[精选]国际信息安全技术标准发展(英文版)13284.pptx

《[精选]国际信息安全技术标准发展(英文版)13284.pptx》由会员分享，可在线阅读，更多相关《[精选]国际信息安全技术标准发展(英文版)13284.pptx（20页珍藏版）》请在淘文阁 - 分享文档赚钱的网站上搜索。

1、国际信息安全技术标准发展国际信息安全技术标准发展 ISO/IEC JTC 1/SC 27/WG 4江明灶江明灶 Meng-Chow Kang,CISSP,CISAMeng-Chow Kang,CISSP,CISAConvener,Security Controls&Services Working Group(WG 4),Convener,Security Controls&Services Working Group(WG 4),ISO/IEC JTC 1 SC 27(Security Techniques)ISO/IEC JTC 1 SC 27(Security Techniques)Ch

2、ief Security AdvisorChief Security AdvisorMicrosoft Great China RegionMicrosoft Great China RegionWG1 ISMS StandardsChair Ted HumphreysVice-Chair Angelika PlateWG4 Security Controls&ServicesChair Meng-Chow KangWG2Security TechniquesChair Prof.K NaemuraWG3Security EvaluationChair Mats OhlinWG5Privacy

3、 Technology,ID management and BiometricsChair Kai RannenbergISO/IEC JTC 1 SC 27ISO/IEC JTC 1 SC 27Chair Walter FumyChair Walter FumyVice Chair Marijike de SoeteVice Chair Marijike de SoeteSecretary Krystyna PassiaSecretary Krystyna Passia2700027000Fundamental&Fundamental&VocabularyVocabulary27004270

4、04ISMS ISMS MeasurementMeasurement2700527005ISMS Risk ISMS Risk ManagementManagement2700627006Accreditation Accreditation RequirementsRequirements2700127001ISMS RequirementsISMS Requirements2700327003ISMS ISMS Implementation Implementation GuidanceGuidanceInformation Security Management Systems(ISMS

5、)2700227002Code of PracticeCode of PracticeISMSFamilyRisk manage;Prevent occurrence;Risk manage;Prevent occurrence;Risk manage;Prevent occurrence;Reduce impact of occurrenceReduce impact of occurrenceReduce impact of occurrencePrepare to respond;eliminate or Prepare to respond;eliminate or Prepare t

6、o respond;eliminate or reduce impactreduce impactreduce impactSC27 WG4 Roadmap FrameworkInvestigate to establish facts Investigate to establish facts Investigate to establish facts about breaches;identify who about breaches;identify who about breaches;identify who done it and what went wrongdone it

7、and what went wrongdone it and what went wrongUnknown and emerging security issuesKnown security issuesSecurity breaches and compromisesNetwork Security(27033)Network Security(27033)Network Security(27033)TTP Services SecurityTTP Services SecurityTTP Services SecurityICT Readiness for Business ICT R

8、eadiness for Business ICT Readiness for Business Continuity(27031)Continuity(27031)Continuity(27031)SC27 WG4 RoadmapApplication Security(27034)Application Security(27034)Application Security(27034)Forensic InvestigationForensic InvestigationForensic InvestigationCybersecurity(27032)Cybersecurity(270

9、32)Cybersecurity(27032)Includes ISO/IEC 24762,Vulnerability Mgmt,IDS,&Incident Response related standardsAnti-Spyware,Anti-SPAM,Anti-Phishing,Cybersecurity-event coordination&information sharingISO 18028 revision;WD for new Part 1,2&3;New Study Period on Home Network Security1st WD available for com

10、mentsFuture NPNew Study Period proposed;Includes outsourcing and off-shoring securityGaps between Readiness&ResponseIT Security,BCP,and DRP Planning&ExecutionIT Security,BCP,and DRP Planning&ExecutionProtectDetectReact/ResponseIT Security PlanningActivateBCPActivate DCRPPlanPrepare&TestPlanPrepare&T

11、estBusiness Continuity PlanningDisaster Contingency&Recovery PlanningDisasterEventsIT SystemsFailuresICT Readiness for Business Continuity What is ICT Readiness?What is ICT Readiness?Prepare organization ICT technology(infrastructure,operation,Prepare organization ICT technology(infrastructure,opera

12、tion,applications),process,and people against unforeseeable focusing applications),process,and people against unforeseeable focusing events that could change the risk environmentevents that could change the risk environment Leverage and streamline resources among traditional business Leverage and st

13、reamline resources among traditional business continuity,disaster recovery,emergency response,and IT security continuity,disaster recovery,emergency response,and IT security incident response and managementincident response and management Why ICT Readiness focus on Business Continuity?Why ICT Readin

14、ess focus on Business Continuity?ICT systems are prevalent in organizationsICT systems are prevalent in organizations ICT systems are necessary to support incident,business continuity,ICT systems are necessary to support incident,business continuity,disaster,and emergency response and management nee

15、dsdisaster,and emergency response and management needs Business continuity is incomplete without considering ICT systems Business continuity is incomplete without considering ICT systems readinessreadiness Responding to security incident,disasters,and emergency situations Responding to security inci

16、dent,disasters,and emergency situations are about business continuityare about business continuityImplications of ICT ReadinessOperational StatusTimeIncidentCurrent IHM,BCM and DRP focus on shortening period of disruption and reducing the impact of an incident by risk mitigation and recovery plannin

17、g.T=0T=iT=kT=lT=j100%x%y%z%Early detection and response capabilities to prevent sudden and drastic failure,enable gradual deterioration of operational status and further shorten recovery time.Before implementation of IHM,BCM,and/or DRPAfter implementation of IHM,BCM,and/or DRPAfter implementation of

18、 ICT Readiness for BCICT Readiness for Business Continuity Re-proposed as single-part standard(Nov 07)Re-proposed as single-part standard(Nov 07)Structure(DRAFT,Document SC27N6274)Structure(DRAFT,Document SC27N6274)IntroductionIntroduction ScopeScope Normative ReferencesNormative References Terms an

19、d DefinitionsTerms and Definitions Overview(of ICT Readiness for Business Continuity)Overview(of ICT Readiness for Business Continuity)ApproachApproach Based on PDCA cyclical modelBased on PDCA cyclical model Extend BCP approachExtend BCP approach (using RA,and BIA)(using RA,and BIA)Introduce Failur

20、e Scenario Assessment(withIntroduce Failure Scenario Assessment(with FM FMEA)EA)Focus on Triggering EventsFocus on Triggering Events Management of IRBC ProgramManagement of IRBC ProgramP2P File SharingP2P File SharingP2P File SharingInstant Instant Instant MessagingMessagingMessagingBloggingBlogging

21、BloggingWeb 2.0 Cybersecurity IssuesSplogs,SPAM,Splogs,SPAM,Search Engine Search Engine PoisoningPoisoningSpywareSpywareTrojansTrojansVirus/WormsVirus/WormsSPAMSPAMExploit URLsExploit URLsPhishingPhishingTrojansTrojansVoIP/VideoVoIP/VideoVoIP/VideoPrivacy&Privacy&Information Information BreachBreach

22、Global Threat LandscapePrevalence of Malicious Software by CategoryWhat is Cybersecurity Definition of Cybersecurity overlaps Definition of Cybersecurity overlaps Internet/network securityInternet/network security Nature Cybersecurity issuesNature Cybersecurity issues Occurs on the Internet(Cyberspa

23、ce)Occurs on the Internet(Cyberspace)Global nature,multiple countries,different policy and Global nature,multiple countries,different policy and regulations,different focusregulations,different focus Multiple entities,simple client system to complex Multiple entities,simple client system to complex

24、infrastructureinfrastructure Weakest link and lowest common denominator prevailWeakest link and lowest common denominator prevail Highly creative landscape always changingHighly creative landscape always changingCybersecurity Cybersecurity concerns the protection of assets Cybersecurity concerns the

25、 protection of assets belonging to both organizations and users in the belonging to both organizations and users in the cyber environment.cyber environment.The cyber environment in this context is defined as The cyber environment in this context is defined as the public on-line environment(generally

26、 the the public on-line environment(generally the Internet)as distinct from“enterprise cyberspace”Internet)as distinct from“enterprise cyberspace”(closed internal networks specific to individual(closed internal networks specific to individual organizations or groups of organizations).organizations o

27、r groups of organizations).Guidelines for Cybersecurity“Best practice”guidance in achieving and maintaining security in the cyber“Best practice”guidance in achieving and maintaining security in the cyber environment for audiences as defined below.environment for audiences as defined below.Address th

28、e requirement for a high level of co-operation,information-sharing and Address the requirement for a high level of co-operation,information-sharing and joint action in tackling the technical issues involved in cybersecurity.This needs to be joint action in tackling the technical issues involved in c

29、ybersecurity.This needs to be achieved both between individuals and organizations at a national level and achieved both between individuals and organizations at a national level and internationally.internationally.The primary audiences for the standard are:The primary audiences for the standard are:

30、Cyberspace service providers such as Internet Service Providers(ISPs),web service Cyberspace service providers such as Internet Service Providers(ISPs),web service providers,outsourcing and data back-up service providers,on-line payment bureaux,on-providers,outsourcing and data back-up service provi

31、ders,on-line payment bureaux,on-line commerce operators,entertainment service providers and others.line commerce operators,entertainment service providers and others.Enterprises including not only commercial organizations but also non-profit bodies and Enterprises including not only commercial organ

32、izations but also non-profit bodies and other organizations in fields such as healthcare and education.other organizations in fields such as healthcare and education.Governments.Governments.End users,while highly important,are not seen as a key target audience as they are End users,while highly impo

33、rtant,are not seen as a key target audience as they are not in general direct users of international standards.not in general direct users of international standards.The standard will not offer technical solutions to individual cybersecurity issues,The standard will not offer technical solutions to

34、individual cybersecurity issues,which are already being developed by other bodies as described below.which are already being developed by other bodies as described below.Network Security Revision of ISO/IEC 18028Revision of ISO/IEC 18028 Re-focus,re-scoping,and new partsRe-focus,re-scoping,and new p

35、arts Part 1 Guidelines(Overview,Concepts,Principles)Part 1 Guidelines(Overview,Concepts,Principles)Part 2 Guidelines for Design and ImplementationPart 2 Guidelines for Design and Implementation Part 3 Reference Networking Scenarios:Risks,Design,Part 3 Reference Networking Scenarios:Risks,Design,Tech

36、niques,and Control IssuesTechniques,and Control Issues Part 4 Security communications between networks Part 4 Security communications between networks using security gatewaysusing security gateways Part 5 Securing remote accessPart 5 Securing remote access Part 6 Security communications between netw

37、orks Part 6 Security communications between networks using Virtual private networkusing Virtual private network Part 7 to-be-named“technology”topicPart 7 to-be-named“technology”topicSoftware Vulnerability Disclosures OS versus application vulnerabilitiesOS versus application vulnerabilities Applicat

38、ion vulnerabilities continued to grow relative to Application vulnerabilities continued to grow relative to operating system vulnerabilities as a percentage of all operating system vulnerabilities as a percentage of all disclosures during 2006disclosures during 2006 Supports the observation that sec

39、urity vulnerability Supports the observation that security vulnerability researchers may be focusing more on applications than in researchers may be focusing more on applications than in the pastthe pastGuidelines for Application Security Reduce security problems at the application layersReduce secu

40、rity problems at the application layers Eliminate common weaknesses at code and process levelsEliminate common weaknesses at code and process levels Strengthen security of code base improve application security Strengthen security of code base improve application security and reliabilityand reliabil

41、ity Multi-parts standards,includingMulti-parts standards,including Code Security CertificationCode Security Certification Process Security CertificationProcess Security Certification Code SecurityCode Security Testing and certification per major release of applicationTesting and certification per ma

42、jor release of application Process SecurityProcess Security Security Development LifecycleSecurity Development Lifecycle Assure security of code from design to operation,including minor releases,Assure security of code from design to operation,including minor releases,patch development&releasepatch

43、development&release Focus on Web-based applications(major problem areas)Focus on Web-based applications(major problem areas)Guidelines for Application Security Specify an application security life cycle,incorporating the security activities and Specify an application security life cycle,incorporatin

44、g the security activities and controls for use as part of an application life cycle,covering applications developed controls for use as part of an application life cycle,covering applications developed through internal development,external acquisition,outsourcing/offshoring1,or a through internal de

45、velopment,external acquisition,outsourcing/offshoring1,or a hybrid of these approaches.hybrid of these approaches.Provide guidance to business and IT managers,developers,auditors,and end-users Provide guidance to business and IT managers,developers,auditors,and end-users to ensure that the desired l

46、evel of security is attained in business applications in line to ensure that the desired level of security is attained in business applications in line with the requirements of the organizations Information Security Management with the requirements of the organizations Information Security Managemen

47、t Systems(ISMS).Systems(ISMS).Application security addresses all aspects of security required to determine the Application security addresses all aspects of security required to determine the information security requirements,and ensure adequate protection of information information security require

48、ments,and ensure adequate protection of information accessed by an application as well as to prevent unauthorized use of the application accessed by an application as well as to prevent unauthorized use of the application and unauthorized actions of an application.and unauthorized actions of an appl

49、ication.Informational security concerns in business applications are to be addressed in all Informational security concerns in business applications are to be addressed in all phases of the application life cycle,as guided by the organizations risk management phases of the application life cycle,as

50、guided by the organizations risk management principles and the ISMS adopted.principles and the ISMS adopted.Guidelines for Application Security Structure(DRAFT)Structure(DRAFT)Part 1 Overview,definition,concepts,and principlesPart 1 Overview,definition,concepts,and principles Part 2 Secure Applicati