
Resources for information security management

The following resources are listed in chronological order, with the most recent first.

Documents that were included in the Center for Internet Security’s list of “Foundational Standards” are marked with a red “subsection” glyph: §.

The Standard of Good Practice for Information Security
(Information Security Forum (ISF) – March 2003)

The ISF, formerly known as the European Security Forum (ESF), is “an international association of over 260 leading organizations, which fund and co-operate in the development of a practical research programme in information security. During the last 12 years the Forum has spent more than US$40 million providing authoritative material to its Members. The Forum’s work probably represents the most comprehensive and integrated set of reports anywhere in the world regarding the process of managing information risk.”

SGPIS has been developed over many years to produce the international standard for information security. It embodies other standards, such as COBIT and BS 7799, and the experience of the ISF’s members. SGPIS is intended to provide a practical, business-oriented basis for assessing an organization’s information security arrangements.

(The March 2003 document supersedes the previous version of November 2000.)

Management Planning Guide for Information Systems Security Audit
(NSAA & U.S. GAO – December 2001)

“This guide was prepared by members of the National State Auditors Association (NSAA) and auditors from local governments in cooperation with staff of the United States General Accounting Office (GAO). It is intended to aid government audit organizations in responding to the risks attributable to the pervasive and dynamic effects of the expanding use of information technology by governments. Also, it is intended to be pertinent to any government audit organization, regardless of its size and current methodology. Directed primarily at senior and executive audit management, the guide leads the reader through the steps for establishing or enhancing an information security auditing capability. These include planning, developing a strategy, implementing the capability, and assessing results.”

Information Security Governance: Guidance for Boards of Directors and Executive Management
(IT Governance Institute – July 2001)

“To exercise effective enterprise and IT governance, boards of directors and executive management must have a clear understanding of what to expect from their enterprise’s information security programme. They need to know how to implement an effective information security programme, how to evaluate their own status with regard to the security programme in place and how to decide what security programme is desired.

This guide, prepared by one of the world’s leading institutions dedicated to researching the principles of IT governance, is written to address these concerns. It covers such fundamental issues as:

It also provides practical, pragmatic advice on:

COBIT Control Objectives for Information and related Technology
(3rd Edition – July 2000)   §

COBIT is an open standard for information technology security and control practices, developed and promoted by the IT Governance Institute, and published by the Information Systems Audit and Control Association (ISACA). COBIT provides a reference framework for management, users, and IS audit, control, and security practitioners. Since the 1st edition of COBIT was released in 1996, it has been sold and implemented in over 100 countries throughout the world.

COBIT consolidates and harmonizes standards from prominent global sources into a critical resource for management, control professionals, and auditors. COBIT applies to enterprise-wide information systems, including personal computers, mini-computers, mainframes, and distributed environments. It is based on the philosophy that IT resources need to be managed by a set of naturally grouped processes in order to provide the pertinent and reliable information an organization needs to achieve its objectives.

COBIT 3rd Edition contains:

GAO/AIMD-00-33
Information Security Risk Assessment: Practices of Leading Organizations
(November 1999)

A Supplement to GAO’s May 1998 Executive Guide on Information Security Management

“Managing the security risks associated with our government’s growing reliance on information technology is a continuing challenge. In particular, federal agencies, like many private organizations, have struggled to find efficient ways to ensure that they fully understand the information security risks affecting their operations and implement appropriate controls to mitigate these risks. This guide is intended to help federal managers implement an ongoing information security risk assessment process by providing examples, or case studies, of practical risk assessment procedures that have been successfully adopted by four organizations known for their efforts to implement good risk assessment practices. More importantly, it identifies, based on the case studies, factors that are important to the success of any risk assessment program, regardless of the specific methodology employed.”

“GAO” is the United States General Accounting Office.

Generally Accepted System Security Principles (GASSP)
(Version 2.0 – June 1999)   §

“GASSP incorporate the consensus, at a particular time, as to the principles, standards, conventions, and mechanisms that information security practitioners should employ, that information processing products should provide, and that information owners should acknowledge to ensure the security of information and information systems. GASSP relates to physical, technical, and administrative information security and encompasses pervasive, broad functional, and detailed security principles. GASSP nomenclature considers the terms policy, rules, procedures, and practices to relate to the organizational implementation of security. Information technology (IT) changes rapidly, and GASSP are expected to evolve accordingly. Consensus regarding accepted information security principles is achieved first within the GASSP Committee followed by international IT community review.”

GASSP were developed by the International Information Security Foundation (I2SF)-Sponsored Committee to Develop and Promulgate Generally Accepted System Security Principles.

RFC 2504 Users’ Security Handbook
(February 1999)

“This document provides guidance to the end-users of computer systems and networks about what they can do to keep their data and communication private, and their systems and networks secure. Part Two of this document concerns “corporate users” in small, medium, and large corporate and campus sites. Part Three of the document addresses users who administer their own computers, such as home users. System and network administrators may wish to use this document as the foundation of a site-specific users’ security guide; however, they should consult the Site Security Handbook first [RFC2196].”

BS 7799
Information security management  §

BS 7799 originated as a UK Department of Trade and Industry (DTI) guideline published in 1993, was subsequently developed by the British Standards Institution (BSI), and was first published in 1995. Since then it has been periodically reviewed and, after several months of public consultation and comment, a revised, two-part version of BS 7799 was issued in 1999. It has been used extensively in the UK, the Netherlands, Scandinavia, Australia, and elsewhere – but is not without its critics…

BS ISO/IEC 17799:2000 (formerly BS 7799-1:1999 Information security management – Part 1: Code of practice for information security management) – A standard for information security management, intended for use as a reference document by employees who are responsible for developing, implementing, and maintaining information security within their organization.

The BSI submitted BS 7799-1:1999 for international standardization via the ISO/IEC JTC 1 fast track process. The draft international standard, DIS 17799, was approved by a majority of the ISO/IEC National Bodies (NBs) in the autumn of 2000 and was published, with only a few textual changes for clarity, as International Standard 17799, Information technology – Code of practice for information security management, in December 2000. The BSI subsequently issued it as a British Standard.

While ISO/IEC 17799:2000 is an international standard, it is considered by many NBs with the largest IT markets to be technically flawed or incomplete. (As it’s all but identical to BS 7799-1:1999, the same criticisms can presumably be made against the original British Standard.) Many procedural and substantive content objections were raised against it both before and since approval. An immediate revision process has now been started in response to these substantial objections. (See: NIST’s Frequently Asked Questions [PDF].)

BS 7799-2:2002 (formerly BS 7799-2:1999 Information security management – Part 2: Specification for information security management systems) – This document specifies requirements for establishing, implementing and documenting an information security management system (ISMS) – i.e., an organizational information security management program. It specifies security controls to be implemented by an organization following a risk assessment to identify the most appropriate control objectives and controls applicable to their own needs.

The 2002 revision of BS 7799-2 was developed primarily to harmonise it with other management system standards to assist in the integration and operation of an organization’s management systems and where required to facilitate combined third party audits; to ensure effective information security management is established and maintained through a continual improvement process; and to implement the OECD principles governing the security of information systems and networks.

This part of BS 7799 forms the basis of an assessment of the ISMS of the whole, or part of, an organization and is used as the basis for accredited BS 7799 certification. There is no ISO equivalent of BS 7799-2:2002.

NIST Special Publication 800-18
Guide for Developing Security Plans for Information Technology Systems
(December 1998)

“The purpose of the security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behaviour of all individuals who access the system. The security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system operator, and the system security manager. Additional information may be included in the basic plan and the structure and format organized according to agency needs, so long as the major sections described in this document are adequately covered and readily identifiable.”

RFC 2196 Site Security Handbook
(September 1997)   §

“This handbook is a guide to setting computer security policies and procedures for sites that have systems on the Internet (however, the information provided should also be useful to sites not yet connected to the Internet). This guide lists issues and factors that a site must consider when setting their own policies. It makes a number of recommendations and provides discussions of relevant areas. This guide is only a framework for setting security policies and procedures. In order to have an effective set of policies and procedures, a site will have to make many decisions, gain agreement, and then communicate and implement these policies.”

GAO/AIMD-12.19.6
Federal Information System Controls Audit Manual (FISCAM)
(August 1997)   §

“GAO published a manual to provide auditors guidance for evaluating internal controls over the integrity, confidentiality, and availability of data maintained in computer-based information systems. The manual’s sections provide detailed guidance on evaluating and testing computer-related controls, including guidance on: (1) identifying the auditee’s significant computer-supported operations, assessing the risk associated with these operations, and identifying the controls to be tested; (2) control objectives and commonly used control techniques, as well as audit procedures; and (3) common application control objectives and related control techniques, as well as suggested audit procedures.”

“GAO” is the United States General Accounting Office.

ISO/IEC TR 13335
Information technology – Guidelines for the management of IT Security (GMITS)
(December 1996 onwards)

This series of ISO Technical Reports, referred to as ISO/IEC TR 13335, developed by ISO/IEC JTC 1/SC 27 – the “Security techniques” subcommittee of the Joint Technical Committee, provides guidance on the management of IT security. The reports are noteworthy in that they embrace the challenges posed by global connectivity. As the need for electronic communication between businesses and among the individuals who run these enterprises increases, organizations are being forced to adopt a more holistic philosophy of security management. This new approach is complicated by the plethora of IT security solutions now available. For example, security problems can be addressed through technical, physical, procedural or administrative controls. Typically, solutions are based on a combination of safeguards drawn from the above-mentioned categories. Given the range of options available, it is unlikely that any two organizations will have solved their IT security problems using the same combination of safeguards. GMITS not only provides a basis to assist an organization in developing and enhancing its own internal security architecture, but also provides a means to establish commonality between organizations. [Source: CanCERT.]

At present, the GMITS project consists of five parts:

NIST Special Publication 800-14
Generally Accepted Principles and Practices for Securing Information Technology Systems
(September 1996)   §

“As more organizations share information electronically, a common understanding of what is needed and expected in securing information technology (IT) resources is required. This document provides a baseline that organizations can use to establish and review their IT security programs. The document gives a foundation that organizations can reference when conducting multi-organizational business as well as internal business. Management, internal auditors, users, system developers, and security practitioners can use the guideline to gain an understanding of the basic security requirements most IT systems should contain. The foundation begins with generally accepted system security principles and continues with common practices that are used in securing IT systems.”

NIST Special Publication 800-12
An Introduction to Computer Security: The NIST Handbook
(1995)

“… provides assistance in securing computer-based resources (including hardware, software, and information) by explaining important concepts, cost considerations, and interrelationships of security controls. It illustrates the benefits of security controls, the major techniques or approaches for each control, and important related considerations.”

NIST Special Publications 500 Series
Guides to the Protection of Information Resources

Although these documents are more than ten years old, and are aimed at U.S. government agencies, the principles that they embody are still sound.


Copyleft & Creative Commons (cc) 2000–2008 Ant: This work is dual-licensed under both the GNU Free Documentation License (GFDL) and a Creative Commons Attribution-Noncommercial-Share Alike 3.0 License.
URL: http://homepage.mac.com/antallan/ismresou.html
Last updated: Friday 8 August 2008
