Wednesday, May 24, 2006

IT Controls:
Which Standard?

NIST800, ISO17799, OCTAVE, ITIL


Executive Summary

Reports of identity theft, exposed social security numbers and compromised credit card numbers make regular headlines, not to mention keeping executives and IT managers awake at night. Businesses are now forced to focus on the problems confronting computer data. Personnel from the CEO down to the Help Desk technicians are bearing responsibility for data breaches. As business tries to shore up its security posture it casts about for a “Common Denominator”, a definitive set of standards relating to computer security. There is no shortage of contenders for the title, because the field of competing security methodologies becomes more crowded every year. However, there is still no single universally accepted standard, the Gold Standard of Data Security. This paper’s goal is to help the reader navigate some of the choices currently available and to choose the IT Control Methodology that best fits. The figure in Appendix 1 graphically illustrates the Frameworks Quagmire as it relates to the software development industry.


Introduction

The field of Security Methodologies is a fairly new one, and prior to the early 1990’s there were only 2 products in this space: NIST and BS7799. Both of these standard bearers were created by government agencies: NIST from the National Institute of Standards and Technology in the US and BS from the British Standards Institute in the UK. While NIST has remained a standard in government agencies, and is the basis for yearly Certification and Accreditation reviews, the BSI took steps toward becoming the international business standard. In 2000 the BSI gave BS7799 to the International Standards Organization of Geneva (the ISO). In December of that same year, the ISO accepted the standard for information security and renamed it ISO17799. Even though the ISO standard had the backing of only one G7 country (the UK), it was popular with smaller countries and was “fast-tracked” through the approval process. Reluctant to throw out their own standards, large industrial nations such as Japan, the US and Germany continued using their own sets of IT Controls. All the while ISO17799 gained "grass roots" momentum, and continues to do so even today.

As the market now stands there are close to a dozen competing efforts to standardize business's IT practices. Generally these products can be categorized into two groups: Business Frameworks and Risk Methodologies. The borders between the categories continue to blur as Methodologies are re-written to include high level management goals and vice versa. This paper focuses entirely on the former classification, Security Methodologies (also called IT Controls).


Security Methodologies/Best Practices

IT Managers and Directors are charged with making their shops more secure but are faced with a daunting task. In addition to the daily discovery of vulnerabilities, the market is full of competing Security Methodologies. While the names ISO17799 and NIST800 are probably familiar to IT professionals, there are at least a dozen other “security standards” in this space. The names ITIL, ISM³, SS, FIPS, PAS, ISF, OCTAVE, AS/NZS, and GAISP are not so well known, but they are nonetheless competing for the same market. And new IT security methodologies appear monthly. However, despite the apparent differences (these products come from such far-flung locations as Singapore, the UK, New Zealand and the European Union), they all have remarkably similar underpinnings. The standards are based on computer security “best practices”, and while the implementation of best practices varies from industry to industry, the basic concepts are remarkably similar. So similar, in fact, that NIST 800-53 includes an appendix which maps its methodology to ISO17799.

For an organization without a formal IT Framework, or for that matter without even a Risk Methodology, a good starting place would be the NIST guidelines. The major advantage of NIST 800 also happens to be its major drawback. NIST regulations, while mandatory for government agencies, are simply “guidelines” and recommendations for commercial enterprises. There currently exists no manner of certification, authentication or audit for commercial entities. This shortcoming may in and of itself be the deciding factor for organizations looking for certification; ISO17799 and most of the other methodologies offer some type of accreditation or certification. On the plus side, however, NIST publications are easily obtainable, fairly easy to read, and updated much more frequently than most others. Perhaps most important, all of the publications are available free. The cost of the publications from other methodologies can easily run into thousands of dollars.

If an organization is looking for a mature commercially available framework, then ISO 17799 is the answer. Any business subject to regulatory compliance, whether US or International, should implement the ISO17799 methodology. Former criticisms of the regulations being too vague or off target were met with a major rewrite of the methodology in June of 2005. The new standards are very precise, giving information managers actual advice to “do this and don’t do that”. These additions brought the standards current and actually make it one of the best documents for A to Z security implementations.

Additional concerns about certification and authentication were also recently addressed in the ISO methodology. Prior to 2005, organizations wishing to become certified had to certify against the BS7799 standard. This caused problems on a number of fronts. However, these problems were resolved with the release of a new standard, ISO27001, which includes provisions for becoming certified. Certification is a concern for businesses in many different industries, both public and private. Multi-national businesses find themselves in a particularly difficult position, since there is no one “de facto” international standard, with each country mandating compliance with its own security regulations. ISO17799 represents a good compromise choice in this area and has the additional advantage that dozens of countries have already accepted it as the national standard. It should be noted that ISO17799 certification is relatively new and that there are only 2509 registered organizations worldwide, with well over half (1516) coming from Japan alone. The remainder of the G8 nations (US, UK, Germany, Italy, France, Russia and Canada) together total only 325, and not all of these countries have adopted the 2005 standard. These numbers show the high level of uncertainty in the security methodology field and also the grass roots nature of the ISO standard. Organizations considering an ISO certification should weigh this in their decision.

Of the remaining dozen or so standards, the top candidates for US companies are OCTAVE, ISM3 and perhaps ITIL. These IT methodologies represent “hybrid” standards, meaning that they attempt to specify the “nuts and bolts” approach common in security methodologies while introducing a broader business framework. The ISM3 maturity model, from the Institute for Secure and Open Methodologies (ISECOM) is the newest of the entries. Its current version was released in March of 2006. The very currency of the topics in the methodology may be enticing, especially in regards to current threats (and recommended countermeasures). However, care must be taken to weigh the fact that very few international bodies (and no major corporations) have adopted this security standard.

The Carnegie Mellon Software Engineering Institute (SEI) has produced a work called OCTAVE. The pedigree of this IT methodology comes from the same bloodline which gave us CERT and the CMMI standard for software development. The "OCTAVE Criteria" is a very broad and easy to read document. The current version, Version 2, has been modified by the addition of individual papers relating to specific areas of concern (Malware, for example). But even this most recent document dates from December 2004, and nowhere in it are today's most virulent threats mentioned (rootkits and spyware). With the original version dating from the last century (June 1999) and the latest full version only marginally more recent (December 2001), we question the support that CMU has for the OCTAVE framework.

The last "hybrid" IT methodology is ITIL. This standard hails from the English Office of Government Commerce (OGC). The British Standard BS15000 was commercialized and the result is ITIL. Originating in the late 1980's, this IT methodology dealt with best practices for IT service management. However, in the ensuing decades the standard has been broadened to include Service Management, Infrastructure Management, Application Management, Security Management, Software Asset Management and Business Perspectives. The ITIL approach is to divide these different domains of IT control into separate standards, complete with separate certification processes. While ITIL is fairly new on this side of the Atlantic, it is a mature and very well established IT framework in the UK and Europe. Some of the major adopters of the framework include Microsoft, British Airways, IBM, Barclays, Procter & Gamble and HSBC. Of particular interest is the fact that the OGC has just published (January 2006) a book helping smaller organizations adopt the ITIL Best Practice IT Framework.



Summary

There currently exists a bewildering array of computer security methodologies in the market, with more appearing all the time. For organizations trying to improve the structure and security of their computer network, the choice of a product is very important. While all the Security Methodologies in this report provide an excellent start on the road to “computer security best practices”, no one solution is right for every business. The decision as to which solution to implement can be critical, because the future direction of the organization’s IT infrastructure depends on it. Fortunately there is a great deal of overlap between all the products in this field, and a standard in one is easily transferred into an appropriate category in another.

It has been the purpose of this paper to give the reader a brief primer about the variety of security methodologies that exist and to present in an unbiased way the strengths and weaknesses of some of the most popular.


The next paper in this series deals with a popular implementation of IT Controls, aligning CobiT, ITIL and ISO17799.

Links

NIST: http://csrc.nist.gov/
ISO17799 http://www.iso.org/iso/en/ISOOnline.frontpage
AS/NZS4360 http://www.saiglobal.com/shop/script/search.asp
OCTAVE http://www.sei.cmu.edu/programs/nss/surv-net-mgt.html
ITIL http://www.itil.co.uk/
Frameworks graphic http://www.software.org/quagmire/
17799 in plain English http://praxiom.com/iso-17799-intro.htm
ISO27000 User Group http://www.xisec.com/
ISO27000 Certification http://www.xisec.com/certPortal.htm#CertAuditor


© 2006 All Rights Reserved.