5 Standards And Recommendations For Information Security On Internet

Page 1:

If you don’t want to help yourself, no one can

Standards and recommendation for information security on internet

ELSA Conference, Strumica, 27.11.2008

Ljubomir Trajkovski

[email protected]

Page 2:

How to protect ourselves from internet insecurity?

Page 3:

Internet Global Village

• By default “open & insecure”

• Internet for ALL (good guys & bad guys)

• Bad guys for: pleasure and/or business

• Internet in-security: all for one / one for all

Page 4:

There are “bad guys” in “our Village”

So we have to protect ourselves, but how?

Page 5:

Do not forget what an Information System consists of!

• Information/Data

• Equipment (HW)

• Communications (Internet)

• Applications (SW)

• Procedures and processes

• People (users, performers/operators)

Page 6:

“The chain is only as strong as its weakest link!”

• Every single member of any Information System must be “good” and secure!

• The ONLY questions are:

– “what does ‘good’ mean” and

– “who guarantees that something is good”?

Here is where the standards come in!

Page 7:

What is a Standard? Who defines it? (1/3)

• A standard is a collection of specifications describing minimal requirements for security.

• Security standards include, as a minimum:

– Physically limiting access to

• computers,

• network and

• Internet

to only those who will not compromise security.

– Hardware mechanisms that impose rules on computer programs, thus avoiding dependence on computer programs for computer security.

– Operating system mechanisms that impose rules on programs, to avoid trusting computer programs.

– Programming strategies to make computer programs dependable and resistant to subversion.

– And …..

Page 8:

What is a Standard? Who defines it? (2/3)

• Security provisions that organizations should/shall have

– Information System service providers (Banks, Health organizations, Government, Telecom operators, Electricity providers)

– Clients

• Competence of Information System professionals

• Competence/awareness of end users in client organizations

• End users – citizens (awareness, PKI)

– And …..

Page 9:

What is a Standard? Who defines it? (3/3)

– And …..

– Standards are developed by professional associations, not the Government!

– Standards are voluntary (unless someone requires them as compulsory)

– “Hierarchy of standards”

• “good practice”

• “best practice”

• “world wide best practice”

• Recommendations

• National standard

• International standard

– There are ALSO:

• International declarations and resolutions (UN, OECD, NATO)

• International Conventions (UN, International Agencies, …)

Page 10:

Certification (From Wikipedia)

Certification refers to the confirmation of certain characteristics of an

– object,

– product,

– person, or

– organization.

This confirmation is often, but not always, provided by some form of external review, education, or assessment.

Licence: Certification does not refer to the state of legally being able to practice or work in a profession. That is licensure. Usually, licensure is administered by a governmental entity for public protection purposes and certification by a professional association. However, they are similar in that they both require the demonstration of a certain level of knowledge or ability.

Product certification: The other most common type of certification in modern society is product certification. This refers to processes intended to determine if a product meets minimum standards, similar to quality assurance.

Organizational certification, such as the ISO 9000 Quality Management System environmental and sustainability certification, is usually referred to as accreditation.

Page 11:

Cyber security standards (From Wikipedia)

Cyber security standards are security standards which enable organizations to practice safe security techniques in order to minimize the number of successful cyber security attacks.

These guides provide general outlines as well as specific techniques for implementing cyber security.

For certain specific standards, cyber security certification by an accredited body can be obtained. There are many advantages to obtaining certification including the ability to get cyber security insurance.

Page 12:

Specific Information security related standards

For Citizens: PKI (Personnel key Identifier, Electronic Signature)

For Organizations / Companies: ISO 27001 Information Security Management System

For Information Systems: ISO

For Information Security professionals: CISA, CISM, CSSP,

Page 13:

HOW TO LIVE WITH STANDARDS

Page 14:

Process Success Factors

1. Put policy and standards in place

Page 15:

Security Life Cycle Steps

1. Assess current security state

2. Update policies

3. Develop and document a “baseline” security standard

4. Translate standards into security guidelines

5. Implement guidelines on systems

6. Ensure compliance with standards

Page 16:

Policy Standards Guidelines Procedures Practice

Top-level Policy

• Broad statement of intent

• Sets the expectations for compliance

• Must acknowledge individual accountability

• Culture-dependent

• Must cover appropriate use

• Must be enforced

Page 17:

Policy Standards Guidelines Procedures Practice

Standards

• Describe what to do, not how to do it

• Explain the application of policy

• Cover all elements of information security

• Use existing models (I4 & ISF)

• Provide the cornerstone for compliance

Page 18:

Policy Standards Guidelines Procedures Practice

Guidelines

• Tell how to meet standards

• Are platform- or technology-specific

• Provide examples and configuration recommendations

• Must be kept up to date
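The Security Life Cycle slide (assess, baseline standard, guidelines, implement, ensure compliance) and the Standards/Guidelines slides describe a chain in which a standard states what must hold and a guideline states how to meet it on one platform. The following Python is an added worked example for these notes, not code from the presentation or from any real standard: it encodes a small constructed baseline (requirement ids ACC-1 to ACC-3), maps each requirement to an OpenSSH guideline (the keyword defaults quoted are the assumed OpenSSH defaults), and checks a constructed sshd_config sample for compliance, reporting which requirements of the standard the system fails.

```python
"""Added example: from a 'baseline' standard, through platform guidelines,
to a compliance check. All names (Requirement, Guideline, BASELINE,
SSHD_GUIDELINES, SAMPLE_SSHD_CONFIG) are invented for this illustration."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Requirement:
    """One clause of the baseline standard: says WHAT must hold, not HOW."""
    req_id: str
    statement: str


@dataclass(frozen=True)
class Guideline:
    """Platform-specific guideline: HOW a requirement is met on one platform."""
    req_id: str
    platform: str
    directive: str                  # configuration keyword to inspect
    check: Callable[[str], bool]    # True when the observed value complies
    default: str                    # value in force when the keyword is absent
    advice: str                     # the configuration recommendation itself


# Baseline standard (constructed, technology-neutral).
BASELINE: List[Requirement] = [
    Requirement("ACC-1", "Privileged accounts must not log in remotely."),
    Requirement("ACC-2", "Remote administration must not rely on passwords alone."),
    Requirement("ACC-3", "Failed remote logins must be limited per connection."),
]

# Guidelines (constructed) mapping ACC-1..ACC-3 onto OpenSSH server settings.
# The 'default' values are the OpenSSH defaults assumed by this example.
SSHD_GUIDELINES: List[Guideline] = [
    Guideline("ACC-1", "openssh", "PermitRootLogin",
              lambda v: v == "no", "prohibit-password",
              "Set 'PermitRootLogin no' in sshd_config."),
    Guideline("ACC-2", "openssh", "PasswordAuthentication",
              lambda v: v == "no", "yes",
              "Set 'PasswordAuthentication no' and use key-based logins."),
    Guideline("ACC-3", "openssh", "MaxAuthTries",
              lambda v: v.isdigit() and int(v) <= 4, "6",
              "Set 'MaxAuthTries 4' or lower."),
]


@dataclass(frozen=True)
class Finding:
    req_id: str
    directive: str
    observed: str
    explicit: bool      # False when the value came from the platform default
    compliant: bool


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Parse sshd_config-style text into {keyword: value}.

    Rules that matter for a checker: '#' starts a comment, keywords are
    case-insensitive, and the FIRST occurrence of a keyword wins. Conditional
    'Match' blocks are out of scope, so parsing stops at the first one rather
    than misreading their contents as global settings.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)      # first occurrence wins
    return settings


def check_compliance(config_text: str, guidelines: List[Guideline]) -> List[Finding]:
    """Evaluate every guideline against the configuration, falling back to
    the platform default when a keyword is not set explicitly."""
    settings = parse_sshd_config(config_text)
    findings = []
    for g in guidelines:
        key = g.directive.lower()
        explicit = key in settings
        observed = settings.get(key, g.default)
        findings.append(Finding(g.req_id, g.directive, observed, explicit, g.check(observed)))
    return findings


def noncompliant_requirements(findings: List[Finding]) -> List[str]:
    """Requirement ids of the baseline standard that the system fails."""
    return [f.req_id for f in findings if not f.compliant]


# Constructed sample sshd_config; not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
Port 22
# violates ACC-1; the later duplicate below does NOT override it
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
# MaxAuthTries is not set, so the assumed default of 6 applies
"""

if __name__ == "__main__":
    advice = {g.req_id: g.advice for g in SSHD_GUIDELINES}
    for f in check_compliance(SAMPLE_SSHD_CONFIG, SSHD_GUIDELINES):
        status = "OK  " if f.compliant else "FAIL"
        source = "explicit" if f.explicit else "default"
        print(f"{status} {f.req_id} {f.directive}={f.observed} ({source})")
        if not f.compliant:
            print("     ->", advice[f.req_id])
```

Two points the slides make are visible in the output: the standard never mentions sshd_config (it says what, the guideline says how), and a guideline must track the platform, since a keyword left unset is judged by the platform's default rather than ignored.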

Page 19:

What about the Laws?

Macedonian Information security related Framework

1. Law for Personal Data Protection

2. Law for Classified Information

3. Law for free public access

4. Law for crime (relevant articles for cyber crime)