Friday, May 05, 2006

Security Compliance:
Which Standard?

NIST800, ISO17799, AS/NZS4360, OCTAVE, ITIL, etc


Executive Summary

Reports of identity theft, exposed social security numbers and compromised credit card numbers make regular headlines. It seems that almost every week a laptop somewhere that contains sensitive data for thousands of people goes missing. Businesses are now forced to focus on the problems confronting computer data. Personnel from the CEO down to the Help Desk technicians are bearing responsibility for data breaches. As business tries to shore up its security posture it casts about for a “common denominator”, a definitive set of standards relating to computer security. There is no shortage of contenders for the title because the field of competing security methodologies becomes more crowded every year. However, there is still no one universally accepted standard, no Gold Standard of Data Security. This paper’s goal is to help the reader navigate some of the choices currently available and to choose the methodology that best suits a particular business’s needs.


Introduction

The field of Security Methodologies is a fairly new one, and prior to the early 1990’s there were only 2 products in this space: NIST and BS7799. Both of these standard bearers were created by government agencies, NIST from the National Institute of Standards and Technology in the US and BS from the British Standards Institute in the UK. While NIST has remained mostly a standard for government agencies, and is the basis for yearly Certification and Accreditation reviews, the BS standard took steps toward becoming the accepted international standard. In 2000 the BSI gave BS7799 to the International Standards Organization of Geneva (the ISO). In December of that same year, the ISO accepted the standard for information security and renamed it ISO17799. Even though the ISO standard had the backing of only one G7 country, it was popular with many smaller countries and was “fast-tracked” through the approval process. Reluctant to throw out their own standards, large industrial nations such as Japan, the US and Germany continued using their own sets of rules. All the while ISO17799 gained “grass roots” momentum, and continues to do so even today.

As the market now stands there are close to a dozen competing efforts to standardize business practices. Generally these products can be categorized into two groups: Business Frameworks and Risk Methodologies. The borders between the categories continue to blur as Methodologies are re-written to include high level management goals and vice versa. This paper focuses entirely on the second of these classifications, Security Methodologies (also called Best Practices).


Security Methodologies/Best Practices

IT Managers and Directors are charged with making their shops more secure but are faced with a daunting task. In addition to the daily discovery of vulnerabilities, the market is full of competing Best Practice products. While the names ISO17799 and NIST800 are probably familiar to IT professionals, there are at least a dozen other “security standards” in this space. The names ITIL, ISM³, SS, FIPS, PAS, ISF, OCTAVE, AS/NZS, and GAISP are not so well known, but they are nonetheless competing for the same market. The names alone are enough to strike fear into the heart of even the most intrepid IT professional. However, despite some apparent differences (these products come from such far flung locations as Singapore, the UK, New Zealand and the European Union), they all have remarkably similar underpinnings. The standards are based on computer security “best practices”, and while the implementation of best practices varies from industry to industry, the basic concepts are remarkably similar. So similar, in fact, that NIST 800-53 includes an appendix which maps its methodology to ISO17799.

For an organization without a formal IT Framework, or for that matter without even a Risk Methodology, a good starting place would be the NIST guidelines. The major advantage of NIST 800 also happens to be its major drawback. NIST regulations are mandatory for government agencies, but they are simply “guidelines” and recommendations for commercial enterprises. There currently exists no manner of certification, authentication or audit for anything other than governmental bodies. This shortcoming may in and of itself be the deciding factor for organizations looking for certification. ISO17799 and most of the other methodologies offer some type of accreditation or certification. However, on the plus side, NIST publications are easily obtainable, fairly easy to read, updated more frequently than most others, and, perhaps most importantly, available for free. The costs for the publications from the other methodologies can easily run into thousands of dollars.

If an organization is looking for a slightly more robust option, then ISO 17799 is the answer. Any business subject to regulatory compliance, whether US based or international, should implement the ISO17799 methodology. Former criticisms of the regulations being too vague or off target were met with a major rewrite of the methodology in June of 2005. The new standards are very precise, giving information managers actual advice to “do this and don’t do that”. These additions brought the standards current and actually make it one of the best documents for A to Z security implementations.

Additional concerns about certification and authentication were also recently addressed in the ISO methodology. Prior to 2005, organizations wishing to become certified had to certify against the BS7799 standard. This caused problems on a number of fronts. However, these problems were resolved with the release of a new standard, ISO27001, which includes provisions for becoming certified. Certification is a concern for businesses in many different industries, both public and private. International businesses find themselves in a particularly difficult position since there is no one “de facto” standard, with almost every country mandating compliance with its own security regulations. ISO17799 represents a good compromise choice in this area and has the additional advantage that dozens of countries have already accepted this standard. It should be noted that ISO17799 certification is relatively new and that there are only 2509 registered organizations worldwide, with well over half (1516) coming from Japan alone. The remainder of the G8 nations (US, UK, Germany, Italy, France, Russia and Canada) together total only 325, and not all of these countries have adopted the 2005 standard. These numbers show the high level of uncertainty in the security methodology field and also the grass roots nature of the ISO standard. Organizations considering an ISO certification should take this into account in their decision.

Businesses with a more mature IT infrastructure may be better served by one of the “hybrid” standards. These standards attempt to specify the “nuts and bolts” approach common in the security methodologies while introducing a broader business framework. Examples in this category include the Australian and New Zealand Standards (AS/NZS 4360), work from the Carnegie Mellon Software Engineering Institute (OCTAVE), and standards from the English Office of Government and Commerce (ITIL). OCTAVE represents the newest information standard, while ITIL claims to have “the most widely accepted approach to IT service management in the world”. Each of these hybrid solutions has strengths and weaknesses, and the unique needs of the individual business should drive the decision of which to choose.

Organizations whose IT departments are at the top end of organizational maturity should consider aligning their business to one of the existing frameworks. While examination of these Business Frameworks is beyond the scope of this paper, any organization that standardizes on COBIT, Common Criteria, COSO, etc. will be well served by the process that results.



Summary

There currently exists a bewildering array of computer security methodologies in the market, with more appearing all the time. For organizations trying to improve the structure and security of their computer network the choice of a product is very important. While all the Security Methodologies in this report provide an excellent start on the road to “computer security best practices”, no one solution is right for every business. The decision as to which solution to implement can be critical because the future direction of the organization’s IT infrastructure depends on it. It has been the purpose of this paper to give the reader a brief primer on the variety of security methodologies that exist and to present in an unbiased way the strengths and weaknesses of each.

Links

NIST: http://csrc.nist.gov/
ISO17799: http://www.iso.org/iso/en/ISOOnline.frontpage
AS/NZS4360: http://www.saiglobal.com/shop/script/search.asp
OCTAVE: http://www.sei.cmu.edu/programs/nss/surv-net-mgt.html
ITIL: http://www.itil.co.uk/
Frameworks graphic: http://www.software.org/quagmire/
17799 in plain English: http://praxiom.com/iso-17799-intro.htm
ISO27000 User Group: http://www.xisec.com/
ISO27000 Certification: http://www.xisec.com/certPortal.htm#CertAuditor


© 2006 All Rights Reserved.