TRANSCRIPT

Page 1

Copyright © 2004 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

The OWASP Foundation
OWASP AppSec, June 2004, NYC
http://www.owasp.org

ISO 17799 Project Review

Stan Guzik, CISSP, MCP
Chief Technology Officer, Immediatech Corp.
ISO 17799 Project Lead
[email protected]

Page 2

OWASP AppSec 2004

What Will Be Covered?

- Background On The ISO 17799 Project
- What Is Information Security?
- Information Security Threats
- Developing Security Management Policies/Procedures
- What Is The ISO 17799?
- ISO 17799 OWASP Project Details
- Implementation Example
- Critical Success Factors
- OWASP Needs Your Feedback
- References

Page 3

Background On The ISO 17799 Project

- OWASP Holistic Approach To Security
  - Top Ten
  - Guide
  - Testing
  - WebGoat
  - ISO 17799
- Challenges Of Today's Web Applications
  - Security - CIA
  - 24x7x365 uptime
  - Fast and easy to use
  - Integration with external systems
  - Fast SDLC due to market pressures
  - Bug free
  - Customers expect it at no/low cost

Page 4

Background On The ISO 17799 Project

- Management Of Web Applications In Production
  - Traditional IT organizations are not familiar with web app security management
  - Auditors as head of IT (EDP)
  - Internet applications
  - 20 year old policies/procedures do not apply
- Benefits Of Applying ISO 17799
  - Increased security
  - Increased uptime
  - ROI – Fighting Fires
  - Keep your job

Page 5

What Is Information Security?

- Information Is An Asset – Value
- Information Protection – Ensure business continuity, minimize damage, meet legal requirements
- Information Forms – Electronic, paper, spoken, etc.
- Information Preservation
  - Confidentiality – Information is not disclosed to unauthorized subjects
  - Integrity – Accuracy and completeness of information; modified only by authorized subjects
  - Availability – Authorized subjects are granted access to information (SLA)
- Information Security Controls – Policies, procedures, practices, organizational structure, and HW/SW

Page 6

Information Security Threats

- Viruses
- Hackers
- Espionage
- Sabotage
- Vandalism
- Fire
- Flood
- Employee With A Big Mouth (HR Info)

Page 7

Information Security Threats

- Today Organizations Are More Vulnerable
  - Interconnected public and private networks
  - System complexities in achieving access controls
  - Lack of security conscious developers – focus on functionality & performance
  - Shorter Time To Market
- Supplement Secure Applications With Appropriate Security Management Policies/Procedures
  - Secure applications running in an unsecured environment
  - Secure applications and a secured environment running with insecure operations
  - Etc…

Page 8

Develop Security Management Policies/Procedures

- Legal, Regulatory, Contractual Requirements, Due Diligence
- Risk Assessment – Threats to Assets
  - Determine the likelihood that a threat will occur and evaluate its impact on an asset
  - Quantitative Risk Assessment
    – Annual Loss Expectancy (ALE) – Yearly cost of all instances of a specific realized threat against a specific asset:
      » ALE = ARO * SLE
    – Annual Rate of Occurrence (ARO) – Expected frequency that a specific threat or risk will occur (probability determination)
    – Single Loss Expectancy (SLE) – Cost associated with a single realized risk against a specific asset:
      » SLE = Asset Value * EF
    – Exposure Factor (EF) – Loss potential of a specific asset from a realized risk
    – Example – DOS Web Application (Input Validation)
      » Asset Value = $2,000,000
      » EF = 20%
      » SLE = $2,000,000 * 20% = $400,000
      » ARO = 10%
      » ALE = 10% * $400,000 = $40,000

Page 9

Develop Security Management Policies/Procedures

- Qualitative Risk Assessment
  – Scenario/Judgment Based
  – Experience Based …
- Risk Assessment Results
  - Determine the appropriate management actions
  - Set priorities for managing information security risk
  - Implement controls to protect against realized risk

Page 10

Develop Security Management Policies/Procedures

- Select Appropriate Security Controls
  - Implement controls to ensure risks are reduced to an acceptable level.
  - Controls should be selected based on the cost of implementation in relation to the risk being reduced and the potential losses if a security breach occurs.
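As an added example (not part of the slides), the quantitative formulas from the risk assessment slide and the cost-based control selection criterion above, worked through in Python: the slide's DoS figures yield SLE and ALE, and each candidate control is scored as ALE before minus residual ALE minus the control's annual cost, the cost/benefit formula used in the CISSP study material the deck references. The candidate controls and their residual EF/ARO values are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """A specific threat against a specific asset, in the slide's terminology."""
    name: str
    asset_value: float      # dollar value of the asset at risk
    exposure_factor: float  # EF: fraction of asset value lost per realized threat
    aro: float              # ARO: expected occurrences per year (may exceed 1.0)

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0 or self.aro < 0 or self.asset_value < 0:
            raise ValueError(f"{self.name}: EF must be in [0, 1]; ARO and asset value >= 0")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = Asset Value * EF (rounded to cents)."""
        return round(self.asset_value * self.exposure_factor, 2)

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = ARO * SLE."""
        return round(self.aro * self.sle(), 2)


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the residual EF/ARO expected once it is in place."""
    name: str
    annual_cost: float
    residual_ef: float
    residual_aro: float


def control_value(threat: Threat, control: Control) -> float:
    """Net annual value of a safeguard: ALE before - ALE after - annual cost of the control."""
    after = Threat(threat.name, threat.asset_value, control.residual_ef, control.residual_aro)
    return round(threat.ale() - after.ale() - control.annual_cost, 2)


def select_controls(threat: Threat, candidates: list[Control]) -> list[tuple[str, float]]:
    """Keep only controls whose risk reduction outweighs their cost, best value first."""
    scored = [(c.name, control_value(threat, c)) for c in candidates]
    return sorted([s for s in scored if s[1] > 0], key=lambda s: s[1], reverse=True)


# Slide 8 example: DoS against a web application through missing input validation.
DOS_WEB_APP = Threat("DoS web application (input validation)", 2_000_000, 0.20, 0.10)
# Hypothetical candidate controls with assumed residual figures (constructed, not from the slides).
CANDIDATES = [
    Control("Input validation review + fuzz testing", annual_cost=15_000, residual_ef=0.20, residual_aro=0.02),
    Control("Redundant hosting with failover", annual_cost=50_000, residual_ef=0.05, residual_aro=0.10),
]
```

`select_controls(DOS_WEB_APP, CANDIDATES)` keeps only the first control: it cuts the $40,000 ALE to $8,000 for $15,000 a year, while the second costs more than the loss it prevents.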

Page 11

What Is The ISO 17799 Standard?

- ISO – International Organization for Standardization
- Complete Set Of Controls To Ensure The Best Practices For Information Security
- The Major Standard - Internationally Recognized Information Security Standard
- Guideline - Guiding principle providing a good starting point for implementing information security. They are either based on essential legislative requirements or considered to be common best practices for information security.
- Legislative Controls
  - 12.1.4 – Data Protection and Privacy of Personal Information
  - 12.1.3 – Safeguarding of Organizational Records
  - 12.1.2 – Intellectual Property Rights
- Best Practices
  - 3.1 – Information Security Policy Document
  - 4.1.3 – Allocation of Information Security Responsibilities
  - 6.2.1 – Information Security Education and Training
  - 6.3.1 – Reporting Security Incidents
  - 11.1 – Business Continuity Management

Page 12

What Is The ISO 17799 Standard? 10 Sections

- Security Policy – To provide management direction & support for information security
- Organizational Security – Manage information security within the organization
- Asset Classification and Control – To maintain appropriate protection of organizational assets
- Personnel Security – To reduce the risk of human error, theft, fraud or misuse of facilities
- Physical & Environmental Security – To prevent unauthorized access, damage and interference to business premises and information
- Communications and Operations Management – To ensure the correct and secure operation of information processing facilities
- Access Control – Control access to information
- System Development and Maintenance – To ensure security is built into information systems
- Business Continuity Management – To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
- Compliance – To avoid breaches of any criminal and civil law, statutory, regulatory or contractual

Page 13

ISO 17799 OWASP Project Details

- Documentation Project
- Toolbox Of Sample Templates Of ISO 17799 Policies & Procedures
- What Exists Today
  - ISO 17799 Is A Standard
  - Not a tool
  - Not Many Publicly Available Templates
  - Commercial Licensed Templates Are Poor Quality

Page 14

Implementation Example

- 8.1.2 Operational Change Control
  - Inadequate control may cause system or security failures
  - Formal management responsibilities and procedures should be in place
  - Operational programs subject to strict change control
- Current State Of Project
  - Many templates
  - Todo: Pull all templates together into a consistent format and publish

Page 15

Critical Success Factors

- Targeted Risk Assessment
- Implement Good Controls
- Use Already Proven Policies & Procedures
- Training & Awareness
- Get Some More Sleep At Night!!!

Page 16

OWASP Needs Your Feedback!

- Send Us Your Templates
- Modifications To Existing Templates
- Can you get involved?

Page 17

References

- ISO/IEC 17799:2000(E)
- CISSP: Certified Information Systems Security Professional Study Guide, Ed Tittel
- OWASP ISO 17799 Project