Archive for the General Category

ISO/IEC 27001:2005

Posted April 5, 2009 at 5:19 pm in General | No Comments

ISO/IEC 27001:2005 is an information security management system (ISMS) standard.  It is intended to be “used in conjunction with ISO/IEC 27002, the Code of Practice for Information Security Management, which lists security control objectives and recommends a range of specific security controls.”[1]

It was developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) Joint Technical Committee 1 (JTC 1), Subcommittee 27 (SC 27). ISO/IEC 27001 was officially published October 15, 2005, hence the 2005 in the name of the standard. The standard was designed to “ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.” [2]

The standard covers a wide range of organizational types, including commercial, government, non-profit, and educational organizations. This broad scope means you’ll most likely encounter it in your work. As a CIO/CISO you’re more than likely following the standard to the best of your organization’s ability, either for certification purposes or simply as a security framework. Organizations certify against ISO 27001 for a variety of reasons, but most commercial organizations use it as a selling point to customers. By using the standard as a selling point they hope to increase revenue, which, on the other hand, could make them a target for someone with malicious intent. If you’re performing vulnerability assessments on an organization that follows the ISO 27001 standard, it wouldn’t hurt to glance over the standard to understand the underlying security infrastructure.


Sarbanes-Oxley Act of 2002

Posted January 15, 2009 at 6:21 pm in General | No Comments

The Sarbanes-Oxley Act of 2002, or the Public Company Accounting Reform and Investor Protection Act of 2002, isn’t a security compliance standard or regulation. It is a United States law that introduced major changes to the regulation of financial practice and corporate governance. The law emphasizes corporate accountability and was in part a response to the corporate scandals of Enron, Tyco International, Adelphia, WorldCom, etc., in which shareholders lost billions of dollars when the share prices of these companies collapsed.

The Sarbanes-Oxley Act of 2002, more commonly known as SOX, was named after Senator Paul Sarbanes (D-MD) and Representative Michael G. Oxley (R-OH), who supported the bill.

Trusted Computer System Evaluation Criteria

Posted September 1, 2008 at 8:51 pm in General | No Comments

The Trusted Computer System Evaluation Criteria, known as the Orange Book and part of the DoD’s Rainbow Series, was used to evaluate, classify and select computer systems being considered for the processing, storage and retrieval of sensitive or classified information. It has been superseded by the Common Criteria.

It outlines the following objectives:

  • Policy
  • Accountability
  • Assurance
  • Documentation

Policy defines the Mandatory Security Policy and the Discretionary Security Policy. Accountability defines identification, authentication, and auditing. Assurance defines Operational, Life-Cycle, and Continuous Protection Assurance. Documentation defines the Security Features User’s Guide, the Trusted Facility Manual, Test Documentation and Design Documentation.

The Orange Book defines four divisions of security, A, B, C, and D, with A providing the highest level of security. Each division may contain sub-divisions (classes), such as B1, B2, and B3.

  • A – Verified Protection
    1. A1 – Verified Design
  • B – Mandatory Protection
    1. B1 – Labeled Security Protection
    2. B2 – Structured Protection
    3. B3 – Security Domains
  • C – Discretionary Protection
    1. C1 – Discretionary Security Protection
    2. C2 – Controlled Access Protection
  • D – Minimal Protection