
Information Security Harmonisation—Classification of Global Guidance

Information Systems Audit and Control Association®


With more than 35,000 members in more than 100 countries, the Information Systems Audit and
Control Association (ISACA®) (www.isaca.org) is a recognised worldwide leader in IT
governance, control, security and assurance. Founded in 1969, ISACA sponsors international
conferences, publishes the Information Systems Control Journal®, develops international
information systems auditing and control standards, and administers the globally respected
Certified Information Systems Auditor™ (CISA®) designation, earned by more than 38,000
professionals since inception, and the Certified Information Security Manager® (CISM®)
designation, a groundbreaking credential earned by 5,100 professionals in its first two years.

IT Governance Institute®
The IT Governance Institute (ITGI®) (www.itgi.org) was established in 1998 to advance
international thinking and standards in directing and controlling an enterprise’s information
technology. Effective IT governance helps ensure that IT supports business goals, optimises
business investment in IT, and appropriately manages IT-related risks and opportunities. The IT
Governance Institute offers symposia, original research and case studies to assist enterprise
leaders and boards of directors in their IT governance responsibilities.

Disclaimer
The Information Systems Audit and Control Association (the “Owner”) and the authors have
designed and created this publication, titled Information Security Harmonisation—
Classification of Global Guidance (the “Work”), primarily as an educational resource for
security professionals. The Owners make no claim that use of any of the Work will assure a
successful outcome. The Work should not be considered inclusive of any proper information,
procedures and tests or exclusive of other information, procedures and tests that are reasonably
directed to obtaining the same results. In determining the propriety of any specific information,
procedure or test, the security professional should apply his/her own professional judgement to
the specific circumstances presented by the particular systems or information technology
environment.

Disclosure
Copyright © 2005 by Information Systems Audit and Control Association. All rights reserved.
No part of this publication may be used, copied, reproduced, modified, distributed, displayed,
stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical,
photocopying, recording or otherwise), without the prior written authorisation of ITGI.

Information Systems Audit and Control Association


3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.590.7491
Fax: +1.847.253.1443
E-mail: [email protected]
Web site: www.isaca.org

ISBN 1-933284-05-6
Information Security Harmonisation—Classification of Global Guidance
Printed in the United States of America


Acknowledgements
From the Publisher
Information Systems Audit and Control Association wishes to recognise:

The author
Leslie Ann Macartney, CISA, CISM, UK

The Board of Directors
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young LLP, USA,
International President
Abdul Hamid Bin Abdullah, CISA, CPA, Auditor General’s Office, Singapore, Vice President
William C. Boni, CISM, Motorola, USA, Vice President
Ricardo Bria, CISA, SAFE Consulting Group, Argentina, Vice President
Everett C. Johnson, CPA, Deloitte & Touche (retired), USA, Vice President
Howard Nicholson, CISA, City of Salisbury (South Australia), Australia, Vice President
Bent Poulsen, CISA, CISM, VP Securities Services, Denmark, Vice President
Frank Yam, CISA, CIA, CCP, CFE, Focus Strategic Group Inc., Hong Kong, Vice President
Robert S. Roussey, CPA, University of Southern California, USA, Past International President
Paul A. Williams, FCA, MBCS, Paul Williams Consulting, UK, Past International President

The expert reviewer
Robert G. Parker, CISA, CA, FCA, CMC, Deloitte & Touche LLP, Canada

The CISM Certification Board
Chair, Leslie Macartney, CISA, CISM, UK
Kent Anderson, CISM, Network Risk Management LLC, USA
Luis A. Capua, CISM, Sindicatura General de la Nación, Argentina
Robert Stephen Coles, Ph.D., CISA, CISM, FCCA, MBCS, Royal Bank of Scotland Group, UK
Arnold Dito, CISA, USA
Danny Q. Le, CISA, CISM, KPMG, USA
Kyeong-Hee Oh, CISA, CISM, CISSP, Green Soft, Korea
Ashok Shankar Pawar, CISA, CISM, CAIIB, State Bank of India, India
David Simpson, CISA, CISM, CISSP, CQR Consulting, Australia

The authors of COBIT Mapping—Overview of International IT Guidance
Jimmy Heschl, CISA, CISM
ISACA Austria Chapter


Table of Contents
Introduction
  Purpose for Classification of the Guidance
  Security Guidance Included in This Research
  The Classification Framework
  Document Taxonomy Chart
  The CISM Domain Chart
  How to Use This Publication
  History and Role of ISACA and ITGI
  Approach to the Classification
1. BS 7799 Part 2:2002 Information Security Management Systems—Specification With Guidance for Use
2. COBIT®
3. SSE-CMM® Systems Security Engineering—Capability Maturity Model 3.0
4. GAISP Version 3.0
5. The Standard of Good Practice for Information Security
6. ISO/IEC 13335 Information Technology—Guidelines for the Management of IT Security
7. ISO/TR 13569:1997 Banking and Related Financial Services—Information Security Guidelines
8. ISO/IEC 15408:1999 and Common Criteria
9. ISO/IEC 17799:2000 Information Technology—Code of Practice for Information Security Management
10. Security Management
11. NIST 800-12 An Introduction to Computer Security—The NIST Handbook
12. NIST 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
13. NIST 800-18 Guide for Developing Security Plans for Information Technology Systems
14. NIST 800-53 Recommended Security Controls for Federal Information Systems, Second Public Draft
15. OCTAVE® Criteria Version 2.0 Networked Systems Survivability Program
16. Guidelines for the Security of Information Systems and Networks and Associated Implementation Plan
17. Manager’s Guide to Information Security
Annex—CISM Job Domains

Note that each of the chapters contains the following subsections:
• Issuer
• Document Taxonomy
• Circulation
• Goal(s) of the Standard or Guidance Publication
• Information Security Drivers for Implementing the Guidance—Why
• Related Risks of Noncompliance—What Could Happen
• Target Audience
• Timeliness
• Certification Opportunities
• Completeness
• Availability
• Recognition/Reputation
• Usage
• CISM Domain Alignment
• Description and Guidance on Use
• Reference


Introduction
Purpose for Classification of the Guidance
The role of the information security manager has evolved over the past few years.
It has shifted from a position that focussed essentially on IT to one where business
acuity takes equal priority. At the same time, numerous security standards, codes of
practice, methodologies, etc., have been developed and published, all with the
purpose of providing some level of direction or support for security objectives. All
of them are focussed on one or more issues of importance. However, because there
are so many of them and no harmonisation framework existed, the perception has
arisen that there is a standards quagmire. This is where this technical study from
ITGI intends to add some clarity to the picture.

The purpose of this document is to provide Certified Information Security Manager
(CISM) holders and all other information security managers with a road map to the
more recognised and widely available information security guidance documents.
Seventeen internationally accepted security-focussed guidance documents were
examined across 12 separate evaluative criteria, enabling information security
managers to identify those that may be of best use within their own organisation or
most appropriate for improving their own skills and knowledge.

This report will also be useful in presenting the concept of managing risk on an
enterprisewide basis, from the boardroom to the network. It helps link risk
management and the information presented to governance.

Despite the quantity and diversity of available security guidance worldwide, there
remain areas of information security management that do not appear to be
addressed to the level or detail required in today’s environments. ISACA/ITGI will
follow up this research with further work to define these gaps and produce
additional guidance as required. Additionally, this document will be updated
periodically to reflect additional guidance, changes to guidance and advice on how
the guidance can be used, based on best practice surveys.

Security Guidance Included in This Research
The scope of this first version of Information Security Harmonisation was defined
as identifying, classifying and reporting on the most commonly known and
accepted worldwide guidance. The author did not identify every piece of guidance
in all countries, but attempted to deal first with the most common and generally
accepted. The following were included in this research:
• BS 7799 Part 2:2002 Information Security Management Systems—Specification
With Guidance for Use is a specification for an information security management
system.


• Control Objectives for Information and related Technology (COBIT), published by
the IT Governance Institute, represents a collection of documents that can be
classified as generally accepted framework and standards for IT governance,
security, control and assurance.
• Systems Security Engineering—Capability Maturity Model (SSE-CMM) Model
Description Document 3.0 is a guide to the concepts and application of a model
to improve and assess security engineering capability.
• Generally Accepted Information Security Principles (GAISP) is a collection of
security principles that has been defined and produced as a collective effort by
members of the organisations involved.
• The Information Security Forum’s (ISF’s) Standard of Good Practice for
Information Security is a collection of information security principles and
practices.
• ISO/IEC 13335 Information Technology—Guidelines for the Management of IT
Security, released by the International Organisation for Standardisation and the
International Electrotechnical Commission, is technical guidance subdivided into
five parts which provide guidance on aspects of information security management.
• ISO/TR 13569: 1997 Banking and Related Financial Services—Information
Security Guidelines, released by the International Organisation for
Standardisation, is a grouping of security concepts and suggested control
objectives and solutions for financial sector organisations.
• ISO/IEC 15408:1999 Security Techniques—Evaluation Criteria for IT Security is
based on the Common Criteria for Information Technology Security Evaluation
2.0 (CC). ISO/IEC 15408:1999 is used as a reference to evaluate and certify the
security of IT products and systems.
• ISO/IEC 17799:2000 Information Technology—Code of Practice for Information
Security Management is a collection of information security practices.
• The IT Infrastructure Library’s (ITIL’s) Security Management is a methodology
describing how IT security management processes link into other IT infrastructure
management processes.
• NIST 800-12 An Introduction to Computer Security—The NIST Handbook,
released by the US National Institute of Standards and Technology (NIST),
describes the common requirements for managing and implementing a computer
security programme and some guidance on the types of controls that are required.
• NIST 800-14 Generally Accepted Principles and Practices for Securing
Information Technology Systems is a collection of principles and practices to
establish and maintain system security.
• NIST 800-18 Guide for Developing Security Plans for Information Technology
Systems provides a format and guidance for developing a system security plan.
• NIST 800-53 Recommended Security Controls for Federal Information Systems
provides a set of baseline security controls.
• Operationally Critical Threat, Asset, and Vulnerability Evaluation℠ (OCTAVE) is
a set of principles, attributes and outputs for risk assessment.
• Organisation for Economic Co-operation and Development (OECD) Guidelines
for the Security of Information Systems and Networks provides a set of nine
information security principles aimed at fostering a “culture of security”.


• Open Group’s Manager’s Guide to Information Security is a booklet providing
general guidance for IT managers on acquiring secure IT products and systems.

The Classification Framework
A goal of this project was to produce a comprehensive document that evaluated all
selected security guidance in the same manner, using the same criteria. The
following approach was used to evaluate the guidance:
• Issuer—Who issued the guidance and what organisation(s) are supporting it and
keeping it current?
• Document taxonomy—Is the guidance an international or a national standard, a
collection of best practices, or guidance?
• Circulation—Is the guidance used internationally or is it limited to a specific
geographical area?
• Goal(s) of the standard or guidance publication—What is the stated purpose of
the guidance? For example, the guidance may focus on information security
management or baseline protection, or it may provide a methodology or
framework.
• Information security drivers for implementing the guidance—What are some
specific reasons for considering the implementation of the guidance?
• Related risks of not using or implementing—What are some identified risks if the
guidance is not implemented?
• Target audience—What is the stated target audience of the guidance?
• Timeliness—How current is the publication and how frequently is it revised?
• Certification opportunities—Is there a certification for adherence to or knowledge
of the guidance, either at the organisation or the individual level?
• Completeness—How complete is the guidance in meeting its own stated purposes
and in terms of use for designing, implementing and managing an enterprisewide
information security management programme?
• Availability—Where and how can the security guidance be obtained?
• Recognition/reputation—What are the recognition levels of the guidance and
CISM holders’ opinions on its acceptability to the information security industry?
Conclusions represent a summary of results of a global survey of more than 5,000
CISMs conducted in the fourth quarter of 2004.
• Usage—How widely is it used by security practitioners, and is it considered
comprehensive and effective in this use? Conclusions represent a summary of
results of a global survey of more than 5,000 CISMs conducted in the fourth
quarter of 2004.
• CISM domain alignment—What level of coverage does the publication provide
when compared against the task/knowledge statements in the CISM job domains?
• Description—This section provides a brief, high-level description of the contents
of the respective guidance under review, including brief excerpts of all criteria
within the framework and conclusions that were reached. The conclusions result
from the author’s and others’ reading.


Document Taxonomy Chart
As a part of this research, ITGI wanted to present an analysis of the degree to which
the various security guidance documents fulfilled five principal areas of security.
The areas, and how they are presented in the taxonomy chart (figure 1), are:
• Information security management programme components—The respective
guidance contains suggestions for the types of activities an information security
manager would normally address within an information security programme,
including justifications, objectives and approaches.
• Security principles—The guidance suggests key security principles upon which
an information security programme should be based, including justifications that
can be interpreted to align with most, if not all, variations of business objectives.
• High-level information security controls—The guidance contains information
security controls, but not necessarily the detailed practices of how the control can
be applied.
• Detailed control practices—The guidance contains detailed information security
control practices.
• Model or methodology—The guidance describes a framework, model or
methodology for one or more activity in which an information security manager
may be engaged.

Figure 1—Document Taxonomy

The five areas of security focus are: information security management programme
components; security principles; high-level security controls; detailed control
practices; and model or methodology. The chart marks each area a guidance document
covers with an X; the column placement of the marks is not recoverable from this
copy, so the number of areas marked is given for each security guidance document.

Security Guidance: areas of security focus marked (out of five)
BS 7799: 2
COBIT¹: 3
SSE-CMM: 1
GAISP: 1
ISF: 3
ISO/IEC 13335: 4
ISO/TR 13569: 2
ISO/IEC 15408: 2
ISO/IEC 17799: 1
ITIL: 2
NIST 800-12: 3
NIST 800-14: 2
NIST 800-18: 2
NIST 800-53: 1
OCTAVE: 4
OECD: 1
Open Group: 0 (no area marked)

¹ COBIT provides detailed control practices for IT governance. Information security controls are also
included within its scope.


Note that BS 7799 and ISO/IEC 17799 have different qualifications because one is
a specification (or method) for information security management whilst the other is
a set of guidelines and recommended information security practices.

The CISM Domain Chart
CISM is ISACA’s groundbreaking credential earned by more than 5,100
professionals in its first two years. It is for the individual who must maintain a view
of the “big picture” by managing, designing, overseeing and assessing an
enterprise’s information security.

CISM is specifically geared toward experienced information security managers and
those who have information security management responsibilities. It helps provide
executive management with assurance that those earning the designation have the
required knowledge and ability to provide effective security management and
consulting. It is business-oriented and focusses on information risk management
whilst addressing management, design and technical security issues at a conceptual
level. Whilst its central focus is security management, all those in the IS profession
with security experience can find value in CISM.

The CISM domain chart in figure 3 provides a summary of how and to what level
of detail each of the 17 global guidance documents provides coverage of the task
and knowledge requirements within the five CISM domains. It suggests its likely
usefulness to the CISM who feels weak in the knowledge requirements of one or
more domains. Secondly, it provides to all security practitioners potentially new
approaches to common information security management activities.

This research has allocated each of the global guidance documents a ranking² of 4,
3, 2, 1 or 0 for each of the five CISM domains. These rankings are not intended to
indicate the quality of the publication but are designed to indicate their
helpfulness to a CISM (or someone seeking to gain CISM certification) in
addressing the specific objectives of each CISM domain. The five levels are further
defined in figure 2.

² The use of a ranking of 5 has been specifically excluded as none of the examined guidance documents
was found to provide full coverage of a CISM domain.


Figure 2—CISM Domain Rankings

Ranking 4: The publication addresses many of the respective CISM domain’s tasks,
providing not only the “what” needs to be done but also suggestions on “how” it
can be achieved.
Ranking 3: The publication contains detailed guidance on one or more of the CISM
domain tasks. Other tasks within the domain either are not addressed or the level
provided is inadequate for real learning purposes.
Ranking 2: The publication should be considered a useful complement to other
resources, but on its own does not supply sufficient guidance for the respective
CISM domain.
Ranking 1: The publication is unlikely to provide real benefit to the reader in
addressing this CISM domain. Any references are either incomplete or very high level.
Ranking 0: There are little or no references to this CISM domain.

The overall score uses the same definitions, but in relation to all five CISM
domains. In this context, the overall score is not necessarily an average of the
individual scores.

Figure 3—Security Guidance Coverage of CISM Domains

Columns: ISG = Information Security Governance; RM = Risk Management;
ISPM = Information Security Programme Management; ISM = Information Security
Management; RspM = Response Management; Overall = overall coverage of the CISM domains.

Publication     | ISG | RM | ISPM | ISM | RspM | Overall
BS 7799         |  2  | 1  |  2   |  2  |  1   |   2
COBIT           |  2  | 1  |  2   |  2  |  1   |   2
SSE-CMM         |  2  | 2  |  2   |  2  |  2   |   2
GAISP           |  2  | 1  |  1   |  1  |  0   |   2
ISF             |  2  | 2  |  3   |  2  |  1   |   2
ISO/IEC 13335   |  4  | 3  |  4   |  4  |  1   |   4
ISO/TR 13569    |  2  | 3  |  3   |  2  |  1   |   2
ISO/IEC 15408   |  0  | 0  |  2   |  0  |  0   |   2
ISO/IEC 17799   |  1  | 1  |  3   |  2  |  2   |   2
ITIL            |  1  | 0  |  2   |  2  |  1   |   2
NIST 800-12     |  4  | 3  |  4   |  4  |  3   |   4
NIST 800-14     |  2  | 1  |  2   |  2  |  2   |   2
NIST 800-18     |  1  | 1  |  3   |  1  |  1   |   2
NIST 800-53     |  1  | 1  |  3   |  1  |  1   |   2
OCTAVE          |  2  | 4  |  4   |  1  |  1   |   3
OECD            |  2  | 1  |  1   |  0  |  1   |   1
Open Group      |  0  | 0  |  1   |  1  |  0   |   1


A full description of the CISM job domains and the associated task and knowledge
statements is provided in the appendix of this document.

How to Use This Publication
Best use of this publication depends upon the reader’s familiarity with security
standards and guidance. Another factor is how the reader’s enterprise embraces
global standards, guidance and best practices. Therefore, the following suggested
approach may or may not fit the reader’s needs. One size does not fit all.

Consider the guidance currently used by the enterprise and then review the
document taxonomy in figure 1. Determine whether the guidance currently used is
adequate for the anticipated needs of the enterprise in the future across the five
areas mapped:
• Information security management programme component
• Security principles
• High-level information security controls
• Detailed control practices
• Model or methodology

Then consider the information security drivers for implementing each
standard/guidance described in this book. Review the related risks of not using or
implementing the guidance. Helpful information to arrive at the best practice for the
enterprise is presented in the CISM domain alignment section for each
standard/guidance and the recognition levels of the guidance and CISM holders’
opinions on its acceptability to the information security industry.

Remember that the standards/guidance reviewed in this publication do not include
every guidance available, only the more globally recognised and widely available
information security guidance documents. Each enterprise must analyse its unique
security needs in relation to the available guidance.

In the end, each enterprise must analyse its needs and evaluate its weaknesses and
strengths as they relate to information security.

History and Role of ISACA and ITGI
The Information Systems Audit and Control Association, established in 1969, is a
nonprofit member organisation which has for many years worked with security and
IT assurance professionals. It is globally recognised as the major provider of
standards and controls for the general IT environment. ISACA’s CISA certification
was developed in 1978 and remains the most successful and internationally
recognised IT auditor certification available, with more than 38,000 certified
globally since inception.


In 1996, ISACA’s affiliated foundation published the first version of COBIT as a
framework within which IT governance could be managed. COBIT, now in its third
edition, is published in several languages, including Dutch, French, German and
Spanish, amongst others, and is generally considered to be the leading governance,
security, control and assurance framework across the world.

ISACA reflected the growing awareness of the vital role of technology in helping
businesses achieve their corporate aims with the creation of the IT Governance
Institute in 1998. Effective IT governance helps ensure that IT supports business
goals, maximises business investment in IT, and appropriately manages IT-related
risks and opportunities.

In 2002, the CISM certification was launched. It was specifically developed to
reflect the increasing importance of the role of information security managers and,
in particular, to reflect their increased profile within organisations and their vital
role in corporate and IT governance.

Approach to the Classification
Descriptions of the guidance have been provided based on the author’s review.
Whilst attempts have been made to keep these descriptions factual, subjective
opinions of the author are unavoidable. All guidance was evaluated/classified using
the same approach and framework. The intent was to provide a comprehensive
solution for answering questions about how the various guidance documents
address the security space.

In completing this classification, information relating to the reputation, recognition,
acceptance and usage of the publications was obtained from a survey of holders of
the CISM certification. A comprehensive survey was sent to more than 5,000
CISMs. Nearly 1,900 completed and returned the survey for a 37 percent response
rate. Information was classified by geographic location³ to identify regional
differences.

CISM holders and other readers of this document are encouraged to provide ISACA
with feedback on their own specific experiences of using the referenced guidance
and to suggest others that should be included in this classification. The security
guidance included in this document undoubtedly will undergo change/modification
and, as mentioned previously, it is intended that this report will be updated regularly
to reflect changes and finalisation, in addition to new guidance that comes into
existence.

³ Five geographic locations were used: Asia, Central/South America, Europe/Africa, North America and
Oceania.

1. BS 7799 Part 2:2002 Information Security Management Systems—Specification With Guidance for Use
Issuer
The United Kingdom Standards Policy and Strategy Committee provides authority
for publication of documents as British Standards. BS 7799 has been adopted and
modified by several countries, for example, AS/NZS 7799-2 for Australia and New
Zealand.

Document Taxonomy
The original BS 7799 was issued as two parts:
• BS 7799-1: Information Technology—Code of Practice for Information Security
Management
• BS 7799-2: Information Security Management Systems—Specification with
Guidance for Use

BS 7799-1 no longer exists, having been replaced by ISO/IEC 17799, which is
discussed later in this research.

Circulation
BS 7799-2 is a British Standard that is widely known and used internationally.

Goal of the Standard or Guidance Publication
The purpose of this guidance was to specify the requirements for establishing,
implementing, operating, monitoring, reviewing, maintaining and improving a
documented information security management system. It has been designed to be
compatible with ISO 9001:2000 (quality management systems) and ISO 14001:1996
(environmental management systems).

Information Security Drivers for Implementing the Guidance—Why
It may provide assurance to customers and trading partners that the organisation is
managing its information security risks to meet a recognised minimum standard.


Following the defined guidance for an information security management system,
regardless of whether one is seeking certification, can be a good method of instilling
discipline into the security management process.

Related Risks of Noncompliance—What Could Happen
Whilst there is no specific risk in following the model defined by BS 7799-2,
organisations failing to address all of the process areas are unlikely to be managing
security to a satisfactory level.

Target Audience
The guidance is prepared for business managers and their staff as a model for an
information security management system. It can also be used by certification
bodies.

Timeliness
BS 7799-2 was first developed and issued in 1998 as a specification to complement
BS 7799-1 (now ISO/IEC 17799). It was revised in 1999 to reflect changes in part
1 and again in 2002 to harmonise with other ISO management standards. British
Standards are normally revised every three to five years. The next version of
ISO/IEC 17799 is due for release in April 2005 and it is anticipated that BS 7799-2,
updated to reflect ISO/IEC 17799:2005, may very well become an ISO
standard by the end of 2006.

Certification Opportunities
A certification scheme exists to certify organisations’ compliance. Although
this is a British Standard, more than 900⁴ organisations in more than 40 countries
have been evaluated and certified to BS 7799-2.

Completeness
BS 7799-2 is a model that includes every activity required to “establish, implement,
operate, monitor, review, maintain and improve a documented information security
management system”. It is designed to be used by organisations of any size or type,
and is not geographically specific.

⁴ Figures obtained from the International Information Security Management System User Group web site
at www.xisec.com.

BS 7799 Part 2:2002 Information Security Management
Systems—Specification With Guidance for Use

Unlike ISO/IEC 17799 Code of Practice for Information Security Management,
BS 7799 contains no guidance on how to undertake the activities it describes. It also
avoids describing specific control practices as these naturally vary across
organisations. However, it does recommend other documents that may be helpful to
organisations applying the guidance.

The appendix of BS 7799-2 contains a list of controls (summarised from ISO/IEC
17799) that organisations can use as the basis for identifying and setting their own
organisational security control frameworks. However, this list is not intended to be
exhaustive and the onus is on the organisation to supplement those provided.

Availability
The guidance is available for purchase from www.bsi-global.com (GB sterling
£28.00 for British Standard Institute members and £56.00 for nonmembers).

Recognition/Reputation
Based on the global survey of CISMs (described in this document’s Introduction),
BS 7799-2 is globally recognised and considered to be a widely accepted standard
by a large majority (74 percent) of the respondents.

Usage
BS 7799-2 is comprehensive and is being actively used (i.e., implemented, used as
best practice or used for assessment) by the majority (57 percent) of surveyed
CISMs in Europe/Africa, Central/South America and Oceania. Asia figures are
slightly below this (48 percent) and in North America the figure falls to 39 percent.
These are significant figures for an individual standard.

CISM Domain Alignment
When reviewing BS 7799-2 to see how it addresses the five domains of the CISM
certification, the following rankings are evident.

Information Security Governance, 2
The document provides a model that includes many of the tasks an information
security manager must undertake but it does not give detailed guidance on how the
information security manager should complete these tasks.


Risk Management, 1
BS 7799-2 contains references to and definitions of risk management activities but
it provides no guidance on development and application of risk management
methods.

Information Security Programme Management, 2
It is a good model for those wishing to design, develop and manage an information
security programme and a must for organisations intending to apply for BS 7799
certification. However, the guidance provides little direction on how to carry out the
activities, meaning the user of the model should already be experienced in
information security management.

Information Security Management, 2
This is a good model for the operational aspects of information security
management, but limited detail is provided on how to carry out the tasks.

Response Management, 1
The guidance contains only brief references to response management, and as a
whole is limited in this area and provides no direction.

Overall, 2
This is a useful model for those wishing to establish a framework for the
management of an information security management system and a must for those
seeking BS 7799 certification. It needs to be used by an experienced information
security manager and must be supplemented with other information security
standards and guidance.

Description and Guidance on Use
BS 7799-2 uses 33 pages to describe a model for setting up and managing an
information security management system. There are eight chapters and a number of
annexes and reference tables. It is a useful model but insufficient in itself for an
inexperienced information security manager. Even the experienced IT security
professional should, as is recommended within BS 7799-2, refer to other
publications for guidance on undertaking the activities described.

The guidance includes an introduction to the plan-do-check-act (PDCA) model that
is used in other management systems standards such as ISO/IEC 9001. The PDCA
model also reflects some of the principles set out in OECD’s Guidelines for the
Security of Information Systems and Networks—Towards a Culture of Security and
COBIT, which are reviewed later in this document.


Since the PDCA is an approach used in several globally respected standards, the
following is a brief description of the approach that would be used to manage a
comprehensive information security management system.

Plan activities address the establishment of the information security management
system and include:
• Definition of the information security management system coverage (e.g.,
location, assets, technology)
• Definition of an information security policy that reflects organisational needs
• Definition of a risk assessment methodology
• Identification and assessment of risks
• Identification and evaluation of options for the treatment of risks
• Selection of control objectives and controls
• Preparation of a statement of applicability (which gives the reasons for selection
and exclusion of controls)

Do activities are concerned with the implementation and operation of the
information security management system and include:
• Creation of plans to allocate responsibilities and priorities for risk treatment
• Implementation of controls
• Training and awareness programmes
• Operations and resource management
• Procedures for detecting and reacting to incidents

Check activities are concerned with monitoring and reviewing the information
security management system and include:
• Execution of monitoring and other control procedures
• Reviews of information security management system effectiveness
• Reviews of residual risks and acceptable risks

Act activities are concerned with maintaining and improving the information
security management system and include:
• Implementing improvements (including taking corrective and preventive actions
to eliminate the cause of nonconformities and guard against future
nonconformities)
• Learning from experiences (one’s own and those of other organisations)
• Ensuring that improvements meet the objectives

The standard describes the types of documentation needed to establish and manage
the information security management system, as well as the documentation needed to
satisfy the British Standard (and therefore necessary for certification to it). It also
describes the procedures that need to be in place to control documents and records.

Management responsibilities are identified and include management commitment,
resource management and information security management system review. The
following provides the level of detail that is contained in BS 7799-2.


Extract from 4.3.1 General Documentation Requirements
The information security management system documentation shall include the
following:
a) Documented statement of the security policy (see 4.2.1b) and control
objectives.
b) The scope of the information security management system (see 4.2.1c) and
procedures and controls in support of the information security management
system.
c) Risk assessment report (see 4.2.1c to 4.2.1b).
d) Risk treatment plan (see 4.2.2b).
e) Documented procedures needed by the organisation to ensure the effective
planning, operation and control of its information security processes (see
6.1).
f) Records required by this British Standard (see 4.3.3).
g) Statement of applicability.
h) All documentation shall be made available as required by the information
security management system policy.

Annex A of the standard is a list of control objectives and controls that are directly
derived from those listed in ISO/IEC 17799:2000 and must be used as part of the
controls selection process identified in the plan stage.

Annex B provides guidance on the use of the standard, including details on what
should be documented in scope statements, risk assessments and risk treatment
plans. There is also guidance on what type of checking and self-policing procedures
may be applied, how to approach information security management system audits
and dealing with nonconformities. A table within annex B maps seven of the nine
OECD security principles against the PDCA model of BS 7799-2.

Extract from B.4.3 Self-policing Procedures
A self-policing procedure is a control that has been constructed so that any
error or failure perpetrated during execution is capable of prompt detection.
An example would be a device that monitors a network (e.g., for equipment
failures or errors) and raises an alarm. The alarm alerts the responsible people
to the problem, and they then have the task of diagnosing the cause of the
problem and fixing it. However, if the problem is not corrected within a defined
period of time, additional alarms are raised to more senior management, thus
escalating the problem automatically.
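
The escalation behaviour described in the extract, modelled as an added example (not code from BS 7799-2 or its annex): a monitor raises an alarm to the responsible people, and if the problem is not corrected within a defined period the alarm is re-raised to the next, more senior tier. The tier names and the periods in ESCALATION_CHAIN are assumptions for illustration, as is the constructed uplink-failure scenario.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Escalation chain (assumption, not from the standard): each tier is notified,
# and if the problem is still uncorrected when its period expires, the next,
# more senior tier is notified automatically.
ESCALATION_CHAIN: List[Tuple[str, timedelta]] = [
    ("operations-oncall", timedelta(minutes=30)),
    ("it-manager", timedelta(hours=2)),
    ("ciso", timedelta(hours=8)),
]


@dataclass
class Alarm:
    problem: str
    raised_at: datetime
    tier: int = 0                                   # index into ESCALATION_CHAIN
    tier_started_at: Optional[datetime] = None      # when the current tier was told
    corrected_at: Optional[datetime] = None
    notifications: List[Tuple[str, datetime]] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Raising the alarm notifies the first tier immediately.
        if self.tier_started_at is None:
            self.tier_started_at = self.raised_at
        self.notifications.append((ESCALATION_CHAIN[0][0], self.raised_at))


def evaluate(alarm: Alarm, now: datetime) -> Alarm:
    """Apply every escalation whose period has expired by `now`.

    Escalation times are computed from the expiry of each period, not from the
    moment this check happens to run, so a late check still records the
    escalations that should have been raised.
    """
    if alarm.corrected_at is not None:
        return alarm                 # fixed: nothing further to escalate
    while alarm.tier + 1 < len(ESCALATION_CHAIN):
        _, period = ESCALATION_CHAIN[alarm.tier]
        due = alarm.tier_started_at + period
        if now < due:
            break                    # current tier still has time to fix it
        alarm.tier += 1
        alarm.tier_started_at = due
        alarm.notifications.append((ESCALATION_CHAIN[alarm.tier][0], due))
    return alarm


def correct(alarm: Alarm, when: datetime) -> Alarm:
    """Record that the responsible people fixed the problem; escalation stops."""
    evaluate(alarm, when)            # escalations already due before the fix stand
    alarm.corrected_at = when
    return alarm


def notified_parties(alarm: Alarm) -> List[str]:
    return [who for who, _ in alarm.notifications]


# Constructed scenario: a monitored device reports an uplink failure at 09:00.
T0 = datetime(2005, 3, 1, 9, 0)


def demo_escalated() -> List[str]:
    """Nobody fixes the fault: the alarm climbs the whole chain."""
    alarm = Alarm(problem="core switch uplink down", raised_at=T0)
    evaluate(alarm, T0 + timedelta(minutes=10))   # still with on-call
    evaluate(alarm, T0 + timedelta(minutes=45))   # 30 min elapsed: IT manager told
    evaluate(alarm, T0 + timedelta(hours=3))      # 2 h more elapsed: CISO told
    return notified_parties(alarm)


def demo_corrected() -> List[str]:
    """On-call fixes the fault within its period: no escalation occurs."""
    alarm = Alarm(problem="core switch uplink down", raised_at=T0)
    correct(alarm, T0 + timedelta(minutes=15))
    evaluate(alarm, T0 + timedelta(hours=3))
    return notified_parties(alarm)
```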

Reference
www.bsi-global.com


2. COBIT
Issuer
The IT Governance Institute is the copyright holder and issuer of the COBIT
guidance. COBIT is a worldwide de facto standard.

Document Taxonomy
COBIT represents a collection of documents and a framework that are classified as
generally accepted best practices for IT governance, control and assurance. Its use
reaches IT management, security, control and user management. The framework,
along with the Committee of Sponsoring Organisations of the Treadway
Commission (COSO), is considered to be critical to compliance with the US
Sarbanes-Oxley Act.

Circulation
COBIT is accepted worldwide. In addition to the English version, it has been
translated into several languages, including Dutch, French, German and Spanish.

Goals of the Standard or Guidance Publication
The COBIT mission is to research, develop, publicise and promote an authoritative,
up-to-date, international, generally accepted information technology control
framework for day-to-day use by business managers, IT professionals and security
assurance professionals.

Information Security Drivers for Implementing the Guidance—Why
There would not generally be one specific security driver behind implementing
COBIT, as it is aimed at IT governance, of which security management is a part.


Related Risks of Noncompliance—What Could Happen
There is no direct security risk from not complying, although it is widely accepted
that security operates more effectively in an environment with good IT governance
and controls.

Target Audience
Within organisations, three levels are addressed: management, IT users, and control
and security professionals. Many types of organisations, public and private
companies and external assurance professionals form the relevant target group.

Timeliness
The first edition of COBIT was issued in 1996. In 1998 the second edition was
published with additional control objectives as well as the Implementation Tool Set.
The third edition was issued in 2000 and included the Management Guidelines as
well as an overall update. Management Guidelines includes a maturity model for IT
governance and each of the objectives, as well as key goal indicators, critical
success factors and key performance indicators. It is still relevant and up to date.
The latest enhancements to COBIT at the time of this publication in 2005 include:
• COBIT® Quickstart™
• COBIT Online®
• IT Governance Implementation Guide
• Control Practices
• COBIT® Security Baseline™

The next update to COBIT is targeted for release in late 2005.

Certification Opportunities
COBIT’s audit guidelines contain information for auditing and self-assessment
against the control objectives, but there is no certification programme available for
any part of COBIT. The COBIT framework is used frequently by Certified Public
Accountants (CPAs) and Chartered Accountants (CAs), for instance, when
performing an SAS 70 review, and has rapidly become the IT control framework of
choice for organisations addressing international regulatory issues, such as the US
Sarbanes-Oxley Act of 2002.


Completeness
COBIT addresses a broad spectrum of duties in IT management and can be of
significant interest and use to the security manager, particularly if the organisation
decides to build an IT governance framework using COBIT as its model. It does not
contain the full depth of security management activities contained in
ISO/IEC 17799.

Availability
COBIT is available in a variety of ways. First, the most dynamic and useful manner
is through COBIT Online. It can be purchased by going to
www.isaca.org/cobitonline. The approach allows users to customise a version of
COBIT to suit their own enterprise, then store and manipulate that version as desired.
It also offers full online access to all of COBIT, an editable Access database
download feature, real-time surveys, an active community forum and a robust
benchmarking feature.

Also, most parts of COBIT are readily accessible for complimentary electronic
download from the ISACA or ITGI web sites, www.isaca.org or www.itgi.org. The
audit guidelines are posted for complimentary download for ISACA members only.
Alternatively, a printed set and fully searchable CD-ROM can be purchased from
the ISACA Bookstore, [email protected].

Recognition/Reputation
Based on the global survey of CISMs (described in this document’s Introduction),
recognition of COBIT is extremely high, at over 98 percent. Of equal or more interest
is that a majority (58 percent) of surveyed CISMs (security professionals) felt that
COBIT is a well-accepted global standard.

Usage
COBIT is considered to be comprehensive and effective and is being actively used
(i.e., implemented, used as best practice or used for assessment) by more than 40
percent of surveyed information security managers globally (rising to in excess of
60 percent in Central/South America). These are significant figures for an
individual standard and are exceeded only by ISO/IEC 17799 and BS 7799.
Although this high level of use may be explained by the CISM population’s
relationship to ISACA, it should also be noted that security managers do not, in
general, make use of standards they hold in low esteem.


CISM Domain Alignment

Information Security Governance, 2
COBIT addresses a number of information security governance tasks as part of IT
governance, but most likely not in the level of detail required by an information
security manager.

Risk Management, 1
Risk management is referenced specifically in the PO9 process of COBIT. The
remaining areas address it, but not to any great detail.

Information Security Programme Management, 2
COBIT provides a simple model for planning and building an information security
programme, but it does not have sufficient detail nor does it address all the
responsibilities of an information security manager.

Information Security Management, 2
COBIT provides a straightforward model for supporting and monitoring an
information security programme, but it does not have sufficient detail nor does it
address all the responsibilities of an information security manager.

Response Management, 1
Response management is referenced, but not to any detail.

Overall, 2
This guidance, although comprehensive, would be useful to an information security
manager if his/her organisation is planning to implement COBIT and/or enhance the
broader IT governance concepts, including how security management fits into the
overall equation. Since much of the security material is aimed at educating IT
management in security matters rather than as guidance to security managers, its
use beyond overall governance is somewhat limited.

Description and Guidance on Use
Enterprise governance (the system, which includes the policies, procedures and
standards guidance, by which organisations are governed and controlled) and IT
governance (the system by which the organisation’s IT is governed and controlled)
are—from a COBIT point of view—highly interdependent. Enterprise governance is
inadequate without IT governance and vice versa. IT can extend and influence the
performance of the organisation, but it has to be subject to adequate governance. On
the other hand, business processes require information from the IT processes, and
this interrelationship has to be governed as well.


This theme can be taken further by considering information security governance. It,
too, has a highly interdependent relationship with enterprise governance and IT
governance. Whilst COBIT has not been developed specifically with the information
security manager as a primary target, a large amount of the material is relevant to
the information security programme. There are several publications that make up
COBIT. Those of key interest to the information security manager are addressed in
the following subsections.

COBIT Framework
The COBIT Framework (65 pages) has been designed as a method of creating an IT
governance framework that bridges the “business control model” with a “focussed
IT control model”. In designing the framework, work performed by many
organisations was referenced, including ISO/IEC 17799 Code of Practice for
Information Security Management and several of the NIST publications. Also
considered were business control models by COSO in Internal Control—Integrated
Framework of 1992, Cadbury in the UK, CoCo in Canada and King in South Africa.

The framework identifies the need to satisfy the quality, fiduciary and security
requirements for information. These broad requirements are then broken into seven
distinct, but overlapping, categories:
• Quality:
1. Effectiveness—Information must be relevant and pertinent to the business
process as well as be delivered in a timely, correct, consistent and useable
manner.
2. Efficiency—This calls for provisioning information through the most optimal
(productive and economical) use of resources.
• Security:
3. Confidentiality—Sensitive information must be protected from unauthorised
disclosure.
4. Integrity—Information must be complete and accurate and in line with
business values and expectations.
5. Availability—Information, and associated resources and capabilities, must be
available when needed now and in the future.
• Fiduciary:
6. Compliance—This deals with laws, regulation and contractual arrangements to
which the business is subject.
7. Reliability of information—This category relates to provision of the
information needed by management to operate the entity and to exercise
financial and compliance reporting responsibilities.


The framework then describes the IT resources necessary to deliver on the
principles. There are five:
• Data—In its widest sense (i.e., internal and external), structured and
nonstructured, graphics, sound, etc.
• Application systems—The sum of manual and programmed procedures
• Technology—Includes hardware, operating systems, database management,
networking, etc.
• Facilities—Resources needed to house and support information systems
• People—Includes staff skills, awareness and productivity to plan, organise, acquire,
deliver, support and monitor information systems and services

The framework then provides 34 control objectives that are described within four
domains. The domains are designed to fit in with the same PDCA models used by
OECD security guidance, ISO/IEC 9000, 14000, 15000 and BS 7799-2:2002. The
four domains (see figure 4) are:
• Plan and Organise—11 objectives, numbered PO1 to PO11
• Acquire and Implement—6 objectives, numbered AI1 to AI6
• Deliver and Support—13 objectives, numbered DS1 to DS13
• Monitor and Evaluate—4 objectives, numbered M1 to M4

Figure 4—COBIT IT Processes Defined Within the Four Domains

Business objectives drive IT governance. Information is judged against seven
criteria (effectiveness, efficiency, confidentiality, integrity, availability,
compliance and reliability) and is delivered through five IT resources (people,
application systems, technology, facilities and data), which are managed by the
processes of the four domains:

Plan and Organise:
• PO1 define a strategic IT plan
• PO2 define the information architecture
• PO3 determine the technological direction
• PO4 define the IT organisation and relationships
• PO5 manage the IT investment
• PO6 communicate management aims and direction
• PO7 manage human resources
• PO8 ensure compliance with external requirements
• PO9 assess risks
• PO10 manage projects
• PO11 manage quality

Acquire and Implement:
• AI1 identify automated solutions
• AI2 acquire and maintain application software
• AI3 acquire and maintain technology infrastructure
• AI4 develop and maintain procedures
• AI5 install and accredit systems
• AI6 manage changes

Deliver and Support:
• DS1 define and manage service levels
• DS2 manage third-party services
• DS3 manage performance and capacity
• DS4 ensure continuous service
• DS5 ensure systems security
• DS6 identify and allocate costs
• DS7 educate and train users
• DS8 assist and advise customers
• DS9 manage the configuration
• DS10 manage problems and incidents
• DS11 manage data
• DS12 manage facilities
• DS13 manage operations

Monitor and Evaluate:
• M1 monitor the processes
• M2 assess internal control adequacy
• M3 obtain independent assurance
• M4 provide for independent audit


COBIT Control Objectives
The COBIT Control Objectives (148 pages) document takes the 34 high-level
control objectives and breaks them into more detailed control objectives, resulting
in a comprehensive list of 318 control objectives.

Extract of AI1.8 Risk Analysis Report
The organisation’s system development life cycle methodology should provide
for, in each proposed information system development, implementation or
modification project, an analysis and documentation of the security threats,
potential vulnerabilities and impacts, and the feasible security and internal
control safeguards for reducing or eliminating the identified risk. This should
be realised in line with the overall risk assessment framework.

Extract of DS2 Deliver and Support, Manage Third-party Services
Control over the IT process of managing third-party services that satisfies the
business requirement to ensure that roles and responsibilities of third parties
are clearly defined, adhered to and continue to satisfy requirements.

Is enabled by control measures aimed at the review and monitoring of existing
agreements and procedures for the effectiveness and compliance with
organisation policy.

And takes into consideration:
• Third-party service agreements
• Contract management
• Nondisclosure agreements
• Legal and regulatory requirements
• Service delivery monitoring and reporting
• Enterprise and IT risk assessments
• Performance rewards and penalties
• Internal and external organisational accountability
• Analysis of cost and service level variances

COBIT Management Guidelines
COBIT Management Guidelines (121 pages) provides a link between IT control and
IT governance. The guidelines are action-oriented and generic, and provide
management-specific guidance and direction for getting the enterprise’s
information and related processes under control, monitoring achievement of
organisational goals, monitoring and improving performance within each IT
process and benchmarking organisational achievement.

Management Guidelines includes for each of the 34 control objectives a maturity
model, key goal indicators, critical success factors and key performance indicators.


Extract from PO9 Maturity Model Level 2—Repeatable but Intuitive
There is an understanding that IT risks are important and need to be
considered. Some approach to risk assessment exists, but the process is still
immature and developing. The assessment is usually at a high level and is
typically applied only to major projects. The assessment of ongoing operations
depends mainly on IT managers raising it as an agenda item, which often
happens only when problems occur. IT management has not generally defined
procedures or job descriptions dealing with risk management.

COBIT Security Baseline
COBIT Security Baseline (38 pages) was developed primarily to help IT managers
understand the need for information security and to provide essential security
awareness messages for varying audiences including home users, professional
users, managers, executives and boards of directors. Information security is defined
within the document along with a list of 39 main steps that are needed to obtain a
security baseline. These are grouped under the four COBIT domains and
cross-referenced to the relevant control objectives from ISO/IEC 17799 and the 34
COBIT control objectives.

Extract of Steps 17 and 18 of Managing Changes
Step 17
Evaluate all changes, including patches, to establish the impact on the integrity,
exposure or loss of sensitive data, availability of critical services, and validity of
important transactions. Based on this impact, perform adequate testing prior to
making the change.

Step 18
Record and authorise all changes, including patches (emergency changes
possibly after the fact).

COBIT Security Baseline also provides six survival kits, each aimed at a different
audience, consisting of a checklist of actions that need to be addressed to ensure
baseline security.

Extract of Questions From Information Security Survival Kit 5—Senior Executives
How is the board kept informed of information security issues? When was the
last briefing made to the board on security risks and status of security
improvements?

Is the enterprise clear on its position relative to IT and security risks? Does it
tend toward risk avoidance or risk taking?

How much is being spent on information security? On what? How were the
expenditures justified? What projects were undertaken to improve security last
year? Have sufficient resources been allocated?

How many staff had security training last year? How many of the management
team (members) received security training?

Control Practices
Control Practices (226 pages) expands the capabilities of COBIT by providing the
practitioner with an additional level of detail. Whilst the COBIT IT processes,
business requirements and detailed control objectives define what needs to be done
to implement an effective control structure, Control Practices provides the more
detailed how and why. Each of the 318 control objectives is listed here along with
a brief rationale for why, and control practices for how.

Extract of AI6.4 Emergency Changes
Why Do It?
Controlling emergency changes by implementing the control practices will
ensure:
• Emergency procedures are used in declared emergencies only.
• Urgent changes can be implemented without compromising integrity,
availability, reliability, security, confidentiality or accuracy.

Control Practices
1. Management defines parameters, characteristics and procedures that
identify and declare emergencies.
2. All emergency changes are documented, if not before, then after
implementation.
3. All emergency changes are tested, if not before, then after implementation.
4. All emergency changes are formally authorised by system owners and
management before implementation.
5. Before and after images, as well as an intervention log, are retained for
subsequent review.
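
The five control practices above, turned into a conformance check over a change log as an added example (not COBIT's own material, and not the way Control Practices presents them). It lists which emergency changes fail which practice, the kind of evidence an auditor or security manager would want before accepting an emergency change. The record fields, the 24-hour limit for after-the-fact documentation and testing, and the sample records are assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Assumption: after-the-fact documentation and testing must be completed within
# this period of the change going live (the control practices set no figure).
AFTER_THE_FACT_LIMIT = timedelta(hours=24)


def check_emergency_change(change: dict, declared_emergencies: Set[str]) -> List[str]:
    """Return the AI6.4 control practices this record fails (empty = conformant)."""
    findings = []
    implemented = change["implemented_at"]

    # Practice 1: emergency procedures are used in declared emergencies only.
    if change.get("emergency_id") not in declared_emergencies:
        findings.append("CP1: not tied to a declared emergency")

    # Practice 4: formally authorised by system owner and management before go-live.
    auth = change.get("authorised_at")
    if auth is None or auth > implemented or not change.get("authorised_by"):
        findings.append("CP4: not authorised before implementation")

    # Practices 2 and 3: documented and tested, if not before then promptly after.
    limit_hours = int(AFTER_THE_FACT_LIMIT.total_seconds() // 3600)
    for field_name, label in (("documented_at", "CP2: not documented"),
                              ("tested_at", "CP3: not tested")):
        when = change.get(field_name)
        if when is None or when > implemented + AFTER_THE_FACT_LIMIT:
            findings.append(f"{label} within {limit_hours} h of implementation")

    # Practice 5: before/after images and the intervention log are retained.
    for artefact in ("before_image", "after_image", "intervention_log"):
        if not change.get(artefact):
            findings.append(f"CP5: {artefact} not retained")
    return findings


def audit(changes: List[dict], declared_emergencies: Set[str]) -> Dict[str, List[str]]:
    """Map each change id to its findings; only nonconformant changes appear."""
    report = {}
    for change in changes:
        findings = check_emergency_change(change, declared_emergencies)
        if findings:
            report[change["id"]] = findings
    return report


# Constructed sample data, not taken from any real change log.
T = datetime(2005, 6, 1, 22, 0)
DECLARED_EMERGENCIES = {"EMG-2005-07"}
SAMPLE_CHANGES = [
    {   # conformant: declared emergency, authorised before go-live,
        # documented and tested the same night, all artefacts retained
        "id": "CHG-101", "emergency_id": "EMG-2005-07",
        "authorised_by": "system-owner", "authorised_at": T - timedelta(minutes=20),
        "implemented_at": T,
        "documented_at": T + timedelta(hours=3), "tested_at": T + timedelta(hours=5),
        "before_image": "img-101-before", "after_image": "img-101-after",
        "intervention_log": "log-101",
    },
    {   # nonconformant: no declared emergency, authorised after the fact,
        # tested three days later, intervention log missing
        "id": "CHG-102", "emergency_id": None,
        "authorised_by": "it-manager", "authorised_at": T + timedelta(hours=1),
        "implemented_at": T,
        "documented_at": T + timedelta(hours=2), "tested_at": T + timedelta(days=3),
        "before_image": "img-102-before", "after_image": "img-102-after",
        "intervention_log": "",
    },
]


def sample_report() -> Dict[str, List[str]]:
    return audit(SAMPLE_CHANGES, DECLARED_EMERGENCIES)
```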

COBIT Quickstart
This special version (46 pages) is a baseline for many small to medium enterprises
(SMEs) and other entities where IT is not mission-critical or essential for survival.
It can also serve as a starting point for other enterprises in their move toward an
appropriate level of control and governance of IT.

COBIT Quickstart was developed in response to comments that COBIT, in its
complete form, can be a bit overwhelming. Those who operate with a small IT staff
often do not have the resources to implement all of COBIT. This version of COBIT
constitutes a subset of the entire COBIT volume. Only those control objectives that
are considered the most critical are included, so that implementation of COBIT
fundamental principles can take place easily, effectively and relatively quickly.


COBIT Online
This online version of COBIT allows users to customise a version of COBIT for their
own enterprise, then store and manipulate that version as desired. It offers online,
real-time surveys and benchmarking, as well as a discussion facility for sharing
experiences and questions.

References
www.isaca.org/cobit
www.itgi.org


3. SSE-CMM Systems Security Engineering—Capability Maturity Model 3.0
Issuer
The International Systems Security Engineering Association (ISSEA) is a nonprofit
organisation formed in 1999 to continue development and promotion of SSE-
CMM. (SSE-CMM is copyrighted by Carnegie Mellon University.) Members may
be interested individuals or organisations.

Document Taxonomy
SSE-CMM Model Description Document 3.0 (SSE-CMM 3.0) is a guide to the
concepts and application of a model to improve and assess security engineering
capability. Version 2 was made ISO/IEC 21827 in 2002.

Circulation
The guidance is widely known and used internationally by organisations involved
in security engineering.

Goals of the Standard or Guidance Publication
The SSE-CMM 3.0 is intended to be used as a:
• Tool for engineering organisations to evaluate security engineering practices and
define improvements to them
• Standard mechanism for customers to evaluate a provider’s security engineering
capability
• Basis for security engineering evaluation organisations (e.g., system certifiers and
product evaluators) to establish organisation capability-based confidences (as an
ingredient to system or project security assurance)

Information Security Drivers for Implementing the Guidance—Why
Customers want assurance of the level of security engineering in products and
services.


Related Risks of Noncompliance—What Could Happen
No specific noncompliance risks exist unless the act of compliance begins to
provide competitive advantage amongst suppliers that comply with the CMM.

Target Audience
The guidance is primarily aimed at organisations that practice security engineering
in the development of operating systems software, security managing and enforcing
functions, software and middleware of applications programmes. Specific users are
likely to be product developers, service providers, system integrators, system
administrators and security specialists. The guide will also be of use to evaluation
organisations or acquiring organisations (e.g., in Requests for Proposal).

Timeliness
Development of SSE-CMM began in 1995, with the first version published in 1996.
Version 2 followed and was made ISO/IEC 21827 in 2002. Version 3 was released
in 2003 and the ISSEA remains dedicated to improving the model.

Certification Opportunities
There is a documented SSE-CMM Appraisal Method that includes support
materials for an appraisal. It was designed primarily for internal process
improvement. An Appraiser Certification Programme is being developed.

Completeness
The document is an excellent capability maturity model for evaluating and
improving the quality of security engineering. However, it provides only limited
information on the full role and responsibilities of an information security manager
who is establishing, implementing and managing an enterprisewide information
security programme, so it should be supplemented with other security publications.

Availability
SSE-CMM 3.0 is available by free download from the SSE-CMM web site at
www.sse-cmm.org. Version 2, now published as ISO/IEC 21827, can be purchased
from www.iso.org for Swiss CHF 208.00.

Recognition/Reputation
Based on the global survey of CISMs in 2004 (described in this document’s
Introduction), SSE-CMM is well recognised (60 to 70 percent) in Asia, North
America and Central/South America, but much less so in Oceania and
Europe/Africa (more than 40 percent had no experience with the guidance). The
majority of CISMs (52 percent) in all regions felt it has only limited acceptance
amongst security professionals.

Usage
Active usage (i.e., implemented, used as best practice or used for assessment) of
SSE-CMM is disappointing at only 20 percent, although this rises to one-third in
Central/South America. The majority (69 percent) of all CISMs familiar with it
found it to be effective, but views on its level of comprehensiveness varied, with
Oceania in particular having reservations.

CISM Domain Alignment

Information Security Governance, 2
Following the SSE-CMM would improve information security governance
performance but it is best used by an experienced information security practitioner
with an information security governance framework already defined and in place.

Risk Management, 2
Following the SSE-CMM would improve performance in this domain, but it is best
used by an experienced information security manager who already has the domain
activities established.

Information Security Programme Management, 2
Following the SSE-CMM would improve performance in this domain, but it is best
used by an experienced information security manager who already has the domain
activities established.

Information Security Management, 2
Following the SSE-CMM would improve performance in this domain, but it is best
used by an experienced information security manager who already has the domain
activities established.

Response Management, 2
Following the SSE-CMM would improve performance in this domain, but it is best
used by an experienced information security manager who already has the domain
activities established.

Overall, 2
This is an excellent model for improving capabilities but it does not in itself provide
guidance to an information security manager on how to define and establish an
enterprisewide information security management programme. It would be most
effective in the hands of an experienced information security manager.

Description and Guidance on Use
The guidance (340 pages) describes SSE-CMM as a process reference model that
focuses on the requirements for implementing security engineering in a system(s).
It was designed with the IT domain in mind, but it can also be used for non-IT
security domains.

The guide describes security engineering in terms of the following goals (it
describes rather than defines them because, it says, the role is evolving and there
is no consensus in the security community):
• Gain understanding of the security risks associated with an enterprise.
• Establish a balanced set of security needs in accordance with identified risks.
• Transform security needs into security guidance to be integrated into the activities
of other disciplines employed on a project and into descriptions of a system
configuration or operation.
• Establish confidence or assurance in the correctness and effectiveness of security
mechanisms.
• Determine that operational impacts due to residual security vulnerabilities in a
system or its operation are tolerable (acceptable risks).
• Integrate the efforts of all engineering disciplines and specialties into a combined
understanding of the trustworthiness of a system.

SSE-CMM was designed to fill a perceived gap between the existence of security
engineering principles and evaluation of practices by providing a framework within
which an evaluation can be carried out.

The guide introduces the concept of maturity models to security. It explains the
importance of statistical control of processes and how it can predict defects and
help identify where improvements in a process can be made. It also addresses the
concept of process maturity, describing it as “the extent to which a
specific process is explicitly defined, managed, measured, controlled, and
effective”. Applied to security engineering this means that a capability maturity
model can help an organisation evolve from an “ad hoc, less organised, less
effective state to a highly structured and highly effective state”.

The guide describes expected results from using SSE-CMM as most likely to be:
• Improvements in predictability—Organisations are better at knowing whether
they will meet their targets and, if not, by how much they will miss.
• Improvements in control—Targets are revised more accurately and corrective
actions are evaluated to select the best application of control measures.
• Improvements in process effectiveness—Targeted results improve as the costs
decrease, and productivity and quality increase.

There are three main security engineering areas in the SSE-CMM:
• Risk—Identifying and prioritising dangers
• Engineering—Determining and implementing solutions that address the risks
• Assurance—Being able to give customers confidence in the solutions

A number of practices are used in each of these areas. Practices are split into base
practices and generic practices. The generic practices are those that indicate process
management, whilst base practices are those that collectively define security
engineering. One performs generic practices as a part of performing a base practice.
This is most easily explained using the example provided by the guide.

Extract From 3.3 SSE-CMM Architecture Description
A fundamental part of security engineering is the identification of security
vulnerabilities. This activity is captured in the SSE-CMM in Base Practice
05.02, “Identify System Security Vulnerabilities.”

One way to determine an organization’s ability to do something is to check
whether it has a process for allocating resources to the activities it claims to be
doing. This “characteristic” of mature organizations is reflected in the SSE-
CMM in Generic Practice 2.1.1, “Allocate Resources.”

Putting the base practice and generic practice together provides a way to check
an organisation’s capability to perform a particular activity. Here an interested
party might ask, “does your organization allocate resources for identifying
system security vulnerabilities?” If the answer is “yes,” the interviewer learns
a little about the organization’s capability; additional information is gained
from the supporting documentation or artefacts.

The SSE-CMM has 61 base practices within 11 process areas that cover security
engineering. As security engineering must integrate with so many other areas, the
guide also includes for context 68 base practices and 11 process areas that address
project and organisation (drawn from both the Systems Engineering CMM and the
Software CMM).

The 11 security processes are numbered for reference and are purposely referred to
in alphabetical order to discourage thoughts that the process areas are ordered by
life cycle. The 11 security process areas are:
• PA01 Administer Security Controls—The intended security for the system is
achieved in its operational state.
• PA02 Assess Impact—Identify impacts (tangible and intangible) and the
likelihood of the impacts occurring.
• PA03 Assess Security Risk—Identify and assess the likelihood of exposures.
• PA04 Assess Threat—Identify and characterise security threats.
• PA05 Assess Vulnerability—Identify and characterise security vulnerabilities.
• PA06 Build Assurance Argument—Clearly convey that security requirements are
met (evidential activities).
• PA07 Co-ordinate Security—Ensure open communications between security
engineering and all other involved parties (e.g., project personnel).
• PA08 Monitor Security Posture—Identify and report all breaches or attempted
breaches of security as well as mistakes that could lead to breaches.
• PA09 Provide Security Input—Provide security information needed by interested
parties (e.g., system architects, designers).
• PA10 Specify Security Needs—Explicitly identify security needs for the system.
• PA11 Verify and Validate Security—Verify and validate throughout design and
development and against the customer’s operational security needs.

Extract of a Security Practice from Process Area
PA02 Assess Impact
BP.02.03 Select Impact Metric(s)
Select the impact metric(s) to be used for this assessment.

Description
A number of metrics can be used to measure the impact of an event. It is
advantageous to predetermine which metrics will be used for the particular
system under consideration, i.e., example work products, selected impact
metrics.

Notes
A limited set of consistent metrics minimizes the difficulty in dealing with
divergent metrics. Quantitative and qualitative measurements of impact can be
achieved in a number of ways, such as:
• Establishing the financial cost
• Assigning an empirical scale of severity, e.g., 1 through 10
• The use of adjectives selected from a predefined list, e.g., low, medium, high

Generic practices are grouped into five capability levels and reflect the maturity of
the capability. Each has common features that describe an organisation’s
characteristic manner of performing a work process, as follows:
• Level 1 Performed Informally—Base practices. “You have to do it before you can
manage it” is how SSE-CMM characterises this level.
• Level 2 Planned and Tracked—Project-level definition, planning and
performance, characterised by SSE-CMM as understanding what is happening on
the project before defining organisationwide processes.
• Level 3 Well Defined—Disciplined tailoring, characterised as “using the best of
what is learned from projects to create organisationwide processes”.
• Level 4 Quantitatively Controlled—Measurements tied to organisational business
goals, characterised by “you cannot measure it until you know what ‘it’ is” and
“managing with measurement is only meaningful when you’re measuring the right
things”.
• Level 5 Continuously Improving—Sustaining gains and improvements,
characterised by “a culture of continuous improvement (that) requires a
foundation of sound management practice, defined processes, and measurable
goals”.
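To make the pairing of base practices with generic practices concrete, the following added Python example (not from the SSE-CMM guide or the ISSEA) models an appraisal of PA05 Assess Vulnerability, deriving a capability level from interview findings and listing the pairs that block the next level. It assumes a cumulative rating rule (a process area reaches a level only when every generic practice up to that level is evidenced for every one of its base practices) and that only answers backed by artefacts count toward the rating; all identifiers other than PA05, BP.05.02, GP 2.1.1 and GP 2.1.5 are constructed placeholders.

```python
from dataclasses import dataclass
from enum import Enum


class Evidence(Enum):
    """Outcome of one appraisal question about a (base practice, generic practice) pair."""
    NO = "no"                  # the practice is not applied
    CLAIMED = "claimed"        # interviewee answers "yes" but produces no artefact
    DOCUMENTED = "documented"  # "yes" backed by documentation or artefacts


@dataclass(frozen=True)
class GenericPractice:
    gp_id: str
    level: int  # capability level (1..5) this generic practice belongs to
    name: str


@dataclass(frozen=True)
class BasePractice:
    bp_id: str
    pa_id: str  # owning process area, e.g. "PA05"
    name: str


# Constructed sample. GP 2.1.1 and GP 2.1.5 are named on the page; the entries at
# levels 1, 3, 4 and 5 are placeholders standing in for the real practices there.
GENERIC_PRACTICES = (
    GenericPractice("GP 1.1.x", 1, "Perform the base practice"),
    GenericPractice("GP 2.1.1", 2, "Allocate Resources"),
    GenericPractice("GP 2.1.5", 2, "Ensure Training"),
    GenericPractice("GP 3.x", 3, "Tailor an organisation-wide defined process"),
    GenericPractice("GP 4.x", 4, "Measure the process against business goals"),
    GenericPractice("GP 5.x", 5, "Continuously improve the process"),
)

# Base practices of PA05 Assess Vulnerability. BP.05.02 is quoted on the page;
# BP.05.0x is a constructed placeholder for a sibling practice.
BASE_PRACTICES = (
    BasePractice("BP.05.02", "PA05", "Identify System Security Vulnerabilities"),
    BasePractice("BP.05.0x", "PA05", "Placeholder sibling practice"),
)

MAX_LEVEL = 5


def _pairs(pa_id, level, practices, base):
    """All (base practice, generic practice) pairs a process area must satisfy at one level."""
    return [(bp, gp) for bp in base if bp.pa_id == pa_id
            for gp in practices if gp.level == level]


def capability_level(pa_id, findings, practices=GENERIC_PRACTICES, base=BASE_PRACTICES):
    """Assumed cumulative rule: level N is reached only when every generic practice at
    levels 1..N is DOCUMENTED for every base practice of the process area.
    `findings` maps (bp_id, gp_id) -> Evidence; missing pairs count as NO."""
    if not any(bp.pa_id == pa_id for bp in base):
        raise ValueError(f"no base practices known for {pa_id}")
    level = 0
    for n in range(1, MAX_LEVEL + 1):
        for bp, gp in _pairs(pa_id, n, practices, base):
            if findings.get((bp.bp_id, gp.gp_id), Evidence.NO) is not Evidence.DOCUMENTED:
                return level
        level = n
    return level


def gaps_to_next_level(pa_id, findings, practices=GENERIC_PRACTICES, base=BASE_PRACTICES):
    """Pairs blocking the next level, with their evidence state, so an improvement effort
    can tell "produce the artefact" (CLAIMED) apart from "start doing it" (NO)."""
    target = capability_level(pa_id, findings, practices, base) + 1
    return [(bp.bp_id, gp.gp_id, findings.get((bp.bp_id, gp.gp_id), Evidence.NO))
            for bp, gp in _pairs(pa_id, target, practices, base)
            if findings.get((bp.bp_id, gp.gp_id), Evidence.NO) is not Evidence.DOCUMENTED]


# Constructed interview findings: resources are allocated and evidenced for both base
# practices, but training for BP.05.02 was only asserted, with no records shown.
SAMPLE_FINDINGS = {
    ("BP.05.02", "GP 1.1.x"): Evidence.DOCUMENTED,
    ("BP.05.0x", "GP 1.1.x"): Evidence.DOCUMENTED,
    ("BP.05.02", "GP 2.1.1"): Evidence.DOCUMENTED,
    ("BP.05.02", "GP 2.1.5"): Evidence.CLAIMED,
    ("BP.05.0x", "GP 2.1.1"): Evidence.DOCUMENTED,
    ("BP.05.0x", "GP 2.1.5"): Evidence.DOCUMENTED,
}

if __name__ == "__main__":
    print("PA05 capability level:", capability_level("PA05", SAMPLE_FINDINGS))  # 1
    for bp_id, gp_id, ev in gaps_to_next_level("PA05", SAMPLE_FINDINGS):
        print(f"blocking level 2: {bp_id} x {gp_id} ({ev.value})")
```

With the sample findings the process area stays at level 1 because a single unsupported "yes" (training for BP.05.02) is not counted; supplying the training records lifts it to level 2 and the reported gaps move to level 3.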

Extract of a Generic Practice Performed at Capability Level 2
GP 2.1.5 Ensure Training
Description
Ensure that the individuals performing the process area are appropriately
trained in how to perform the process.

Notes
Training, and how it is delivered, will change with process capability due to
changes in how the process(es) is performed and managed.

Relationships
Training and training management is described in PA21 Provide Ongoing
Skills and Knowledge.

The guide also contains advice on how to use the SSE-CMM separately addressing
process improvement, capability evaluation and gaining assurance.

Extract from 4.2 Using the SSE-CMM for Process Improvement
Stimulus for Change
The first step in any process improvement is to identify the business reasons for
changing the organization’s practices. There are many potential catalysts for
an organization to understand and improve its processes. Acquisition
organizations may require certain practices to be in place for a particular
program, or they may define a capability level as the minimally accepted
standard for potential contractors. Organizations may have realized certain
processes would allow them to more quickly and efficiently produce quality
evidence in support of evaluation and certification efforts, provide an alternate
means to formal evaluations for customers, or increase consumer confidence
that security needs are adequately addressed. Regardless of the catalyst for
change, a clear understanding of the purpose of examining existing processes
in light of security is vital to the success of a systems security engineering
process improvement effort.

References
www.issea.org
www.sse-cmm.org
www.iso.org

4. GAISP Version 3.0

Issuer
Generally Accepted Information Security Principles (GAISP) is being produced by
the Information Systems Security Association (ISSA), a not-for-profit international
organisation of information security practitioners.

The current draft version of GAISP appeared as of August 2003 as a merged effort
between Generally Accepted System Security Principles (GASSP), produced by
International Information Security Foundation (IISF) in the early 1990s, and
Commonly Accepted Security Practices and Recommendations (CASPR), produced
by the CASPR Working Group.

Document Taxonomy
GAISP is a collection of security principles that is being defined and produced as
a collective effort by members of the organisations involved.

Circulation
GAISP is known to the wider information security community, but particularly so
by members of ISSA and within North America.

Goal of the Standard or Guidance Publication
The major goal of ISSA’s GAISP Committee is to “Identify and develop pervasive,
broad, functional and detailed GAISP in a comprehensive framework of emergent
principles, standards, conventions, and mechanisms that will preserve the
availability, confidentiality, and integrity of information”.

Information Security Drivers for Implementing the Guidance—Why
GAISP represents a good foundation of principles that have been developed by
experienced security practitioners.

Related Risks of Noncompliance—What Could Happen
There are no specific risks from noncompliance.

Target Audience
This is not stated explicitly in GAISP, but it would appear to be most suited to the
information security practitioner and is flexible enough to serve most types and
sizes of organisation.

Timeliness
Version 3 of GAISP is described on the Internet as a draft document. It is undated
but has obviously been altered as recently as August 2003. However, many of the
references provided are well out of date and it is likely that much of the document
in its current form was written in the early to mid 1990s. As of the date of this
publication, it has not yet been updated or finalised.

Certification Opportunities
There is no certification process for adhering to GAISP principles.

Completeness
GAISP provides a good set of general principles that addresses the necessary areas
of information security management and should be relevant for an organisation of
any type, size or geographic location.

It does not contain any level of detail below information security principles.

Availability
GAISP is currently in draft mode and can be downloaded without cost from
www.gaisp.org.

Recognition/Reputation
Based on data gathered from the global CISM survey (described in this document’s
Introduction), GAISP is generally well known in North America (67 percent) but is
less known elsewhere, particularly in Europe/Africa (40 percent). Acceptance of
GAISP as a standard is rather limited (90 percent feel it has either limited or no
acceptance), a view expressed in all geographic regions.

Usage
Usage of GAISP is very low (less than 18 percent), even in North America where
it is well known. However, it is thought to be reasonably comprehensive and
effective in what it addresses by all regions except Europe/Africa.

CISM Domain Alignment

Information Security Governance, 2
GAISP addresses only lightly some of the tasks within the governance domain but
it does contain some useful principles that would be helpful in establishing high-
level security policies.

Risk Management, 1
GAISP addresses risk management as a principle, but not in great depth.

Information Security Programme Management, 1
It provides a set of principles, but does not supply great detail.

Information Security Management, 1
GAISP provides a set of principles, but no great detail.

Response Management, 0
Response management is briefly addressed as a principle.

Overall, 2
GAISP contains a good set of principles upon which an information security
programme can be created, but it provides very little in the way of detailed
guidance. What it does provide, not found elsewhere, is examples to support each
of the principles.

Description and Guidance on Use
GAISP is a document of 54 pages covering what it describes as “pervasive
principles” and “broad functional principles”. There is a chapter heading for
detailed security principles that has not yet been written. The document also
contains a number of appendices.

Pervasive principles are described as those that provide general governance-level
guidance to establish and maintain the security of information. Pervasive principles
form the basis of the broad functional principles and detailed principles.

There are nine pervasive principles and each is briefly described in GAISP along
with a rationale for the principle and an example of application. The nine principles
were founded on those contained within the Guidelines for Security of Information
Systems published by the OECD in 1992. The OECD reissued its guidelines in 2002
with a different set of principles. Although GAISP is in line with the original nine
that were issued in 1992, each is still valid in the way in which it is described.
GAISP’s nine pervasive principles are:
• Accountability principle—Ensuring that responsibilities and accountability are
clearly defined and accepted
• Awareness principle—Ensuring that everyone, regardless of organisational role,
has the required security knowledge
• Ethics principle—Ensuring that the application and administration of security
practices are undertaken in an ethical manner
• Multidisciplinary principle—Ensuring that everyone’s needs, across all
disciplines, are met in the way security is defined and applied
• Proportionality principle—Ensuring that the costs of security are practical and
appropriate to the risk
• Integration principle—Ensuring that security complements and integrates with
other organisational compliance requirements
• Timeliness principle—Ensuring that the response to threats and events is timely
• Assessment principle—Ensuring that risks are assessed on a regular basis
• Equity principle—Ensuring that the rights and dignity of individuals are respected

Extract of 2.4 Multidisciplinary Principle
Principles, standards, conventions, and mechanisms for the security of
information and information systems should address the considerations and
viewpoints of all interested parties.

Rationale:
Information security is achieved by the combined efforts of information
owners, users, custodians, and information security personnel. Decisions made
with due consideration of all relevant viewpoints and technical capabilities can
enhance information security and receive better acceptance.

Example:
When developing contingency plans, the organization can establish a
contingency planning team of information owners, representatives from
facilities management, technology management, and other functional areas in
order to better identify the various expectations and viewpoints from across the
organization and other recognized parties.

Broad functional principles are described as the building blocks that provide
guidance for operational accomplishment of pervasive principles. There are 14
broad functional principles and GAISP contains a table showing how they address
the nine pervasive principles. Each of the 14 broad functional principles is
described in a brief paragraph and is accompanied by a longer rationale and
example of the principle in practice. The 14 broad functional principles are
generally self-explanatory and are:
• Information security policy
• Education and awareness
• Accountability
• Information asset management
• Environmental management
• Personnel qualifications
• Incident management
• Information systems life cycle
• Access control
• Operational continuity and contingency planning
• Information risk management
• Network and Internet security
• Legal, regulatory and contractual requirements of information security
• Ethical practices

Extract from 3.1 Information Security Policy
Management shall ensure that policy and supporting standards, baselines,
procedures, and guidelines are developed and maintained to address all
aspects of information security. Such guidance must assign responsibility, the
level of discretion, and how much risk each individual or organizational entity
is authorized to assume.

Rationale:
In order to assure that information assets are effectively and uniformly secured
consistent with their value and associated risk factors, management must
clearly articulate its security strategy and associated expectations. In the
absence of this clarity, some resources will be under-secured—that is,
ineffective; other resources will be over-secured—that is, inefficient.

Appendix A provides a page-long list of major recommendations contained within
Computers at Risk⁵ which are addressed by GAISP. Appendix B contains the
entirety of the OECD Guidelines for the Security of Information Systems, published
by OECD in 1992.

References
www.gaisp.org
www.issa.org

⁵ National Research Council; Dr. David Clark (MIT), committee chair; Computers at Risk, National
Academy Press, 1991

5. The Standard of Good Practice for Information Security

Issuer
Information Security Forum is a corporate member-based organisation currently
comprised of more than 250 organisations, a large percentage based in Europe
with global operations.

Document Taxonomy
The standard is a collection of information security principles and control practices
that was generated by members of ISF. The precursor to ISF was the European
Security Forum (ESF).

Circulation
The standard was previously known and available only to ISF members, but it was
made publicly available a few years ago and since has begun to build a wider
recognition.

Goals of the Standard or Guidance Publication
The stated goals of the standard are to “promote good practice in information
security in all organisations world-wide; help organisations improve their level of
security and to reduce their information risk to acceptable levels; assist in the
development of standards that are practical, focussed on the right areas and effective
in reducing information risk”.

Information Security Drivers for Implementing the Guidance—Why
This guidance is for those who want to benchmark their security against other
major organisations and improve it.

Related Risks of Noncompliance—What Could Happen
There is no direct risk from not complying unless the organisation has an inherent
need to comply with this standard.

Target Audience
The standard is specifically aimed at major national and international organisations
although the ISF believes it is also likely to be of use to any organisation regardless
of industry, geographic location or size. It is also likely to be of practical use to
information security practitioners, IT management and assurance professionals.

Timeliness
It is planned to be updated every two to three years and a specific aim is to ensure
that the latest security “hot topics” are addressed. The ISF produced version 4 of the
Standard of Good Practice for Information Security in March 2003.

Certification Opportunities
No certification is available. However, ISF (corporate) members can benchmark
their performance against the standard through ISF’s biannual information security
status survey.

Completeness
The standard provides a broad and detailed range of security principles, control
objectives and security practices. It is particularly aimed at large organisations of
any industry type in any geographic location.

The standard does not deal with security management concepts nor provide
guidance on how to select appropriate controls. If it is to be used, it needs to be
applied by an experienced security practitioner or in combination with other
guidance publications.

Availability
The standard is publicly available as a free download at
www.isfsecuritystandard.com.

Recognition/Reputation
Results from the ISACA global survey of 5,000 CISMs (described in this
document’s Introduction) revealed that this standard is generally well recognised
(approximately two-thirds of surveyed CISMs) although slightly less so in the
Oceania region. However, the majority (55 percent) of CISMs familiar with the
publication feel it has only limited acceptance as a standard.

Usage
Of those familiar with the standard, at least one-fifth are actively using it in some
form or another (i.e., implemented, used as best practice or used for assessment)
within their organisation. Usage is practised by almost one-third in Europe/Africa.
A good majority (73 percent) of surveyed CISMs familiar with its contents believe
the standard has a good level of comprehensiveness and it is also generally
considered to be effective in use.

CISM Domain Alignment

Information Security Governance, 2
The standard provides implicitly (through its controls listings) some of the activities
an information security manager should address in this domain, but it does not
provide any real guidance and direction on how to set up and maintain an
information security governance framework.

Risk Management, 2
It provides a good list of risk analysis requirements throughout the organisation. It
does not describe approaches and methods of risk management.

Information Security Programme Management, 3
The standard is an excellent source of controls and practices that should help an
organisation establish its security baselines and integrate them within the various
parts of the organisation. This is clearly the best part of this guidance document.
However, it contains nothing about how to develop and maintain security plans,
project management methods and techniques, nor advice on establishment of
metrics.

Information Security Management, 2
The guidance provides implicitly (through its controls listings) some of the
activities an information security manager should address within this domain with
particularly good lists on security awareness. However, it does not provide any
guidance on how to establish or carry out these activities.

Response Management, 1
It defines the requirement for response management but provides very little that
would help an information security manager develop and maintain a response
management capability.

Overall, 2
This is a good source of controls and detailed control practices for the experienced
information security practitioner. Those with less experience may find it
overwhelming and have difficulty deciding which control practices are appropriate
for their own organisation.

Description and Guidance on Use
ISF’s Standard of Good Practice (the standard) is a document of 248 pages covering
a range of principles and practice statements for the management of information
security. An introductory section within the document explains the background to
the development of the standard and provides drivers and benefits for its use. The
standard is comprehensive in its coverage and depth of practices and should be used
by security managers experienced in determining whether the cost of applying the
security practices provides adequate benefits.

The standard’s framework splits information security management into five distinct
aspects, each of which covers a particular type of environment:
• Security management (enterprisewide)—High-level direction and control
• Critical business applications—Risks and protection of applications
• Computer installations—Requirements for the setup and running of computer
services
• Networks—Requirements for the setup and running of networks
• Systems development—Incorporation of security requirements into new systems

The five aspects are broken into a number of supporting areas, which are then
further broken into sections containing a principle and objective. Suggested practice
statements advising on how each principle and objective can be met, usually
between four and six statements per section, are also provided. A detailed second
index addressing a wide range of security-related topics provides easy reference to
every practice statement. As each of the five aspects is designed to be complete
within its own right, some sections (e.g., risk analysis) are repeated, with the
practice statements being varied accordingly. The structure of the standard is shown
in figure 5.

Figure 5—Structure of the Standard

[Figure: an aspect (e.g., a critical business application) is divided into areas
(Area 1, Area 2, Area 3); each area is divided into sections (Section 1.1, 1.2, 1.3;
Section 2.1; Section 3.1, 3.2); and each section contains statements of good practice.]

Source: Information Security Forum, The Standard of Good Practice for Information Security,
Version 4.1, January 2005

Extract From Area 1 “High-Level Direction” from the Security Management Aspect
Section SM1.2—Security Policy
Principle—A comprehensive, documented information security policy should
be produced and communicated to all individuals with access to the
enterprise’s information and systems.
Objective—To document top management’s direction on and commitment to
information security, and communicate it to all relevant individuals.
SM1.2.3 (i.e., the third practice statement for this section)
The information security policy should require:
a) Critical information and systems to be subjected to a risk analysis on a
regular basis
b) That an ‘owner’—typically the person in charge of a particular business
application, computer installation or network—is assigned for all critical
information and systems
c) That information and systems are classified in a way that indicates their
criticality to the enterprise
d) That staff are made aware of information security

e) Compliance with software licenses and with legal, regulatory and
contractual obligations
f) Breaches of the security policy and suspected security weaknesses to be
reported
g) Information to be protected in terms of its requirements for confidentiality,
integrity and availability

The standard addresses the following major topic areas under each aspect:
• Security management
– Establishing, documenting and communicating direction and commitment for
information security
– Making the organisational arrangements necessary for managing and applying
security throughout the enterprise
– Establishing classification and ownership schemes for information assets
– Defining arrangements for a secure environment
– Taking steps for protection from and response to malicious attacks
– Including special topics: e-mail, cryptography, PKI and outsourcing
– Ensuring adequate audit, review and monitoring of the security environment
• Critical business applications
– Assessing the security requirements of an application
– Managing applications, including roles and responsibilities, internal controls,
change management, and continuity planning
– Controlling access to applications
– Ensuring that applications are adequately supported and backed up
– Addressing practices for application security co-ordination, classification, risk
analysis and review
– Including special topics: third-party agreements, key management and
web-enabled applications
• Computer installations
– Running and monitoring the computer installations to a desired level
– Designing and configuring the live environment
– Ensuring basic controls over the operations of systems
– Controlling access to information and systems in the computer installation
– Addressing practices for computer installation security co-ordination,
classification, risk analysis and review
– Developing, maintaining and validating contingency plans
• Networks
– Designing and running computer networks to a desired level
– Ensuring that unauthorised network traffic is prevented
– Managing and monitoring network performance and resilience
– Addressing practices for network security co-ordination, classification, risk
analysis and review
– Ensuring the security of voice networks
• Systems development
– Managing the systems development process, environment and staff

– Addressing practices for systems development security co-ordination and review
– Ensuring arrangements for specification of security requirements
– Addressing security during design, acquisition and build
– Addressing practices for system testing and implementation

Reference
www.isfsecuritystandard.com

6. ISO/IEC 13335 Information Technology—Guidelines for the Management of IT Security
Issuer
The International Organisation for Standardisation and International
Electrotechnical Commission established a joint technical committee, the ISO/IEC
JTC1, Subcommittee SC27 (IT security techniques), which is tasked with
publishing international standards (e.g., ISO/IEC 17799:2000).

Document Taxonomy
ISO/IEC 13335 Information Technology—Guidelines for the Management of IT
Security is a collection of five technical documents that provide guidance on aspects
of information security management.

Circulation
The guidance is known and recognised globally by the information security
community. Parts of it have been in existence since 1996.

Goals of the Standard or Guidance Publication
The goal of ISO was to create a document that provides guidance on aspects of IT
security management. The document is divided into five parts:
1. Part 1 outlines the management tasks of IT security, providing an introduction to
security concepts and models.
2–3. Parts 2 and 3 discuss implementation and management aspects and techniques
of IT security management, such as planning, design and testing.
4. Part 4 provides guidance on the selection of safeguards, considering the type of
IT systems as well as security concerns and threats.
5. Part 5 contains information on identifying and analysing communication-related
factors that should be taken into account when introducing network security.

Information Security Drivers for Implementing the Guidance—Why
ISO/IEC 13335:
• Provides guidance for information security management
• Provides a structured approach
• Offers internationally recognised security practices
• Enables the enterprise to meet audit, regulatory and legal expectations

Related Risks of Noncompliance—What Could Happen
There is no direct risk from not complying unless the organisation has an inherent
need to comply with this guidance.

Target Audience
The guidance is applicable to organisations of all types, size and geographic
location. Part 1, containing the management aspects of IT, explicitly addresses
senior management and information security managers, whereas the other parts
target individuals responsible for the implementation of security measures, for
instance, IT managers and IT security staff.

Timeliness
Dates of publication range from 1996 (part 1) to 2001 (part 5). Parts 1 and 2 have
been revised into a new part 1 titled “Concepts and Models for ICT Security
Management”, which is to be published in 2006. Parts 3 and 4 are at an early stage
of redevelopment and will be made into a new part 2 titled “Techniques for
Information Security Risk Management”. Part 5 is also in the early stages of
redevelopment.

Certification Opportunities
There is no specific certification available.

Completeness
ISO/IEC 13335 contains comprehensive guidance on managing IT security;
however, this does not detract from its general validity or usefulness. The guidance
could be used by organisations of any type or size, although small organisations
may find the level of detail overwhelming.

There is a good list of safeguards provided in part 4, although purely due to its age
(part 4 was published in 2000), these may not fully address all of today’s technical
risks.

Availability
The documents can be purchased from ISO at www.iso.org (where prices range
between Swiss CHF 73.00 and 158.00 depending on the portion ordered), and from
the American National Standards Institute (ANSI) at http://webstore.ansi.org
(prices from US $58.00 to US $125.00 depending on the part ordered).

Recognition/Reputation
Results of the ISACA global survey of 5,000 CISM holders (described in this
document’s Introduction) indicated that the guidance is known to at least 60 percent
of surveyed CISMs, with recognition levels in Oceania particularly high at 85
percent. Figures for North America and Asia are surprisingly low for such a long-
established international standard. The majority (60 percent) of those CISMs
familiar with the guidance felt it has only limited acceptance within the information
security community.

Usage
More than one-quarter of surveyed CISMs in Oceania actively use the guidance
(i.e., implemented, used as best practice or used for assessment). The level of usage
is much lower in other areas (as low as 11 percent in Central/South America). Of
those CISMs familiar with it, at least half consider it both comprehensive in its
coverage and effective in use.

CISM Domain Alignment

Information Security Governance, 4
By far, this is the best aspect of the guidance. It provides sound guidance for the
information security manager covering most of the tasks in this domain, even
though some of the documents and information provided within are somewhat
dated.

Risk Management, 3
The guidance provides good fundamentals for information security risk
management but it stops short of providing the detail that would be required for an
appropriate methodology to be developed and used within an organisation.

Information Security Programme Management, 4
ISO/IEC 13335 provides sound guidance for the information security manager,
covering most of the tasks in this domain even though some of the documents are
somewhat dated. No guidance is provided on project management.

Information Security Management, 4
It provides sound guidance for the information security manager, covering most of
the tasks in this domain even though some of the documents are somewhat dated.

Response Management, 1
Response management is referenced but not in any detail.

Overall, 4
The guidance is recommended as an excellent source of guidance for those involved
in the management of information security.

Description and Guidance on Use
The current version of the report consists of five parts that have been written and
published over the period of 1996 to 2001.

Part 1—Concepts and Models for IT Security
The first part (23 pages) was published in 1996 with the objective of providing an
introduction to the management of IT security. Whilst it purposely does not suggest
a particular IT security management approach, it does provide a general discussion
of concepts, models, tools and techniques.

The requirements for the definition of a policy, the identification of roles and
responsibilities, systematic risk management, configuration and change
management, contingency/disaster recovery planning, selecting and implementing
safeguards, and follow-up activities are all described at a high level that is suitable
for senior managers not involved in IT security or those just beginning to work in
IT security.

Part 1 identifies how corporate objectives, strategies and policies influence the
organisation’s general security objectives, strategies and policies, which in
themselves form the basis for the narrower set of IT security objectives, strategies
and policies. IT system security objectives, strategies and policies are derived from
the more general level of overall IT security.

The major elements involved in the security management process are:
• Assets (physical assets, information, software, people and intangibles)
• Threats (human and environmental)
• Vulnerabilities
• Impact
• Risk
• Safeguards
• Residual risk
• Constraints

The ongoing process of IT security management consists of the subprocesses:
• Configuration management—Changes in the configuration must not reduce the
security level. Furthermore, changes are tracked, and changes to the systems are
reflected in the various types of documentation (e.g., the disaster recovery plan).
• Change management—This is the process of identifying security requirements
when systems change.
• Risk management—Risk management is to be performed throughout the system’s
life cycle. A risk management process compares risks with benefits and costs of
different types of safeguards.
• Risk analysis—Risks are identified by the analysis of asset values, threats and
vulnerabilities, resulting in a statement of the likelihood of risks to previously
mentioned assets.
• Accountability—Responsibility for security is to be assigned explicitly.
Ownership is assigned to assets.
• Security awareness—This explains the security objectives, strategies and policies
and the need to comply with them.
• Monitoring—A periodic review of the safeguards is needed to assure their
effectiveness.
• Contingency plans and disaster recovery—Contingency plans describe how to
maintain core business processes in the case of system outages. Disaster recovery
contains information on restoration of systems affected by an unintended outage.

Part 2—Managing and Planning IT Security
Part 2 (19 pages), published in 1997, contains guidelines that address essential
topics on the management of IT security.

Establishing and maintaining an IT security programme is the main task of IT
security management. It consists of a planning and management process, risk
management, implementation, follow-up (maintenance and monitoring) and
integration throughout the organisation.

A sound corporate IT security policy should address the following questions:
• Objectives—What is to be achieved? How are these objectives to be achieved?
What are the rules for achieving these objectives?
• Management commitment—What are the commitment and support of senior
management?
• Policy relationships—What are the relationships amongst corporate strategy,
marketing policy, security policy, IT policy, IT security policy and system-specific
policies?
• Policy elements—Is there a comprehensive list of topics that are to be covered?

Organisational aspects of IT security, such as roles and responsibilities, the
initiation of a security forum and the nomination of security, project and system
security officers, are discussed. The need for support by all levels of management
is outlined, as is the importance of following a consistent approach throughout the
organisation and to all systems.

Strategic options for a risk management strategy are presented thereafter. The
specific advantages and disadvantages are addressed. The approaches are:
• Baseline approach—By applying a common set of safeguards to all systems, a
baseline protection level is achieved.
• Informal approach—A pragmatic risk analysis for all systems; it relies on the
experience of individuals and seems to be suitable for small organisations.
• Detailed risk analysis—A detailed analysis begins with the identification and
valuation of assets and the threats to those assets, followed by the selection of
appropriate safeguards and the identification of an acceptable level of residual risk.
• Combined approach—A high-level application of the detailed approach identifies
systems with a high risk, which are then analysed in a more comprehensive manner.
The other systems are appropriate for a baseline protection approach.

The security recommendations section addresses different types of safeguards, their
interdependency and recommendations for selecting and maintaining them as well
as the need for acceptance of residual risk and its classification into “acceptable”
and “unacceptable”.

Following the discussion of risk management, other issues briefly mentioned are:
• IT system security policy—Contents and endorsement
• IT security plan—Documentation of actions to be taken for implementing the IT
security policy
• Implementation of safeguards—Implementing the safeguards as defined in the
plan, including security training
• Security awareness—Passing the knowledge from the security officer to all levels
of the organisation
• Follow-up—Activities such as maintenance of safeguards and policies, security
compliance checking, monitoring and incident handling

Part 3—Techniques for the Management of IT Security
Management techniques are described and recommended in this part, which was
published in 1998 and is 54 pages.

In addition to general information, an overview of the IT security management
process is provided. Its major activities are:
• Analysis of security requirements—The definition of security objectives, strategy
and the development of a corporate IT security policy
• Selection of a corporate risk analysis strategy—Identification and assessment of
risks and their reduction to an acceptable level based on security requirements of
different systems
• Implementation of the IT security plan—Implementation of safeguards, including
security awareness and security training
• Follow-up—Checking of compliance, monitoring, change management practices
and incident handling

The importance of a corporate IT security policy is discussed, and recommended
parts are listed. A detailed table of contents is provided in the annex of the report.

The implementation of safeguards and a security awareness programme follows the
methodology-based identification of security needs. During the implementation
phase, a security awareness programme is used to increase the level of awareness
within the organisation. A sound awareness programme consists of:
• Needs analysis—Existing and targeted levels of awareness within different target
groups and identification of necessary methods
• Programme delivery—Interactive and promotional techniques
• Monitoring—Periodic performance evaluation to determine the level of awareness
and comprehensive change management to ensure that skills and awareness reflect
modifications to systems

Internal or external experts ensure the achievement of the objectives by closing the
implementation phase with an approval of the implemented systems. Part 3
concludes with a discussion of follow-up activities, such as maintenance,
compliance checking, change management, monitoring and incident handling. In
the annex, after the aforementioned table of contents of a security policy, a
comprehensive list of possible threat types and vulnerabilities and a description of
a risk analysis method are provided.

Part 4—Selection of Safeguards
Part 4 (70 pages) was published in 2000 and promotes the selection of safeguards
based on a high-level risk analysis. The high-level result is the identification of
systems requiring a detailed risk analysis and the need for baseline protection. The
method for detailed risk analysis is discussed in part 3. Baseline protection can
come in two flavours: selection of safeguards according to the type of IT system and
safeguards according to security concern and threats.

The basic assessments of the safeguard selection process are:
• Identification of the type of system—IT systems can be a standalone workstation,
a workstation connected to a network or a server/workstation sharing resources via
a network.
• Identification of physical/environmental conditions—In addition to general
considerations concerning the environment of the organisation, more specific
concerns are to be taken into account, such as perimeter and building (physical
situation, single occupant or multi-occupied, information about other occupants,
identification of sensitive/critical areas), access control (access to the building,
physical access controls, robustness and structure of the building, protection level
of doors, windows, etc.) or the protection in place (protection of rooms, fire
detection/suppression facilities, water leakage detection, UPS, temperature and
humidity controls, etc.).
• Assessment of existing/planned safeguards—Identifying existing safeguards
prevents selecting the same safeguards a second time. The identification is done by a
review of documentation, a check with responsible personnel, or a walk-through
of the building. It has to be borne in mind that existing safeguards may exceed the
current needs.

Safeguards can be classified into organisational/physical and system-specific
safeguards:
• Organisational and physical safeguards
– IT security management and policies
– Security compliance checking
– Incident handling
– Personnel
– Operational issues
– Business continuity planning
– Physical security
• System-specific safeguards
– Identification and authentication
– Logical access control and audit
– Protection against malicious code
– Network management
– Cryptography

The organisational/physical safeguard categories are applicable to all IT systems.
Thus all safeguards from this category should be considered first when following
the baseline approach. IT system-specific safeguards require an in-depth
consideration of the needs of the type and characteristics of the system.

When selecting safeguards, the security concerns—the loss of confidentiality,
integrity, availability, accountability, authenticity or reliability—should be
considered. Each of these categories faces several threats.

No specific threats are listed in the report, only such exemplary threats as account
sharing; lack of traceability; masquerading user identity; software failure;
unauthorised access to computers, data and applications; or a weak authentication
of identity.

Examples of countermeasures to the previously mentioned threats are provided in
the report. During the selection of a specific safeguard, it has to be decided which
basic aspect should be addressed by the safeguard. These aspects are:
• Threat—Reduction of the likelihood
• Vulnerability—Removal of the vulnerability or making it less serious
• Impact—Reduction or avoidance of the impact

During the implementation of an organisationwide baseline, it must be decided
whether the organisation can be protected by the same baseline or if different levels
have to be identified.

The annexes contain a short description of several sources of information
concerning baseline protection and IT security.

Part 5—Management Guidance on Network Security
Part 5 (38 pages), published in 2001, deals with network security and provides
guidance for identification and analysis of communication and networks. It also
provides an introduction to safeguard areas.

The following series of activities is recommended for the process of identification
and analysis of communications-related factors:
• Review corporate IT security requirements—The IT security policy states the
requirements for confidentiality, integrity, availability, nonrepudiation,
accountability, authenticity and reliability of information.
• Review network architectures and applications—Depending on the types of
networks, the protocols used, the applications installed and other considerations
such as trust relationships, different safeguard areas may be identified.
• Identify types of network connections—Networks are usually connected in
different topologies and at different organisational levels:
– A single controlled location within an organisation
– Connection amongst different geographical parts but within an organisation
– Connection between an organisation site and personnel working in locations
away from the organisation
– Connection amongst different organisations with a closed community
– Connections with other organisations
– Connections with the Internet

• Review networking characteristics and related trust relationships—The
characteristics can be classified into public or private networks and data and/or
voice networks. Another distinction can be made between packet (using hubs) and
switched networks. The trust relationship is—depending on its environment—
classified into low, medium and high. The combination of the two classes of
publicity of the network connection (private or public) and trust environment (low,
medium or high) provides basic information for identification of safeguards.
• Determine the types of security risks—Depending on the type of security risk
(loss of confidentiality, loss of integrity, etc.) and the previous combination of
characteristics and trust, characteristic safeguards are nominated.
• Identify appropriate potential safeguard areas—On the basis of the security risks,
several safeguards can be identified. They are grouped into disciplines, such as:
– Secure service management
– Identification and authentication
– Audit trails
– Intrusion detection
– Protection against malicious code
– Network security management
– Security gateways
– Data confidentiality over networks
– Data integrity over networks
– Nonrepudiation
– Virtual private networks
– Business continuity and disaster recovery
• Document and review security options—The documentation of the intended
architecture allows a final analysis of its design.
• Prepare for the allocation of safeguard selection, design, implementation and
maintenance—An organisation can be set up and specific tasks defined for
selection, implementation and maintenance of the safeguard.

A suitable security gateway arrangement will protect the organisation’s internal
systems and securely manage and control the traffic flowing across them, in
accordance with a documented security gateway service access policy.

References
www.iso.org
http://webstore.ansi.org

7. ISO/TR 13569:1997 Banking and Related Financial Services—Information Security Guidelines
Issuer
ISO/TR 13569:1997 is published by the International Organisation for
Standardisation (ISO). It was prepared by ISO Technical Committee
ISO/TC68/SC2, which develops financial services security standards and guides.

Document Taxonomy
The guidance Banking and Related Financial Services—Information Security
Guidelines is a technical report containing guidelines on security concepts and
suggested control objectives and solutions for financial sector organisations.

Circulation
This guidance is recognised internationally, but more so by the banking and
financial services industry at which it is specifically aimed.

Goals of the Standard or Guidance Publication
The guidance states three objectives:
• To present an information security programme structure
• To present a selection guide to security and control that represents accepted
prudent business practice
• To be consistent with existing standards, as well as emerging work in objective
and accreditable security criteria

Information Security Drivers for Implementing the Guidance—Why
Amongst the reasons for implementing ISO/TR 13569:1997 are:
• Financial services organisations are expected to conform to internationally
accepted standards.
• Conformance to the standard may improve trust relationships with other financial
organisations.
• Conformance enables the organisation to meet regulatory, audit and legal
expectations.

Related Risks of Noncompliance—What Could Happen
There is no direct risk from not complying unless the organisation has an inherent
need to comply with this standard.

Target Audience
The guidance is intended for use by financial institutions of all sizes and types and
by providers of service to financial institutions.

Timeliness
The first edition of ISO/TR 13569:1997 was issued in 1996 and then reissued in
1998. It has not been updated since. Most of its content is still valid and relevant but
it should be noted that, due to technology changes, parts of the document are either
stale or outdated. A new version of the standard is currently under development
with no date given for expected completion.

Certification Opportunities
There is no certification associated with the guidance.

Completeness
The majority of the guidance is concerned with documenting control objectives and
controls for the financial services sector and in this it covers a broad range of areas,
many of which are specific to financial services (e.g., automated teller machines).
Its age means that the controls are light for many technical areas; for instance,
networking of trusted third parties (TTPs) was a new concept at the time of issue in
1996, and there is no mention of Internet banking. However, most of the controls
remain appropriate as a source of commonly accepted security practices.

The section on information security programme components is detailed enough for
management briefing purposes and, although it is aimed toward the financial
services sector, it is generally applicable to all organisations.

Availability
The documents can be acquired from the ISO web site, www.iso.org, at a cost of
Swiss CHF 184.00.

Recognition/Reputation
Results of the global CISM survey that was conducted by ISACA in 2004
(described in this document’s Introduction) indicate that the document is less known
than some of the others reviewed for this research. However, the ISO standard still
scored a reasonable 60 percent recognition level amongst surveyed CISMs (only 50
percent in Asia). However, the majority (59 percent) of those CISMs familiar with
the guidance believe it has only limited acceptance as a standard.

Usage
The IT guideline is being put to practical use (i.e., implemented, used as best
practice or used for assessment) by less than 15 percent of CISMs (only 2.5 percent
in Central/South America), but that could be due to its emphasis on financial
institutions. Over half of CISMs familiar with the guidance found it effective in use
(rising to almost 90 percent in Oceania). Whilst more than half also found it
comprehensive, this figure fell to only 36 percent in Oceania.

CISM Domain Alignment

Information Security Governance, 2
ISO/TR 13569:1997 provides good descriptions of the components for establishing
and maintaining information security, but it does not provide guidance on how to
undertake the various tasks required.

Risk Management, 3
The guidance provides a simple risk assessment methodology that could easily be
used and adapted by anyone. It may not provide the level of detail required for
evaluating very high-risk systems and it does not address all the aspects of risk
management.

Information Security Programme Management, 3
Overall, it provides a good set of baseline controls over a wide range of topics
although some controls contain insufficient detail due to technology changes. It
does not provide guidance on security programme planning or project management.

Information Security Management, 2
The guidance addresses many of the tasks in this domain implicitly through the
controls practices, but there is limited guidance on establishing and carrying out
the tasks.

Response Management, 1
Response management is referenced in the guideline, but only limited guidance is
provided.

Overall, 2
ISO/TR 13569:1997 is a valuable reference source of control practices, particularly
for financial organisations, but since it was last published in early 1998, it is dated.

Description and Guidance on Use
The ISO/TR 13569:1997 guidance is a 97-page document that briefly describes the
components of an information security programme and provides a range of control
objectives and suggested solutions.

The guidance is split into nine sections and a number of annexes. The first sections
deal with introductions, references, executive summary, etc. Section 6 of the
guideline describes the components of an information security programme:
• General duties—Responsibilities for a range of roles within the organisation,
including directors, managers, employees, legal and security
• Risk acceptance—Process for accepting risks that fall outside the organisation’s
policies, standards and directives
• Insurance—Liaising with others to ensure that insurance conditions are
understood and can be dealt with, and insurance premiums are kept to a minimum
• Audit—Describes the activities of audit in the area of information security
• Regulatory compliance—Liaising with others to ensure that the information
security requirements of regulations are understood and implemented
• Disaster recovery planning—Activities within a disaster recovery plan to recover
information and information processing facilities
• Information security awareness—Ensuring that the awareness programme
achieves a balance of control and accessibility
• External services providers—Including Internet service providers, red-teams
(penetration testers) and electronic money token providers
• Cryptographic operations—Benefits and issues in selecting and using
cryptographic controls
• Privacy—Areas that should be addressed through policies and procedures

Extract From 6.8.2 Red-Teams
The use of a red-team, usually a contractor, to test system security by attempting
system penetration with the knowledge and consent of an appropriate official of
the institution, is a method of deriving assurance for the security programme.

As computer systems become more and more complex, security will become
increasingly harder to maintain. Use of red-teams can help in finding specific
points of weakness in an institution’s system.

Section 7 addresses control objectives and suggested solutions. In this part of the
guideline, there are 20 main topic areas, many broken down into further topics, as
follows:
• Information classification, including suggested labels and descriptions for
criticality and sensitivity
• Logical access control, further broken into a number of topics
• Audit trails
• Change control (including emergency procedures)
• Computers
• Networks
• Software
• Human factors
• Voice, telephone and related equipment
• Facsimile and image
• Electronic mail
• Paper documents
• Microform and other media storage (disclosure, destruction, etc.)
• Financial transaction cards (physical security, abuse, PINs, audit, etc.)
• Automated teller machines (user identification, fraud prevention,
maintenance, etc.)
• Electronic fund transfers
• Checks
• Electronic commerce
• Steganography
• Electronic money

Appendix A contains a number of sample forms, including:
• Information security policy—A simple, one-page document that can be easily
amended
• Employee awareness form—Which can be signed by the employee and
his/her manager
• Sign-on warning screen—Alerting users that they must be authorised to use
the system
• Risk acceptance form—Detailing all relevant facts about the risk, with spaces for
signatures of the relevant management
• Telecommuting agreement—Describing the duties and obligations of the
employee and company

Appendix E contains a simple risk assessment process that includes step-by-step
instructions and guidance along with a number of useful tables.

Reference
www.iso.org


8. ISO/IEC 15408:1999 and Common Criteria

The international standard ISO/IEC 15408:1999 Security Techniques—Evaluation
Criteria for IT Security is based on Common Criteria for Information Technology
Security Evaluation 2.0 (referred to as Common Criteria or CC), so the two are
treated in one chapter. Common Criteria succeeds the Information Technology
Security Evaluation Criteria (ITSEC), published by the European Commission in
1991. The two names are used synonymously in this chapter.

Issuer
ISO/IEC 15408:1999 was published in 1999 by the ISO/IEC JTC1 working group
in collaboration with the Common Criteria Project Sponsoring Organisation, which
published Common Criteria. Members of this organisation are:
• Canada—Communications Security Establishment
• France—Service Central de la Sécurité des Systèmes d’Information
• Germany—Bundesamt für Sicherheit in der Informationstechnik
• Netherlands—Netherlands National Communications Security Agency
• United Kingdom—Communications-Electronics Security Group
• United States—National Institute of Standards and Technology and National
Security Agency

From a historical point of view, the various standards/guidance issued by some of
the member bodies were influenced by other standards/guidance, as shown in
figure 6.

Figure 6—Standards Influences
The figure shows the lineage of the following documents:
• US Orange Book TCSEC (1985)
• UK Confidence Levels (1989)
• German Criteria
• French Criteria
• ITSEC (1991)
• Canadian Criteria (1993)
• Federal Criteria Draft (1993)
• Common Criteria v1.0 (1996)
• Common Criteria v2.0 (1998)
• Common Criteria v2.1 (1999)
• ISO/IEC 15408 (1999)
• Common Criteria v2.2 (2004)


Document Taxonomy
ISO/IEC 15408:1999 is an international standard. Common Criteria is labelled as a
multipart standard.

Circulation
Because it was developed by an international committee and published as an
international standard, Common Criteria has gained worldwide recognition.

Goal of the Standard or Guidance Publication
Common Criteria was issued to define criteria as the basis for a common and
comparable evaluation of IT security, focussing on the security of systems and
products.

Information Security Drivers for Implementing the Guidance—Why
ISO/IEC 15408:1999 is especially suited for:
• Implementation of security products or systems that are to be certified
• Development of semifinished products (e.g., control systems) for which
security is imperative

Related Risks of Noncompliance—What Could Happen
There is no direct risk for not complying unless the organisation has an inherent
need to comply with this standard.

Target Audience
CC describes three specific target audiences, with a fourth having some tangential
targeting. They are:
• Consumers—The needs of consumers are considered throughout the evaluation
process. The level of security provided by an evaluated product is comprehensible
for consumers.
• Developers—Developers have a guideline to prepare the evaluation of their
systems. On the other hand, CC helps in identifying security requirements. CC can
be useful as a source of security functions that may be implemented into a system.
• Evaluators—Evaluators have clear and agreed criteria to assess the security of a
system. Steps necessary for an evaluation are included, but the standard does not
stipulate procedures to be followed.
• Others—CC may be seen as a useful source of information by others, such as
security and assurance professionals.

Timeliness
ISO/IEC 15408:1999 was first published in 1999 and is now somewhat out of
step with the latest Common Criteria version 2.2, published in 2004 (CC2.2). If
the past serves as an indicator, it seems likely that CC2.2 (following some minor
editorial changes) will be accepted as the new version of ISO/IEC 15408, perhaps
by 2006.

Certification Opportunities
The purpose of the document is to provide common criteria for the certification of
security products and systems.

Completeness
There is a detailed description of the criteria that must be fulfilled to obtain
certification of security products and systems. It does not describe the full role and
responsibilities of an information security manager for establishing, implementing
and maintaining an enterprisewide information security programme. Whilst the
document contains security controls, they are not in a format that would make them
easy to find and use by the average organisation defining security controls for itself.

Availability
The international standard can be purchased from ISO at www.iso.org for
Swiss CHF 142.00, 294.00 and 230.00 for parts 1, 2 and 3 respectively. Common
Criteria is freely available for public use from www.nist.gov and
www.commoncriteriaportal.org.

Recognition/Reputation
Referring to the global survey of CISMs conducted in 2004 (described in this
document’s Introduction), two-thirds of surveyed CISMs are aware of the Common
Criteria, slightly more in the Europe/Africa and Oceania regions. Well over half of
all CISMs familiar with the CC felt it had only limited acceptance in the
information security community. This is a surprisingly high figure
considering its background; however, this may be a reflection of its more narrow
focus primarily on security products and systems rather than a specific criticism of
the standard.

Usage
CC is being used (mostly as best practice or for assessment) by approximately one-
fifth of surveyed CISMs except in Central/South America and Asia where usage is
quite low (5 and 11 percent, respectively). It is considered by more than half of
CISMs familiar with the standard to be comprehensive. At the same time, however,
half the CISMs in Europe/Africa and Central/South America felt it had only limited
effectiveness—again, most likely due to the focus on security products.

CISM Domain Alignment

Information Security Governance, 0
Information security governance is not addressed at all in the guidance.

Risk Management, 0
Risk management is not addressed at all in the guidance.

Information Security Programme Management, 2
CC provides detailed descriptions for identifying, designing and developing
security requirements of security products and systems, but it is aimed at the
security engineer rather than the information security manager.

Information Security Management, 0
Information security management is not addressed at all in this guidance.

Response Management, 0
Response management is not addressed at all in this guidance.

Overall, 2
This guidance would mostly be of use to a security engineer as the level of technical
detail is much greater than that of normal interest to an information security
manager with enterprisewide responsibilities. The exception may be in
organisations developing security products.

Description and Guidance on Use
Common Criteria 2.2 is supplied in three parts. It is primarily focussed on
applicable IT security measures implemented in hardware, software and firmware.

Part 1—Introduction and General Model
Part 1 is a document of 64 pages and explains the general model, general concepts
and the principles to be considered when evaluating IT security. Identification of
threats, vulnerabilities, risks and countermeasures is addressed conceptually, in
particular as it pertains to the development of products. Guidance is also provided
on activities that need to be addressed as part of the development process. This is
done in a general manner without specific development methodologies being
recommended or preferred.

Extract of Paragraph 129
The CC does not mandate a specific set of design representations. The CC
requirement is that there should be sufficient design representations presented at
a sufficient level of granularity to demonstrate where required:
a) that each refinement level is a complete instantiation of the higher levels
(i.e., all target of evaluation (TOE) security functions, properties, and
behaviour defined at the higher level of abstraction must be demonstrably
present in the lower level);
b) that each refinement level is an accurate instantiation of the higher levels (i.e.,
there should be no TOE security functions, properties, and behaviour defined
at the lower level of abstraction that are not required by the higher level).

Instructions for writing high-level specifications for products and systems are
provided in two annexes. Annex A addresses security targets and annex B addresses
protection profiles. A security target contains the IT security requirements of an
identified TOE and specifies the functional and assurance security measures
offered by that TOE to meet stated requirements. A protection profile defines an
implementation-independent set of IT security requirements for a category of
TOEs.

Extract From Paragraph 234 Rationale for the Security Target
c) The TOE summary specification rationale shall show that the TOE security
functions and assurance measures are suitable to meet the TOE security
requirements. The following shall be demonstrated:
– that the combination of specified TOE IT security functions works together
so as to satisfy the TOE security functional requirements;
– that the strength of TOE function claims made are valid, or that assertions
that such claims are unnecessary are valid;
– that the claim is justified that the stated assurance measures are compliant
with the assurance requirements.

The statement of rationale shall be presented at a level of detail that matches
the level of detail of the definition of the security functions.

Part 2—Security Functional Requirements
Part 2 is a document of 365 pages and contains functional components that are used
for expressing the security requirements of TOEs in a standardised manner. It is
structured into sets of functional components, families and classes. It is noted
within the document that not all security functional requirements can be assumed
to be included, but rather all of those that were known and agreed to be of value by
the CC part 2 authors at the time of release.

The security classes—the highest level in the catalogue structure—are:
• FAU—Security audit
• FCO—Communication
• FCS—Cryptographic support
• FDP—User data protection
• FIA—Identification and authentication
• FMT—Security management
• FPR—Privacy
• FPT—Protection of the TOE security function
• FRU—Resource utilisation
• FTA—TOE access
• FTP—Trusted path/channels

Extract of Paragraphs 319 and 320 of Security Attribute Expiration of the
Security Management Class (FMT_SAE)
319 FMT_SAE.1 Time-limited authorisation provides the capability for an
authorised user to specify an expiration time on specified security attributes.
320 The following actions could be considered for the management functions
in FMT Management:
a) managing the list of security attributes for which expiration is to be
supported
b) the actions to be taken if the expiration time has passed

There are a number of annexes providing explanatory information for potential
users of the functional components and classes, including a complete cross-
reference table of the functional component dependencies.

Extract of Paragraph 1051 From Annex H Security Attribute Expiration
(FMT_SAE)
1051 For FMT_SAE.1.1, the PP/ST author should provide the list of security
attributes for which expiration is to be supported. An example of such an
attribute might be a user’s security clearance.
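As an added example (not code from ISO/IEC 15408 or from this guide), the following Python models the FMT_SAE.1 behaviour described in paragraphs 319, 320 and 1051 above: an authorised user sets an expiration time on a clearance attribute, and a configured action (downgrade or removal) is applied once that time has passed, before any read of the attribute. The subject, role and attribute names are assumptions constructed for the example.

```python
"""
Added example (not from ISO/IEC 15408 or this guide): a minimal model of
FMT_SAE.1 time-limited authorisation. An authorised user sets an expiration
time on selected security attributes; paragraph 320's management functions are
(a) the set of attributes supporting expiration and (b) the action taken once
the time has passed. All subject, role and attribute names are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set

# (a) Attributes for which expiration is supported. "clearance" follows the
# Annex H example (paragraph 1051); "group_membership" is constructed.
EXPIRABLE_ATTRIBUTES: Set[str] = {"clearance", "group_membership"}

# (b) An expiry action maps the expired attribute's old value to a new value,
# or to None, meaning the attribute is removed from the subject altogether.
ExpiryAction = Callable[[str], Optional[str]]


@dataclass
class Attribute:
    value: str
    expires_at: Optional[datetime] = None  # None: no expiration set


@dataclass
class Subject:
    name: str
    attributes: Dict[str, Attribute] = field(default_factory=dict)


class NotAuthorised(Exception):
    """Only an authorised user may set expiration times (FMT_SAE.1.1)."""


class NotExpirable(Exception):
    """Expiration is not supported for the named attribute."""


class AttributeExpiryManager:
    def __init__(self, authorised_users: Set[str],
                 actions: Dict[str, ExpiryAction]) -> None:
        self.authorised_users = authorised_users
        self.actions = actions

    def set_expiration(self, actor: str, subject: Subject,
                       attr_name: str, expires_at: datetime) -> None:
        """FMT_SAE.1.1: an authorised user specifies an expiration time."""
        if actor not in self.authorised_users:
            raise NotAuthorised(f"{actor} may not set expiration times")
        if attr_name not in EXPIRABLE_ATTRIBUTES:
            raise NotExpirable(f"expiration not supported for {attr_name}")
        subject.attributes[attr_name].expires_at = expires_at

    def enforce(self, subject: Subject, now: datetime) -> List[str]:
        """FMT_SAE.1.2: apply the configured action to each expired attribute.
        Returns the names of the attributes acted on."""
        acted: List[str] = []
        for name in list(subject.attributes):  # copy: entries may be deleted
            attr = subject.attributes[name]
            if attr.expires_at is None or now < attr.expires_at:
                continue
            # Default action when none is configured: remove the attribute.
            new_value = self.actions.get(name, lambda _old: None)(attr.value)
            if new_value is None:
                del subject.attributes[name]
            else:
                # Replace with a fresh attribute so the action fires only once.
                subject.attributes[name] = Attribute(new_value)
            acted.append(name)
        return acted

    def effective_value(self, subject: Subject, attr_name: str,
                        now: datetime) -> Optional[str]:
        """Read an attribute only after enforcing expiry, so that a stale
        value can never feed an access decision."""
        self.enforce(subject, now)
        attr = subject.attributes.get(attr_name)
        return attr.value if attr is not None else None


def demo() -> Dict[str, Optional[str]]:
    """Walk a constructed subject through expiry; returns what each read saw."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed base time
    alice = Subject("alice", {
        "clearance": Attribute("secret"),
        "group_membership": Attribute("project-x"),
        "username": Attribute("alice"),  # not in EXPIRABLE_ATTRIBUTES
    })
    mgr = AttributeExpiryManager(
        authorised_users={"secadmin"},
        actions={"clearance": lambda _old: "unclassified",  # downgrade
                 "group_membership": lambda _old: None},     # remove
    )
    h = timedelta(hours=1)
    mgr.set_expiration("secadmin", alice, "clearance", t0 + h)
    mgr.set_expiration("secadmin", alice, "group_membership", t0 + 2 * h)
    return {
        "clearance_before": mgr.effective_value(alice, "clearance", t0 + h / 2),
        "clearance_after": mgr.effective_value(alice, "clearance", t0 + h),
        "group_after": mgr.effective_value(alice, "group_membership", t0 + 3 * h),
    }
```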

Part 3—Security Assurance Requirements
A set of assurance components is included in part 3 (171 pages), enabling a
standardised approach for defining assurance requirements for IT products and
services. The structure of the catalogue is similar to the one in part 2 in that it is
subdivided into components, families and classes. Evaluation criteria for protection
profiles (PPs) and security targets (STs) are also included in part 3. The evaluation
of PP and ST is to be performed before evaluating the TOE.

The evaluation criteria tasks for PPs are:
• APE_DES—TOE description
• APE_ENV—Security environment
• APE_INT—PP introduction
• APE_OBJ—Security objectives
• APE_REQ—IT security requirements
• APE_SRE—Explicitly stated IT security requirements (applicable only for an
extended evaluation)

The ST evaluation tasks are:
• ASE_DES—TOE description
• ASE_ENV—Security environment
• ASE_INT—ST introduction
• ASE_OBJ—Security objectives
• ASE_PPC—PP claims
• ASE_REQ—IT security requirements
• ASE_SRE—Explicitly stated IT security requirements (applicable only when
evaluating extended requirements)
• ASE_TSS—TOE summary specification

Detailed requirements for each assurance component, grouped by class and
family, are provided. The seven assurance classes with their respective families
are:
• ACM—Configuration management
– ACM_AUT—Automation
– ACM_CAP—Capabilities
– ACM_SCP—Scope
• ADO—Delivery and operation
– ADO_DEL—Delivery
– ADO_IGS—Installation, generation and start-up
• ADV—Development
– ADV_FSP—Functional specification
– ADV_HLD—High-level design
– ADV_IMP—Implementation representation
– ADV_INT—TSF internals
– ADV_LLD—Low-level design
– ADV_RCR—Representation correspondence
– ADV_SPM—Security policy modelling
• AGD—Guidance documents
– AGD_ADM—Administrator guidance
– AGD_USR—User guidance
• ALC—Life cycle support
– ALC_DVS—Development security
– ALC_FLR—Flaw remediation
– ALC_LCD—Life cycle definition
– ALC_TAT—Tools and techniques
• ATE—Tests
– ATE_COV—Coverage
– ATE_DPT—Depth
– ATE_FUN—Functional tests
– ATE_IND—Independent testing
• AVA—Vulnerability assessment
– AVA_CCA—Covert channel analysis
– AVA_MSU—Misuse
– AVA_SOF—Strength of TOE security functions
– AVA_VLA—Vulnerability analysis

Extract From AGD_ADM.1 Administrator Guidance
AGD_ADM.1.1C The administrator guidance shall describe the administrative
functions and interfaces available to the administrator of the TOE.
AGD_ADM.1.2C The administrator guidance shall describe how to administer
the TOE in a secure manner.
AGD_ADM.1.3C The administrator guidance shall contain warnings about
functions and privileges that should be controlled in a secure processing
environment.
AGD_ADM.1.4C The administrator guidance shall describe all assumptions
regarding user behaviour that are relevant to secure operation of the TOE.

Seven evaluation assurance levels (EALs) are presented, representing packages of
assurance components. These EALs allow the IT security rating of products and
services. For each EAL a description of its objectives and minimal assurance
components is provided.

The EALs identified within Common Criteria are as follows:
• EAL1—Functionally tested
• EAL2—Structurally tested
• EAL3—Methodically tested and checked
• EAL4—Methodically designed, tested and reviewed
• EAL5—Semiformally designed and tested
• EAL6—Semiformally verified design and tested
• EAL7—Formally verified design and tested

References
www.iso.org
www.iec.org
www.nist.gov
www.commoncriteriaportal.org

9. ISO/IEC 17799:2000 Information Technology—Code of Practice for
Information Security Management

Issuer
ISO/IEC 17799 Information Technology—Code of Practice for Information
Security Management was published by the International Organisation for
Standardisation and International Electrotechnical Commission. The technical
committee identified as ISO/IEC JTC1/SC27 WG1 is responsible for its
maintenance.

Document Taxonomy
ISO/IEC 17799:2000 is a collection of information security practices, and is based
on British Standard BS 7799-1:1999, Code of Practice for Information Security
Management.

Circulation
ISO/IEC 17799:2000 is available and used internationally. It has been published in
several languages including Chinese, Czech, Danish, Dutch, Finnish, French,
German, Icelandic, Japanese, Korean, Norwegian, Portuguese and Swedish.

Goal of the Standard or Guidance Publication
ISO/IEC 17799:2000 provides information to parties responsible for implementing
information security within an organisation. It can be seen as a basis for developing
security standards and management practices within an organisation, and for
improving confidence in information security in interorganisational relationships.

Information Security Drivers for Implementing the Guidance—Why
ISO/IEC 17799:2000 offers internationally recognised security practices that
enable an organisation to meet audit, regulatory and legal expectations. Compliance
can help promote an organisation as trusted and can be used as part of the basis for
certification to BS 7799-2:2002.

Related Risks of Noncompliance—What Could Happen
There is no direct risk from not complying unless the organisation has an inherent
need to comply with this standard.

Target Audience
During the drafting of ISO/IEC 17799:2000 it was assumed that the execution of its
provisions would be entrusted to appropriately qualified and experienced people.
As all of the contents are considered guidance as opposed to mandatory
requirements, it is assumed that the individual implementing ISO/IEC 17799:2000
will have the experience needed to evaluate and apply controls as they relate to the
specific risks and needs of their organisation.

Timeliness
ISO/IEC 17799:2000 is a first edition, currently being reviewed as part of the
normal three-to-five-year ISO revision process. Whilst the majority of its contents
remain valid, changes in IT inevitably have meant that some of the guidance may
be dated or incomplete. A new version has already been developed and is expected
for publication within 2005.

Certification Opportunities
There is no certification available for ISO/IEC 17799:2000. However, it can be used
as guidance for those wishing to achieve certification to BS 7799-2:2002.

Completeness
ISO/IEC 17799:2000 is designed to be comprehensive to a level that meets the
needs of the majority of organisations, from small to large, and across industry
sectors. As a set of control objectives and security practices it has good coverage
although it does not deal with technology changes that have taken place over the last
four or five years. Security management concepts are only briefly addressed.

Availability
ISO/IEC 17799:2000 can be purchased from ISO at www.iso.org for Swiss CHF
172.00, as well as from many national standards bodies.

Recognition/Reputation
Findings from the global CISM survey that was conducted by ISACA in 2004
(described in this document’s Introduction) indicate that ISO/IEC 17799:2000 has
made a significant impact on the information security community, and was
recognised by more than 97 percent of the surveyed CISMs. Acceptance levels of
the standard are also very high: more than 85 percent of the surveyed CISMs
(falling to 65 percent in North America) believed it to be an acceptable standard,
whilst most of the remaining CISMs thought it has at least limited acceptance.

Usage
As the survey indicated, active usage (i.e., implemented, used as best practice or
used for assessment) of the standard is very high at greater than 58 percent, with a
large majority of surveyed CISMs (in excess of 80 percent) finding it
comprehensive.

CISM Domain Alignment

Information Security Governance, 1
Some aspects of information security governance are referenced in the introduction.
No further detail is present.

Risk Management, 1
Some references are made to risk management in the introduction. No further detail
is present.

Information Security Programme Management, 3
It provides a very good set of general security controls, although it does not address
some of the latest technology areas. No guidance is provided on security planning
or project management.

Information Security Management, 2
ISO/IEC 17799:2000 implicitly addresses, through its guidance, many of the
activities undertaken in information security management. It does not provide any
guidance on how to establish or carry out these activities.

Response Management, 2
The guidance provides a good list of important control practices for business
continuity, but it does not fully address all areas of this domain nor provide
guidance on how to establish and manage a response management function.

Overall, 2
This is a good source of controls and control practices designed to be used by an
experienced information security practitioner. However, those with less experience
may find it difficult to decide which control practices are necessary.

Description and Guidance on Use
ISO/IEC 17799:2000 (94 pages) describes guiding principles as the starting point
for implementing information security. They rely on either legal requirements or
generally accepted best practices.

Measures based on legal requirements are (amongst others):
• Protection and nondisclosure of personal data
• Protection of internal information
• Protection of intellectual property rights

Best practices mentioned are:
• Information security policy
• Assignment of responsibility for information security
• Problem escalation
• Business continuity management

When implementing a system for information security management, several critical
success factors should be considered:
• The security policy, its objectives and its activities reflect the business objectives.
• The implementation considers cultural aspects of the organisation.
• Open support and engagement of senior management are required.
• Thorough knowledge of security requirements, risk assessment and risk
management is required.
• Security targets are effectively marketed to all personnel, including members of
management.
• The security policy and security measures are communicated to contracted third
parties.
• Users are trained in an adequate manner.
• A comprehensive and balanced system for performance measurement, which
supports continuous improvement by giving feedback, is available.
• Security meets requirements of agreements and contracts.

After the introductory information (scope, terms and definitions), guidance is
presented for initiating, implementing and maintaining information security. This
guidance is structured into 10 sections, which contain 36 objectives and 127
controls. Suggestions are provided on how each control can be met.

Information security should cover at least the following areas:
• Security policy
– An information security policy should define the direction and contain the
commitment and the support of management.
– The policy should be communicated throughout the organisation.
• Organisational security
– The definition of adequate organisation structures for the management of
information security within the organisation should include:
  – An information security management forum
  – A forum for co-ordination
  – Assignment of responsibility for information security to individuals
  – Definition of responsibility areas for managers
  – Definition of an authorisation process for IT facilities
  – Definition of responsibility for investigation of security-relevant know-how
  – Defined scope for co-operation with third parties as well as independent
security reviews
– Comprehensive measures should exist for management of third-party services
(definition of risks and security requirements).
– Risks caused by outsourcing contracts should be managed.
• Asset classification and control
– The inventory of assets and the assignment of responsibility for them should be
seen as a prerequisite to sound accountability for assets.
– Information should be classified following a generally accepted system, thus
ensuring an appropriate level of protection.
• Personnel security
– Security responsibilities, confidentiality agreements and the contract of
employment should be part of the job responsibility.
– Adequate controls for personnel screening should be in place.
– Information security education and training should increase users’ security
awareness.
– The process of reporting security incidents, weaknesses and software
malfunctions should be defined. This should include the assessment of the
adequacy of the controls implemented by a permanent process of learning from
incidents.
• Physical and environmental security
– Central equipment should be installed only within a secure area, where adequate
access controls and damage prevention are implemented. These areas include
offices, rooms and facilities. There is also a need for special attention to delivery
and loading areas.
– Equipment should be protected against loss, damage or compromise by being
sited and protected in an appropriate manner. Power supplies, an adequate level
of cabling security and correct maintenance of the equipment should be in place.
– Equipment installed off-premises and disposal or reuse of information should be
considered.
– General controls (such as a clear desk and clear screen policy) to protect
information processing facilities or to prevent damage caused by unauthorised
offsite usage of equipment should be in place.
• Communications and operations management
– Operations should follow documented procedures.
– All changes to equipment should be documented.
– Procedures for sound incident management should be defined.
– Duties should be segregated, ensuring that no individual can both initiate and
authorise an event.
– Development and operational facilities should be separated.
– Risks caused by contracted external facilities organisations should be covered.
– Capacity demands should be observed and future demands should be projected.
– Acceptance criteria for new systems should be defined.
– Damage caused by malicious software should be prevented, using preventive
and detective controls, formal policies, and defined recovery procedures.
– Information should be backed up and the backup files tested regularly.
– Activities performed by operational staff and errors should be logged.
– Networks should be set up and managed with a view to ensuring the necessary
level of security.
– Removable media should be handled with special care.
– Media with sensitive information should be disposed of in a secure manner.
– Adequate controls in information handling procedures (e.g., labelling of media,
ensuring completeness of inputs, storage of media) should be considered.
– System documentation should be protected, as it may contain sensitive
information.
– Agreements for the exchange of information and software should be established,
including media in transit, electronic commerce transactions, electronic mail,
electronic office systems, publicly available systems and other forms of
information interchange.
• Access control
– Access to information should be granted in accordance with business and
security requirements.
– A formal access control policy should be in place.
– Access control rules should be specified.
– User access management (registration, privilege management, password
management, review of user access rights) should follow a formal process.
– Responsibilities of users should be clearly defined.
– Networked services, operating systems and applications should be protected
appropriately.
– System access and use should be monitored constantly.
– Mobile computing and teleworking should be performed in a secure manner.
• Systems development and maintenance
– Security issues should be considered when implementing systems, following
defined requirements.
– Security in application systems should take into account the validation of input
data, adequate controls of internal processing, message authentication and
output data validation.
– Use of cryptographic systems should follow a defined policy.
– Access to system files (including test data and source libraries) should be
controlled.
– Project and support environments should allow for security by being rigorously
controlled (e.g., change management procedures, arrangements for outsourced
development).
• Business continuity management
– A comprehensive business continuity management process should permit
prevention of interruptions to business processes.
– The business continuity management process should not be restricted to IT-
related areas and activities.
– A business impact analysis should be carried out, resulting in a strategy plan.
– Business continuity plans should be developed following a single framework.
– Business continuity plans should be tested, maintained and reassessed
continuously.
• Compliance
– Breaches of applicable law (e.g., data protection acts) should be avoided.
– Compliance with the security policy should be ensured by periodic reviews.

Extract From 3.1.2 Security Policy Review and Evaluation
The policy should have an owner who is responsible for its maintenance and
review according to a defined review process. The process should ensure that
a review takes place in response to any changes affecting the basis of the
original risk assessment, e.g., significant security incidents, new vulnerabilities
or changes to the organisational or technical infrastructure. There should also
be scheduled, periodic reviews of the following:
a) The policy’s effectiveness, demonstrated by the nature, number and impact
of recorded security incidents
b) Cost and impact of controls on business efficiency
c) Effects of changes to technology

References
www.iso.org
www.iec.org
www.bsi-global.co.uk

10. Security Management

Issuer
IT Infrastructure Library (ITIL) is a collection of best practices and guidelines for
IT service management and comprises a series of books on the quality provision of
IT-related services. They are published and copyrighted by the UK’s Office of
Government Commerce (OGC).

Document Taxonomy
ITIL’s Security Management, published in 1999, is a methodology describing how
IT security management processes link into other IT infrastructure management
processes.

Circulation
Although developed by the UK government, ITIL is used internationally.

Goal of the Standard or Guidance Publication


ITIL was designed to provide a foundation for the management of the IT
infrastructure. Security Management is one of the many activities that must be
addressed by IT management, alongside, e.g., service level management and
business continuity planning.

Information Security Drivers for Implementing the Guidance—Why
Security Management is an important part of the ITIL library, and organisations
implementing ITIL would benefit from also including it. It formalises the
relationships between IT security management processes and other IT management
processes and can be used as part of the process for conformance with
BS 15000 Specification for IT Service Management, which is based
on ITIL.


Related Risks of Noncompliance—What Could Happen


Organisations implementing ITIL but not including ITIL Security Management
may find critical processes fragmented or incomplete.

Target Audience
The stated audience of Security Management is “anyone responsible for critical IT
processes as well as business managers who may find it helpful in defining their
requirements for security”.

Timeliness
ITIL Security Management has not been updated since 1999. There are some plans
that call for ITIL to begin a scoping process for change in 2005. No further details
were available at the time of publication.

Certification Opportunities
There is no certification for ITIL Security Management, but it is suggested that by
following its guidance (along with that provided in the other ITIL IT services
publications), an organisation would be well placed to obtain certification to
BS 15000 Specification for IT Service Management.

Completeness
Within the scope of ITIL Security Management, security management processes are
well covered and are suitable for any type of organisation with a large or complex
IT infrastructure. However, ITIL does not extend outside the management of the IT
infrastructure, meaning this is not an ideal publication for establishing an
enterprisewide security function.

The document includes a number of control practices but not to great depth, instead
referring the reader to ISO/IEC 17799:2000 (see footnote 6) for more detailed
information.

Footnote 6: ITIL actually uses the term “BS 7799” and refers to the 1995 and draft 1999
versions of the Code of Practice that eventually evolved into BS 7799-1:1999 and then
ISO/IEC 17799:2000. No mention is made by ITIL of BS 7799-2:2002, which was published
much later than ITIL Security Management.


Availability
ITIL Security Management can be purchased from The Stationery Office (TSO) in
the UK (online at www.tso.co.uk). The cost is GB Sterling £44.95.

Recognition/Reputation
Based on the ISACA global survey of CISMs (described in this document’s
Introduction), ITIL has wide international recognition (around 85 percent of the
surveyed CISMs) although slightly less so in North America (68 percent). More
than half of all CISMs felt the standard has only limited acceptance, although 35
percent felt it has wide acceptance.

Usage
The CISM survey results showed that ITIL is actively used (i.e., implemented, used
as best practice or used for assessment) by 40 percent in the Oceania and
Europe/Africa regions. Usage is also strong (more than 23 percent) in other regions.
It is considered by most to be effective in use (except for Oceania with half feeling
it has only limited effectiveness). More than half of those familiar with ITIL felt it
is either “somewhat comprehensive” or “comprehensive”.

CISM Domain Alignment

Information Security Governance, 1


There are several references to the activities within this domain, but they are not
addressed in any great detail and are focussed on security management only as it
relates to the operation of the IT infrastructure.

Risk Management, 0
Risk management is rarely addressed within this document.

Information Security Programme Management, 2


The guidance provides a good model for planning and establishment of information
security services within the IT infrastructure. It does not cover all areas of an
information security programme and provides controls at only a high level.


Information Security Management, 2


Security Management provides a good model for the delivery and monitoring of
information security services within the IT infrastructure. It does not cover all areas
of an information security programme.

Response Management, 1
References are made to security incident registration and problem management, but
not in any great depth.

Overall, 2
This is most likely to be of interest to an information security manager if the
organisation is implementing ITIL or plans to apply for BS 15000 certification. Its
main audience is likely to be IT managers.

Description and Guidance on Use


Security Management is a document of 94 pages devoted to processes of integrating
IT security management into the overall IT services management framework. It is
designed to be used somewhat like a workbook to be of practical assistance.

Chapter 1 provides a brief introduction to the document, and chapter 2 describes the
basics of security management. The third chapter describes the links to other ITIL
processes. Chapter 4 covers measures and chapter 5 provides guidelines for
implementing the security management function. There are also five useful
annexes.

Chapter 2—Fundamentals of Information Security


Information security is explained from both a business perspective and that of IT
infrastructure management. The majority of the emphasis is placed on the IT
security management process, as that is within the scope of ITIL, but
acknowledgement is made of the wider role for security. In simple terms, a
customer defines requirements for security and these are reflected in a service level
agreement (SLA). A control process is then used to manage four major
activity areas:
• Plan (includes policy statement, contracts, etc.)
• Implement (includes awareness, classification, control of access rights, etc.)
• Evaluate (includes internal and external audits)
• Maintain (includes learning and improvement)

Reporting is then used to link back to the customer, confirming that security
arrangements within SLAs have been met.


Chapter 3—ITIL and Security Management


ITIL is concerned with best practice in the exploitation of the IT infrastructure and
the management of an existing working environment. This chapter puts security
management into context with other ITIL processes. However, ITIL is not specifically
concerned with system development, nor with the strategic and tactical processes for
developing the IT architecture and infrastructure, so these areas, which also concern
the security manager, are not addressed.

ITIL defines its processes under “sets” and the relationship with security
management is described in each case in varying detail. There are three sets:
• Manager’s set—The strategic layer that is important with regard to the
organisation of information security activities of the IT service provider
• Service delivery set—Represents the tactical processes where SLAs are drawn up
and service provided. Other processes that link with security management are:
– Service level management
– Availability management
– Performance and capacity management (including workload, resource and
demand management)
– Business continuity planning
– Financial management and costing
• Service support set—The operational layer that provides beneficial processes for
service delivery and includes links to:
– Configuration and asset management
– Incident control/help desk
– Problem management
– Change management
– Release management

Extract from 3.3.4.1. Change Management and Security Management


Security proposals also form part of the RFC (request for change). The starting
point here is again the agreements contained in the SLA, as well as the security
baseline chosen by the IT service provider. The general security profiles are
often used, which specify which security measures have to be implemented for
which types of products. For example, the following have to be specified for
each operating system: identification and authentication, authorisation, access
control, audit/logging, and management (including user management and the
management of rights). Security proposals therefore consist of a collection of
security measures that are often combined in a procedure laid down in
documentation.


Chapter 4—Security Management Measures


This chapter provides a general overview of security measures (controls rather than
metrics) that are implemented through the security management process. They have
been based on, but do not approach the depth or detail of, the guidelines provided
in ISO/IEC 17799:2000. Included are:
• Organisation of information security
• Asset classification and control
• Personnel security
• Communication and operations management
• Access control

Control measures are also defined for the auditing and evaluation of security in IT
systems, maintenance and reporting. Annex A provides a cross-reference table
providing an easy reference to the areas covered and not covered by ITIL.

Extract of Some of the Possible Reports a Security Manager May Provide into the
Service Level Management Process
• Reports on the Plan activity:
– Reports on conformance to the SLA including the agreed upon KPIs for
security
– Reports on underpinning contracts and any disconformities in their
fulfilment
– Reports on operation level agreements and policy statements

• Regular reports on the Implementation activity:
– Status of information (such as) implemented measures, education and
reviews including self-assessments and risk analyses
– Overview of security incidents and the reaction to these incidents—this
compared to a previous time frame
– Status of awareness programmes
– Trends on incidents per system, per process, per department, etc.

Chapter 5—Guidelines for Implementing Security Management


Five areas are covered in this chapter:
• Awareness—The types of activities that can be taken to improve awareness across
the organisation
• Organisation of security management—The choices available in how to organise
security and the characteristics that one may look for in a security manager
• Documentation—The types of documentation that should be produced and their
corporate placement
• Security management for small and medium enterprises—A brief description of
minimum security requirements (based on the original 10 key controls contained
within ISO/IEC 17799:2000)
• Pitfall and success factors—A few ideas on what not to do


Annexes
• Annex A provides a cross-reference table showing the relationship between ITIL
and ISO/IEC 17799:2000. Annex A recommends the use of ISO/IEC 17799:2000
when implementing Security Management.
• Annex B provides a specimen security section in the SLA.
• Annex C describes a framework that can be used in drawing up a security plan.
• Annex D is a reference showing the various documents that were referred to in
drawing up Security Management, potentially useful web sites and a list of other
ITIL books.

Reference
www.tsoonline.co.uk

11. NIST 800-12 An Introduction to Computer Security—The NIST Handbook
Issuer
The Computer Security Resource Centre (CSRC) of the National Institute of
Standards and Technology (NIST), an agency of the US Department of
Commerce, published the document. It is part of NIST’s 800 series (computer
security) and was published in October 1995.

Document Taxonomy
NIST 800-12 An Introduction to Computer Security—The NIST Handbook
describes the common requirements for managing and implementing a computer
security programme and some guidance on the types of controls that are required.

It is the first in a NIST series of three and is followed by:
• NIST 800-14 Generally Accepted Principles and Practices for Securing
Information Technology Systems (September 1996)
• NIST 800-18 Guide for Developing Security Plans for Information Technology
Systems (December 1998)

Circulation
The guidance is published by a US government department, thus it is more
commonly used by US organisations. However, the NIST series of security
publications is internationally known by the information security industry. NIST is
also the US representative in Common Criteria guidance.

Goal of the Standard or Guidance Publication


The guidance is designed to provide a broad overview of computer security and
assistance to the reader in developing and implementing a computer security
programme. It does not intend to provide detailed guidance on implementation of
the computer security programme nor to specify control requirements in detail.
Rather, it focusses on the benefits that good security promotes.

Information Security Drivers for Implementing the Guidance—Why
Compliance with NIST 800-12 is often driven by a need to comply with principles
and criteria for US government organisations.

Related Risks of Noncompliance—What Could Happen


There is no direct risk from not complying unless the organisation has an inherent
need to comply with this guidance.

Target Audience
The guidance states that it is aimed at those with responsibilities for computer
security, particularly those in US government organisations. However, the majority
of its contents could be applicable to any individual with information security
responsibilities.

Timeliness
The guidance is somewhat dated on the controls side, having been produced in
1995. However, its overall guidance on a computer security programme remains
valid. No updates have been published.

Certification Opportunities
No certification is available for NIST 800-12.

Completeness
Although it was designed primarily for US government agencies, it is also
considered appropriate for organisations of any type or size. Many of the references
are US-specific, but this should not be a major problem for non-US readers. The
controls are somewhat dated and are provided at a relatively high level compared
with guidance available in other publications. Despite this, it does a good job of
meeting its stated objectives.

Availability
The guidance is posted for complimentary download electronically from the CSRC
web site, www.csrc.nist.gov. Printed versions are not available.


Recognition/Reputation
Based on the results of the global CISM survey conducted in 2004 (described in this
document’s Introduction), the guidance is well recognised by more than 60 percent
of surveyed CISMs globally, particularly in North America (85 percent). Around
half of the surveyed CISMs felt the guidance has only limited acceptance although
responses from North America were much more positive.

Usage
The guidance is actively used (i.e., implemented, used as best practice or used for
assessment) by one-third of all North American CISMs and also by many in
Central/South America. The application levels are quite low (less than 14 percent)
in other areas. Despite this low usage outside the Americas, more than half of all
CISMs familiar with the publication considered it to be comprehensive and
effective.

CISM Domain Alignment

Information Security Governance, 4


NIST 800-12 provides sound guidance for the information security manager,
covering most of the tasks in this domain even though the content is somewhat
dated and focussed on US government requirements.

Risk Management, 3
The guidance provides good descriptions of risk management concepts, but it does
not provide direction on how to carry out risk assessments.

Information Security Programme Management, 4


It provides good guidance on setting up and managing an information security
programme although aspects of project management are not addressed.

Information Security Management, 4


NIST 800-12 provides sound guidance for the information security manager,
covering most of the tasks in this domain even though some of the documents are
somewhat dated.

Response Management, 3
It provides good guidance on the components of contingency planning, but it does
not go fully into response management nor cover forensics.


Overall, 4
NIST 800-12 is a good guideline that covers many aspects of information security
management. It is focussed on the US government and may be somewhat
cumbersome for small, commercial organisations, but overall it is a valuable source
of guidance. It would benefit from being updated as it was last published in 1995.

Description and Guidance on Use


The NIST Handbook is a document of 290 pages split into a number of sections,
further divided into chapters.

Section I provides an introduction to the handbook and also includes the
foundations upon which the chapters on controls are based. The handbook’s general
approach to computer security is based on eight major principles. These are derived
from the principles published by the Organisation for Economic Co-operation and
Development in 1992 and are intended to be generally accepted and applied when
developing or maintaining IT systems. The 1992 OECD principles are accountability,
awareness, ethics, multidisciplinary, proportionality, integration, timeliness,
reassessment and democracy. (The OECD published new principles in 2002.)

Taking these into account, the handbook’s eight principles are:
• Computer security supports the mission of the organisation—Even though the
protection of assets (information, hardware and software) is essential to achieve
the goals of the organisation, security is frequently seen as inconsistent with the
business objectives. Thus, management needs to understand the mission of the
organisation and how this mission is supported by IT systems. Security is a means
to an end, not an end in itself.
• Computer security is an integral element of sound management—Management
must accept the fact that harm to assets can be caused even though security
provisions are in place. Management has to commit to the level of risk it is willing
to accept.
• Computer security should be cost-effective—The cost for securing systems has to
be aligned with the security need. This requires that the cost and benefits of
security be examined in monetary and nonmonetary terms. Direct and indirect
costs should be considered when analysing the costs.
• System owners have security responsibilities outside their own organisations—
System owners have to inform external users of the security measures of their
systems, and they are responsible for incident response in a timely and
co-ordinated manner.
• Computer security responsibilities and accountability should be made explicit—
Every organisation, regardless of size, should document responsibilities and
accountabilities of owners, providers and users. Those with specific
responsibilities for IT security, e.g., programmers and software development
managers, should also have these responsibilities documented.

• Computer security requires a comprehensive and integrated approach—Computer
security and areas outside computer security should be considered. The
interdependence of security controls and other controls must be understood and a
mix of managerial, operational and technical controls applied to enable an
adequate and stable level of security.
• Computer security should be periodically reassessed—The need for re-evaluation
of security measures is obvious in the wake of permanent changes to
organisations, business environments, legal issues, threats or technologies.
• Computer security is constrained by societal factors—Security measures may
come into conflict with other limitations, such as workplace privacy. Those
conflicts must be solved.

Another chapter within section I provides ideas on how roles and responsibilities
for security may be allocated within an organisation. These roles and
responsibilities are nonprescriptive, and it is recognised within the handbook that
they will vary depending on many factors, including size of organisation. Examples
are given for 18 typical roles, including senior management, audit, quality
assurance, help desk, system management and administration.

Common threats to information are explained under nine headings, including fraud
and theft, employee sabotage, malicious hackers, malicious code, errors and
omissions, and espionage.

Sections II, III and IV address controls that have been divided into three areas:
management, technical and operational. Section II contains management controls
and these are divided into a number of chapters, each addressing a specific area.

Computer Security Policy Chapter


This chapter breaks policy into three types:
• Programme policy is defined as that which is “used to create an organisation’s
computer security programme”. Guidance is provided on defining programme
purpose, scope, responsibilities and compliance. Programme policy is assumed to
be broad-based and relatively stable.
• Issue-specific policy is related to consideration of areas that are new or more
likely to need change, for instance, resulting from dynamics in technology.
Examples given include Internet and e-mail.
• System-specific policy relates to the detailed attention that must be given to an
individual system, keeping in mind that different systems may need different
levels of protection. A distinction is drawn between security objectives (explicitly
defined requirements based on the confidentiality, integrity and availability needs)
and operational security rules (documenting the who, what and when).


Computer Security Programme Management Chapter


This chapter provides suggestions on how the computer security programme should
be structured. Examples provided reflect common structures found in US federal
organisations, with an emphasis on the fact that organisations differ and there is no
single solution that will work for everyone.

Detailed guidance is also provided on the benefits of centralised computer security
programmes vs. system-level computer security programmes and how the two
approaches can be used and work together.

Computer Security Risk Management Chapter


This chapter goes into detail on explaining risk management by breaking it down
into three main areas:
• Risk assessment is defined as “the process of analyzing and interpreting risk”.
Within this activity area are determination of scope, methodology to be used,
collection of data, analysis and interpretation of results. Asset valuation and threat,
vulnerability and safeguard assessment are defined.
• Risk mitigation covers the selection and implementation of additional safeguards
(to the point where residual risk is acceptable) and the process of monitoring them
for effectiveness.
• Uncertainty analysis is described as the need to understand how accurate and
reliable the risk analysis has been (e.g., the accuracy of the valuation of assets) to
enable management to use the analysis results effectively.

Security and Planning in the Computer System Life Cycle Chapter


Five basic phases are described for life cycle planning:
• Initiation is when the sensitivity of the system and the information it will process
are determined to provide an early indication of the likely security safeguards and
their costs.
• Development and acquisition is when security requirements are defined in more
detail (including consideration of legal requirements, policies, standards and cost),
incorporated into designs and either built or acquired.
• Implementation includes security testing and accreditation (the formal
authorization by the accrediting management official for system operation and an
explicit acceptance of risk).
• Operation and maintenance covers operations and administration of safeguards,
assurance that they are being followed and working, and reanalysis of safeguards
with reaccreditation as necessary.
• Disposal includes discarding information, hardware and software using
appropriate methods.


Assurance Chapter
The handbook defines computer security assurance as “the degree of confidence
one has that the security measures, both technical and operational, work as intended
to protect the system and the information it processes”. This chapter examines both
accreditation and assurance, describing objectives, methods and when assurance is
required within planning, design, implementation and operations of systems. Many
tools and methods for obtaining assurance (e.g., penetration testing and automated
tools) are described.

Extract From 7.1.2 Collecting and Analyzing Data


Risk has many different components: assets, threats, vulnerabilities,
safeguards, consequences, and likelihood. This examination normally includes
gathering data about the threatened area and synthesizing and analyzing the
information to make it useful.

Because it is possible to collect much more information than can be analyzed,
steps need to be taken to limit information gathering and analysis. This process
is called screening. A risk management effort should focus on those areas that
result in the greatest consequence to the organization (i.e., can cause the most
harm). This can be done by ranking threats and assets.

A risk management methodology does not necessarily need to analyze each of
the components of risk separately. For example, assets/consequences or
threats/likelihoods may be analyzed together.

Section III on operational controls also contains a number of chapters describing
control requirements for specific areas.

Personnel/User Issues Chapter


Staffing issues include consideration of the sensitivity of positions, segregation of
duties, screening before employment and the requirements for training. User
account management is also covered, with guidance provided on the
creation/maintenance/deletion of user accounts, processes for tracking usage,
review of authorisations, and dealing with staff transfers and departures.

Preparing for Contingencies and Disasters Chapter


This chapter describes the six main activities for contingency planning as:
• Identifying business critical functions
• Identifying required resources
• Anticipating disasters
• Selecting a strategy
• Implementing the strategy
• Testing/revising the plan

Resources addressed include human, computer-based, data, infrastructure and
documentary. Some examples are provided on the different types of questions that
may arise in planning, given different scenarios. Suggestions are also provided on
the types of backup sites that may be considered, depending on requirements.

Computer Security Incident Handling Chapter


The chapter describes the benefits of having an incident handling capability and
describes the common characteristics that are most likely to lead to success,
although not in much detail. Also included are guidelines on the technical and
procedural mechanisms that will help ensure rapid communication and response in
the event of an incident.

Awareness, Training and Education Chapter


This chapter defines the three main purposes for security awareness, training and
education as:
• Improving awareness of the need to protect system resources
• Developing skills and knowledge so computer users can perform their jobs more
securely
• Building in-depth knowledge, as needed, to design, implement or operate security
programmes for organisations and systems

It describes the different objectives, suggested teaching methods and impacts for
awareness, education and training and provides a seven-step approach to
implementing a programme to address all three:
• Identify programme scope, goal and objectives.
• Identify training staff.
• Identify target audiences.
• Motivate management and employees.
• Administer the programme.
• Maintain the programme.
• Evaluate the programme.

Security Considerations in Computer Support and Operations Chapter
This chapter describes seven main areas that need addressing to run a computer
system: user support, software support, configuration management, backups, media
controls, documentation and maintenance. Media controls include those for
marking, logging, integrity verification, physical safety, movement and disposal.

Physical and Environmental Security Chapter


This chapter considers the controls necessary to protect buildings and
infrastructure. It addresses this in the context of three areas—the type of facility, the
geographic location and the services supporting facilities (human and technical)—
and recognises that variations mean that the likelihood of some threats will differ.
Amongst the threats considered are physical damage to buildings, intruders
(physical) and physical theft.

Extract from 14.1 User Support


An important security consideration for user support personnel is being able to
recognize which problems (brought to their attention by users) are security-
related. For example, users’ inability to log onto a computer system may result
from disabling their accounts due to too many failed access attempts. This
could indicate the presence of hackers trying to guess users’ passwords.

In general, system support and operations staff need to be able to identify
security problems, respond appropriately, and inform appropriate individuals.
A wide range of possible security problems exists. Some will be internal to
custom applications, while others apply to off-the-shelf products. Additionally,
problems can be software- or hardware-based.

Section IV addresses technical controls and is, again, split into a number of
chapters.

Identification and Authentication Chapter


This chapter describes the three means of authentication (what you know, what you
have and what you are) and provides the different methods used for each, along with
associated benefits, problems and suggestions on how they should be used. It also
considers implementation and maintenance of the identification and authentication
system.

Logical Access Control Chapter


This chapter addresses access criteria and control mechanisms, including ACLs,
encryption and firewalls. It includes consideration of roles, locations, time
restrictions, service constraints and common types of access modes (e.g., read and
execute). Amongst the internal controls described are passwords, encryption,
security labels, port protection devices and host-based authentication.
Administration of access control is also considered, along with comparisons made
for centralised and decentralised administration functions.

Audit Trails Chapter


This chapter considers the benefits of audit trails under the four areas of
accountability, event reconstruction, intrusion detection and problem analysis.
Types of auditing are also discussed with examples provided of system logs and
application logs. There is also guidance on implementing and protecting audit logs,
reviewing logs and the types of tools that can be used for log analysis.


Cryptography Chapter
This chapter explains the differences between secret and public key cryptography,
and common applications for their use, including integrity checking and digital
signatures. Guidance is also provided on selection and implementation issues such
as hardware vs. software, key management and export controls.

Chapter 20 of the handbook provides a detailed example of how computer security
may be addressed, using a hypothetical government agency. The example describes
an environment, provides details and outcome of risk assessment, identifies threats,
defines existing security measures and existing vulnerabilities, and finishes with
recommendations for mitigation.

References
www.nist.gov
www.csrc.nist.gov

12. NIST 800-14 Generally Accepted Principles and Practices for Securing
Information Technology Systems

Issuer
The Computer Security Resource Centre of the National Institute of Standards and
Technology, a department of the US Department of Commerce, published the
document. It is part of NIST’s 800 series (computer security), and was published
in 1996.

Document Taxonomy
NIST 800-14 Generally Accepted Principles and Practices for Securing
Information Technology Systems is a collection of principles and practices to
establish and maintain system security. It is labelled as a special publication and is
one of a series of three produced by NIST. The other two are:
• NIST 800-12 An Introduction to Computer Security—The NIST Handbook
(October 1995)
• NIST 800-18 Guide for Developing Security Plans for Information Technology
Systems (December 1998)

Circulation
The NIST 800-14 guidance was published by a US government department, thus it
is more commonly used by US organisations. However, the NIST series of security
publications is internationally known by the information security industry.

Goal of the Standard or Guidance Publication
NIST 800-14 intends to provide a baseline for establishing or reviewing IT security
programmes. It should help in gaining an understanding of basic security
requirements of IT systems. It not only focusses on security practices, it also
describes the intrinsic expectations of security provisions from a high viewpoint in
the form of principles.

Information Security Drivers for Implementing the Guidance—Why
Compliance with NIST 800-14 is often driven by the need to comply with the
principles and criteria for US government organisations.

Related Risks of Noncompliance—What Could Happen
There is no direct risk from not complying unless the organisation has an inherent
need to comply with this standard.

Target Audience
NIST 800-14 targets management, security practitioners, users, system developers
and internal auditors. Thus, it explicitly addresses all parties responsible for IT
security. When following the document, the security principles and practices are to
be applied to governmental IT systems, particularly systems of e-governance.

Timeliness
The document was published in September 1996, and no subsequent revision is
available. However, the majority of contents are high-level and still relevant.

Certification Opportunities
Certification to these principles is not available.

Completeness
NIST 800-14 describes at a high level the issues that must be considered in
selecting appropriate policy and controls for an organisation. It does not provide the
level of detail an organisation would need in deciding on appropriate security
controls and practices, instead providing more of a framework. It provides a good
foundation for those new to information security management albeit more IT-
focussed than many modern approaches to the subject.

Availability
The guidance is posted for complimentary download electronically from the CSRC
web site at www.csrc.nist.gov.

Recognition/Reputation
The results produced by a global CISM survey conducted in 2004 (described in this
document’s Introduction) showed that NIST 800-14 is highly recognised in North
America (80 percent). However, it scored only slightly more than half (55 percent)
in Europe/Africa and Asia. The guidance was also considered to have only limited
or no acceptance by a huge majority (88 percent) of CISMs except, again, in North
America where acceptance levels are higher but still are not overwhelming.

Usage
The global CISM survey showed that NIST 800-14 is being actively used (i.e.,
implemented, used as best practice or used for assessment) by more than one-third
of North American CISMs but levels in Oceania, Europe/Africa and Asia show very
low usage, at less than 15 percent. Despite this low usage, it is considered by more
than half of all CISMs familiar with it to be comprehensive and effective.

CISM Domain Alignment

Information Security Governance, 2
NIST 800-14 contains a useful set of information security principles that can be
used as a foundation for an information security policy and gives high-level
descriptions of activities needed for an information security governance framework.

Risk Management, 1
The guidance describes a risk management framework, but not in sufficient detail
to undertake risk assessments or make risk-based decisions.

Information Security Programme Management, 2
It provides guidance for creating a security plan to implement the governance
framework and offers high-level controls.

Information Security Management, 2
NIST 800-14 addresses through its guidance many of the activities undertaken in
information security management. However, it does not provide any guidance on
how to establish or carry out these activities.

Response Management, 2
It provides a good list of important control practices for business continuity, but it
does not fully address all areas of this domain nor provide guidance on how to
establish or carry out the practices.

Overall, 2
NIST 800-14 is good as an introduction for those new to information security
and/or for briefing and educating IT and business managers. It would be
particularly useful for smaller organisations or those that have never addressed
information security.

Description and Guidance on Use
NIST 800-14 (56 pages) describes eight principles and 14 practices. The
principles are based on those published by the Organisation for Economic
Co-operation and Development (OECD) in 1992, and imply the premise of being
generally accepted and applied when developing or maintaining IT systems. The
1992 OECD principles provided by the guideline are accountability, awareness,
ethics, multidisciplinary, proportionality, integration, timeliness, reassessment
and democracy. (The OECD published new principles in 2002.)

Similar to NIST 800-12, the eight principles are:
• Computer security supports the mission of the organisation.
• Computer security is an integral element of sound management.
• Computer security should be cost-effective.
• System owners have security responsibilities outside their own organisations.
• Computer security responsibilities and accountability should be made explicit.
• Computer security requires a comprehensive and integrated approach.
• Computer security should be periodically reassessed.
• Computer security is constrained by societal factors.

Each of the principles applies to each of the practices although their relationship
varies. The 14 common practices in IT security are meant as a companion to the
NIST Special Publication 800-12 An Introduction to Computer Security—The NIST
Handbook. NIST 800-14 describes itself as the “broad overview of computer
security and an excellent primer,” with NIST 800-12 providing the “what” and
“why to” and a template for deriving the practices.

Each of the 14 practices is described to a level of detail that would allow a
security manager to put together an information security programme framework,
and these practices are also considered the minimum required for any organisation.
Most of the practices provided in the guideline are quite common and the style is
similar to the international standard ISO/IEC 17799:2000, which was used as a
reference during the development of the practices in NIST 800-14 and is
recommended as further reading.

The 14 practices are:
• Policy—Policy is further broken down into different types, described as
programme, issue-specific and system-specific. Each type of policy has seven or
eight recommended activities.
• Programme management—Programme management includes a central security
programme that applies to the enterprise and system-level programme, which is
concerned with typical systems life cycle activities.
• Risk management—This practice addresses risk assessment, risk mitigation and
uncertainty analysis and also provides a number of common definitions and
explanations.
• Life cycle planning—Life cycle planning has six phases, described as security
plan, initiation phase, development/acquisition phase, implementation phase,
operation/maintenance phase and disposal phase.
• Personnel/user issues—These activities address staffing and user administration,
including steps for dealing with terminations.
• Preparing for contingencies and disasters—Five main activities in this practice are
business plan, identification of resources, scenario development, strategy
development and test/revision of plan.
• Computer security incident handling—This is split into descriptions of how the
incident response capability can be used and suggestions on its common
characteristics.
• Awareness and training—The practice describes seven steps: identify programme
scope, goal and objectives; identify training staff; identify target audiences;
motivate management and employees; administer the programme; maintain the
programme; and evaluate the programme.
• Security considerations in computer support and operations—This practice
describes eight considerations, including user support, configuration
management, media controls and standardised logon banner.
• Physical and environmental security—This practice includes consideration of
physical access controls, fire, flood and interception of data.
• Identification and authentication—This includes practices for identification,
authentication and passwords, with common aspects such as limiting logon
attempts being addressed.
• Logical access control—The practice addresses access criteria and control
mechanisms, including ACLs, encryption and firewalls.
• Audit trails—This practice is split into four areas covering audit trail content,
audit trail security, audit trail reviews and keystroke monitoring.
• Cryptography—This practice includes consideration of selection, design and key
management.

Extract From 3.10 Physical and Environmental Security, Fire Safety Factors
Building fires are a particularly important security threat because of the
potential for complete destruction of both hardware and data, the risk to
human life, and the pervasiveness of the damage. Smoke, corrosive gases, and
high humidity from a localized fire can damage systems throughout an entire
building. Consequently, it is important to evaluate the fire safety of buildings
that house systems.

References
www.nist.gov
www.csrc.nist.gov

13. NIST 800-18 Guide for Developing Security Plans for Information Technology
Systems

Issuer
The Computer Security Resource Centre (CSRC) of the National Institute of
Standards and Technology (NIST), a department of the US Department of
Commerce, published the document. It is part of NIST’s 800 series (computer
security) and was published in December 1998.

Document Taxonomy
NIST 800-18 Guide for Developing Security Plans for Information Technology
Systems is the third in a trilogy of NIST publications on IT security and provides
a format and guidance for developing a system security plan. The first
publications are:
• NIST 800-12 An Introduction to Computer Security—The NIST Handbook
(October 1995)
• NIST 800-14 Generally Accepted Principles and Practices for Securing
Information Technology Systems (September 1996)

Circulation
The publication is from a US government department, so it is more commonly used
by US organisations. However, the NIST series of security publications is
internationally known by the information security industry.

Goal of the Standard or Guidance Publication
Following on from the previous two NIST publications describing the “why” and
the “what” of computer security, this guide was created to provide a format and
guidance for developing a system security plan (which is a requirement for US
federal offices).

Information Security Drivers for Implementing the Guidance—Why
Implementation of NIST 800-18 is generally driven by the need to comply with the
principles and criteria for US government organisations.

Related Risks of Noncompliance—What Could Happen
There is no direct risk from not complying unless the organisation has an inherent
need to comply with this standard.

Target Audience
The guideline is directed at those with little or no computer security expertise, but
who are responsible for IT security at the system or organisational level. The
concepts are intended to be generic and as such could be used by the private or
public sector. The guideline can also be used as an auditing tool.

Timeliness
The guideline was published in 1998 but still remains valid and appropriate. No
subsequent revision of the document is available.

Certification Opportunities
There is no certification for this guideline.

Completeness
NIST 800-18 provides a comprehensive template and instruction for completing a
security plan. It needs to be used in combination with other reference material and,
by itself, does not describe all of the responsibilities and activities that are likely to
be performed by an information security manager.

Availability
The guidance is posted for complimentary download electronically from the CSRC
web site, www.csrc.nist.gov.

Recognition/Reputation
The results of the global CISM survey (described in this document’s Introduction)
indicate that the recognition of the guideline is very high in North America, at
nearly 85 percent of CISMs, but it falls to a bit more than 50 percent in
Europe/Africa and Asia. At least half of CISMs in all regions feel it has at least
limited or wide acceptance as a guideline.

Usage
The CISM survey results indicate that the guideline is actively used (i.e.,
implemented, used as best practice or used for assessment) by one-third of North
American CISMs, but usage is less than 17 percent elsewhere. However, it is
considered by more than half of those familiar with it to be both comprehensive and
effective.

CISM Domain Alignment

Information Security Governance, 1
NIST 800-18 implicitly addresses some of the activities in this domain but only as
part of the process of creating a security plan.

Risk Management, 1
The guidance implicitly addresses some of the activities in this domain but only as
part of the process of creating a security plan.

Information Security Programme Management, 3
It provides an excellent model for building an information security plan for a
system. It does not address programme management or project management.

Information Security Management, 1
The guide implicitly addresses some of the activities in this domain but only as part
of the process of creating a security plan.

Response Management, 1
It implicitly addresses some of the activities in this domain but only as part of the
process of creating a security plan.

Overall, 2
This publication was designed to provide guidance on developing a security plan for
a system and it does so very well. It could be a valuable tool but should be used by
an experienced information security practitioner alongside other tools and
methodologies.

Description and Guidance on Use
The guideline is a document of 101 pages providing guidance on how a security
plan should be devised. It describes the purpose of a security plan as “to provide an
overview of the security requirements of the system and describes the controls in
place or planned for meeting those requirements. The system security plan also
delineates responsibilities and expected behavior of all individuals who access the
system”.

The guideline describes the process of system analysis as the first step in creating
a security plan. System analysis is concerned with understanding and defining a
system in enough detail to know what type of security plan will be needed. Within
this step, system boundaries are defined (e.g., whether the system includes PCs
using the application even when they are not directly connected) and the system is
categorised. The guideline has two categories: major application or general support
system. Major application is used for systems performing functions that can be
clearly defined, whilst general support systems are for less tangible systems, such
as LANs and backbones.

Within appendix C of the guideline are security plan templates, one for major
applications and one for general support systems. Each is nine pages long and
contains probing questions that may be asked to complete the template. The
remaining chapters of the guideline provide further guidance on completing the
plan.

Plan Development Chapter
This chapter provides guidance on how to complete the first parts of the templates,
what to consider and what level of detail may be appropriate. Several examples are
provided.

Extract From 3.5 System Environment
Provide a brief (one-three paragraphs) general description of the technical
system. Include any environmental or technical factors that raise special
security concerns, such as:
• The system is connected to the Internet
• It is located in a harsh or overseas environment
• Software is rapidly implemented
• The software resides on an open network used by the general public or with
overseas access
• The application is processed at a facility outside of the organization’s control
• The general support mainframe has dial-up lines

Management Controls
The guideline explains how to complete the management controls section of the
template. This includes the results of a risk assessment, what types of security
reviews the system has had (or are planned) and rules of behaviour for using the
system. Reference is also made to the five-phase security life cycle (initiation,
development/acquisition, implementation, operation/maintenance, disposal) and
what aspects of the security plan can be considered and documented through each
phase.

Extract From 4.3 Rules of Behavior Chapter
The rules of behavior should clearly delineate responsibilities and expected
behavior of all individuals with access to the system. The rules should state the
consequences of inconsistent behavior or noncompliance. The rules should be
in writing and form the basis for security awareness and training.

Operational Controls
The guideline discusses operational controls for major applications separately from
those for general support systems. In each case, issues to consider and guidance on
decision-making factors are provided. Guidance is provided under the headings of:
• Major applications
– Personnel
– Physical and environment protection
– Input/output controls
– Contingency planning
– Application software maintenance controls
– Data integrity/validation control
– Documentation
– Security awareness and training
• General support systems
– Personnel
– Physical and environment protection
– Input/output controls
– Contingency planning
– Hardware and system software maintenance controls
– Integrity control
– Documentation
– Security awareness and training
– Incident response capability

Extract From 5.MA.1 Personnel Security
• Have all positions been reviewed for sensitivity level? If all positions have not
been reviewed, state the planned date for completion of position sensitivity
analysis.
• A statement as to whether individuals have received the background
screening appropriate for the position to which they are assigned. If all
individuals have not had appropriate background screening, include the date
by which such screening will be completed.
• If individuals are permitted system access prior to completion of appropriate
background screening, describe the conditions under which this is allowed
and any compensating controls to mitigate the associated risk.
• Is user access restricted (least privilege) to data files, to processing
capability, or to peripherals and type of access (e.g., read, write, execute,
delete) to the minimum necessary to perform the job?

Technical Controls
Technical controls are also addressed differently in the guide for major applications
and general support systems. Again, in each case, issues to consider and guidance
on decision-making factors are provided. Each considers controls under the
headings of identification and authentication, logical access control and audit trails.
The major applications section also considers controls for public access.

Extract From 6.GSS.1.2 Authentication
• Describe the method of user authentication (password, token, and
biometrics).
• If a password system is used, provide the following specific information:
– Allowable character set;
– Password length (minimum, maximum);
– Password aging time frames and enforcement approach;
– Number of generations of expired passwords disallowed for use;
– Procedures for password changes;
– Procedures for handling lost passwords, and
– Procedures for handling password compromise.
• Procedures for training users and the materials covered.
Note: The recommended minimum number of characters for a password is six
to eight characters in a combination of alpha, numeric, or special characters.
• Indicate the frequency of password changes, describe how password changes
are enforced (e.g., by the software or system administrator), and identify who
changes the passwords (the user, the system, or the system administrator).

In addition to the template plans, the appendix also has examples of rules of
behaviour (one for major applications and one for general support systems) in the
form of a document designed to be read and signed by the relevant users.

References
www.nist.gov
www.csrc.nist.gov

14. NIST 800-53 Recommended Security Controls for Federal Information Systems,
Second Public Draft

Issuer
The National Institute of Standards and Technology is a US-based organisation
responsible for providing US agencies with standards and guidelines for
information security. The 800 series contains a number of security-related guides,
many of which are designed to be suitable for the private as well as the public
sectors. NIST 800-53 Recommended Security Controls for Federal Information
Systems was published as a first draft in October 2003 and followed by a second
draft in September 2004. Although written for US federal agencies, it is expected
to have a wide audience amongst businesses.

Document Taxonomy
NIST 800-53 Recommended Security Controls for Federal Information Systems is
a public draft document containing baseline security controls. It is one of a series
of documents published and planned on security for US federal information
systems to be finalised in the first quarter of 2005. NIST 800-53 will be replaced
in 2005 by FIPS Publication 200 Minimum Security Controls for Federal
Information Systems, which will be the mandatory standard for US federal
agencies.

Circulation
The publication is from a US government department, so it is likely to be more
commonly used by US organisations. However, the NIST series of security
publications is internationally known and used by the information security industry.
Although a relatively new document, it is also likely to already have been
considered by a wide audience.

Goal(s) of the Standard or Guidance Publication
NIST 800-53 is designed “to provide guidelines for selecting and specifying
security controls for information systems supporting the executive agencies of the
federal [US] government”. The ultimate aim of the US government is to ensure that
day-to-day government operations are undertaken with “adequate security”.

Information Security Drivers for Implementing the Guidance—Why
This will become a mandatory standard for US federal agencies in 2005.

Related Risks of Noncompliance—What Could Happen
There is no direct risk from not complying unless the organisation has an inherent
need to comply with this standard.

Target Audience
The NIST 800-53 draft dated October 2003 was incomplete when issued for
reviewers to comment. Despite this, extensive feedback was received and the
second draft issued in September 2004 was a shorter but complete version. Draft 2
was also open to comment until November 2004, with the final version expected to
be published in 2005. NIST 800-53 will be of specific interest to any individual
who has security responsibilities and works in a US federal agency. However, it
would be of interest to information security practitioners, IT managers and auditors
in any type or size of organisation.

Timeliness
NIST 800-53 is in final drafting, with the final version due in the first quarter
of 2005.

Certification Opportunities
There is no certification to this guide; however, NIST Special Publication 800-37
provides guidance on security certification and accreditation of information
systems.

Completeness
NIST 800-53 is focussed on providing security controls; therefore, it does not
describe in any detail the role of the information security manager or the
requirements for establishing, implementing and maintaining an enterprisewide
information security programme. A total of 154 security controls are described,
with guidance and, in many cases, actions to enhance the control for higher risk
systems. The set of controls within draft 2 is shorter and in less detail than those
provided in draft 1.

Availability
The draft is posted for complimentary download (as will be the final version) from
the CSRC web site, www.csrc.nist.gov.

Recognition/Reputation
The global survey of CISMs (described in this document’s Introduction) shows that
NIST 800-53 is already known to 80 percent of North American CISMs but
recognition falls to around half in Europe/Africa and Asia. The vast majority (90
percent) of those familiar with it feel it has only limited or no acceptance. The
exception to this is in North America, but, even there more than 50 percent feel it
has only limited acceptance. One can assume this will change when the final
document is published in 2005 and becomes a US government agency mandatory
standard.

Usage
Surprisingly for a new and still-draft document, NIST 800-53 is already being actively
used (i.e., implemented, used as best practice or used for assessment) by almost
one-third of North American CISMs. However, usage figures for other areas are
less than 15 percent. CISMs familiar with NIST 800-53 also generally feel it is (or
will be) comprehensive and effective.

CISM Domain Alignment

Information Security Governance, 1
This domain is addressed only lightly in NIST 800-53’s description of security
fundamentals.

Risk Management, 1
The domain is addressed only lightly in its description of security fundamentals.

Information Security Programme Management, 3
NIST 800-53 provides a good set of basic security controls, with suggestions on
additional controls for higher risk systems. No guidance is provided on security
planning or project management.

Information Security Management, 1
This domain is addressed only lightly in its description of security fundamentals.

Response Management, 1
This domain is addressed only lightly in the document’s description of security
fundamentals.

Overall, 2
This is a good source of controls and control practices designed to be used by US
government agencies. It provides a good source of basic security controls and will
be even more useful when completed in 2005.

Description and Guidance on Use
NIST 800-53 is a document of 94 pages, primarily describing recommended
security controls. There are three initial chapters covering introduction and security
fundamentals. NIST 800-53 identifies the need for an organisation to consider not
only which controls are necessary to protect assets and fulfil legal responsibilities,
but also which can be maintained on a day-to-day basis. It also points out the need
for a practical implementation plan for any controls that have been selected.

NIST 800-53 describes an effective security programme as including the following
eight important areas:
• Periodic assessment of risk—Taking into account the needs of the organisation
and potential impacts of incidents
• Policies and procedures—Ensuring that these are based on the organisation’s risk
assessment and are integrated throughout the life cycle
• Security plans—For every part of the IT infrastructure or organisation as
necessary
• Security awareness training—To be tailored to the needs of each individual’s
activities
• Periodic testing and evaluation—To ensure that policies and procedures remain
effective
• Remedial processes—To ensure that deficiencies are dealt with formally and
effectively
• Incident response—To ensure that problems are detected and dealt with
effectively
• Continuity planning—To ensure that information systems continue to operate at
the required levels

Figure 7—NIST Control Families

Identifier  Family                                                  Number of Controls
AC          Access Control                                          18
AT          Awareness and Training                                   4
AU          Audit and Accountability                                10
CA          Certification, Accreditation and Security Assessments    7
CM          Configuration Management                                 6
CP          Contingency Planning                                    10
IA          Identification and Authentication                        7
IR          Incident Response                                        7
MA          Maintenance                                              6
MP          Media Protection                                         8
PE          Physical and Environmental Protection                   20
PL          Planning                                                 5
PS          Personnel Security                                       8
RA          Risk Assessment                                          4
SA          System and Services Acquisition                          9
SC          System and Communications Protection                    18
SI          System and Information Integrity                         7

A major objective of NIST 800-53 is to provide a set of controls for selection and
implementation. There are 154 controls categorised over 17 families, each of which
is given a two-character identifier, as shown in figure 7.

Controls are numbered within each family and each control has three components:
• The control section gives the specific security-related activity or action that is
required to be undertaken. There may be some flexibility for the organisation in
applying the control and this is indicated by assignment and selection options. For
instance, an assignment may enable the organisation to define its own frequency
or time period for reviews. A selection may provide, for instance, four or five
possible actions, of which the organisation must implement at least two.
• Supplemental guidance gives additional detail that an organisation may need to
consider, including applicable federal legislation, directives, etc.
• Control enhancements provide the additional steps necessary to strengthen the
basic controls when a risk assessment has determined that this is necessary.

NIST 800-53 differentiates between common security controls and system-specific
controls. It describes common security controls as those that can be applied across
one or more organisational information systems, and as having properties that allow
their development, implementation and assessment to be assigned to responsible
organisational officials or organisational elements. Common security controls are
those that can be centrally managed to ensure consistency and reduce costs.
System-specific controls are simply described as the responsibility of the system
owner.

NIST 800-53 points out the need to ensure clarity in differentiating which controls
are common and which are system-specific. It goes on to contend that information
system owners are not responsible for the common security controls protecting their
systems, only for those controls that are system-specific. (Author’s note: Such an
approach may not meet the needs of every organisation.)

As this piece of security guidance is aimed at US federal systems, and how to go
about selecting baseline controls, it is of course based on US federal standards for
categorising the system for security. Categories are low, moderate and high and
selection is based on the highest value, given the potential impacts on
confidentiality, integrity and availability. NIST 800-53 requires the highest value to
be ascertained using the “FIPS Publication 199 security category of the system”.
This system derives the security category as the triple of the associated
potential impacts for confidentiality, integrity and availability, expressed as:
SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where
the acceptable values for potential impact are low, moderate, or high.

Having determined the security category, appendix D can be referenced to
determine which are the minimum security (baseline) controls required (i.e.,
corresponding to low, moderate, or high impact). The full controls catalogue is
provided in appendix F.
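The categorisation rule just described, as an added worked example in Python (not code from this document, NIST or FIPS 199): it builds the SC triple, takes the highest impact value as the baseline selector and, going one step beyond the text, aggregates several information types into one system category as FIPS 199 does for information systems. The grants portal and its impact values are constructed for illustration.

```python
"""FIPS 199 security categorisation and NIST 800-53 baseline selection.

Added worked example; not code from ISACA/ITGI, NIST or FIPS 199. It
implements the rule the text describes: a security category is the triple
SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}
and the baseline (low, moderate or high) is the highest value in that
triple. Combining several information types into one system category
(per objective, the highest impact of any information type) is the FIPS 199
rule for information systems.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict


class Impact(IntEnum):
    """Potential impact levels, ordered so max() yields the high-water mark."""
    NOT_APPLICABLE = 0  # FIPS 199 permits this for confidentiality only
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class SecurityCategory:
    """One FIPS 199 security category: an impact level per security objective."""
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self) -> None:
        # Integrity and availability must always carry a real impact level;
        # only confidentiality may be "not applicable" (e.g. public data).
        for objective in ("integrity", "availability"):
            if getattr(self, objective) is Impact.NOT_APPLICABLE:
                raise ValueError(f"{objective} impact cannot be not applicable")

    def high_water_mark(self) -> Impact:
        """Highest impact across the three objectives (the baseline selector)."""
        return max(self.confidentiality, self.integrity, self.availability)

    def baseline(self) -> str:
        """Name of the NIST 800-53 baseline (low, moderate or high) selected."""
        return self.high_water_mark().name.lower()

    def notation(self, label: str) -> str:
        """Render in the SC = {(objective, impact), ...} form used by FIPS 199."""
        pairs = ", ".join(
            f"({objective}, {getattr(self, objective).name})" for objective in OBJECTIVES
        )
        return f"SC {label} = {{{pairs}}}"


def categorise_system(information_types: Dict[str, SecurityCategory]) -> SecurityCategory:
    """Combine the categories of every information type resident on a system.

    For each objective the system inherits the highest impact assigned to any
    of its information types; a system with no information types is an error.
    """
    if not information_types:
        raise ValueError("a system must hold at least one information type")
    categories = list(information_types.values())
    return SecurityCategory(
        confidentiality=max(c.confidentiality for c in categories),
        integrity=max(c.integrity for c in categories),
        availability=max(c.availability for c in categories),
    )


# Constructed sample: a hypothetical public-facing grants portal holding three
# information types (impact values are illustrative, not from a real worksheet).
GRANTS_PORTAL = {
    "public web content": SecurityCategory(Impact.NOT_APPLICABLE, Impact.MODERATE, Impact.LOW),
    "applicant contact details": SecurityCategory(Impact.MODERATE, Impact.LOW, Impact.LOW),
    "award payment records": SecurityCategory(Impact.MODERATE, Impact.HIGH, Impact.MODERATE),
}


if __name__ == "__main__":
    for name, category in GRANTS_PORTAL.items():
        print(category.notation(name), "->", category.baseline(), "baseline")
    system = categorise_system(GRANTS_PORTAL)
    print(system.notation("grants portal"))
    # The single HIGH integrity impact lifts the whole system to the high baseline.
    print("NIST 800-53 baseline:", system.baseline())
```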

Extract From Appendix F of System and Information Integrity—Control Number SI-6
SI-6 SECURITY FUNCTIONALITY VERIFICATION
Control: The information system verifies the correct operation of security
functions [Selection (one or more): upon system start-up and restart, upon
command by the user with appropriate privilege, periodically every
(Assignment: organization-defined time-period)] and [Selection (one or
more): notifies system administrator, shuts the system down, restarts the
system] when anomalies are discovered.

Supplemental Guidance: None.

Control Enhancements:
(1) The organization employs automated mechanisms to provide centralized
notification of failed security tests.
(2) The organization employs automated mechanisms to support centralized
management of distributed security testing.

Security assurance requirements are provided via appendix E. Low baseline controls
are expected to have no obvious errors, and any errors found should be corrected, as
necessary, in a timely manner. Moderate baseline controls require a higher level of
correctness and should be designed in a manner such that correctness is incorporated
into their design. High baseline controls continue this theme with a requirement for
capabilities that support ongoing, consistent operation and continuous improvement.

The activities relating to management of organisational risk are described within
NIST 800-53 in the context of the system development life cycle. Nine activities are
described as:
• Categorise the information system based on the FIPS 199 impact assessment.
• Select baseline controls.
• Adjust controls based on specific organisational requirements.
• Document the agreed list of controls including justifications for changes made.
• Implement the controls.
• Assess to ensure that the implemented controls are working as expected.
• Determine risk from the continued operation of the system.
• Authorise that this level of risk is acceptable.
• Monitor controls on a continuous basis.

The draft of appendix G conveniently provides a mapping of the 154 NIST 800-53
controls against ISO/IEC 17799:2000 Code of Practice for Information Security
Management, NIST Special Publication 800-26 Security Self-assessment Guide for
Information Technology Systems, and the US Government Accountability Office
(GAO) Federal Information System Controls Audit Manual.

References
www.crsc.nist.gov
www.nist.com

15. OCTAVE Criteria Version 2.0 Networked Systems Survivability Program
Issuer
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
Criteria Version 2.0 Networked Systems Survivability Program was published by the
Carnegie Mellon Software Engineering Institute (SEI) in December 2001. The
Software Engineering Institute is a federally funded research and development
centre sponsored by the US Department of Defence.

Document Taxonomy
The OCTAVE criteria are a set of principles, attributes and outputs. OCTAVE
Method (18 volumes) and OCTAVE-S (10 volumes) provide a full methodology for
applying the criteria, including detailed process guidelines, worksheets, security
practices and presentation slides. Introduction to the OCTAVE Approach has also
been published.

Circulation
OCTAVE is available and promoted through the CERT organisation of SEI, which
is internationally well known in the information security industry.

Goal of the Standard or Guidance Publication
OCTAVE’s purpose was to provide a risk-based strategic assessment and planning
technique for security. OCTAVE defines criteria for operationally critical threat,
asset and vulnerability evaluations with the goal of defining a general approach for
evaluating and managing information security risks. The OCTAVE approach
provides a method to use the criteria for large organisations (e.g., 300-plus
employees), whilst OCTAVE-S is an abridged version of the method for smaller
organisations.

Information Security Drivers for Implementing the Guidance—Why
OCTAVE is a recognised methodology for risk management that allows an
organisation to take ownership and accountability for risks.

Related Risks of Noncompliance—What Could Happen
There are no risks associated with not complying unless an organisation has decided
to make it mandatory.

Target Audience
OCTAVE is aimed at the individuals within an organisation responsible for
evaluating risks and ensuring appropriate protection strategies are developed and
implemented.

Timeliness
The OCTAVE framework was first published in 1999, and since then, the SEI has
continued to improve and develop the approach and method. The latest issuance
occurred in 2001.

Certification Opportunities
No certification exists for OCTAVE.

Completeness
OCTAVE provides a complete methodology, with supporting documents, for the
evaluation of security risks and selection of practices for the management of these
risks. It has been designed to be suitable for organisations of any type, size or
geographic location.

OCTAVE covers only activities relating to evaluating risks, setting priorities and
selecting controls. It does not address the full role and responsibilities of
information security management.

Availability
OCTAVE documents are freely available from www.cert.org/octave.


Recognition/Reputation
According to the global survey of CISMs that was conducted in 2004 (described in
this document’s Introduction), OCTAVE has fairly low recognition amongst
surveyed CISMs compared to many other standards (50 percent, with only 40
percent in Europe/Africa). Acceptance levels are also very low, with less than 10
percent in all regions believing the method to be widely accepted and more than
half believing it has no acceptance whatsoever. This seems to be a very low figure
for such a comprehensive methodology.

Usage
Usage (i.e., implemented, used as best practice or used for assessment) of OCTAVE
is highest in North America and Asia, but still is at only 14 percent. There are
varying opinions on how comprehensive it is considered, with North America,
Europe/Africa and Central/South America coming out at more than 50 percent in
favour of its coverage. Oceania, Central/South America and Asia find it most
effective (60 to 80 percent).

CISM Domain Alignment
Information Security Governance, 2
OCTAVE includes many governance activities within its model but it does not
provide any real guidance on how to set up and maintain an information security
governance framework.

Risk Management, 4
OCTAVE includes a detailed and well-explained methodology for risk management
that can be applied to large and small organisations.

Information Security Programme Management, 4
The OCTAVE catalogue of practices contains a good set of security practices.
Following the methodology inherently helps in the planning, project management
and ongoing review of an information security programme.

Information Security Management, 1
Through its guidance, OCTAVE implicitly addresses many of the activities
undertaken in information security management. It does not provide any guidance
on how to establish or carry out these activities.


Response Management, 1
It provides a list of important control practices for response, but does not fully
address all areas of this domain or provide guidance on how to establish and
manage a response management function.

Overall, 3
OCTAVE is an excellent methodology designed to involve management and staff at
all levels in selecting and implementing information security controls. It is a bit
detailed, and may be best suited to implementation and integration of security
management.

Description and Guidance on Use
OCTAVE is an approach, based on self-determination, for undertaking an
evaluation of the threats and vulnerabilities of operationally critical assets,
including the process for identifying the assets and determining criticality. There are
a number of documents; the main ones are described below.

Introduction to the OCTAVE Approach
This document (37 pages) provides an excellent overview of the OCTAVE
approach, including an overview of the criteria and brief descriptions of the
OCTAVE method for large companies and OCTAVE-S for smaller firms. It also
provides guidance on how to choose between the two methods and, for those firms
needing a combination of the two, information on which method suits which
organisational attribute.

The OCTAVE approach is designed to be self-directed and takes into account
operational risks and security practices. A three-phased process is described that,
when followed, should provide a comprehensive picture of an organisation’s
information security needs:
• Phase 1. Build asset-based threat profiles—The identification of information
assets, evaluation of existing controls, and selection of the most critical assets,
their security needs and their specific threat profiles
• Phase 2. Identify infrastructure vulnerabilities—The evaluation of IT
infrastructure including the identification of key components and their resistance
to network attacks
• Phase 3. Develop security strategy and plans—Identification of risks to critical
assets and decision and protection strategies for mitigation

OCTAVE Criteria
This document (143 pages) contains an introduction and background to OCTAVE
along with a more detailed description of the OCTAVE approach’s three phases and
how they fit into an ongoing process or continuum.


The criteria are built on a foundation of principles, attributes and outputs. There are
10 principles that are grouped into three areas:
• Information security risk evaluation principles
1. Self-direction—People within an organisation should manage and direct their
own evaluations and make their own decisions on risk.
2. Adaptable measures—Evaluations must be done through a flexible process to
enable changes in the organisation and technology to be reflected.
3. Defined process—Standardised procedures for evaluation should be used to
ensure consistency in results.
4. Foundation for a continuous process—Good practices should be adopted and
a continuous improvement process should be introduced.
• Risk management principles
5. Forward-looking view—Strategic thinking should identify the impacts of risks
on the organisation’s mission and business objectives.
6. Focus on the critical few—The majority of effort should focus on the most
critical areas to ensure efficient use of resources.
7. Integrated management—Security should be integrated into other
organisation strategies, including consideration of business goals when
deriving security policy.
• Organisational and cultural principles
8. Open communication—Collaborative approaches should be used in
determining risks and communicating them in an open manner.
9. Global perspective—A common view of security should be ensured
throughout the organisation.
10. Teamwork—An interdisciplinary approach, including business and technical
employees, should be undertaken.

There are 15 attributes, each of which has a primary relationship with one or more
of the principles. Each of the attributes is described and an explanation of its
importance is provided:
• Self-direction
– RA.1 Analysis team—Describes a multidisciplinary team of employees and
their responsibilities
– RA.2 Augment analysis team skills—Enables the primary analysis team to find,
when needed, specialist skills from other parts of the organisation or externally
• Adaptable measures
– RA.3 Catalogue of practices—The requirement for a set of practices that
address strategic and operational security, including management practices,
technical security, physical security, etc.
– RA.4 Generic threat profile—Assessment of threats, including system, human
and environmental
– RA.5 Catalogue of vulnerabilities—Technological vulnerabilities and tools for
their identification and evaluation


• Defined process
– RA.6 Defined evaluation activities—Documented procedures for every step of
the evaluation process
– RA.7 Documented evaluation results—Documented risks to the organisation
and strategies for mitigation
– RA.8 Evaluation scope—Clearly documenting what has been included or not
within the scope of the evaluation
• Foundation for a continuous process
– RA.9 Next steps—The activity of documenting next steps and assigning
ownership for their progression
– RA.3 Catalogue of practices—As above
• Forward-looking view
– RA.10 Focus on risk—Examining interrelationships amongst assets, threats to
assets and vulnerabilities, and their effect on the organisation’s business
objectives
• Focus on the critical few
– RA.8 Evaluation scope—As above
– RA.11 Focussed activities—Ensuring that evaluation activities focus on critical
assets for efficient use of resources
• Integrated management
– RA.12 Organisational and technological issues—Ensuring that technology is
considered alongside existing practices used by staff
– RA.13 Business and information technology participation—Ensuring
participation from all areas of the business and from all levels (senior
management to junior staff)
– RA.14 Senior management participation—Active sponsorship, involvement in
and review of the output of evaluations
• Open communication
– RA.15 Collaborative approach—Using workshops or other interactive
approaches to ensure interdisciplinary knowledge and skills
• Global perspective
– RA.12 Organisational and technological issues—As above
– RA.13 Business and information technology participation—As above

Extract of Organisational and Technological Issues (RA.12)

Requirements
The evaluation process must examine both organizational and technological
issues. Information security risk evaluations typically include the following
practice- and vulnerability-related information:
• Current security practices used by staff members
• Missing or inadequate security practices (also called organizational
vulnerabilities)
• Technological weaknesses present in key information technology systems and
components


Importance
Because security has both organizational and technological components, it is
important that an evaluation surface both organizational and technological
issues. The analysis team analyzes both types of issues in relation to the
mission and business objectives of the organization when creating the
organization’s protection strategy and risk mitigation plans. By doing this, the
team is able to address security by creating a global picture of the information
security risks with which the organization must deal.

The criteria also describe the various outputs required from each of the three
phases:
• RO1.1 Critical assets
• RO1.2 Security requirements for critical assets
• RO1.3 Threats to critical assets
• RO1.4 Current security practices
• RO1.5 Current organisation vulnerabilities
• RO2.1 Key components
• RO2.2 Technology vulnerabilities
• RO3.1 Risks to critical assets
• RO3.2 Risk measures
• RO3.3 Protection strategy
• RO3.4 Risk mitigation plans

Extract of RO3.3 Protection Strategy Output

Requirements
A protection strategy must be an output of the evaluation process. An
organization’s protection strategy defines its direction with respect to efforts to
improve information security. It includes approaches for enabling,
implementing, and maintaining security practices in an organization. A
protection strategy tends to incorporate long-term organizationwide initiatives
and is structured using the practice areas defined in the catalog of practices.
(See Attribute RA.3.)

Importance
Creating a protection strategy is important because it charts a course for
organizational improvement with respect to information security activities.

OCTAVE Method
Included within this 18-volume set of documentation is an introduction on how to
use the method and guidelines on how to prepare for an OCTAVE assessment,
including selection of the team. Volumes 3 to 12 contain all of the information for
the three phases and eight processes of the method, including detailed processes,
worksheets, slides for presentations with notes, and example results.


Extract of Guidance for Running a Workshop to Capture Senior Management
Knowledge/Views
Prior to the workshop, you should review the following types of information:
• The organization’s security policies and procedures
• An organizational chart
• Any laws and regulations with which your organization must comply

An understanding of the information contained in the above items will be useful
as you facilitate this workshop and as you analyze information in later
workshops.

You should use the slides provided to explain the concepts and activities of this
workshop to the participants as you conduct the workshop.

The process guidelines for Process 1 are written primarily for the lead
facilitator of the workshop. All guidance for the scribe is specifically noted in
these guidelines. Other members of the analysis team will support the lead
facilitator, observe all activities, and take general notes. Regardless of
workshop roles, all members of the analysis team should read and understand
these guidelines.

The volumes also include a number of appendices, which include flow diagrams
and more examples. Volume 15: Appendix, the OCTAVE Catalogue of Practices (48
pages), provides a good range of practices defined as either strategic or operational
that organisations can use when creating their own practices. These practices
include:
• Strategic practices
– SP1 Security awareness and training
– SP2 Security strategy
– SP3 Security management
– SP4 Security policies and regulations
– SP5 Collaborative security management
– SP6 Contingency planning/disaster recovery
• Operational practices
– OP1.1 Physical security plans and procedures
– OP1.2 Physical access control
– OP1.3 Monitoring and auditing physical security
– OP2.1 System and network management
– OP2.2 System administration tools
– OP2.3 Monitoring and auditing IT security
– OP2.4 Authentication and authorisation
– OP2.5 Vulnerability management
– OP2.6 Encryption
– OP2.7 Security architecture and design
– OP3.1 Incident management
– OP3.2 General staff practices


Extract of One of the SP3 Security Management Practices SP3.5
The organization manages information security risks, including:
• Assessing risks to information security both periodically and in response to
major changes in technology, internal/external threats, or the organization’s
systems and operations
• Taking steps to mitigate risks to an acceptable level
• Maintaining an acceptable level of risk using information security risk
assessments to help select cost-effective security/control measures, balancing
implementation costs against potential losses

The catalogue of practices also contains a survey that can be used to obtain a view
on the existing security posture, along with suggestions on where the various
security statements could apply.

Extract of One of the Survey Questions on Vulnerability Management (OP2.5)
There is a documented set of procedures for managing vulnerabilities,
including:
• Selecting vulnerability evaluation tools, checklists, and scripts
• Keeping up to date with known vulnerability types and attack methods
• Reviewing sources of information on vulnerability announcements, security
alerts, and notices
• Identifying infrastructure components to be evaluated
• Scheduling of vulnerability evaluations
• Interpreting and responding to the results
• Maintaining secure storage and disposition of vulnerability data

Reference
www.cert.org/octave

16. Guidelines for the Security of Information Systems and Networks and Associated
Implementation Plan
Issuer
The Organisation for Economic Co-operation and Development (OECD) is a member
organisation of 30 countries and has active relationships with another 70 countries.
The OECD’s Guidelines for the Security of Information Systems and Networks was
first produced in 1992 and the latest update was issued in July 2002. The
Implementation Plan was released as a second draft in July 2003 and is still under
review.

Document Taxonomy
Guidelines for the Security of Information Systems and Networks: Towards a
Culture of Security provides a set of nine principles aimed at fostering a “culture of
security”. The associated Implementation Plan describes the responsibilities of
government, business and civil society in implementing the guidelines.

Circulation
Although OECD is internationally known to those working in government
economic departments and corporate finance and law, its profile within the
information security industry remains low.

Goals of the Standard or Guidance Publication
OECD was first established in 1960 predominantly to help achieve sustainable
economic growth and financial stability in member countries and to contribute to
economic expansion and world trade. In progressing these aims, OECD takes a
prominent role in fostering good governance in public services and corporate
activity. The guidelines are meant to provide a framework of principles to promote
better understanding of how participants (in OECD) may benefit from, and
contribute to, the development of a culture of security. The Implementation Plan is
aimed predominantly at government responsibilities but also refers to the roles of
business and civil society.

Information Security Drivers for Implementing the Guidance—Why
OECD guidelines are taken seriously by a number of countries and have formed the
foundation for security principles defined in other standards and guidance
documents. The principles are in keeping with many of the current and planned
legislative changes being made by OECD member countries. Corporate social
responsibility is becoming an important business driver for many large international
organisations.

Related Risks of Noncompliance—What Could Happen
Noncompliance with the principles, whether defined in the same manner or not,
may lead to breaches of local law or regulation.

Target Audience
The guidelines are aimed at senior persons within organisations responsible for
governance, ethics (corporate social responsibility) and development of IT systems.

Timeliness
The guidelines are high-level and have been reviewed at least twice since first
issued to ensure that they reflect changes in world economics, technology and
events.

Certification Opportunities
Unlike conventions, the guidelines are nonbinding and governments are not legally
bound to their use. However, a number of governments have produced publicly
available plans on how they are implementing the principles. No certification is
available.

Completeness
The guidelines are intended to be high-level and in this context are complete in the
coverage they provide relating to information security principles. They are
broad-based enough to relate to any type of organisation, of any size or geographic
location. No security or technical knowledge is assumed or required. However,
these guidelines would need to be heavily complemented with other publications for
an information security manager as they do not begin to cover the full range of
issues that must be addressed for enterprisewide information security management.

Availability
The guidelines are publicly available as a complimentary download at
www.oecd.org.

Recognition/Reputation
The results of the 2004 global survey of CISMs (described in this document’s
Introduction) revealed that recognition is very low, with the highest in Oceania at
just slightly more than 60 percent and Central/South America the lowest at 32
percent. The guidelines are felt to have very low acceptance across all regions, with
almost 50 percent giving them no acceptance at all.

Usage
The guidelines are actively used (i.e., implemented, used as best practice or used for
assessment) by only 8 percent or fewer of surveyed CISMs. Bearing in mind that
the principles within the guidelines are used in other security-related publications
(e.g., NIST), it is likely that many CISMs are applying the principles but with
different wording, or they are just not aware of them as OECD principles. There are
mixed opinions on the level of comprehensiveness and effectiveness, both positive
and negative.

CISM Domain Alignment
Information Security Governance, 2
OECD’s guidelines contain a useful set of information security principles that have
been adopted by many governments and are slowly being built into law within some
countries. They will also be of value to organisations with a business ethics or
corporate social responsibility function.

Risk Management, 1
Risk assessment is one of the nine principles, but it is not addressed in a
comprehensive manner.

Information Security Programme Management, 1
The guidelines are of limited interest to those working in government as they define
the expectations of government.

Information Security Management, 0
This domain is not addressed at all by the guidance.

Response Management, 1
One of the principles deals with response management, but not in a comprehensive
manner.

Overall, 1
The document does not provide much in the way of guidance for the information
security manager, although knowledge of the OECD and its nine security principles
is highly recommended as they are referenced in many other information security
standards and guides.

Description and Guidance on Use
OECD Guidelines for the Security of Information Systems and Networks is a short
document of just 16 pages, including a history of the document’s development,
introduction and references.

The guidelines provide nine principles that are designed to be complementary and
are aimed at promoting a culture of security. Each principle is briefly explained.
Perhaps uniquely, the principles include ethics and democracy. And, unusually, the
risk assessment principle identifies the need to consider risks to others as well as to
oneself. The guidelines should be of particular interest to an organisation with a
business ethics or corporate social responsibility function.

The nine principles address:
• Awareness
• Responsibility
• Response (i.e., to incidents)
• Ethics
• Democracy
• Risk assessment
• Security design and implementation
• Security management
• Reassessment

Extract of Principle 6 Risk Assessment
Participants should conduct risk assessments.

Risk assessment identifies threats and vulnerabilities and should be sufficiently
broad-based to encompass key internal and external factors, such as
technology, physical and human factors, policies and third-party services with
security implications. Risk assessment will allow determination of the
acceptable level of risk and assist the selection of appropriate controls to
manage the risk of potential harm to information systems and networks in light
of the nature and importance of the information to be protected. Because of the
growing interconnectivity of information systems, risk assessment should
include consideration of the potential harm that may originate from others or
be caused to others.

The Implementation Plan for the Guidelines for the Security of Information Systems
and Networks is a brief document of six pages. The majority of the document is
aimed at defining the roles and responsibility of government in promoting a culture
of security, but there are a couple of references to business and civil societies.

Extract of Paragraph Nine Describing One of the Government Responsibilities for
Public Policy
9. A second aspect of the government’s public policy role is to conduct
outreach and support efforts by all participants to address security. In the
first instance government action should raise awareness of law and policy
that address cybersecurity. Beyond this, the government should facilitate
awareness and appropriate responses by other participants through
programmes and initiatives.

Reference
www.oecd.org

17. Manager’s Guide to Information Security
Issuer
The Open Group is a vendor-neutral technology consortium with a vision to create
“boundaryless information flow achieved through global interoperability in a
secure, reliable and timely manner”. The booklet itself was written by members of
the Open Group Security Forum, a forum established for more than 10 years.

Document Taxonomy
Manager’s Guide to Information Security, issued in July 2002, provides general
guidance on acquiring secure IT products and systems.

Circulation
The Open Group is internationally recognised. However, no information is available
on circulation of the booklet.

Goal of the Standard or Guidance Publication


The booklet has been produced to help nonsecurity business managers understand
what to look for when purchasing security products and services.

Information Security Drivers for Implementing the Guidance—Why
There are no specific drivers for this guidance.

Related Risks of Noncompliance—What Could Happen


No risks of noncompliance were identified by the authors of this document.

Target Audience
The booklet is aimed primarily at business managers responsible for some aspect of
IT systems or those who evaluate or approve information security purchases.


Timeliness
The booklet was published in 2002 as a simple guide to business managers. It is
nontechnical and remains valid in its content.

Certification Opportunities
No certification exists.

Completeness
As this is not directed at the information security manager, it does not begin to cover
the full range of issues that must be addressed for enterprisewide information
security management. However, it does provide some simple explanations of, and
arguments for, security that information security managers may find useful when
discussing information security with business managers.

Availability
This booklet is available for purchase from the Open Group at www.opengroup.org
for US $9.95.

Recognition/Reputation and Usage


Since this publication is not designed for, nor aimed at, information security
managers, CISM usage has not been surveyed.

CISM Domain Alignment

Information Security Governance, 0


Information security governance is not addressed.

Risk Management, 0
Risk management is not addressed.

Information Security Programme Management, 1


The booklet may be of some use for identifying some security questions before
purchasing IT products.


Information Security Management, 1


It may be of some use for educating business managers with purchasing power for
IT products and services.

Response Management, 0
Response management is not addressed.

Overall, 1
This publication is designed for business managers; it is not aimed at information
security managers. However, it may be of some use in educating business managers
with purchasing power for IT products and services.

Description and Guidance on Use


This 50-page booklet provides a brief introduction to the importance of security,
including looking at information security from a business perspective. Simple
explanations are given to a number of common queries that are made by business
managers, including:
• How much security do you need?
• What are the risks?
• What sort of protection do you need?

The booklet makes clear that it is the business manager who is responsible for
identifying and valuing the risks significant to the business. Technical risk
evaluation is up to trained security practitioners. It also talks about IT security as a
service to the organisation, helping it to run more effectively. The need for activity
logging and detection and response processes is briefly addressed as is the need for
security awareness and training. This naturally leads to explanations on the reality
of how much security is already present in IT systems and whether or not it is
properly enabled to meet the organisation’s acceptance of risks.

Extract from Security from a Business Perspective, Detection and Response
Remember, a completely secure system is impossible. You must be able to detect
and respond to failures in the enforcement of your policies. Information
security systems should monitor your systems to identify anomalous patterns
of activity. This monitoring, together with the logging and audit functions
described above, will also help you (or your auditors) to determine that those
responsible for setting up and maintaining the system have done the job
correctly.

The booklet describes the types of things to expect from security solutions, and in
each case, this is provided in a simple and easy-to-understand manner. Included are:


• Administration—Explaining how access policies need to be enforced by the
security system
• Assurance and audit—Describing the reasons and benefits of logging and
monitoring
• Protection—Very general concepts from passwords to firewalls
• Know who is who and proving who is who—Simple concepts of identification
and authentication
• Managing the list—Registering with LDAP, for example
• What to allow—Simple concepts of authorisation services
• Confidence in documents—Digital signatures in simple terms
• Keeping trust—Reasons for cryptography and PKI
• Extend your reach—The use of VPNs
• Smell and detect trouble—Scanning and intrusion detection explained

Extract from 4. What to expect from Security Solutions


Digital signatures have a curious property that “real” signatures don’t. A
“real” signature is placed on the document it goes with. It can’t be separated
from the document without leaving a mark or a tear. A digital signature
contains a “fingerprint” of the document! While it can be physically separated
from the document, it is always possible to tell which document a signature was
attached to. Because of this odd property, a digital signature can help prove
that a document hasn’t been changed since it was signed. If the document is
changed, the fingerprint inside the signature will reveal the fact. So digital
signatures are, in some ways, more powerful than “real” signatures.
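
As an added illustration of the fingerprint property the extract describes (example code written for this page, not from the Open Group booklet): a detached Ed25519 signature that carries a SHA-256 fingerprint of the document, checked against the original, an altered copy, a signature from the wrong key, and a set of candidate documents to see which one it was attached to. The key pair and the purchase-order text are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// DetachedSignature is a signature kept separately from the document it covers.
// As in the booklet's description, it carries a "fingerprint" (SHA-256 digest)
// of the signed document, plus an Ed25519 signature over that fingerprint.
type DetachedSignature struct {
	Fingerprint [sha256.Size]byte
	Sig         []byte
}

// SignDocument fingerprints the document and signs the fingerprint.
func SignDocument(priv ed25519.PrivateKey, doc []byte) DetachedSignature {
	fp := sha256.Sum256(doc)
	return DetachedSignature{Fingerprint: fp, Sig: ed25519.Sign(priv, fp[:])}
}

// VerifyDocument reports whether ds is a valid signature by pub over doc and,
// if not, why: either the document no longer matches the fingerprint that was
// signed, or the signature (and possibly a rewritten fingerprint) was not
// produced by the holder of pub.
func VerifyDocument(pub ed25519.PublicKey, doc []byte, ds DetachedSignature) (bool, string) {
	if sha256.Sum256(doc) != ds.Fingerprint {
		return false, "document altered"
	}
	if !ed25519.Verify(pub, ds.Fingerprint[:], ds.Sig) {
		return false, "signature invalid"
	}
	return true, "ok"
}

// MatchDocument shows the other property in the extract: given a detached
// signature and several candidate documents, only the one it was attached to
// verifies. It returns the index of that document, or -1 if none verifies.
func MatchDocument(pub ed25519.PublicKey, docs [][]byte, ds DetachedSignature) int {
	for i, d := range docs {
		if ok, _ := VerifyDocument(pub, d, ds); ok {
			return i
		}
	}
	return -1
}

func main() {
	// Constructed sample: a fresh signing key and a short purchase order.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	original := []byte("Purchase order 4711: 200 units at 12.50")
	altered := []byte("Purchase order 4711: 200 units at 12.00")

	ds := SignDocument(priv, original)
	fmt.Println(VerifyDocument(pub, original, ds))                  // true ok
	fmt.Println(VerifyDocument(pub, altered, ds))                   // false document altered
	fmt.Println(MatchDocument(pub, [][]byte{altered, original}, ds)) // 1
}
```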

Finally, the booklet addresses what to do next by explaining the options of handling
security in-house or outsourcing.

Reference
www.opengroup.org


Annex—CISM Job Domains


Information Security Governance
Establish and maintain a framework to provide assurance that information security
strategies are aligned with business objectives and consistent with applicable laws
and regulations.

Tasks
• Develop the information security strategy in support of business strategy and
direction.
• Obtain senior management commitment and support for information security
throughout the enterprise.
• Ensure that definitions of roles and responsibilities throughout the enterprise
include information security governance activities.
• Establish reporting and communication channels that support information
security governance activities.
• Identify current and potential legal and regulatory issues affecting information
security and assess their impact on the enterprise.
• Establish and maintain information security policies that support business goals
and objectives.
• Ensure the development of procedures and guidelines that support information
security policies.
• Develop business case and enterprise value analysis that support information
security programme investments.

Knowledge Statements
• Knowledge of information security concepts
• Knowledge of the relationship between information security and business
operations
• Knowledge of techniques used to secure senior management commitment and
support of information security management
• Knowledge of methods of integrating information security governance into the
overall enterprise governance framework
• Knowledge of practices associated with an overall policy directive that captures
senior management level direction and expectations for information security in
laying the foundation for information security management within an organisation
• Knowledge of an information security steering group function
• Knowledge of information security management roles, responsibilities and
organisational structure
• Knowledge of areas of governance (for example, risk management, data
classification management, network security, system access)


• Knowledge of centralised and decentralised approaches to co-ordinating
information security
• Knowledge of legal and regulatory issues associated with Internet businesses,
global transmissions and transborder data flows (for example, privacy, tax laws
and tariffs, data import/export restrictions, restrictions on cryptography,
warranties, patents, copyrights, trade secrets, national security)
• Knowledge of common insurance policies and imposed conditions (for example,
crime or fidelity insurance, business interruptions)
• Knowledge of the requirements for the content and retention of business records
and compliance
• Knowledge of the process for linking policies to enterprise business objectives
• Knowledge of the function and content of essential elements of an information
security programme (for example, policy statements, procedures and guidelines)
• Knowledge of techniques for developing an information security process
improvement model for sustainable and repeatable information security policies
and procedures
• Knowledge of information security process improvement and its relationship to
traditional process management
• Knowledge of information security process improvement and its relationship to
security architecture development and modelling
• Knowledge of information security process improvement and its relationship to
security infrastructure
• Knowledge of generally accepted international standards for information security
management and related process improvement models
• Knowledge of the key components of cost-benefit analysis and enterprise
transformation/migration plans (for example, architectural alignment,
organisational positioning, change management, benchmarking,
market/competitive analysis)
• Knowledge of methodology for business case development and computing
enterprise value proposition

Risk Management
Identify and manage information security risks to achieve business objectives.

Tasks
• Develop a systematic, analytical and continuous risk management process.
• Ensure that risk identification, analysis and mitigation activities are integrated into
life cycle processes.
• Apply risk identification and analysis methods.
• Define strategies and prioritise options to mitigate risk to levels acceptable to the
enterprise.
• Report significant changes in risk to appropriate levels of management on a
periodic and event-driven basis.


Knowledge Statements
• Knowledge of information resources used in support of business processes
• Knowledge of information resource valuation methodologies
• Knowledge of information classification
• Knowledge of the principles of development of baselines and their relationship to
risk-based assessments of control requirements
• Knowledge of life cycle-based risk management principles and practices
• Knowledge of threats, vulnerabilities and exposures associated with
confidentiality, integrity and availability of information resources
• Knowledge of quantitative and qualitative methods used to determine sensitivity
and criticality of information resources and the impact of adverse events
• Knowledge of use of gap analysis to assess generally accepted standards of good
practice for information security management against current state
• Knowledge of recovery time objectives (RTO) for information resources and how
to determine RTO
• Knowledge of RTO and how it relates to business continuity and contingency
planning objectives and processes
• Knowledge of risk mitigation strategies used in defining security requirements for
information resources supporting business applications
• Knowledge of cost-benefit analysis techniques in assessing options for mitigating
risks, threats and exposures to acceptable levels
• Knowledge of managing and reporting status of identified risks

Information Security Programme Management


Design, develop and manage an information security programme to implement the
information security governance framework.

Tasks
• Create and maintain plans to implement the information security governance
framework.
• Develop information security baseline(s).
• Develop procedures and guidelines to ensure that business processes address
information security risk.
• Develop procedures and guidelines for IT infrastructure activities to ensure
compliance with information security policies.
• Integrate information security programme requirements into the organisation’s life
cycle activities.
• Develop methods of meeting information security policy requirements that
recognise the impact on end users.
• Promote accountability by business process owners and other stakeholders in
managing information security risks.
• Establish metrics to manage the information security governance framework.
• Ensure that internal and external resources for information security are identified,
appropriated and managed.

Knowledge Statements
• Knowledge of methods to develop an implementation plan that meets security
requirements identified in risk analyses
• Knowledge of project management methods and techniques
• Knowledge of the components of an information security governance framework
for integrating security principles, practices, management and awareness into all
aspects and all levels of the enterprise
• Knowledge of security baselines and configuration management in the design and
management of business applications and the infrastructure
• Knowledge of information security architectures (for example, single sign-on,
rules-based as opposed to list-based system access control for systems, limited
points of systems administration)
• Knowledge of information security technologies (for example, cryptographic
techniques and digital signatures, to enable management to select appropriate
controls)
• Knowledge of security procedures and guidelines for business processes and
infrastructure activities
• Knowledge of the systems development life cycle methodologies (for example,
traditional SDLC, prototyping)
• Knowledge of planning, conducting, reporting and follow-up of security testing
• Knowledge of certifying and accrediting the compliance of business applications
and infrastructure to the enterprise’s information security governance framework
• Knowledge of types, benefits and costs of physical, administrative and technical
controls
• Knowledge of planning, designing, developing, testing and implementing
information security requirements into an enterprise’s business processes
• Knowledge of security metrics design, development and implementation
• Knowledge of acquisition management methods and techniques (for example,
evaluation of vendor service level agreements, preparation of contracts)

Information Security Management


Oversee and direct information security activities to execute the information
security programme.

Tasks
• Ensure that the rules of use for information systems comply with the enterprise’s
information security policies.
• Ensure that the administrative procedures for information systems comply with
the enterprise’s information security policies.
• Ensure that services provided by other enterprises, including outsourced
providers, are consistent with established information security policies.
• Use metrics to measure, monitor and report on the effectiveness and efficiency of
information security controls and compliance with information security policies.


• Ensure that information security is not compromised throughout the change
management process.
• Ensure that vulnerability assessments are performed to evaluate effectiveness of
existing controls.
• Ensure that noncompliance issues and other variances are resolved in a timely
manner.
• Ensure the development and delivery of the activities that can influence culture
and behaviour of staff, including information security education and awareness.

Knowledge Statements
• Knowledge of how to interpret information security policies into operational use
• Knowledge of information security administration process and procedures
• Knowledge of methods for managing the implementation of the enterprise’s
information security programme through third parties, including trading partners
and security services providers
• Knowledge of continuous monitoring of security activities in the enterprise’s
infrastructure and business applications
• Knowledge of methods used to manage success/failure in information security
investments through data collection and periodic review of key performance
indicators
• Knowledge of change and configuration management activities
• Knowledge of information security management due diligence activities and
reviews of the infrastructure
• Knowledge of liaison activities with internal/external assurance providers
performing information security reviews
• Knowledge of due diligence activities, reviews and related standards for managing
and controlling access to information resources
• Knowledge of external vulnerability reporting sources, which provide information
that may require changes to the information security in applications and
infrastructure
• Knowledge of events affecting security baselines that may require risk
reassessments and changes to information security requirements in security plans,
test plans and reperformance
• Knowledge of information security problem management practices
• Knowledge of information security manager facilitative roles as change agents,
educators and consultants
• Knowledge of the ways in which culture and cultural differences affect the
behaviour of staff
• Knowledge of the activities that can change the culture and behaviour of staff
• Knowledge of methods and techniques for security awareness training and
education


Response Management
Develop and manage a capability to respond to and recover from disruptive and
destructive information security events.

Tasks
• Develop and implement processes for detecting, identifying and analysing
security-related events.
• Develop response and recovery plans, including organising, training and
equipping the teams.
• Ensure periodic testing of the response and recovery plans where appropriate.
• Ensure the execution of response and recovery plans as required.
• Establish procedures for documenting an event as a basis for subsequent action,
including forensics when necessary.
• Manage post-event reviews to identify causes and corrective actions.

Knowledge Statements
• Knowledge of the components of an incident response capability
• Knowledge of information security emergency management practices (for
example, production change control activities, development of computer
emergency response team)
• Knowledge of disaster recovery planning and business recovery processes
• Knowledge of disaster recovery testing for infrastructure and critical business
applications
• Knowledge of escalation processes for effective security management
• Knowledge of intrusion detection policies and processes
• Knowledge of help desk processes for identifying security incidents reported by
users and distinguishing them from other issues dealt with by the help desks
• Knowledge of the notification process in managing security incidents and
recovery (for example, automated notice and recovery mechanisms, in response to
virus alerts in a real-time fashion)
• Knowledge of the requirements for collecting and presenting evidence, rules for
evidence, admissibility of evidence, quality and completeness of evidence
• Knowledge of post-incident reviews and follow-up procedures

ITGI Publications

Other Publications
All publications come with detailed assessment questionnaires and work
programmes. For further information, please visit www.isaca.org/bookstore or
e-mail [email protected].

Managing Enterprise Information Integrity


The Centre for IS Assurance conducted this project to define the key elements of
enterprise information integrity, as well as benefits criteria associated with them,
and to present a framework and process for management. In an increasingly
dynamic global environment, IT organisations must address complex solutions and
operating environments to provide assurance of the dependability and
trustworthiness of information across the enterprise. 2004

COBIT Security Baseline


Control Objectives for Information and related Technology covers security in
addition to other risks that can occur with the use of IT. Using the COBIT
framework, this guide focusses on the specific risks of IT security in a way that is
simple to follow and implement for all users—small to medium enterprises,
executives and board members of larger organisations,
and home users. It is available through the ISACA Bookstore at
www.isaca.org/bookstore. COBIT Security Baseline provides:
• Useful background reading:
– An introduction to information security—What does it mean and what does it
cover?
– An explanation of why security is important, with examples of the most
common things that can go wrong
– Thought-provoking questions to help determine the risks
• The COBIT-based security baseline, providing key controls
• Six information security survival kits, offering essential awareness messages
• An appendix containing a summary of technical security risks
2004

Control Practices
Control Practices extends the capabilities of the COBIT framework with an
additional level of detail. The COBIT IT processes, business requirements and
control objectives define what needs to be done to implement an effective control
structure. The control practices provide the more detailed how and why needed by
management, service providers, end users and control professionals, to help them
justify and design the specific controls needed to address IT project and operational
risks and improve IT performance by providing guidance on why controls are
needed, and what the best practices are for meeting specific control objectives. All
of the control practices are individually integrated into COBIT Online. This
publication, which contains control practices for all of the 34 high-level COBIT
control objectives, is available in the ISACA Bookstore. 2004


IT Control Objectives for Sarbanes-Oxley


The publication explains, step-by-step in a road map approach, the current focus on
enhancing corporate accountability, the audit committee’s responsibility, the need to
adopt and use an internal control framework (COSO), the need to consider fraud in
an audit or review of internal control, the necessary but unique challenge of
focussing on IT controls and using a compatible IT governance framework (COBIT),
and how to seize the opportunity of turning compliance into a competitive
challenge. The document provides IT professionals and organisations with
assessment ideas and approaches, IT control objectives mapped into COSO for
disclosure and financial reporting purposes, and a clear road map to deal with the
murkiness of these regulatory times. 2004

COBIT Mapping: Mapping ISO/IEC 17799:2000 With COBIT


The mapping document is a profound source of information for all stakeholders
responsible for, and interested in, IT governance and information security
management and their respective controls. It provides clear insights as to how
COBIT and ISO/IEC 17799:2000 interrelate and fit together. This paper is a valuable
source and useful guideline for implementation of these standards in an
organisation, independent of its size, geography or industry. It will help improve
completeness and quality and reduce the cost of such implementations. ISACA
member download posted at www.isaca.org/research. 2004

COBIT Mapping: Overview of International IT Governance


A global overview of the most important standards relative to control and security
of IT and how they relate to each other on a high level. The research includes:
• An overview of the most important standards relative to control and security of IT
• A demonstration of the possible integration of COBIT with other standards into
live IT processes
• A high-level overview of COBIT, COSO, ITIL, ISO/IEC 17799:2000, ISO/IEC
13335, ANSI, TickIT and the Common Criteria—ISO/IEC 15408:1999
The publication is posted at www.isaca.org/cobitmapping. 2004

Board Briefing on IT Governance, 2nd Edition


The Board Briefing on IT Governance, 2nd Edition is addressed to boards of
directors, supervisory boards, audit committees, chief executive officers, chief
information officers and other executive management, and is designed to help these
individuals understand why IT governance is important, what its issues are and what
their responsibility is for managing it. The document is posted at www.itgi.org.

The document covers:


• A summarised background on governance
• Where IT governance fits in the larger context of enterprise governance
• A simple framework with which to think about IT governance


• Questions board members should ask
• Good practices and critical success factors
• Performance measures board members can track
• A maturity model against which to benchmark organisations
2003

Other Titles
Oracle® Database Security, Audit and Control Features (2004)
OS/390—z/OS: Security, Control and Audit Features (2003)
IT Governance Implementation Guide (2003)
COBIT Quickstart (2003)
Risks of Customer Relationship Management: A Security, Control and Audit
Approach (2003)
Security Provisioning: Managing Access in Extended Enterprises (2002)
Electronic and Digital Signatures: A Global Status Report (2002)
Virtual Private Network—New Issues for Network Security (2001)
COBIT 3rd Edition® (2000)
Control Objectives for Net Centric Technology (CONCT©) (1999)
Digital Signatures—Security and Controls (1999)
ERP Series:
Security, Audit and Control Features PeopleSoft®: A Technical and Risk
Management Reference Guide (2004)
Security, Audit and Control Features Oracle® Applications: A Technical and Risk
Management Reference Guide (2003)
Security, Audit and Control Features SAP®R/3®: A Technical and Risk
Management Reference Guide (2002)
E-commerce Security Series:
Securing the Network Perimeter (2002)
Business Continuity Planning (2002)
Trading Partner Authentication, Registration and Enrollment (2000)
Public Key Infrastructure (2001)
A Global Status Report (2000)
Enterprise Best Practices (2000)

Web Postings (www.isaca.org/research)


Enterprise Identity Management: Managing Secure and Controllable Access in the
Extended Enterprise Environment (2004)
Introduction to Voice-over IP Technology (2004)
Peer-to-peer Networking Security and Control (2003)


Future Publications

Cybercrime: Incident Response and Digital Forensics


The research describes the threat posed by cybercrime and discusses the increase in
incidents. The publication will also provide an analysis of the type of risks and
guidelines to prevent, detect and respond appropriately. It will highlight the new
partnership and initiatives between the US government and the IT industry, and the
strategy that could mitigate the potential risks.

Linux Security and Control Requirements


The project studies the Linux security issues for one of the more popular versions
of Linux: Redhat 7.2. A technical security configuration table will be included,
which could be used as a standard reference by security administrators, security
professionals and IS auditors. The publication will provide guidance to IT
management in the areas of identification of vulnerabilities of the Linux operating
system, a detailed checklist giving the best practices to be followed, deployment of
Linux on different hardware platforms, and comparison of the security features of
major Linux implementations. The publication will address risk management issues
with an action-oriented perspective.

Security Awareness—Best Practice to Serve Your Enterprise


Today, from the most senior executive to junior staff, all have a role to play in the
protection of the enterprise’s information assets. Awareness of the risks and
available safeguards is the first line of defence. Information systems and networks
can be affected by internal and external risks, and everyone must understand that
security failures may significantly harm those systems and the information under
their control, as well as interdependencies. Additionally, the increased regulatory
pressure of the European Data Protection Directive, Sarbanes-Oxley, HIPAA and
others is requiring organisations to implement formal security policies. The
education of employees is certainly a frontline defence for adherence and proper
implementation.

This research publication will provide the steps needed to implement an awareness
effort, explain how to build concurrence among other departments, and provide
baselines, maturity levels and control objectives. A security awareness
self-assessment programme and a case study will be included.


Information Security Governance: Top Actions for Security Managers
Information Security Governance: Guidance for Boards of Directors and Executive
Management, published by ITGI in 2001, provides a background as to why
information security is important. Its focus is on what the board and senior
management should do to fit information security within the governance
framework.

Information Security Governance: Top Actions for Security Managers furthers that
research by taking the list of questions and creating specific actions for information
security managers and CISOs. It will address:
• Uncovering the information security issues in an enterprise from a business and
management perspective
• Dealing with management’s perception of information security and security risk
management issues
• Positioning information security as a component of IT and business governance
• Establishing what is required to ensure that information security governance is
successfully implemented within the enterprise

IT Governance Domains—Practices and Competencies


The IT Governance Institute is conducting a survey of executives around the globe.
An in-depth personal interview is being held with 200 IT directors and managers
for feedback on the following five domains:
• Value delivery—Obtaining a return on IT investments
• Performance measurement
• Risk management
• IT alignment—IT strategy committees
• Managing IT resources—Outsourcing
