• No results found

How To Manage Information Technology

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "How To Manage Information Technology"

Copied!
33
0
0

Loading.... (view fulltext now)

Download now ( 33 Page )

Full text

(1)

Bundesamt für Sicherheit

in der Informationstechnik

DECUS Rheinlandtreffen

St. Augustin, 18.11.2004

Nachweis der erreichten Sicherheit

durch Prüfungen nach Standards?!

(2)

2. Standards 1. Basics

4. Fazit 3. Charakteristika

Sicherheitsmanagement

ISO/IEC nicht ISO/IEC

Darstellungsmerkmale Bewertungskriterien

(3)

Business needs

ICT Support

Critical business processes

Customer

requests

Service/ Product

delivery

Information

Processing

(4)

The more

Information

is processed by

Information and communications technology

Relationship between I and ICT

(5)

2. Standards 1. Basics

4. Fazit 3. Charakteristika

Sicherheitsmanagement

ISO/IEC nicht ISO/IEC

Darstellungsmerkmale Bewertungskriterien

(6)

BSI IT BPM

IS 17799

IS 13335

BS 7799-2

ISF FSoGP

IS 21827

(7)

2004-11-18 Martina Rohde

Ô TR 13335: Guidelines for the Management of IT Security

(GMITS)

Ô IS 13335: Management of information and

communications technology security (MICTS)

Ô IS 17799: Code of Practice for Information Security

Management

Ô IS 21827: System Security Engineering

-Capability Maturity Model

Ô TR 13569: Banking and other financial services

Ô ---Ô Study period on information security management systems

Ô =>

Ô NP on ISMS requirements (IS 24743)

Ô NP on ISM metrics and measurement (IS 24742)

[ISO/IEC JTC 1 SC 27 WG 1]

(8)

Ô (German) IT Baseline Protection Manual (IT BPM)

Ô (British) ISMS - Specification with Guidance for Use (BS 7799-2)

Ô ---Ô ISF: The Forum’s Standard of Good Practice (FSoGP)

Ô ISACA: Control objectives for information and related technologies

(Cobit)

Ô NIST: An Introduction to Computer Security - The NIST Handbook

(SP-800-12)

Ô ---Ô Information Technology Infrastructure Library (ITIL)

Ô ...

(9)

Benefit and effort of assessment

What a

standard

is able

to do!

What a

standard

is expected

to do!

Peer-to-peer comparison makes no sense

-> classification scheme

(10)

2. Standards 1. Basics

4. Fazit 3. Charakteristika

Sicherheitsmanagement

ISO/IEC nicht ISO/IEC

Darstellungsmerkmale Bewertungskriterien

(11)

Ô

Peer-to-peer comparison makes no sense

-> classification scheme

Ô „Black box“ comparison

Ô -> characteristics: subject, audience, granularity, certificate

Ô standard fits to users‘s problem

Ô „White box“ comparison

Ô -> characteristics: purpose, focus, statement Ô application of standard supports user‘s intention

(12)

Ô “Code of practice for information security management”

(fast track of BS 7799-1, under revision since 2000, now FDIS)

Ô “... guidelines and principles for initiating, implementing, maintaining,

and improving information security management ...” -> what to do

-> security officer

Ô ... each area introduced by a description of the goal (“objective”) and

structured into subchapters (“controls”) with different depth

new: control statement, implementation guidance, other information ... covers several control areas such as policy, organization, asset management, personnel, physical security, operational issues, access control, systems aquisistion & development, incident management, business continuity, and compliance

new: risk assessment and treatment

Ô checklist without priority/ sequence

BUT: no metric defined in order to support the assessment

IS 17799

(13)

2004-11-18

Martina Rohde [See IS 17799]

Asset Management Business Continuity Compliance Checking Security Policies Incident Management

Configuration & Change Management

17799 - Control areas

Personnel Physical & Environmental Security Organization Information and Communications Technology Operational Issues

(14)

Ô “Management of Information and Communications

Technology Security” (MICTS = the “new” GMITS)

part 1: concepts and models for ICT security management (now IS) part 2: techniques for ICT security risk management (now 4thWD)

Ô “... to assist the implementation of information security ...”

-> how to do

-> security officer

Ô ... covers security elements and relationships, ICT policy,

organizational aspects, security management functions, risk management process

... contains techniques for ICT risk management which can be used to assess security requirements and risks, and help to initiate and follow-up appropriate safeguards

Ô concepts/models, and techniques without pre-scribing

BUT: no metric defined to check whether the techniques are “in place”

IS 13335

(15)

2004-11-18

Martina Rohde [See IS 13335-2]

Treat risks

Establish context

Analyse risks

Evaluate risks

Identify risks

Assess risks

Communicate

/

Document

&

report

Monitor &

review

(16)

Ô “Information security management systems - Specification with guidance for use”

(new NP in ISO/IEC, now FCD)

Ô ... based on the PDCA-model (by Deming)

-> management system -> senior management

Ô ...defines key elements such as general requirements, establishing an

maintaining ISMS, documentation requirements, management

commitment, resource management, general review requirements, review input, review output, internal audits, continual improvements, corrective and prevention action

... emphasises systematic approach to risk assessment

Ô mingles operative and management processes

BUT: no parameters/ indicators to “measure” effectiveness/ performance

(17)

Ô “IT Baseline Protection Manual” Ô ... focuses on ICT security

-> what AND how to do

-> security officer and administrator

Ô ... based on the risk assessment methodology and risk treatment

option of IS 13335

... comprises criteria to select safeguards based on typical technical components & methodology to evaluate security level

(based on a published assessment scheme)

... deals with security activities/ elements supported by in-depth

implementation guidance & gives background information on threats/ vulnerabilities listed in catalogues

Ô AND: defines metric to support assessment and to check whether

techniques are “in place”

(18)

Evaluate

risks Compare implementation against catalogues

Security (compliance) checking:

Evaluate non-conformities Document results

Analyse risks

Baseline protection modelling

Supplementary

security analysis

Analysis of protection requirements

Identify

risks Document technical topology (network plan)

IT Structure analysis:

Draw up inventory of assets (systems/applications) Reduce complexity (by grouping)

(19)

documentation

Logical clusters of technical components (=set of IT assets) Model & Check

Produce an audit report based on

a defined methodology and a published scheme

Complete level C

Entry level A

Advanced level B

certificate self-declaration

(20)

IS 17799

IS 13335

BS 7799-2

BSI IT-BPM

subject audience granularity certificate

Information

Security Securityofficer Medium No

Informations- & communications

technology security

Security

officer Medium No

Information

Security managementSenior Low Yes

Informations- & communications technology security Security officer & administrator High Yes

(21)

Ô

Peer-to-peer comparison makes no sense

-> classification scheme

Ô „Black box“ comparison

Ô -> characteristics: subject, audience, granularity, certificate Ô standard fits to users‘s problem

Ô „White box“ comparison

Ô -> characteristics: purpose, focus, statement

Ô application of standard supports user‘s intention

(22)

Ô die Gesamtheit aller Tätigkeiten und Zielsetzungen Ô zum Erreichen und Aufrechterhalten

Ô eines angemessenen Sicherheitszustands þ basierend auf einer entsprechenden

Aufbau- und Ablauforganisation

þ bezogen auf die Bedürfnisse einer Organisation

• unter Mitwirkung aller Mitglieder

• mittels bestimmter Mittel und Verfahren

• ausgerichtet auf Kunden-/ Mitarbeiterzufriendenheit, langfristigen Geschäftserfolg sowie

gesellschaftlichen Nutzen.

(23)

Security level/ Security plan Prozess:

Activities

& Sub-processes Business needs/

Security policy

People, Budget, ... Roles &

Responsibilities, Principles, ...

Parameters, Indicators, ... Strategies,

Policies, ...

(24)

Design

Operation

Integration/

Deployment

Security

plan

(25)

Metrics

Organization

Resources

Goals

Security

policy

(26)

Functionality

detect, protect,

react Select controls

What is to do to secure ? Detect events

React on incidents

Security

Policy

Engineer requirements

Business

needs

Security

plan

Implement controls

Security

level

(27)

Assurance

Asses risks

accept, avoid, REDUCE,

transfer

What was done to be ensured ?

Document results Report deviations

Security

plan

Security

level

Monitor controls

Security

Policy

Business

needs

Review requirements

(28)

Non-technical compliance ? Security

policy Business needs

fulfilled !

Security plan

Technical compliance ?

Security level realised ! Procedures

performed ! Conformance ?

(29)

Doing the right things ! Quality/

Effectiveness ?

Security Management

Process

Doing things right !

Performance/ Efficiency ? Security

Management System

(30)

IS 17799

IS 13335

BS 7799-2

BSI IT-BPM

purpose focus statement

Process/ System System/ Process System Process/ System

White box comparison - summary

Functionality Functionality/ Assurance Functionality/ Assurance Assurance Conformance Conformance Conformance/ Compliance Conformance

(31)

2. Standards 1. Basics

4. Fazit 3. Charakteristika

Sicherheitsmanagement

ISO/IEC nicht ISO/IEC

Darstellungsmerkmale Bewertungskriterien

(32)

Intro

Business needs/ Security policy

Process(es)

Security level/ Security plan Environment

(33)

Vielen Dank

für Ihre

Aufmerksamkeit !

Fragen ?

?

?

?

?

?

?

?

References

Download now ( PDF - 33 Page - 633.08 KB )

Related documents

State of South Carolina Policy Guidance and Training

Policy:  Asset Management Policies:  Data Protection & Privacy  Access Control Policies:  Information System Acquisition, Development, Maintenance 

ABM Parking Services. Parking, Elevated Readiness Guide: Comprehensive Solutions for Parking and Transportation Management

Working with the Navy Pier team, ABM implemented dynamic pricing to maximize revenue, automated the debit card process to save time, and introduced online parking reservations

0415706203

Growing out of the failure of the New World Information and Communications Order (UNESCO, 1980; Mosco, 1996; Singh, 2011), the cultural turn in development studies (as generally in

Steve Prahst, NASA Glenn Research Center

The last point is a key one for knowledge management. A modern corporate language for collaboration can significantly increase the richness of communication and the ability to share

Heterogeneous Beliefs and Imperfect Competition in Sequential Auction Markets

• When the competition is strong (the number of informed traders and/or the number of auctions is high), increasing the noise in the traders’ private information leads to higher

Population size structure, growth and reproduction of the European anchovy (Engraulis encrasicolus, L.) in the Lagoon of Lesina (south-western Adriatic Sea, Italy)

Population size structure, growth and reproduction of the European anchovy (Engraulis encrasicolus, L.) in the Lagoon of Lesina (south-western Adriatic Sea,

Challenges and emerging technical solutions in on-growing salmon farming

Sea water can also be used in a RAS land farm, and the produced fish could reach higher weights (e.g. However the economically optimal size for transfer is not known. By using

Predicting Revisit Intention of Commuters: A Case Study of Private Bus Company in Pakistan

Final questionnaire was adopted containing 32 item scales with the name, service quality, relational/ relationship switching cost, commuter satisfaction, and revisit intention..