3. Security Standards & Security Management Flashcards
What should information security standards offer?
Coherent approach (to information security)
Pragmatic & flexible (i.e. appropriate controls)
Guidance (to security)
Best practice (& sensible approach)
Help with compliance (regulatory / customers / business / government etc)
What are the problems associated with security standards?
Lack of awareness (several business surveys show this)
Lack of acceptance?
Cost & time (possibly easier to become an assessor than to get certified (as with other standards))
Accreditation or good practice (being accredited doesn’t necessarily mean every area is secure & not being accredited doesn’t necessarily mean things aren’t secure)
What are the formal security standards?
Lots of ‘red tape’ and bureaucracy!
Long process (6 months to 1 year, plus continual process)
Not a one-off fix
Expensive, needs support mechanisms (e.g. teams, committees, focus groups, consultants, audit functions / facilities (and to take actions from these))
Needs top management support - or will not work or be adopted
Probably affects all of the organisation
What are the other security standards?
Technical standards / schemes for products:
TCSEC - Trusted Computer Security Evaluation Criteria
ITSEC - IT Security Evaluation Certification Scheme
Less formal information security standards - business certification schemes - e.g. webtrust
What are webtrust’s principles?
Security
Availability
Processing integrity
Online privacy
Confidentiality
What is required for a security strategy to be consistent?
Threat & vulnerability assessment
Comprehensive security plan
Other strategies (general / overall business, marketing, operational)
What are the possible security strategy threats that need to be identified?
System unavailable
Unauthorised disclosure / modification of information
Malware affecting systems
Unauthorised access (local & remote)
Fraud (by staff)
Errors & omissions
Privacy & confidentiality
Repudiation & accountability
Non-compliance
What is the process required for a security strategy?
Implement the strategy (allocate people, resources, equipment, set policies, tasks, processes)
Monitor (what things should you monitor? how regular?)
Evaluation (costs, effectiveness, responsiveness)
Update (policy, plans, resources)