maps the processes covered by ITIL to
the BS 7799 standard.
USE IN A SECURITY ASSESSMENT
The ITIL Security Management standard is a good resource where there is a heavy
focus on process, and the customer wants suggestions on ways to make security-
related processes more efficient. The ITIL processes can be used in conjunction with
the ISO 17799 standard to do a very thorough analysis, with the ISO standard
focusing on the security requirements themselves and ITIL focusing on the process
of implementing those requirements.
SAS (STATEMENT ON AUDITING STANDARDS) 70
The SAS 70 standard was developed by the AICPA (American Institute of Certified
Public Accountants) and is used for auditing service organizations. A service
organization for purposes of the SAS 70 is an organization that provides IT services to
another company. The SAS 70 audit is an in-depth examination of the service
organization’s internal control environment related to information technology and
any related processes. It must be conducted by a Certified Public Accountant (CPA)
with the relevant skill sets to perform such an audit, and it is used to support the
internal control requirements related to financial statement audits.
With the SAS 70, there are no defined standards per se. It is up to the service
organization to determine what the control objectives are and the steps to take to
meet those control objectives. It is the job of the auditor to determine whether the
control objectives documented by the service provider are accurate and whether the
control processes achieve those objectives. Typically, a SAS 70 is done to support
a financial statement audit for a company that receives services from a third party.
For example, a manufacturing company might have its entire IT infrastructure
outsourced to a third party — i.e., all of the company’s systems are being managed
by a third party. For the financial statement audit, the auditors need some assurance
that those systems are properly controlled because the numbers in the financial
statements come from those systems. To gain this assurance, the outsourcer would
provide a copy of the SAS 70 report to the auditors of the manufacturing company.
The SAS 70 report becomes particularly useful if the outsourcer provides similar
AU1706_book.fm Page 239 Tuesday, August 17, 2004 11:02 AM
240
A Practical Guide to Security Assessments
services for multiple companies because the same report could be used to support
financial statement audits for the other customers.
USE IN A SECURITY ASSESSMENT
The SAS 70 report can be useful in a security assessment primarily in the initial
information gathering process. Although a SAS 70 report is not necessarily going
to point out security weaknesses, the report can give clues of where the company
might have security weaknesses. If the opinion on a SAS 70 report is that internal
controls are inadequate, this should immediately raise questions about the internal
control and security environment. At the same time, a favorable opinion on a SAS
70 report should not give confidence that no security weaknesses are present.
AICPA SYSTRUST
SysTrust was designed jointly by the AICPA and the CICA (Canadian Institute of
Chartered Accountants) to help CPAs determine the reliability of information sys-
tems. As with the SAS 70, only licensed CPAs with the appropriate skill set can
perform a SysTrust audit.
With the SysTrust methodology, the reliability of a system is based on four
principles (defined by the AICPA/CICA),[7] which focus on ensuring controls are in
place to ensure:
• Availability — availability of systems and whether it meets SLAs (if they exist)
• Security — security measures to prevent unauthorized access
• Integrity — completeness and accuracy of system processing
• Maintainability — ability to update systems without affecting the availability,
security, or integrity of the systems
The SysTrust principles, like the other standards discussed so far, are also
technology neutral. For each of the principles listed above, the SysTrust standards
contain more granular principles, which can be used almost like a checklist when
conducting a SysTrust engagement. The specific questions in the checklist are broad
in nature and thus, significant room for interpretation exists. The questions are
somewhat open-ended and can spark discussions to provide significant information
regarding the security and internal control environment.
USE IN A SECURITY ASSESSMENT
SysTrust can be useful in the context of a security assessment in two ways. First, if
your customer has gone through a SysTrust audit, you can have a high degree of
confidence that it is secure. Second, the SysTrust criteria and questions, which are
freely available on the Internet, can be incorporated into your question sets for a
security assessment.
AICPA WEBTRUST
WebTrust is similar to SysTrust except that WebTrust is focused on business-to-
consumer electronic commerce conducted over the Web. The main principles in the
WebTrust criteria include:
• Business and information privacy practices
• Transaction integrity
• Information protection
As with SysTrust, for each of the principles listed above, more specific criteria are
used when conducting the audit.
As stated, WebTrust is focused on business-to-consumer electronic commerce
processes. One of the obstacles to growth for companies conducting business over
the Internet is consumers’ concern about security. To give some confidence, compa-
nies can have a WebTrust audit done and if favorable, can have a WebTrust seal on
their Web sites. The WebTrust seal means that a qualified person audited the
e-commerce processes and gave a favorable opinion on the internal control environment.
USE IN A SECURITY ASSESSMENT
WebTrust is useful in the same way as SysTrust but for companies engaging in
business-to-consumer activities. The WebTrust questions can be leveraged when
conducting a security assessment for business-to-consumer companies.
RFC 2196 — SITE SECURITY HANDBOOK
RFC 2196 was published in September 1997 and is a security guide to help IT
personnel protect their information assets. Although RFC 2196 is technology neutral,
the security aspects of many technical concepts related to networking, systems
administration, and IT infrastructure are discussed to help develop computer security
policies. RFC 2196 takes a holistic approach to security in that its methodology
starts with conducting a risk assessment and determining risks and then implement-
ing appropriate security measures. The basic approach as defined in RFC 2196
(Section 1.5) includes the following steps:[8]
1. Identify what you are trying to protect.
2. Determine what you are trying to protect it from.
3. Determine how likely the threats are.
4. Implement measures that will protect your assets in a cost-effective manner.
5. Review the process continuously and make improvements each time a
weakness is found.
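Steps 1 through 4 above, carried through on a constructed asset register as an added example (not from the book or from RFC 2196). The scoring rule, annual likelihood times impact with a measure kept only when the loss it removes exceeds its annual cost, is an assumption used to make "cost-effective" concrete; step 5 (periodic review) would simply rerun this with updated figures.

```python
"""RFC 2196 Section 1.5 approach, steps 1-4, on a constructed register.
Added illustration; the likelihood x impact scoring and the cost test are
assumptions, not part of the RFC."""
from dataclasses import dataclass, field


@dataclass
class Threat:                     # step 2: what we protect against
    name: str
    annual_likelihood: float      # step 3: expected occurrences per year
    impact: float                 # loss per occurrence, currency units


@dataclass
class Asset:                      # step 1: what we are trying to protect
    name: str
    threats: list = field(default_factory=list)


@dataclass
class Measure:                    # step 4 candidate: a protective control
    name: str
    asset: str
    threat: str
    annual_cost: float
    likelihood_reduction: float   # fraction of occurrences it prevents (0..1)


def annual_loss(threat: Threat) -> float:
    """Expected yearly loss from one threat (assumed scoring rule)."""
    return threat.annual_likelihood * threat.impact


def evaluate_measures(assets, measures):
    """Keep a measure only if the loss it removes exceeds its annual cost.
    Returns (measure name, net annual benefit) sorted by benefit, highest first."""
    register = {(a.name, t.name): t for a in assets for t in a.threats}
    kept = []
    for m in measures:
        threat = register.get((m.asset, m.threat))
        if threat is None:        # measure refers to a threat we never identified
            continue
        avoided = annual_loss(threat) * m.likelihood_reduction
        net = round(avoided - m.annual_cost, 2)
        if net > 0:
            kept.append((m.name, net))
    return sorted(kept, key=lambda r: r[1], reverse=True)


# Constructed sample register (figures are illustrative only)
ASSETS = [
    Asset("payroll server", [Threat("disk failure", 0.5, 40_000),
                             Threat("unauthorized access", 0.2, 100_000)]),
    Asset("public web site", [Threat("defacement", 2.0, 5_000)]),
]
MEASURES = [
    Measure("nightly backups", "payroll server", "disk failure", 3_000, 0.9),
    Measure("one-time passwords", "payroll server", "unauthorized access", 8_000, 0.7),
    Measure("web app firewall", "public web site", "defacement", 12_000, 0.8),
]
```

The web application firewall is dropped because it costs more per year than the loss it prevents, which is the kind of judgement step 4 asks for.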
RFC 2196 discusses methodology as well as providing detailed recommendations
on key security topics including the following (listed are the chapter headings from
RFC 2196):
• Security Policies — e.g., value of security policies
• Architecture — e.g., network, firewalls
• Security Services and Procedures — e.g., authentication, access, confidentiality
• Security Incident Handling — e.g., preparing and handling an incident, roles
and responsibilities
• Tools — a list of tools that might be useful for security purposes
In each of the areas listed above, RFC 2196 provides best-practice requirements
that can be incorporated into an information security program. The requirements
range from high-level to fairly technical areas. For example, there are nontechnical
sections, such as legal considerations related to the collection of audit data, as well
as technical ones, such as the use of one-time passwords.
USE IN A SECURITY ASSESSMENT
RFC 2196 is a good resource for understanding some of the technical aspects of
security architecture and key security processes without getting into the specifics of
any one vendor’s technology. As most security assessments have a technical com-
ponent, some elements of RFC 2196 can be particularly useful when developing
questions and actually conducting a security assessment. The RFC 2196 is a good
complement to standards such as the ISO 17799 and the ITIL Security Management
standards to achieve a good mix between technical and nontechnical aspects of
security.
OTHER RESOURCES
Besides the standards discussed in this chapter, some other resources are worth
consulting during the course of a security assessment. Although these are not nec-
essarily standards, they provide good current information and are worth taking into
account when conducting a security assessment.
SANS (SYSADMIN, AUDIT, NETWORK, SECURITY)/FBI (FEDERAL BUREAU OF INVESTIGATION) TOP 20 LIST
SANS, a premier provider of security training for security professionals, collaborates
with the Federal Bureau of Investigation (FBI) to develop and maintain a list of the
top 20 vulnerabilities based on information these organizations receive from a
number of resources. This list, located at http://www.sans.org/top20/ on the Internet
and updated on a regular basis, contains the top 10 vulnerabilities for both Windows
and Unix systems that can be deemed critical, requiring that they be addressed
immediately. The list includes information about the nature of the vulnerabilities
and step-by-step instructions on how to fix them. The step-by-step instructions
contain actual commands as well as links to other Web sites where relevant service
packs and patches might be located.
In situations where you have a limited amount of time, this list is an excellent
resource in helping to uncover and address significant vulnerabilities. Just ensuring
that an organization has addressed these vulnerabilities mitigates a significant
amount of risk. This list should be referenced in a security assessment, and customers
should be advised to review this list on a regular basis as part of their system
administration efforts.
VENDOR BEST PRACTICES
Many of the major vendors, such as Microsoft and Cisco, publish white papers or
best-practice guidelines regarding their particular products. From a technical per-
spective, these guides are excellent resources to use as benchmarks. As an example,
the checklists made available by Microsoft on its Technet Web site are excellent
technical documents that can be used in the Technology Evaluation portion of a
security assessment.
NOTES
1. International Standards Organization Web site — http://www.iso.org/iso/en/prods-services/popstds/informationsecurity.html
2. Information Security magazine, March 2002 — Other Security Standards — http://infosecuritymag.techtarget.com/2002/mar/othersecuritystandard.shtml
3. Common Criteria — Part 1 — Introduction and General Model, Page 1 of 56 — http://commoncriteria.org/docs/PDF/CCPART1V21.PDF
4. COBIT Framework — Executive Summary, page 5 — http://www.isaca.org/Template.cfm?Section=Obtain_COBIT&CONTENTFILEID=1396&TEMPLATE=/MembersOnly.cfm
5. COBIT Framework document — page 13 — http://www.isaca.org
6. ITIL and Security Management, 1999 — page 41
7. AICPA.Org Web site — SysTrust principles — http://www.aicpa.org/assurance/systrust/princip.htm
8. RFC 2196 — Site Security Handbook, B. Fraser — Editor, SEI/CMU — http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2196.html