INTRODUCTION TO INTERNATIONAL STANDARDIZATION
by Kris Kimmerle
Posted on 22-Nov-2014
ABOUT THE AUTHOR
INTERNATIONAL STANDARDIZATION 2
Hi.
My name is Kris Kimmerle.
I have 9 years of comprehensive and international experience in the following domains.
I have / I am training for:
Certifications
Disaster Recovery Planning
Risk Management
Vulnerability Management
Threat Profiling
Compliance Management
Auditor
Information Security Instructor
Business Continuity Planning
Network Operations
Asset Management
Third Party Risk Management
Information Security Instructor
Business Operations Management
Security Operations Management
Physical Security Management
Project Management
Security Intelligence Technician
Agile Project Management
SharePoint Administrator
Enterprise Application Development
Enterprise Architecture
Enterprise Security Architecture
Security Analyst
Cloud Computing
Chain of Custody
Change Management
IdM Solutions
Repudiation
Automation
Security Awareness
Access Control
MySQL
Duty Segregation
Defense-in-Depth
Supply Chain Processes
Enterprise Risk Management
ISO 27000 Family of Standards
Simplicity in Complex Security
Flexibility in Security
Interoperability
Let’s get started.
PURPOSE
✔ Basic understanding of standardization terms and definitions
✔ Basic understanding of the international standardization organizations
✔ Basic understanding of the international standardization development process
✔ Basic understanding of key stakeholders in technological standardization
✔ Basic understanding of the international certification and accreditation process
TERMINOLOGY
International Standard
Standards developed by international standards organizations. International
standards are available for consideration and use worldwide. One prominent
organization is the International Organization for Standardization.
Standards Organization
Standards organization, standards body, standards developing organization
(SDO), or standards setting organization (SSO) is any organization whose primary activities are developing, coordinating,
promulgating, revising, amending, reissuing, interpreting, or otherwise
producing technical standards that are intended to address the needs of some
relatively wide base of affected adopters.
Standardization
The process of developing and implementing technical standards.
Standardization can help to maximize compatibility, interoperability, safety, repeatability, or quality. It can also
facilitate commoditization of formerly custom processes.
Accreditation
The formal declaration by a neutral third party that a certification program is administered in a way that meets the relevant norms or standards for such programs.
Certification & Accreditation
A two-step process that ensures security of information systems. Certification is the process of evaluating, testing, and examining security controls that have
been pre-determined based on the data type in an information system.
Certification
The comprehensive evaluation of a process, system, product, event, or skill
typically measured against some existing norm or standard. Industry and/or trade associations will often create certification programs to test and evaluate the skills of those performing services within the
interest area of that association.
Protection Profile (PP)
Common Criteria defines this as the implementation-independent statement of security needs for a TOE type.
Target of Evaluation (TOE)
Common Criteria defines this as a set of software, firmware and/or hardware, possibly accompanied by guidance.
Evaluation Assurance Level (EAL)
Common Criteria defines this as the numerical rating which describes the
depth and rigor of an evaluation. Each EAL corresponds to a package of
security assurance requirements (SARs) which covers the complete development
of a product, with a given level of strictness. Common Criteria lists seven levels, with EAL 1 being the most basic and EAL 7 being the most stringent.
Security Assurance Requirements (SARs)
Common Criteria defines this as the descriptions of the measures taken
during development and evaluation of the product to assure compliance with
the claimed security functionality.
Security Functional Requirements (SFRs)
Common Criteria defines this as the specific individual security functions
which may be provided by a product. The Common Criteria presents a
standard catalogue of such functions.
Security Target (ST)
Common Criteria defines this as the implementation-dependent statement of security needs for a specific identified TOE.
OVERVIEW
What is the IEC organization?
The International Electrotechnical Commission (IEC) is the leading global organization that publishes consensus-based International Standards and manages conformity assessment systems for electric and electronic products, systems and services, collectively known as electrotechnology. IEC is a non-profit and non-governmental body.
What is the ISO organization?
The International Organization for Standardization (ISO) is the world's largest developer of voluntary International Standards. International Standards give state-of-the-art specifications for products, services and good practice, helping to make industry more efficient and effective. Developed through global consensus, they help to break down barriers to international trade. ISO is a non-profit and non-governmental body.
What is the Common Criteria organization?
Common Criteria (CC) aims to: eliminate redundant evaluation activities; reduce/eliminate activities that contribute little to the final assurance of a product; clarify CC terminology to reduce misunderstanding; restructure and refocus the evaluation activities to those areas where security assurance is gained; and add new CC requirements if needed.
The CC permits comparability between the results of independent security evaluations. The CC does so by providing a common set of requirements for the security functionality of IT products and for assurance measures applied to these IT products during a security evaluation. These IT products may be implemented in hardware, firmware or software.
The evaluation process establishes a level of confidence that the security functionality of these IT products and the assurance measures applied to these IT products meet these requirements. The evaluation results may help consumers to determine whether these IT products fulfil their security needs.
ISO & IEC
PARTNERSHIP
ISO and IEC began their partnership in the field of information technology back in 1976 following the boom of information technology. The two organizations signed an agreement aimed at enabling the two parties to collaborate. Ten years later ISO and IEC made a commitment to this partnership by creating the ISO/IEC JTC 1 (ISO/IEC Joint Technical Committee 1), with the focus of covering the vast and expanding field of information technology.
UNITED STATES
The American National Standards Institute (ANSI) is the foremost national standardization organization in the United States and represents the USA in both ISO and IEC. ANSI is regarded as one of the largest players in ISO and IEC and directly administers ISO/IEC joint committees and subgroups. Unlike the BSI, ANSI has been responsible for ISO/IEC standards that relate to areas outside of information technology and security.
UNITED KINGDOM
The British Standards Institution (BSI) is the foremost national standardization organization for the United Kingdom and represents the UK in both ISO and IEC. The BSI Group is well known within the information security field due to its contributions through British Standard (BS) 7799. This British standard eventually became what we know today as ISO/IEC 27001 & 27002.
ISO/IEC STANDARDS DEVELOPMENT
ISO/IEC standards are developed by groups of experts, within technical committees (TCs). TCs are made up of representatives of industry, NGOs, governments and other stakeholders, who are put forward by ISO/IEC members. Each TC deals with a different subject, for example there are TCs focusing on screw threads, shipping technology, food products and many, many more.
PRINCIPLES OF DEVELOPMENT
1. Respond to a need in the market
ISO does not decide when to develop a new standard. Instead, ISO responds to a request from industry or other stakeholders such as consumer groups. Typically, an industry sector or group communicates the need for a standard to its national member, who then contacts ISO. Contact details for national members can be found in the list of members.
2. Based on global expert opinion
ISO standards are developed by groups of experts from all over the world that are part of larger groups called technical committees. These experts negotiate all aspects of the standard, including its scope, key definitions and content. Details can be found in the list of technical committees.
3. Developed on a multi-stakeholder process
4. Standards are based on a consensus
Developing ISO standards is a consensus-based approach, and comments from stakeholders are taken into account.
STAGES OF DEVELOPMENT
1. Proposal
2. Preparatory
3. Committee
4. Enquiry
5. Approval
6. Publication
Review
Fast Track
FAST TRACK
If a document with a certain degree of maturity is available at the start of a standardization project, for example a standard developed by another organization, it is
possible to omit certain stages.
1. PROPOSAL
The first step in the development of an International Standard is to confirm that a particular International Standard is needed.
2. PREPARATORY
Usually, a working group of experts, the chairman (convener) of which is the project leader, is set up by the TC/SC for the preparation of a working draft.
3. COMMITTEE
As soon as a first committee draft is available, it is registered by the ISO Central Secretariat. It is distributed for comment and, if required, voting, by the P-members of the
TC/SC.
4. ENQUIRY
The draft International Standard (DIS) is circulated to all ISO member bodies by the ISO Central Secretariat for voting and comment within a period of three months.
5. APPROVAL
Once a final draft International Standard has been approved, only minor editorial changes, if and where necessary, are introduced into the final text. The final text is sent to
the ISO Central Secretariat which publishes the International Standard.
REVIEW
All International Standards are reviewed at least every five years by all the ISO member bodies.
ISO/IEC TECHNICAL COMMITTEES
What are the Technical Committees?
ISO/IEC standards are developed by groups of experts, within technical committees (TCs). TCs are made up of representatives of industry, NGOs, governments and other stakeholders, who are put forward by ISO/IEC members. Each TC deals with a different subject; for example, there are TCs focusing on screw threads, shipping technology, food products and many, many more.
ISO/IEC Joint Technical Committee 1
This committee represents the standardization in the field of information technology. It is currently addressing such critical areas as teleconferences and e-meetings, cloud data management interface, biometrics in identity management, sensor networks for smart grid systems, and corporate governance of ICT implementation.
ISO/IEC Joint Technical Committee 1, Subcommittee 27
This subcommittee represents the standardization for information technology security techniques. Standardization activity by this subcommittee includes general methods, techniques and guidelines to address both security and privacy aspects. The scope of this subcommittee is split across five (5) working groups. (ISO/IEC JTC 1 - Subcommittee 27, 2014)
All working groups collaborate with the appropriate bodies to ensure the proper development and application of standards and technical reports in relevant areas. This group is responsible for the ISO 27000 family of standards.
- ISO/IEC JTC 1/SC 27/WG 1 - Information security management systems
- ISO/IEC JTC 1/SC 27/WG 2 - Cryptography and security mechanisms
- ISO/IEC JTC 1/SC 27/WG 3 - Security evaluation, testing and specification
- ISO/IEC JTC 1/SC 27/WG 4 - Security controls and services
- ISO/IEC JTC 1/SC 27/WG 5 - Identity management and privacy technologies
COMMON CRITERIA
Common Criteria Evaluation Life Cycle
[Figure: Common Criteria evaluation life cycle, with three parallel tracks: Evaluate PP -> PP Evaluation Results -> Evaluated PP -> PP Registry; Evaluate TOE -> TOE Evaluation Results -> Evaluated TOE -> TOE Registry; Evaluate ST -> ST Evaluation Results -> Evaluated ST.]
Your standard security relationship model.
[Figure: security relationship model. Owners value assets and wish to minimize risk to them; owners impose countermeasures to reduce risk. Threat agents give rise to threats that increase risk to assets; threat agents wish to abuse and/or damage assets.]
Common Criteria’s security relationship model.
[Figure: Common Criteria security relationship model. Owners require countermeasures that are correct and sufficient; evaluation provides confidence that countermeasures are correct and are sufficient, therefore minimizing risk to assets.]
REFERENCES
British Standards Institution (2014). http://www.bsigroup.com
American National Standards Institute (2014). http://www.ansi.org
Computer History Museum (2013). http://www.computerhistory.org/timeline/?year=1976
International Electrotechnical Commission (2014). http://www.iech.ch/
International Organization for Standardization (2014). http://www.iso.org
ISO/IEC Joint Technical Committee 1 (2014). http://isotc.iso.org/livelink/livelink/open/jtc1
Common Criteria (2014). http://www.commoncriteriaportal.org/
Send me a message.
@KrisKimmerle
http://1drv.ms/1cgfZn0 http://www.linkedin.com/in/kriskimmerle
kris.kimmerle@outlook.com