

Monday, August 6, 2007

Two Standards, One Tough Choice

By Roy Wiseman
Director, Information Technology Services
Regional Municipality of Peel

Prominent on the agenda of the most recent meeting
of the National CIO Subcommittee for Information
Protection (NCSIP) was a discussion of various
standards for security assessment and certification.
The meeting was held in Charlottetown from June 18
through 20 and included representatives from the
Government of Canada, nine of the 10 provinces and
myself, representing municipalities. (What’s not to like
about Charlottetown in June? Even so, our host, Garth
Matthews of the Province of Prince Edward Island, went
out of his way to ensure that delegates were exceedingly
well looked after – including providing spectacular
weather for our lobster and steak cruise!)
Here are some highlights of our discussions.

ISO 17799: Code of Practice for Information
Security Management
Perhaps the best known, and least understood, standard
for information security management goes under the
unwieldy name of ISO 17799.
ISO 17799 was based on the earlier BS 7799 standard,
adopted in 1995 by the British Standards Institution (BSI).
The International Organization for Standardization (ISO)
adopted it as ISO/IEC 17799 in August of 2000. Since that time,
work has proceeded on a major review of the standard to
overcome the objections from many participating countries,
including Canada and the United States. While the Government
of Canada is participating in this review, it has yet to take a
position on whether the updated version will be
endorsed as a standard for the Government of Canada.

The revised edition, ISO/IEC 17799:2005, consists of a risk
assessment clause followed by 11 control clauses (numbered
1 to 12 below for convenience; the standard itself numbers
them 4 to 15):

* 1: Risk assessment and treatment - analysis of the organization's information security risks
* 2: Security policy - management direction
* 3: Organization of information security - governance of information security
* 4: Asset management - inventory and classification of information assets
* 5: Human resources security - security aspects for employees joining, moving and leaving an organization
* 6: Physical and environmental security - protection of the computer facilities
* 7: Communications and operations management - management of technical security controls in systems and networks
* 8: Access control - restriction of access rights to networks, systems, applications, functions and data
* 9: Information systems acquisition, development and maintenance - building security into applications
* 10: Information security incident management - anticipating and responding appropriately to information security breaches
* 11: Business continuity management - protecting, maintaining and recovering business-critical processes and systems
* 12: Compliance - ensuring conformance with information security policies, standards, laws and regulations

ISO 17799 has been criticized for being “a mile wide
and an inch deep.” As noted by Lawrence Walsh in
Information Security magazine (March 2002): “It outlines
security measures an organization should have, but
doesn’t specify how to implement them. . . . For instance,
the standard recommends the use of adequate access
control procedures and defines many of the different
technologies for access control – tokens, certificates and
smart cards. However, it doesn’t discuss the pros and cons
of these technologies in different operational contexts.”
In this regard, ISO 17799 is attempting to be technology
neutral and to avoid becoming quickly outdated by
rapidly changing technology. At the same time, it means
that ISO 17799 is most useful as a checklist identifying
areas to be addressed, rather than as substantial
guidance on how to address each area.
Notwithstanding this, a substantial industry is emerging,
primarily in Europe, around consulting and certification
services built on ISO 17799. Strictly speaking, an organization
is not certified against ISO 17799 itself, which is a code of
practice, but against the companion management-system
specification, BS 7799-2 (published by ISO as ISO/IEC 27001
in 2005), which requires the ISO 17799 controls to be selected
on the basis of a risk assessment. Software tools to support
ISO 17799 self-assessment, as well as ISO 17799-compliant
policies, are widely available from a number of Internet
sites (for a price).

NIST SP 800-37: Guide for the Security Certification and
Accreditation of Federal Information Systems (US)
The other major standard for information security has
been developed by the National Institute of Standards
and Technology (NIST) in the United States as guidance
for federal government agencies (and, on a voluntary
basis, for other organizations).
Unlike the ISO 17799 standard, which must be purchased,
NIST publications are freely available on the NIST Computer
Security Resource Center (CSRC) Web site. In addition
to NIST Special Publication 800-37, referenced above,
these include:
• FIPS (Federal Information Processing Standards)
Publication 199, Standards for Security Categorization of
Federal Information and Information Systems
• NIST Special Publication 800-26, Security
Self-Assessment Guide for Information Systems
• NIST Special Publication 800-53, Security Controls
for Federal Information Systems
• NIST Special Publication 800-53A, Techniques and
Procedures for Verifying the Effectiveness of Security
Controls in Federal Information Systems
• NIST Special Publication 800-60, Guide for Mapping
Types of Information and Information Systems to
Security Objectives and Risk Levels.
The first of these publications, FIPS 199, provides a
framework for assigning a security category to a particular
information system based on the potential impact of a
breach. In the document, risk is identified as a
combination of:
• Likelihood that particular vulnerabilities will be either
intentionally or accidentally exploited, resulting in
loss of confidentiality, integrity or availability, and
• Impact or magnitude of harm that the loss of confidentiality,
integrity or availability would have on
agency operations (including mission, functions,
image or reputation), agency assets or individuals
(including privacy).
Interestingly enough, FIPS 199 virtually discounts differences
in likelihood of an event occurring, arguing that
“in today’s interconnected and interdependent information
systems environment . . . there is a high likelihood of a
variety of threats . . . Accordingly, the levels of risk focus
on what is known about the potential impact or harm
that could arise.”
Guidelines are then provided for rating the potential impact
as low, moderate or high against each of three security
objectives:
• Confidentiality – guarding against unauthorized
disclosure of information
• Integrity – guarding against improper information
modification or destruction
• Availability – ensuring timely and reliable access to
and use of the information.
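The categorization step has a few rules that are easy to get wrong in practice: a system inherits, per objective, the highest impact of any information type it handles; “not applicable” may be assigned only to the confidentiality of an information type (public data), never to a system, whose floor is low; and FIPS 200 later collapses the three values to a single overall level by taking the high-water mark. The following Python is an added example written for this page, not code from the article or from NIST; the municipal tax system and its impact levels are constructed for illustration and are not taken from SP 800-60.

```python
# Added example (not from the article): FIPS 199 security categorization of an
# information system from the information types it handles, plus the FIPS 200
# "high-water mark" that yields the single overall impact level.
# The information types and impact levels below are constructed for illustration.
from typing import Dict, Mapping, Optional

OBJECTIVES = ("confidentiality", "integrity", "availability")
# Ordering used for the comparisons; FIPS 199 defines only these three values,
# plus "not applicable" for the confidentiality of an information type.
RANK = {"low": 1, "moderate": 2, "high": 3}

# An information type maps each objective to "low"/"moderate"/"high", or None
# for "not applicable" (permitted only for confidentiality, e.g. public data).
InfoType = Mapping[str, Optional[str]]


def validate_information_type(name: str, t: InfoType) -> None:
    """Reject categorizations that FIPS 199 does not allow."""
    for obj in OBJECTIVES:
        if obj not in t:
            raise ValueError(f"{name}: missing objective {obj}")
        level = t[obj]
        if level is None:
            if obj != "confidentiality":
                raise ValueError(
                    f"{name}: 'not applicable' is only allowed for confidentiality")
        elif level not in RANK:
            raise ValueError(f"{name}: unknown impact level {level!r} for {obj}")


def categorize_system(types: Mapping[str, InfoType]) -> Dict[str, str]:
    """FIPS 199 section 3: per objective, the system takes the highest impact
    assigned to any information type it stores, processes or transmits.
    A system never gets 'not applicable': the floor is 'low', because the
    system's own processing functions and data must still be protected."""
    if not types:
        raise ValueError("a system must handle at least one information type")
    category: Dict[str, str] = {}
    for obj in OBJECTIVES:
        highest = "low"
        for name, t in types.items():
            validate_information_type(name, t)
            level = t[obj]
            if level is not None and RANK[level] > RANK[highest]:
                highest = level
        category[obj] = highest
    return category


def high_water_mark(category: Mapping[str, str]) -> str:
    """FIPS 200 section 3: the overall impact level is the highest of the three."""
    return max((category[o] for o in OBJECTIVES), key=RANK.__getitem__)


def format_category(system: str, category: Mapping[str, str]) -> str:
    """FIPS 199 notation: SC name = {(confidentiality, X), (integrity, Y), (availability, Z)}"""
    pairs = ", ".join(f"({o}, {category[o].upper()})" for o in OBJECTIVES)
    return f"SC {system} = {{{pairs}}}"


# Constructed example: a municipal property-tax system and the information
# types it handles. Impact levels are illustrative, not from SP 800-60.
TAX_SYSTEM_TYPES = {
    "public notices":     {"confidentiality": None,       "integrity": "low",      "availability": "low"},
    "taxpayer records":   {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "payment processing": {"confidentiality": "moderate", "integrity": "high",     "availability": "moderate"},
}

if __name__ == "__main__":
    sc = categorize_system(TAX_SYSTEM_TYPES)
    print(format_category("property tax system", sc))
    print("overall impact level (high-water mark):", high_water_mark(sc).upper())
```

Run as-is, the constructed system comes out as moderate confidentiality, high integrity and moderate availability, so the high-water mark makes it a high-impact system for control selection, driven entirely by the integrity of the payment information; the point a practitioner should take from this is that one information type with a single high value sets the baseline for the whole system, which is the usual argument for splitting such data into its own system boundary.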
Another interesting document is the Self-Assessment
Guide, NIST SP 800-26, which provides in questionnaire format
a set of control objectives for each of 17 control areas,
organized under three classes as follows:
• Management Controls
  • Risk Management
  • Review of Security Controls
  • Life Cycle
  • Certification and Accreditation
  • System Security Plan
• Operational Controls
  • Personnel Security
  • Physical Security
  • Production, Input/Output Controls
  • Contingency Planning
  • Hardware and System Software Maintenance
  • Data Integrity
  • Documentation
  • Security Awareness, Training and Education
  • Incident Response Capability
• Technical Controls
  • Identification and Authentication
  • Logical Access Controls
  • Audit Trails.

Readers will note the similarity, in some areas,
between the organization of this document and ISO
17799. Equally apparent is that there are differences.

Supporting this document and the associated questionnaire
is an “Automated Security Self-Evaluation Tool”
(ASSET), which is again freely downloadable.

Whither Canada?
Since it appears likely that ISO 17799 will continue to
gain momentum in Europe while the United States will
focus on the work being done by NIST, Canada is left
somewhat in the middle. While the NIST guidelines are
mandatory only for US federal agencies, they will probably
have an impact well beyond that, making it less likely that
ISO 17799 will be widely adopted in the US.

It is not clear whether Canada, the provinces or
municipalities need to specifically adopt any standard.
At this point, it is worth reviewing both ISO 17799 and
the NIST publications, taking the best of each – as the
Government of Canada and many provinces have
already been doing in developing their own self-assessment

But if we are to develop a common security assessment
framework for use by a broad set of agencies
(such as governments at all levels), then we may have
to put a stake in the ground, adopting one standard or
the other (or a home-grown combination of the two).
NCSIP and the Public Sector CIO Council will continue
to wrestle with this issue.
