Security Management: International Information Security Technology Standards Development (slide deck, 20 pages)

International Information Security Technology Standards Development: ISO/IEC JTC 1/SC 27/WG 4

江明灶 Meng-Chow Kang, CISSP, CISA
Convener, Security Controls & Services Working Group (WG 4), ISO/IEC JTC 1 SC 27 (Security Techniques)
Chief Security Advisor, Microsoft Great China Region

ISO/IEC JTC 1 SC 27 organisation

ISO/IEC JTC 1 SC 27: Chair Walter Fumy; Vice Chair Marijike de Soete; Secretary Krystyna Passia
- WG1 ISMS Standards: Chair Ted Humphreys; Vice-Chair Angelika Plate
- WG2 Security Techniques: Chair Prof. K Naemura
- WG3 Security Evaluation: Chair Mats Ohlin
- WG4 Security Controls & Services: Chair Meng-Chow Kang
- WG5 Privacy Technology, ID management and Biometrics: Chair Kai Rannenberg

Information Security Management Systems (ISMS): the ISMS family

- 27000 Fundamentals & Vocabulary
- 27001 ISMS Requirements
- 27002 Code of Practice
- 27003 ISMS Implementation Guidance
- 27004 ISMS Measurement
- 27005 ISMS Risk Management
- 27006 Accreditation Requirements

SC27 WG4 Roadmap Framework

- Known security issues: manage risk; prevent occurrence; reduce the impact of occurrence
- Unknown and emerging security issues: prepare to respond; eliminate or reduce impact
- Security breaches and compromises: investigate to establish the facts about breaches; identify who did it and what went wrong

SC27 WG4 Roadmap

- Network Security (27033): ISO 18028 revision; WD for new Parts 1, 2 & 3; new Study Period on Home Network Security
- ICT Readiness for Business Continuity (27031): includes ISO/IEC 24762
- Cybersecurity (27032): anti-spyware, anti-SPAM, anti-phishing, cybersecurity-event coordination & information sharing
- Application Security (27034)
- TTP Services Security: new Study Period proposed; includes outsourcing and off-shoring security
- Forensic Investigation
- Further status notes on the roadmap slide: vulnerability management, IDS and incident response related standards; 1st WD available for comments; future NP

Gaps between Readiness & Response: IT Security, BCP, and DRP Planning & Execution

[Figure: three tracks, each with a plan / prepare & test phase. IT Security Planning moves through Protect, Detect, React/Response. Business Continuity Planning is triggered by events and IT system failures and leads to "Activate BCP". Disaster Contingency & Recovery Planning is triggered by a disaster and leads to "Activate DCRP".]

ICT Readiness for Business Continuity

What is ICT Readiness?
- Prepare the organization's ICT technology (infrastructure, operation, applications), process, and people against unforeseeable focusing events that could change the risk environment
- Leverage and streamline resources among traditional business continuity, disaster recovery, emergency response, and IT security incident response and management

Why does ICT Readiness focus on Business Continuity?
- ICT systems are prevalent in organizations
- ICT systems are necessary to support incident, business continuity, disaster, and emergency response and management needs
- Business continuity is incomplete without considering ICT systems readiness
- Responding to security incidents, disasters, and emergency situations is about business continuity

Implications of ICT Readiness

[Figure: operational status (100%, x%, y%, z%) against time, with the incident at T=0 and recovery points at T=i, T=j, T=k and T=l. Three curves: before implementation of IHM, BCM, and/or DRP; after implementation of IHM, BCM, and/or DRP; after implementation of ICT Readiness for BC.]

- Current IHM, BCM and DRP focus on shortening the period of disruption and reducing the impact of an incident through risk mitigation and recovery planning.
- Early detection and response capabilities prevent sudden and drastic failure, enable gradual deterioration of operational status, and further shorten recovery time.

ICT Readiness for Business Continuity: standard structure

Re-proposed as a single-part standard (Nov 07). Structure (DRAFT, Document SC27N6274):
- Introduction
- Scope
- Normative References
- Terms and Definitions
- Overview (of ICT Readiness for Business Continuity)
- Approach: based on the PDCA cyclical model; extends the BCP approach (using RA and BIA); introduces Failure Scenario Assessment (with FMEA); focuses on triggering events
- Management of the IRBC Program

Global Threat Landscape

[Figure: Web 2.0 cybersecurity issues. Channels: P2P file sharing, instant messaging, blogging, VoIP/video. Threats: splogs, SPAM, search engine poisoning, spyware, trojans, viruses/worms, exploit URLs, phishing, privacy & information breach. Chart: prevalence of malicious software by category.]

What is Cybersecurity?

- The definition of cybersecurity overlaps Internet/network security
- Nature of cybersecurity issues:
  - Occur on the Internet (cyberspace)
  - Global nature: multiple countries, different policies and regulations, different focus
  - Multiple entities, from simple client systems to complex infrastructure
  - The weakest link and the lowest common denominator prevail
  - Highly creative landscape, always changing

Cybersecurity

Cybersecurity concerns the protection of assets belonging to both organizations and users in the cyber environment. The cyber environment in this context is defined as the public on-line environment (generally the Internet) as distinct from "enterprise cyberspace" (closed internal networks specific to individual organizations or groups of organizations).

Guidelines for Cybersecurity

"Best practice guidance in achieving and maintaining security in the cyber environment for audiences as defined below."

Address the requirement for a high level of co-operation, information-sharing and joint action in tackling the technical issues involved in cybersecurity. This needs to be achieved both between individuals and organizations at a national level and internationally.

The primary audiences for the standard are:
- Cyberspace service providers such as Internet Service Providers (ISPs), web service providers, outsourcing and data back-up service providers, on-line payment bureaux, on-line commerce operators, entertainment service providers and others.
- Enterprises, including not only commercial organizations but also non-profit bodies and other organizations in fields such as healthcare and education.
- Governments.

End users, while highly important, are not seen as a key target audience as they are not in general direct users of international standards.

The standard will not offer technical solutions to individual cybersecurity issues, which are already being developed by other bodies as described below.

Network Security: revision of ISO/IEC 18028

Re-focus, re-scoping, and new parts:
- Part 1 Guidelines (overview, concepts, principles)
- Part 2 Guidelines for design and implementation
- Part 3 Reference networking scenarios: risks, design, techniques, and control issues
- Part 4 Securing communications between networks using security gateways
- Part 5 Securing remote access
- Part 6 Securing communications between networks using virtual private networks
- Part 7 To-be-named "technology topic"

Software Vulnerability Disclosures: OS versus application vulnerabilities

- Application vulnerabilities continued to grow relative to operating system vulnerabilities as a percentage of all disclosures during 2006
- This supports the observation that security vulnerability researchers may be focusing more on applications than in the past

Guidelines for Application Security

- Reduce security problems at the application layers
- Eliminate common weaknesses at the code and process levels
- Strengthen the security of the code base; improve application security and reliability

Multi-part standard, including:
- Code Security Certification: testing and certification per major release of an application
- Process Security Certification: a security development lifecycle that assures the security of code from design to operation, including minor releases and patch development & release

Focus on web-based applications (the major problem areas).

Guidelines for Application Security (continued)

- Specify an application security life cycle, incorporating the security activities and controls for use as part of an application life cycle, covering applications developed through internal development, external acquisition, outsourcing/offshoring, or a hybrid of these approaches.
- Provide guidance to business and IT managers, developers, auditors, and end-users to ensure that the desired level of security is attained in business applications in line with the requirements of the organization's Information Security Management System.
