
Fundamentals of Information Systems Security Chapter 12 Information Security Standards


Presentation Transcript


  1. Fundamentals of Information Systems Security Chapter 12 Information Security Standards

  2. Learning Objective • Apply international and domestic information security standards to real-world applications in both the public and private sectors.

  3. Key Concepts • International information security standards and their impact on IT infrastructures • ISO 17799 • ISO/IEC 27002 • Payment Card Industry Data Security Standard (PCI DSS) requirements

  4. DISCOVER: CONCEPTS

  5. National Institute of Standards and Technology (NIST) • Federal agency within the U.S. Department of Commerce • Maintains a list of standards and publications for computer security • Its computer security publications form the 800 series, published under the name NIST SP (Special Publication)

  6. International Organization for Standardization (ISO) • Publishes many standards, such as: • International Standard Book Number (ISBN) • Open Systems Interconnection (OSI) reference model

  7. International Electrotechnical Commission (IEC) • Standards organization that often works with ISO • Standards address: • Power generation • Power transmission and distribution • Commercial and consumer electrical appliances • Semiconductors • Electromagnetics • Batteries • Solar energy • Telecommunications

  8. World Wide Web Consortium (W3C) • The main international standards organization for the World Wide Web • Standards it has developed or endorsed include the following: • Cascading Style Sheets (CSS) • Common Gateway Interface (CGI) • Hypertext Markup Language (HTML) • Simple Object Access Protocol (SOAP) • Web Services Description Language (WSDL) • Extensible Markup Language (XML)

  9. Internet Engineering Task Force (IETF) • Develops and promotes Internet standards • Produces Requests for Comments (RFCs) • Internet Architecture Board (IAB) is a subcommittee of the IETF

  10. IEEE • An international nonprofit organization • Focuses on developing and distributing standards that relate to electricity and electronics

  11. IEEE Working Groups

  12. Other Standards Organizations • International Telecommunication Union Telecommunication Sector (ITU-T) • American National Standards Institute (ANSI)

  13. ISO 17799 • An international security standard • Documents a comprehensive set of controls that represent best practices in information systems • Consists of two parts: • ISO 17799 code of practice • BS 17799-2 specification for an information security management system

  14. ISO 17799 Sections

  15. ISO 17799 Sections (Cont.)

  16. ISO/IEC 27002 • Provides organizations with best-practice recommendations on information security management • Appeared in 2005 as an update to the ISO 17799 standard

  17. ISO/IEC 27002 Sections

  18. ISO/IEC 27002 Sections (Cont.)

  19. DISCOVER: PROCESS

  20. Payment Card Industry Data Security Standard (PCI DSS) • An international set of standards for handling payment card transactions • Helps organizations that process card payments to prevent fraud by having increased control over data and its exposure • Requires a security assessment by a Qualified Security Assessor (QSA) to check compliance

  21. PCI DSS Security Assessment Steps • Principle #1: Build and maintain a secure network. • Requirement 1: Install and maintain a firewall configuration to protect cardholder data. • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

  22. PCI DSS Security Assessment Steps (Continued) • Principle #2: Protect cardholder data. • Requirement 3: Protect stored cardholder data. • Requirement 4: Encrypt transmission of cardholder data across open, public networks.

  23. PCI DSS Security Assessment Steps (Continued) • Principle #3: Maintain a vulnerability management program. • Requirement 5: Use and regularly update antivirus software or programs. • Requirement 6: Develop and maintain secure systems and applications.

  24. PCI DSS Security Assessment Steps (Continued) • Principle #4: Implement strong access control measures. • Requirement 7: Restrict access to cardholder data by business need to know. • Requirement 8: Assign a unique ID to each person with computer access. • Requirement 9: Restrict physical access to cardholder data.

  25. PCI DSS Security Assessment Steps (Continued) • Principle #5: Regularly monitor and test networks. • Requirement 10: Track and monitor all access to network resources and cardholder data. • Requirement 11: Regularly test security systems and processes.

  26. PCI DSS Security Assessment Steps (Continued) • Principle #6: Maintain an information security policy. • Requirement 12: Maintain a policy that addresses information security for employees and contractors.

  27. DISCOVER: ROLES

  28. PCI DSS Security Assessment Roles

  29. DISCOVER: RATIONALE

  30. Impact of Standards on Business • Standards ensure that products and services are consistent • Standards enable different products from different organizations to work well together

  31. Summary • International information security standards and their impact on IT infrastructures • ISO 17799 • ISO/IEC 27002 • Payment Card Industry Data Security Standard (PCI DSS) requirements
