Disaster recovery planning
Many companies are ill prepared for disasters and unexpected shutdowns. Eric L. Beser, CEO of the former Ennovate Inc. [1], cites a Gartner research finding that 50 percent of all businesses fail after experiencing a major disruption, and reports that 45,000 businesses ceased operations after the 9/11 attack on the World Trade Center. His e-book is still available online [2] and addresses:
- How to identify and address immediate risks.
- The processes, policies, and procedures related to disaster planning.
- Ideas on how to identify business processes that are most essential for operations.
- Templates to help with analyzing business impact in the event of disaster.
- A sample contingency plan.
Interesting tips are also offered on:
- Understanding dependencies and risks that could affect the business.
- Practical advice on testing and updating the plan.
- How to make the plan available to key stakeholders.
- Planning for emergency meetings and key-staff backup.
- How to plan for disaster recovery beyond its IT aspects.
Resources
- Disaster Recovery Institute [3]
- Disaster Recovery [4]
- Disaster Recovery Institute Canada [5]
- Disaster Recovery Information Exchange (DRIE) [6]
System and Network Security Practice
Business continuity depends on the high availability and stability of information and network systems. The SA-BOK addresses best practices in system administration. The definitive reference in the field is the book The Practice of System and Network Administration by Limoncelli & Hogan.
The Rainbow Series [7], published by NSA's National Computer Security Center (NCSC), is still a useful reference even though the Common Criteria (see below) have superseded it for product evaluation. It is a set of several dozen booklets, each bound in a different cover color, on evaluating and operating "Trusted Computer Systems". The foundational volume is the Orange Book, the Trusted Computer System Evaluation Criteria (TCSEC, DoD 5200.28-STD); the NCSC Technical Guidelines that interpret and extend it include:
- NCSC-TG-001 [Tan Book] - A Guide to Understanding Audit in Trusted Systems [Version 2 6/01/88]
- NCSC-TG-002 [Bright Blue Book] - Trusted Product Evaluation - A Guide for Vendors [Version 1 3/1/88]
- NCSC-TG-003 [Neon Orange Book] - A Guide to Understanding Discretionary Access Control in Trusted Systems [Version 1, 9/30/87]
- NCSC-TG-004 [Aqua Book] - Glossary of Computer Security Terms [Version 1, 10/21/88]
- NCSC-TG-005 [Red Book] - Trusted Network Interpretation [Version 1 7/31/87]
- NCSC-TG-006 [Amber Book] - A Guide to Understanding Configuration Management in Trusted Systems [Version 1, 3/28/88]
- NCSC-TG-007 [Burgundy Book] - A Guide to Understanding Design Documentation in Trusted Systems
- NCSC-TG-008 [Lavender Book] - A Guide to Understanding Trusted Distribution in Trusted Systems [Version 1 12/15/88]
- NCSC-TG-009 [Venice Blue Book] - Computer Security Subsystem Interpretation of the Trusted Computer System Evaluation Criteria
- NCSC-TG-011 [Red Book] - Trusted Network Interpretation Environments Guideline - Guidance for Applying the Trusted Network Interpretation
- NCSC-TG-013 [Pink Book] - Rating Maintenance Phase Program Document [Version 2 - 01 Mar 1995]
- NCSC-TG-014 [Purple Book] - Guidelines for Formal Verification Systems [4/1/89]
- NCSC-TG-015 [Brown Book] - A Guide to Understanding Trusted Facility Management [6/89]
- NCSC-TG-016 [Yellow-Green Book] - Writing Trusted Facility Manuals
- NCSC-TG-017 [Light Blue Book] - A Guide to Understanding Identification and Authentication in Trusted Systems
- NCSC-TG-018 [Light Blue Book] - A Guide to Understanding Object Reuse in Trusted Systems
- NCSC-TG-019 [Blue Book] - Trusted Product Evaluation Questionnaire [Version-2 - 2 May 1992]
- NCSC-TG-020A [Grey/Silver Book] - Trusted UNIX Working Group (TRUSIX) Rationale for Selecting Access Control List Features for the UNIX System
- NCSC-TG-021 [Lavender/Purple Book] - Trusted Database Management System Interpretation
- NCSC-TG-022 [Yellow Book] -A Guide to Understanding Trusted Recovery
- NCSC-TG-025 [Forest Green Book] - A Guide to Understanding Data Remanence in Automated Information Systems (Ver. 2 09/91)
- NCSC-TG-026 [Hot Peach Book] - A Guide to Writing the Security Features User's Guide for Trusted Systems
- NCSC-TG-027 [Turquoise Book] - A Guide to Understanding Information System Security Officer Responsibilities for Automated Information Systems
- NCSC-TG-028 [Violet Book] - Assessing Controlled Access Protection
- NCSC-TG-029 [Blue Book] - Introduction to Certification and Accreditation ( 09/94 )
- NCSC-TG-030 [ Light Pink Book] - A Guide to Understanding Covert Channel Analysis of Trusted Systems (11/93 )
Other good books, published under the author name "Anonymous" (a self-described hacker), are:
- Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network [8] [9]
- Maximum Linux Security: A Hacker's Guide to Protecting Your Linux Server and Workstation [10]
System and network security practice transcends system and network administration alone and has serious implications for application development. The extensive IBM Redbook Java 2 Network Security [11] [12] covers Java application development with security in mind. The Secure Coding [13] initiative at CERT is based on the observation that most vulnerabilities are caused by programming errors; a set of Secure Coding Practices has been developed [14], and CERT's extensive, regularly updated database of known vulnerabilities (the Vulnerability Notes Database) can be found here [15].
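The kind of programming error the CERT initiative targets, shown as an added example that is not taken from the CERT or IBM material cited above: an unbounded string copy beside a bounded version that refuses truncation, and an allocation-size computation that detects integer wrap instead of silently producing a too-small buffer. The function names, the NAME_MAX size and the input strings are constructed for the illustration.

```c
/*
 * Added example (not from CERT or the page): one of the programming errors
 * the CERT Secure Coding work targets, an unbounded string copy, beside a
 * hardened version, plus an overflow-checked size computation. All input
 * strings below are constructed for the demonstration.
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define NAME_MAX 16   /* fixed-size destination, as in many legacy APIs */

/* VULNERABLE: strcpy() has no notion of the destination size. A name of
 * NAME_MAX bytes or more overruns `name` on the stack (CERT STR31-C).
 * Kept here only to show the pattern; never call it on untrusted input. */
int greet_unsafe(const char *user)
{
    char name[NAME_MAX];
    strcpy(name, user);                 /* no bounds check at all */
    return (int)strlen(name);
}

/* HARDENED: the destination size is explicit, the source is never read
 * past dstsz bytes, truncation is refused and reported instead of being
 * silently accepted, and dst is always NUL-terminated on every path.
 * Returns the number of bytes copied (excluding NUL), or -1 on error. */
int copy_name(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;

    size_t n = 0;                       /* bounded strlen: stop at dstsz */
    while (n < dstsz && src[n] != '\0')
        n++;

    if (n == dstsz) {                   /* src plus its NUL does not fit */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);            /* n + 1 <= dstsz, includes NUL */
    return (int)n;
}

/* HARDENED: size arithmetic for an allocation. count * elem_size silently
 * wraps for large counts, yielding a small malloc() and a later heap
 * overrun (CERT INT30-C / MEM35-C); detect the wrap before it happens.
 * Returns 0 and stores the product in *out, or -1 on overflow. */
int checked_mul_size(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return -1;
    *out = count * elem_size;
    return 0;
}

/* Small self-checks so the properties can be asserted, not just printed. */
int demo_fits(void)
{
    char buf[NAME_MAX];
    return copy_name(buf, sizeof buf, "alice") == 5 && strcmp(buf, "alice") == 0;
}

int demo_too_long(void)
{
    char buf[NAME_MAX];
    memset(buf, 'x', sizeof buf);
    /* 27 bytes: would have overrun a NAME_MAX buffer via strcpy() */
    return copy_name(buf, sizeof buf, "a-name-that-is-far-too-long") == -1
        && buf[0] == '\0';
}

int demo_size_overflow(void)
{
    size_t n = 0;
    return checked_mul_size(SIZE_MAX, 2, &n) == -1
        && checked_mul_size(1000, 8, &n) == 0 && n == 8000;
}

int main(void)
{
    printf("fits: %d, too long rejected: %d, overflow detected: %d\n",
           demo_fits(), demo_too_long(), demo_size_overflow());
    printf("unsafe copy of a short name still 'works': %d\n",
           greet_unsafe("bob"));   /* the bug is latent until input grows */
    return 0;
}
```

The point of the hardened copy is not only the bound but the error path: the caller learns that the input did not fit and the buffer is left in a defined state, so the truncation cannot be silently turned into a later parsing or authorization bug. The size check shows the same discipline applied to arithmetic, where the overflow happens before any memory is touched.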
Other Resources
- The Systems Administration Body of Knowledge (SA-BOK) [16]
- Essential System Administration, Third Edition [17]
- Everything Sysadmin - [18] - Thoughts, news and views of Limoncelli & Hogan, the authors of the must-have book The Practice of System and Network Administration
- ISACA [19]
- SANS Institute and SANS Internet Storm Center [20] [21]
- NIST Computer Security Resource Center (CSRC) [22]
- Information Systems Security Association [23]
- Computer Emergency Response Team (CERT) [24]
- Information Warfare & Information Security resources [25]
- IWS - The Information Warfare Site [26]
- Log analysis resources [27]
- OpenSource forensic toolset for analyzing hacked systems [28]
- TippingPoint IPS/IDS [29]
- Network Security Essentials, Second Edition [30]
- The NIST National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data
Standards and recommendations
The Common Criteria (CC) and its companion Common Evaluation Methodology (CEM) form an international standard (ISO/IEC 15408 [31]). It was developed by a consortium of national security and standards bodies, among them NSA and NIST, as the successor to TCSEC and the European ITSEC. It defines a framework for specifying, assessing and verifying the security features of information technology products and systems. The security requirements to be verified are stated in the Security Target (ST) of the product under evaluation, the Target of Evaluation (TOE), usually by claiming conformance to one or more implementation-independent Protection Profiles (PPs), and are expressed as Security Functional Requirements (SFRs) drawn from a catalogue organized into classes, families and components. The evaluation also tries to establish the level of confidence that may be placed in those security features, by assessing the development, testing, configuration-management and delivery processes of the TOE against Security Assurance Requirements (SARs).
The evaluation is, however, done against the assumptions about the operational environment that the supplier writes into the Security Target, so the confidence expressed by the resulting Evaluation Assurance Level (EAL) holds only insofar as those assumptions hold in a real deployment; a certificate says nothing about configurations the ST excluded. EALs range from 1 to 7. Most commercial products are evaluated at EAL1 to EAL4, often written EAL4+ when the vendor adds selected higher-level assurance components, while EAL5 to EAL7 are rare and largely reserved for smart cards and other high-assurance components. Mutual recognition of certificates under the Common Criteria Recognition Arrangement (CCRA) has only ever covered the lower levels (originally up to EAL4), so higher-EAL certificates are national in scope.
More references:
- Wikipedia page [32]
- Version 3.1 of the standard, available on the Common Criteria portal [33]
The Information Systems Audit and Control Association (ISACA) [34] is an international organization of IS/IT professionals dedicated to the audit, control and security of information systems.
Its Control Objectives for Information and related Technology (COBIT) [35] publication defines a set of generally accepted measures, indicators, processes and best practices for IT governance and control, security included.
In its 4th edition, COBIT defines 34 high-level IT processes, each broken down into detailed control objectives (318 in the 3rd edition, consolidated to about 210 in the 4.x editions), categorized in four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.
IT security standards of relevance for outsourcing agreements
The most important security standards, requirements and recommended practices derived from standards, of relevance for outsourcing, and especially for outsourcers catering to the financial sector, are:
- ISO/IEC 15443, a framework for IT security assurance
- ISO/IEC 17799, Code of practice for information security management (renumbered ISO/IEC 27002 in 2007)
- The Financial Institution Shared Assessments Program (FISAP), extremely granular and based on the ISO/IEC 17799 requirements
- The AICPA SAS 70, Statement on Auditing Standards Number 70 (superseded in 2011 by SSAE 16 and the SOC 1 / SOC 2 report families)
- Health Insurance Portability and Accountability Act (HIPAA) [36]
- ISO/IEC 27001, Information Security Management Systems, the certifiable standard whose Annex A controls are those of ISO/IEC 17799
The Financial Institution Shared Assessments Program is a process for financial institutions to evaluate the security controls of their IT service providers. It replaces the 2004 ISO 17799-based IT Service Provider Expectations Matrix. Launched in February 2006, the Program at the time of writing has more than 40 member companies, and 16 major service providers are committed to having assessments performed under it.
Here are some resources on these topics:
- ISO/IEC 15443, A framework for IT security assurance (covering many methods, e.g. TCSEC, Common Criteria, ISO/IEC 17799)
- ISO/IEC 15443-1: Overview and framework
- ISO/IEC 15443-2: Assurance methods
- ISO/IEC 15443-3: Analysis of assurance methods
- ISO/IEC 15408, see Common Criteria above
- ISO/IEC 17799:2005, Code of practice for information security management (now ISO/IEC 27002); its earlier 2000 edition provides detailed guidance on the following ten topic areas, which the 2005 revision reorganizes into eleven clauses, adding information security incident management:
- Security Policy
- Security Organization
- Assets Classification and Control
- Personnel Security
- Physical and Environmental Security
- Computer and Network Management
- System Access Control
- Systems Development and Maintenance
- Business Continuity Planning
- Regulatory Compliance
- NIST SP 800 series, containing both issue-specific (firewalls, IDS, PKI) and general guidance.
- SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
- SP 800-26, Security Self-Assessment Guide for Information Technology Systems
- Federal Information System Controls Audit Manual (FISCAM), for evaluating the internal controls over the integrity, confidentiality and availability of data maintained in systems managed by the federal government.
- Site Security Handbook, RFC 2196, a practical guide to developing computer security policies and procedures for Internet-exposed sites.
- Commonly Accepted Security Practices and Recommendations (CASPR) - an open-source, vendor-neutral collection of security best practices.
- Control Objectives for Information and related Technology (CobiT), an open framework for IT controls, identifying key IT processes, control objectives and guidelines.
- TCSEC "Trusted Computer System Evaluation Criteria", Orange Book from the Rainbow series
- AICPA's SysTrust standard for Trust Services Principles and Criteria, identifying five principles to be assessed on the basis of policies, communications, procedures and monitoring:
- Security
- Availability
- Processing Integrity
- Online Privacy
- Confidentiality
- AICPA's Statement on Auditing Standards Number 70 (SAS 70) for Service Organizations
- Does not explicitly require any particular controls or practices
- Involves a review of the existing controls, using industry standards for the audit
- Requires that a "Service Auditor's Report" be issued by an independent auditor, offering an opinion on the existing controls: a Type I report covers only their design at a point in time, while a Type II report also tests their operating effectiveness over a period (typically six months or more), so only a Type II gives an outsourcing customer evidence that the controls actually operated.
Here are some resources, including the assessment criteria, for the Financial Institution Shared Assessments Program (FISAP) for IT outsourcer assessment:
Honeypots
The sophistication of the attacks against Internet-exposed systems is constantly increasing. One example of the newer threats is search-engine hacking (also called Google hacking), which uses the search engine's index to find misconfigured and vulnerable web applications exposed on the Internet, without the attacker ever sending a probe to the target.
Against such attacks the concept of the Honeypot [37] has been developed: a decoy system with no production purpose, so that any interaction with it is suspicious by definition. It provides a means to detect attackers early, divert them from real assets and study their tools and techniques.
In the wireless security arena honeypots are widely used, one of the best known being the one deployed by SAIC [38] [39] in Washington, DC.