Security Standards Ontologies

  • Writer: Mark Skilton
  • Jul 6, 2007
  • 4 min read

Gartner's current Security Framework came from its acquisition of Meta Group, the research analyst company.

It is currently three years old and, by Gartner's own admission, out of date.

ISO/IEC 17799 security controls

ISO/IEC 17799 is a code of practice for information security management, first published by the International Organization for Standardization in 2000 and revised in 2005. It is being renumbered and re-issued as ISO/IEC 27002 within the ISO 2700x suite.

It is used to develop security policies based on the ISO/IEC 17799 control framework.

The 2005 edition groups its controls into 11 sections (control clauses).

I cannot currently find anything on this on the Internet.

ISO 27001 Information Security Management System (ISMS)

An Information Security Management System (ISMS) is, as the name suggests, a management system concerned with information security. The term arises primarily from ISO/IEC 17799, the code of practice for information security management published by ISO in 2000, which is being re-issued within the ISO 2700x suite.

The best known ISMS standard is ISO/IEC 27001, published by ISO and developed from BS 7799-2. It is complementary to ISO/IEC 17799, the code of practice developed from BS 7799-1. A certification scheme against BS 7799-2:2002 is well established; note, however, that it is not possible to be certified against ISO/IEC 17799, which is a code of practice rather than a specification.

ISM3 (pronounced ISM-cubed) is the only other ISMS standard that is accreditable. It was developed from ITIL, ISO 9001, CMM, ISO 27001 and information governance concepts, and can be used as a template for building an ISO 9001-compliant information security management system. Where ISO 27001 is controls based, ISM3 is process based and includes process metrics.

ISO 27001 also addresses the offshoring of services, among other topics.

ISF Standard of Good Practice

The Standard of Good Practice (SoGP) is a detailed documentation of best practice for information security. First released in 1996, the Standard is published and revised every two years by the Information Security Forum (ISF), an international best-practices association whose member organizations come from financial services, manufacturing, consumer products, telecommunications, government and other sectors. The Standard is available free of charge from the ISF, whereas other ISF reports and tools are generally available only to member organizations.

The Standard is developed from research and the actual practices of and incidents experienced by major organizations, incorporating the ISF's extensive research program, comprehensive benchmarking program, analysis of other standards and prevailing practices, and the direct feedback from and active involvement of ISF members. Its regular and relatively frequent update cycle (every two years) also allows it to keep up with technological developments and emerging threats. The Standard is used as the default governing document for information security behavior by many major organizations, by itself or in conjunction with other standards such as ISO 17799 or COBIT.

The Standard was most recently updated in February 2007 to add a new section focusing on end-user environments. The update also expands the sections on application security, risk assessment and other subjects, and adds new sections on regulatory compliance and on evolving security issues arising from the ISF's best-practices research and recommendations.

ITIL Security Management

The ITIL Security Management process describes the structured fitting of security into the management organization. It is based on the code of practice for information security management, ISO/IEC 17799.

The central concept of Security Management is information security. The primary goal of information security is to protect the value of information, which is expressed through its confidentiality, integrity and availability. Derived aspects are privacy, anonymity and verifiability.

The goal of the Security Management is split up in two parts:

  1. The realization of the security requirements defined in the Service Level Agreement (SLA) and of other external requirements specified in underpinning contracts, legislation and any internally or externally imposed policies.

  2. The realization of a basic level of security. This is necessary to guarantee the continuity of the management organization, and it also simplifies Service Level Management for information security, since it is easier to manage a limited number of SLAs than a large number of them.

The input to the Security Management process consists of the SLAs with their specified security requirements, applicable legislation and other (external) underpinning contracts. These requirements can also act as Key Performance Indicators (KPIs) for managing the process and for justifying its results.

The output is justification information on the realization of the SLAs, together with a report of deviations from the requirements.

The Security Management process relates to almost all other ITIL processes. The most obvious relations, and the ones relevant here, are to the Service Level Management, Incident Management and Change Management processes.
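The input-to-output path just described (SLA security requirements in, KPIs for process management, a deviation report out) is easy to make concrete. The following is an added example, not code from ITIL or from the original post: the requirement names, thresholds, measurements and the mapping of each requirement to an ISO/IEC 17799:2005 clause are all constructed for illustration. It also shows the failure mode a report must not hide, a requirement that was never measured at all.

```python
"""Constructed example: SLA security requirements treated as KPIs,
evaluated against one period's measurements, with deviations reported.
Every requirement, threshold, measurement and control mapping below is
assumed for illustration; none comes from a real SLA or from ITIL."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import operator


@dataclass(frozen=True)
class Requirement:
    """One security requirement from an SLA, underpinning contract,
    legislation or policy, expressed as a measurable indicator (KPI)."""
    kpi: str          # indicator name; must match a key in the measurements
    threshold: float  # target value for the indicator
    comparator: str   # "<=": observed must not exceed threshold; ">=": must reach it
    unit: str
    source: str       # SLA / contract / legislation / policy
    control: str      # ISO/IEC 17799:2005 clause the requirement supports (assumed mapping)


_OPS = {"<=": operator.le, ">=": operator.ge}

# Hypothetical SLA: constructed requirements, not from any real contract.
SLA_REQUIREMENTS: List[Requirement] = [
    Requirement("critical_patch_days", 30, "<=", "days", "SLA",
                "12.6 Technical vulnerability management"),
    Requirement("access_review_interval_days", 90, "<=", "days", "policy",
                "11.2.4 Review of user access rights"),
    Requirement("incident_ack_hours", 4, "<=", "hours", "SLA",
                "13.2 Management of information security incidents"),
    Requirement("log_retention_days", 365, ">=", "days", "legislation",
                "10.10 Monitoring"),
    Requirement("restore_test_interval_days", 180, "<=", "days", "contract",
                "10.5 Back-up"),
]

# Constructed measurements for one reporting period. The restore-test
# interval is deliberately absent: it was never measured, which the
# report must surface as a deviation rather than silently pass.
MEASUREMENTS: Dict[str, float] = {
    "critical_patch_days": 41,
    "access_review_interval_days": 85,
    "incident_ack_hours": 2,
    "log_retention_days": 400,
}


@dataclass(frozen=True)
class Result:
    requirement: Requirement
    observed: Optional[float]
    met: bool
    note: str


def evaluate(requirements: List[Requirement],
             measurements: Dict[str, float]) -> List[Result]:
    """Compare each requirement with its measurement; met=False is a deviation."""
    results = []
    for r in requirements:
        observed = measurements.get(r.kpi)
        if observed is None:
            results.append(Result(r, None, False, "no measurement available"))
            continue
        met = _OPS[r.comparator](observed, r.threshold)
        note = ("within requirement" if met else
                f"observed {observed} {r.unit}, required {r.comparator} {r.threshold} {r.unit}")
        results.append(Result(r, observed, met, note))
    return results


def deviations(results: List[Result]) -> List[Result]:
    """The deviation report's content: every requirement not shown to be met."""
    return [x for x in results if not x.met]


def report(results: List[Result]) -> str:
    """Plain-text report: per-KPI status plus a deviation count for the SLA review."""
    lines = [f"{'KPI':<30}{'source':<12}{'status':<9}note [control]"]
    for x in results:
        status = "OK" if x.met else "DEVIATES"
        lines.append(f"{x.requirement.kpi:<30}{x.requirement.source:<12}"
                     f"{status:<9}{x.note} [{x.requirement.control}]")
    lines.append(f"{len(deviations(results))} deviation(s) out of {len(results)} requirements")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(evaluate(SLA_REQUIREMENTS, MEASUREMENTS)))
```

Run as-is it reports two deviations: the patching KPI that exceeds its SLA target, and the restore-test KPI that has no measurement. Treating "not measured" as a deviation rather than an absence is the design choice that matters; a KPI nobody collects cannot justify an SLA.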

COBIT v4.0

Control Objectives for Information and related Technology (COBIT) is a set of best practices (a framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI), first published in 1996. COBIT provides managers, auditors and IT users with a set of generally accepted measures, indicators, processes and best practices to help them maximize the benefits derived from the use of information technology and develop appropriate IT governance and control in a company.

Basic Security Framework concepts

  • "Keep the bad guys out" services: information technical services

  • "Let the good guys in" services: ID & A (identification and authentication) services

  • "Keep the wheels on" services: administration and strategic services

Define a security roadmap

Map applications and processes, identify the risks to each, and define the security components that address those risks.
