ana-meskovska
If you don’t want to help yourself, no one can
Standards and recommendations for information security on the Internet
ELSA Conference, Strumica, 27.11.2008
How do we protect ourselves from Internet insecurity?
Internet Global Village
• By default “open & insecure”
• Internet for ALL (good guys & bad guys)
• Bad guys are there for pleasure and/or business
• Internet in-security: all for one / one for all
There are “bad guys” in “our Village”.
So we have to protect ourselves, but how?
Do not forget what an Information System consists of!
• Information/Data
• Equipment (HW)
• Communications (Internet)
• Applications (SW)
• Procedures and processes
• People (users, performers/operators)
“The chain is only as strong as its weakest link!”
• Every single member of any Information System must be “good” and secure!
• The ONLY questions are:
– “what does good mean?” and
– “who guarantees that something is good?”
Here is where the standards come in!
What is a Standard? Who defines it? (1/3)
• A standard is a collection of specifications describing minimal requirements for security.
• Security standards include, as a minimum:
– Physically limiting access to
• computers,
• network and
• Internet
to only those who will not compromise security.
– Hardware mechanisms that impose rules on computer programs, thus avoiding dependence on computer programs for computer security.
– Operating system mechanisms that impose rules on programs to avoid trusting computer programs.
– Programming strategies to make computer programs dependable and resistant to subversion.
– And …
What is a Standard? Who defines it? (2/3)
• Security provisions that organizations should/shall have
– Information system service providers (banks, health organizations, government, telecom operators, electricity providers)
– Clients
• Competence of information system professionals
• Competence/awareness of end users in client organizations
• End users – citizens (awareness, PKI)
– And …
What is a Standard? Who defines it? (3/3)
– And …
– Standards are developed by professional associations, not the Government!
– Standards are voluntary (unless someone requires them as compulsory)
– “Hierarchy of standards”
• “good practice”
• “best practice”
• “world-wide best practice”
• Recommendations
• National standard
• International standard
– There are ALSO:
• International declarations and resolutions (UN, OECD, NATO)
• International conventions (UN, international agencies, …)
Certification (From Wikipedia)
Certification refers to the confirmation of certain characteristics of an
– object,
– product,
– person, or
– organization.
This confirmation is often, but not always, provided by some form of external review, education, or assessment.
Licence: Certification does not refer to the state of legally being able to practice or work in a profession. That is licensure. Usually, licensure is administered by a governmental entity for public protection purposes and certification by a professional association. However, they are similar in that they both require the demonstration of a certain level of knowledge or ability.
Product certification: The other most common type of certification in modern society is product certification. This refers to processes intended to determine if a product meets minimum standards, similar to quality assurance.
Organizational certification, such as the ISO 9000 Quality Management System environmental and sustainability certification, is usually referred to as accreditation.
Cyber security standards (From Wikipedia)
Cyber security standards are security standards which enable organizations to practice safe security techniques in order to minimize the number of successful cyber security attacks.
These guides provide general outlines as well as specific techniques for implementing cyber security.
For certain specific standards, cyber security certification by an accredited body can be obtained. There are many advantages to obtaining certification including the ability to get cyber security insurance.
Specific information security related standards
For citizens:
PKI (Personnel Key Identifier, Electronic Signature)
For organizations / companies: ISO 27001 Information Security Management System
For information systems: ISO
For information security professionals: CISA, CISM, CSSP …
HOW TO LIVE WITH STANDARDS
Process Success Factors
1. Put policy and standards in place
Security Life Cycle Steps
1. Assess current security state
2. Update policies
3. Develop and document a “baseline” security standard
4. Translate standards into security guidelines
5. Implement guidelines on systems
6. Ensure compliance with standards
Policy → Standards → Guidelines → Procedures → Practice
Top-level Policy
• Broad statement of intent
• Sets the expectations for compliance
• Must acknowledge individual accountability
• Culture-dependent
• Must cover appropriate use
• Must be enforced
Policy → Standards → Guidelines → Procedures → Practice
Standards
• Describe what to do, not how to do it
• Explain the application of policy
• Cover all elements of information security
• Use existing models (I4 & ISF)
• Provide the cornerstone for compliance
Policy → Standards → Guidelines → Procedures → Practice
Guidelines
• Tell how to meet standards
• Are platform- or technology-specific
• Provide examples and configuration recommendations
• Must be kept up to date
What about the Laws?
Macedonian information security related framework
1. Law for Personal Data Protection
2. Law for Classified Information
3. Law for Free Public Access
4. Criminal law (relevant articles on cyber crime)