www.huawei.com
Copyright © 2018 Huawei Technologies Co., Ltd. All rights reserved.
Information Security Standards and Specifications
Foreword
• In the process of information security system construction, enterprises comply with international standards and specifications to develop their own information security specifications and improve operations.
• This document describes and analyzes several international information security standards to help better understand information security.
Objectives
• Upon completion of this course, you will be able to describe:
  • Common information security standards.
  • Significance of information security standards.
  • Main points of common information security standards.
Contents
1. Information Security Standards and Specifications
2. ISO 27001 ISMS
3. Graded Protection of Information Security
4. Other Standards
Significance of Information Security Standards
• Standards are normative documents that are jointly formulated, approved by recognized authorities, and used throughout the industry to achieve the best security.
• How can an enterprise build a secure information system? Implement each step according to international authoritative standards.
Information Security Standards Organizations
• International organizations related to information security standardization:
  • International Organization for Standardization (ISO)
  • International Electrotechnical Commission (IEC)
• Chinese security standards organizations:
  • China Information Security Standardization Technical Committee
  • Cyber and Information Security Technical Committee (TC8) of the China Communications Standards Association (CCSA)
• Other standards organizations:
  • International Telecommunication Union (ITU)
  • Internet Engineering Task Force (IETF)
Common Information Security Standards and Specifications
• ISO 27001
• EU: Information Technology Security Evaluation Criteria (ITSEC)
• US: Trusted Computer System Evaluation Criteria (TCSEC)
• China: Graded Protection of Information Security (GB)
ISMS
• The Information Security Management System (ISMS), based on the BS7799 standard developed by the British Standards Institution (BSI), has been widely recognized as the international standard.
• An ISMS follows the Plan-Do-Check-Action cycle:
  • Plan (Establish an ISMS)
  • Do (Implement and operate the ISMS)
  • Check (Monitor and review the ISMS)
  • Action (Maintain and improve the ISMS)
ISO 27000 ISMS Family of Standards
• I. Requirements and supporting guidelines: ISO/IEC 27000, ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27003, ISO/IEC 27004, ISO/IEC 27005
• II. Audit and certification guidelines: ISO/IEC 27006, ISO/IEC 27007, ISO/IEC 27008
• III. Industry information security management requirements: finance, telecommunication, and other specific security domains
• IV. Health information security management standards: ISO 27799, plus projects that are in the research phase (for example, medicine supply chain and storage security)
ISO 27001 Evolution
• BS 7799-1 → ISO/IEC 17799 (Code of practice for information security management) → ISO/IEC 27002 (Code of practice for information security controls)
• BS 7799-2 (Specification with guidance for use) → ISO/IEC 27001 (Information security management system requirements)
ISMS and ISO/IEC 27000
• ISO/IEC 27001 is an international standard that describes the requirements for an ISMS.
• ISO/IEC 27002 proposes 35 control objectives and 113 controls across 14 categories. These control objectives and controls are the best practices of information security management.
• In short: ISO/IEC 27001 is used to establish the ISMS (the information security management idea: requirements and standards for implementing and establishing security management systems), while ISO/IEC 27002 provides best practice rules (information security management operations).
Elements for Building an ISMS
• 14 control areas in ISO 27002:
1. Information Security Policies
2. Organization of Information Security
3. Human Resource Security
4. Asset Management
5. Access Control
6. Cryptography
7. Physical and Environmental Security
8. Operation Security
9. Communication Security
10. System Acquisition, Development and Maintenance
11. Supplier Relationships
12. Information Security Incident Management
13. Information Security Aspects of Business Continuity Management
14. Compliance
ISO 27001 Project Implementation Methodology and Steps
Stages and main tasks (example):
1. Project initiation and variance analysis
  • Project kick-off meeting, team setup, and team management architecture creation
  • Rapid assessment of information security management status
  • Information security policy design
  • Information security management training
2. Risk assessment
  • Training on asset collection and risk assessment methods
  • Threat and vulnerability identification, and security vulnerability scanning
  • Risk assessment and rating
  • Project review meeting
3. System design and release
  • Risk tolerance and preference determination
  • Risk handling and rectification plan implementation
  • System integration and ISMS document preparation
  • ISMS release and training
4. System operation and monitoring
  • Development of the information security management performance monitoring process
  • ISMS trial run
  • System operation monitoring
  • Business continuity management training
  • Project review meeting
5. Certification and continuous improvement
  • ISMS internal audit
  • ISMS external audit
  • ISMS management review
  • Continually update corrective and preventive measures
  • Project review meeting
  • Assistance in follow-up internal and casual audits
Definition
Graded protection: protection of information and information carriers based on their importance levels.
No. 27 [2003] of the General Office of the CPC Central Committee: Opinions for Strengthening Information Security Assurance Work. Key contents:
• Implementing the policy on graded protection of information security
• Attaching importance to information security risk assessment
• Building and improving the information security monitoring system
• Ensuring information security funds
• Improving the accountability system for information security management
No. 66 [2004] of the Ministry of Public Security: Notice on Issuing the Implementation Opinions on the Graded Protection of Information Security
• Public security sector: supervision, inspection, and guidance of graded protection
• State secrecy departments: supervision, inspection, and guidance of classified work for graded protection
• State cryptography administration departments: supervision, inspection, and guidance of cryptography work for graded protection
Systems covered:
1. Public communication networks of the telecom and broadcast/film/TV industries; basic information networks such as broadcast/TV transmission networks; important information systems of units such as Internet information service units, Internet access service units, and data centers
2. Important information systems for the production, scheduling, management, and office work of the railway, bank, customs, taxation, electricity, securities, insurance, diplomacy, science and technology, development reform, defense science and technology, public security, personnel/labor and social security, finance, auditing, commerce, water conservancy, land and energy resources, transportation, culture, education, statistics, industry and commerce administration, and postal sectors
Structure: national regulations and requirements; supervision by the Public Security Department; implementation by HQs and industries.
Significance
1. Improve protection and resource allocation
• Improving overall protection: effectively improving overall information security assurance and resolving threats and major issues faced by information systems.
• Optimizing resource allocation: investing limited financial, material, and human resources in key areas to maximize the economic benefits of security.
2. Law and regulation compliance
Chapter III: Network Operations Security, Section 1: General Provisions, Article 21: The State implements a tiered cybersecurity protection system. Network operators shall fulfill the following security protection duties according to the requirements of the tiered cybersecurity protection system, to ensure that networks avoid interference, damage, or unauthorized access, and to guard against network data leaks, theft, or tampering:
• Formulate internal security management systems and operating rules, determine persons responsible for cybersecurity, and implement cybersecurity protection responsibility;
• Adopt technological measures to prevent computer viruses, network attacks, network intrusions and other actions endangering cybersecurity;
• Take technological measures for monitoring and recording network operating status and cybersecurity incidents, and follow regulations to store network logs for no less than six months;
• Adopt measures such as data classification, backup of important data, and encryption;
• Fulfill other obligations as provided by law or administrative regulations.
Background and Development
• After nearly 20 years of development, graded protection has experienced three stages:
  • 1994-2003, initial stage: the Chinese government called for strengthening information security construction and proposed graded protection of information systems.
  • 2004-2006, development stage: many protection-related standards and specifications were formulated and piloted.
  • 2007 to now, promotion stage: grading, assessment, rectification, and review started, and all sector units started comprehensive grading/rectification.
Scope
Protected objects:
• Information system (computer)
• Basic information network
• Cloud computing platform
• Big data
• Industrial control system
• IoT
• Information system using mobile internet technologies
Grades
• The grades are defined based on the extent of information system damage to citizens, society, and the state.

Grade | Legitimate rights and interests of citizens and legal persons | Social order and public interests | National security
I     | Damage                                                        | N/A                              | N/A
II    | Severe damage                                                 | Damage                           | N/A
III   | /                                                             | Severe damage                    | Damage
IV    | /                                                             | Severe damage                    | Severe damage
V     | /                                                             | /                                | Severe damage
Basic Technical Requirements
• Each grade of protection has corresponding technical requirements. For example, the technical requirements for Grade III cover 5 aspects: physical security, network security, host security, application security, and data security.
• 7 control points and 33 items:
1. Structure security (7 items)
2. Access control (8 items)
3. Security audit (4 items)
4. Boundary integrity check (2 items)
5. Intrusion prevention (2 items)
6. Malicious code program (2 items)
7. Network device protection (8 items)
Process
Graded Protection Process: Grading → Filing → Assessment → Rectification, with Supervision throughout
• Grading: primary step of graded protection
• Filing: mandatory procedure for notifying the supervision department of graded protection construction
• Assessment: method to assess the status of security protection
• Rectification: key to the implementation of graded protection
• Supervision: external management of graded protection
Other Standards - US - TCSEC
• Trusted Computer System Evaluation Criteria (TCSEC)
  • First formal standard for computer system security evaluation
  • Proposed by the Defense Science Board in 1970 and released by the United States Department of Defense in December 1985

Division | Class | Description
A: Verified protection | A1 | The system administrator must receive a formal security policy model from the developer. All installation operations must be performed by the system administrator. Formal documents must be available for all of these operations.
B: Mandatory protection | B1, B2, B3 | Class-B systems are protected against access from users without security levels.
C: Discretionary protection | C1, C2 | Audit protection is available, and users' actions and responsibilities can be audited.
D: Minimal protection | D1 | Security protection is provided only for files and users. The most common D1 system is a local operating system or a completely unprotected network.
Other Standards - Europe - ITSEC
• Information Technology Security Evaluation Criteria (ITSEC)
  • Formulated by the UK, France, Germany, and the Netherlands, the ITSEC makes better progress in function flexibility and related evaluation technologies than TCSEC; applied in the military, government, and business sectors

Function levels:
Level | Description
F1-F5 | TCSEC D-A
F6    | Data and program integrity
F7    | System availability
F8    | Data communication integrity
F9    | Data communication confidentiality
F10   | Network security including confidentiality and integrity

Evaluation levels:
Level | Description
E0 | Inadequate assurance
E1 | At this level there shall be a security target and an informal description of the architectural design of the Target of Evaluation (TOE). Functional testing shall indicate that the TOE satisfies its security target.
E2 | In addition to the requirements for level E1, there shall be an informal description of the detailed design. Evidence of functional testing shall be evaluated. There shall be a configuration control system and an approved distribution procedure.
E3 | In addition to the requirements for level E2, the source code and/or hardware drawings corresponding to the security mechanisms shall be evaluated. Evidence of testing of those mechanisms shall be evaluated.
E4 | In addition to the requirements for level E3, there shall be an underlying formal model of security policy supporting the security target. The security enforcing functions, the architectural design and the detailed design shall be specified in a semi-formal style.
E5 | In addition to the requirements for level E4, there shall be a close correspondence between the detailed design and the source code and/or hardware drawings.
E6 | In addition to the requirements for level E5, the security enforcing functions and the architectural design shall be specified in a formal style, consistent with the specified underlying formal model of security policy.
Other Standards - Sarbanes-Oxley Act
• Public Company Accounting Reform and Investor Protection Act of 2002, commonly called SOX.
• Clauses in the SOX Act regarding the monitoring of contract management and enterprise operation processes can also apply to information system inspections.
• What is the relationship between SOX and information security?
"AN ACT To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes."
--- Sarbanes-Oxley Act
Quiz
1. Which of the following are internationally known information security standards organizations?
A. ISO
B. IEC
C. ITU
D. IETF
2. The ISMS complies with the ______ process.
Summary
• Common information security standards
• Significance of information security standards
• Main points of common information security standards
Thank You
www.huawei.com

More Related Content

PPTX
BUSINESS-CONTINUITY-AND-DISASTER-RECOVERY.pptx
PPTX
Cloud security
PPTX
Attack on Sony
PPT
Cyber security standards
PPTX
Layers and types of cloud
PPT
Datacenter
PDF
Cobit 2019 foundation study material
PPTX
Presentation on GDPR
BUSINESS-CONTINUITY-AND-DISASTER-RECOVERY.pptx
Cloud security
Attack on Sony
Cyber security standards
Layers and types of cloud
Datacenter
Cobit 2019 foundation study material
Presentation on GDPR

What's hot (20)

PPT
Information Security Policies and Standards
PPTX
Security Policies and Standards
DOCX
Iso 27001 2013 Standard Requirements
PDF
Information security management system (isms) overview
PDF
Why ISO27001 For My Organisation
PDF
Steps to iso 27001 implementation
PPTX
Basic introduction to iso27001
PPTX
Security Operations Center (SOC) Essentials for the SME
PPTX
ISO 27001 Awareness/TRansition.pptx
PPTX
VAPT - Vulnerability Assessment & Penetration Testing
PPT
Chapter 3: Information Security Framework
PDF
Risk Assessments
PPT
isms-presentation.ppt
PPTX
27001.pptx
PPTX
Effective Security Operation Center - present by Reza Adineh
PPSX
Security policies
PDF
Cybersecurity Roadmap Development for Executives
PDF
PDF
Iso27001- Nashwan Mustafa
PPTX
Module 02 ftk imager
Information Security Policies and Standards
Security Policies and Standards
Iso 27001 2013 Standard Requirements
Information security management system (isms) overview
Why ISO27001 For My Organisation
Steps to iso 27001 implementation
Basic introduction to iso27001
Security Operations Center (SOC) Essentials for the SME
ISO 27001 Awareness/TRansition.pptx
VAPT - Vulnerability Assessment & Penetration Testing
Chapter 3: Information Security Framework
Risk Assessments
isms-presentation.ppt
27001.pptx
Effective Security Operation Center - present by Reza Adineh
Security policies
Cybersecurity Roadmap Development for Executives
Iso27001- Nashwan Mustafa
Module 02 ftk imager
Ad

Similar to 102 Information security standards and specifications (20)

PPT
S nandakumar
PPT
S nandakumar_banglore
PPT
Metholodogies and Security Standards
PDF
ISO/IEC 27001.pdf
PPTX
Iso iec 27001 foundation training course by interprom
PPTX
UNINFO - BIG DATA & Information Security Standards - Guasconi
PPT
Khas bank isms 3 s
PPTX
Iso 27001 isms presentation
PDF
A Major Revision of the CISRCP Program
PPTX
D1 security and risk management v1.62
PPTX
Automatski - The Internet of Things - Security Standards
PPTX
Information Security Management System ISO/IEC 27001:2005
PPT
Security policy and standards
PDF
Eric hibbard storage-security_the-standard
PPT
2008: Web Application Security Tutorial
ODT
Ch.5 rq (1)
PPT
Security Manager - Slides - Module 10.ppt
PPT
Security Manager - Slides - Module 4 Powerpoint Presentation
PPT
Security Manager - Slides - Module 4 Powerpoint Presentation
PPT
Security Manager - Slides - Module 4 Powerpoint Presentation
S nandakumar
S nandakumar_banglore
Metholodogies and Security Standards
ISO/IEC 27001.pdf
Iso iec 27001 foundation training course by interprom
UNINFO - BIG DATA & Information Security Standards - Guasconi
Khas bank isms 3 s
Iso 27001 isms presentation
A Major Revision of the CISRCP Program
D1 security and risk management v1.62
Automatski - The Internet of Things - Security Standards
Information Security Management System ISO/IEC 27001:2005
Security policy and standards
Eric hibbard storage-security_the-standard
2008: Web Application Security Tutorial
Ch.5 rq (1)
Security Manager - Slides - Module 10.ppt
Security Manager - Slides - Module 4 Powerpoint Presentation
Security Manager - Slides - Module 4 Powerpoint Presentation
Security Manager - Slides - Module 4 Powerpoint Presentation
Ad

More from SsendiSamuel (11)

PPTX
106 Threat defense and information security development trends
PPTX
105 Common information security threats
PPTX
104 Common network devices
PPTX
103 Basic network concepts
PPTX
101 Basic concepts of information security
PPTX
Chapter 06: cloud computing trends
PPTX
Chapter 05: introduction to virtualization features
PPTX
Chapter 04: Storage virtualization basics
PPTX
Chapter 03: Network basics for cloud computing
PPTX
Chapter 01: A brief introduction to cloud computing
PPTX
Chapter 02: Introduction to compute virtualization
106 Threat defense and information security development trends
105 Common information security threats
104 Common network devices
103 Basic network concepts
101 Basic concepts of information security
Chapter 06: cloud computing trends
Chapter 05: introduction to virtualization features
Chapter 04: Storage virtualization basics
Chapter 03: Network basics for cloud computing
Chapter 01: A brief introduction to cloud computing
Chapter 02: Introduction to compute virtualization

Recently uploaded (20)

PDF
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
PDF
Complications of Minimal Access Surgery at WLH
PDF
2.FourierTransform-ShortQuestionswithAnswers.pdf
PPTX
master seminar digital applications in india
PPTX
Final Presentation General Medicine 03-08-2024.pptx
PPTX
Cell Structure & Organelles in detailed.
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
PDF
Pre independence Education in Inndia.pdf
PPTX
Introduction to Child Health Nursing – Unit I | Child Health Nursing I | B.Sc...
PPTX
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
PPTX
PPH.pptx obstetrics and gynecology in nursing
PDF
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
PPTX
Cell Types and Its function , kingdom of life
PDF
Insiders guide to clinical Medicine.pdf
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
PPTX
Week 4 Term 3 Study Techniques revisited.pptx
PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
PDF
Mark Klimek Lecture Notes_240423 revision books _173037.pdf
PPTX
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
Complications of Minimal Access Surgery at WLH
2.FourierTransform-ShortQuestionswithAnswers.pdf
master seminar digital applications in india
Final Presentation General Medicine 03-08-2024.pptx
Cell Structure & Organelles in detailed.
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
Pre independence Education in Inndia.pdf
Introduction to Child Health Nursing – Unit I | Child Health Nursing I | B.Sc...
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
PPH.pptx obstetrics and gynecology in nursing
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Cell Types and Its function , kingdom of life
Insiders guide to clinical Medicine.pdf
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
Week 4 Term 3 Study Techniques revisited.pptx
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
Mark Klimek Lecture Notes_240423 revision books _173037.pdf
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES

102 Information security standards and specifications

  • 1. www.huawei.com Copyright © 2018 Huawei Technologies Co., Ltd. All rights reserved. Information Security Standards and Specifications
  • 2. Page 2 Copyright © 2018 Huawei Technologies Co., Ltd. All rights reserved. Foreword  In the process of information security system construction, enterprises comply with international standards and specifications to develop their own information security specifications and improve operations.  This document describes and analyzes several international information security standards to help better understand information security.
  • 3. Page 3 Copyright © 2018 Huawei Technologies Co., Ltd. All rights reserved. Objectives  Upon completion of this course, you will be able to describe:  Common information security standards.  Significance of information security standards.  Main points of common information security standards.
  • 4. Page 4 Copyright © 2018 Huawei Technologies Co., Ltd. All rights reserved. Contents 1. Information Security Standards and Specifications 2. ISO 27001 ISMS 3. Graded Protection of Information Security 4. Other Standards
  • 5. Page 5 Copyright © 2018 Huawei Technologies Co., Ltd. All rights reserved. Significance of Information Security Standards  Standards are normative documents that are jointly formulated, approved by recognized authorities, and used throughout the industry to achieve the best security. How can an enterprise build a secure information system? Implement each step according to international authoritative standards.
  • 6. Page 6 Copyright © 2018 Huawei Technologies Co., Ltd. All rights reserved. Information Security Standards Organizations  International organizations related to information security standardization:  International Organization for Standardization (ISO)  International Electronical Commission (IEC)  Chinese security standards organizations:  China Information Security Standardization Technical Committee  Cyber and Information Security Technical Committee (TC8) of China Communications Standards Association (CCSA)  Other standards organizations:  International Telecommunication Union (ITU)  Internet Engineering Task Force (IETF)
  • 7. Page 7 Copyright © 2018 Huawei Technologies Co., Ltd. All rights reserved. Common Information Security Standards and Specifications ISO 27001 EU: Information Technology Security Evaluation Criteria (ITSEC) US: Trusted Computer System Evaluation Criteria (TCSEC) China: Graded Protection of Information Security (GB)
  • 8. Page 8 Copyright © 2018 Huawei Technologies Co., Ltd. All rights reserved. Contents 1. Information Security Standards and Specifications 2. ISO 27001 ISMS 3. Graded Protection of Information Security 4. Other Standards
  • 9. Page 9 Copyright © 2018 Huawei Technologies Co., Ltd. All rights reserved. ISMS  The Information Security Management System (ISMS), based on the BS7799 standard developed by the British Standards Institution (BSI), has been widely recognized as the international standard. Plan Action Check Do  Plan (Establish an ISMS)  Do (Implement and operate ISMS)  Check (Monitor and review ISMS)  Action (Maintain and improve ISMS) ISMS
  • 10. Page 10 Copyright © 2018 Huawei Technologies Co., Ltd. All rights reserved. ISO 27000 ISMS Family of Standards II ISO/IEC 27006 ISO/IEC 27007 ISO/IEC 27008 Audit and certification guidelines I ISO/IEC 27000 ISO/IEC 27001 ISO/IEC 27002 ISO/IEC 27003 Requirements and supporting guidelines ISO/IEC 27004 ISO/IEC 27005 IV ISO 27799 Health information security management standards Projects that are in the research phase. For example, medicine supply chain and storage security. III Industry information security management requirements Finance Telecommunication Other specific security domains
  • 11. Page 11 Copyright © 2018 Huawei Technologies Co., Ltd. All rights reserved. ISO 27001 Evolution BS 7799-1 ISO/IEC 17799 ISO/IEC 27002 Code of practice for information security management Code of practice for information security controls BS 7799-2 ISO/IEC 27001 Specification with guidance for use Information security management system requirements
  • 12. Page 12 Copyright © 2018 Huawei Technologies Co., Ltd. All rights reserved. ISMS and ISO/IEC 27000  ISO/IEC 27001 is an international standard that describes the requirements for an ISMS.  ISO/IEC 27002 proposes 35 control objectives and 113 controls across 14 categories. These control objectives and controls are the best practices of information security management. Requirements and standards for implementing and establishing security management systems ISMS ISO 27001 Establish ISO/IEC 27001 ISO/IEC 27002 Provide best practice rules Information security management idea Information security management operations
  • 13. Page 13 Copyright © 2018 Huawei Technologies Co., Ltd. All rights reserved. Elements for Building an ISMS  14 control areas in ISO 27002: 3. Human Resource Security 4. Asset Management 5. Access Control 6. Cryptography 2. Organization of Information Security I. Information Security Policies 7. Physical and Environmental Security 8. Operation Security 9. Communication Security 11. Supplier Relationships 10. System Acquisition, Development and Maintenance 12. Information Security Incident Management 13. Information Security Aspects of Business Continuity Management 14. Compliance
  • 14. Page 14 Copyright © 2018 Huawei Technologies Co., Ltd. All rights reserved. ISO 27001 Project Implementation Methodology and Steps Project initiation and variance analysis  Project kick-off meeting, team setup, and team management architecture creation  Rapid assessment of information security management status  Information security policy design  Information security management training Stage Main Tasks (Example) Risk assessment  Training on asset collection and risk assessment methods  Threat and vulnerability identification, and security vulnerability scanning  Risk assessment and rating  Project review meeting System design and release System operation and monitoring Certification and continuous improvement 1 2 3 4 5  Risk tolerance and preference determination  Risk handling and rectification plan implementation  System integration and ISMS document preparation  ISMS release and training  Development of the information security management performance monitoring process  ISMS trial run  System operation monitoring  Business continuity management training  Project review meeting  ISMS internal audit  ISMS external audit  ISMS management review  Continually update corrective and preventive measures  Project review meeting  Assistance in follow- up internal and casual audits
  • 15. Page 15 Copyright © 2018 Huawei Technologies Co., Ltd. All rights reserved. Contents 1. Information Security Standards and Specifications 2. ISO 27001 ISMS 3. Graded Protection of Information Security 4. Other Standards
  • 16. Page 16 Copyright © 2018 Huawei Technologies Co., Ltd. All rights reserved. Definition No. 27 [2003] of the General Office of the CPC Central Committee Opinions for Strengthening Information Security Assurance Work Key contents: • Implementing the policy on graded protection of information security • Attaching importance to information security risk assessment • Building and improving the information security monitoring system • Ensuring information security funds • Improving the accountability system for information security management No. 66 [2004] of the Ministry of Public Security: Notice on Issuing the Implementation Opinions on the Graded Protection of Information Security • Public security sector: supervision, inspection, and guidance of graded protection • State secrecy departments: supervision, inspection, and guidance of classified work for graded protection • State cryptography administration departments: supervision, inspection, and guidance of cryptography work for graded protection 1. Public communication networks of telecom and broadcast/film/TV industries. Basic information networks such as broadcast/TV transmission networks. Important information systems of units such as Internet information service units, Internet access service units, and data centers 2. Important information systems for the production, scheduling, management, and office of railway, bank, custom, taxation, electricity, securities, insurance, diplomacy, science and technology, development reform, defense science and technology, public security, personnel/labor and social security, finance, auditing, commerce, water conservancy, land and energy resources, transportation, culture, education, statistics, industry and commerce administration, and postal sectors Graded protection of information and information carriers based on their importance levels National Regulations and Requirements Supervision by Public Security Dept Implemented by HQs and Industries
Page 17
Significance
 1. Improve protection and resource allocation
 Improving overall protection: effectively improving overall information security assurance and resolving the threats and major issues faced by information systems
 Optimizing resource allocation: investing limited financial, material, and human resources in key areas to maximize the economic benefits of security
 2. Law and regulation compliance (Cybersecurity Law of the PRC, Chapter III: Network Operations Security, Section 1: General Provisions)
Article 21: The State implements a tiered cybersecurity protection system. Network operators shall fulfill the following security protection duties according to the requirements of the tiered cybersecurity protection system, to ensure that networks avoid interference, damage, or unauthorized access, and to guard against network data leaks, theft, or tampering:
• Formulate internal security management systems and operating rules, determine persons responsible for cybersecurity, and implement cybersecurity protection responsibility;
• Adopt technological measures to prevent computer viruses, network attacks, network intrusions and other actions endangering cybersecurity;
• Take technological measures for monitoring and recording network operating status and cybersecurity incidents, and follow regulations to store network logs for no less than six months;
• Adopt measures such as data classification, backup of important data, and encryption;
• Fulfill other obligations as provided by law or administrative regulations.
Page 18
Background and Development
 After nearly 20 years of development, graded protection has gone through three stages:
 1994-2003: initial stage. The Chinese government called for strengthening information security construction and proposed graded protection of information systems.
 2004-2006: development stage. Many protection-related standards and specifications were formulated and piloted.
 2007 to now: promotion stage. Grading, assessment, rectification, and review started; units in all sectors began comprehensive grading and rectification.
Page 20
Scope
 Protected objects:
 Basic information network
 Information system (computer)
 Cloud computing platform
 Big data
 IoT
 Industrial control system
 Information system using mobile internet technologies
Page 21
Grades
 The grades are defined by the extent of damage that a compromised information system would cause to citizens, society, and the state.

Grade | Legitimate rights and interests of citizens and legal persons | Social order and public interests | National security
I     | Damage        | N/A           | N/A
II    | Severe damage | Damage        | N/A
III   | /             | Severe damage | Damage
IV    | /             | Severe damage | Severe damage
V     | /             | /             | Severe damage
Page 22
Basic Technical Requirements
 Each grade of protection has corresponding technical requirements. For example, the technical requirements for Grade III cover 5 aspects:
 Physical security
 Network security
 Host security
 App security
 Data security
 The network security aspect alone has 7 control points and 33 items:
1. Structure security (7 items)
2. Access control (8 items)
3. Security audit (4 items)
4. Boundary integrity check (2 items)
5. Intrusion prevention (2 items)
6. Malicious code prevention (2 items)
7. Network device protection (8 items)
Page 23
Process
 Graded protection process:
 Grading: primary step of graded protection
 Filing: mandatory procedure for notifying the supervision department of graded protection construction
 Assessment: method to assess the status of security protection
 Rectification: key to the implementation of graded protection
 Supervision: external management of graded protection
Page 24
Contents
1. Information Security Standards and Specifications
2. ISO 27001 ISMS
3. Graded Protection of Information Security
4. Other Standards
Page 25
Other Standards - US - TCSEC
 Trusted Computer System Evaluation Criteria (TCSEC)
 First formal standard for computer system security evaluation
 Proposed by the Defense Science Board in 1970 and released by the United States Department of Defense in December 1985
 Divisions and classes:
 A: Verified protection (A1). The system administrator must receive a formal security policy model from the developer. All installation operations must be performed by the system administrator. Formal documents must be available for all of these operations.
 B: Mandatory protection (B1, B2, B3). Class-B systems are protected against access from users without security levels.
 C: Discretionary protection (C1, C2). Audit protection is available, and users' actions and responsibilities can be audited.
 D: Minimal protection (D1). Security protection is provided only for files and users. The most common D1 system is a local operating system or a completely unprotected network.
Page 26
Other Standards - Europe - ITSEC
 Information Technology Security Evaluation Criteria (ITSEC)
 Formulated by the UK, France, Germany, and the Netherlands, the ITSEC makes better progress in function flexibility and related evaluation technologies than TCSEC; applied in the military, government, and business sectors

Functionality classes:
Function | Level description
F1-F5    | Equivalent to TCSEC D-A
F6       | Data and program integrity
F7       | System availability
F8       | Data communication integrity
F9       | Data communication confidentiality
F10      | Network security including confidentiality and integrity

Evaluation (assurance) levels:
Level | Description
E0    | Inadequate assurance
E1    | At this level there shall be a security target and an informal description of the architectural design of the Target of Evaluation (TOE). Functional testing shall indicate that the TOE satisfies its security target.
E2    | In addition to the requirements for level E1, there shall be an informal description of the detailed design. Evidence of functional testing shall be evaluated. There shall be a configuration control system and an approved distribution procedure.
E3    | In addition to the requirements for level E2, the source code and/or hardware drawings corresponding to the security mechanisms shall be evaluated. Evidence of testing of those mechanisms shall be evaluated.
E4    | In addition to the requirements for level E3, there shall be an underlying formal model of security policy supporting the security target. The security enforcing functions, the architectural design and the detailed design shall be specified in a semi-formal style.
E5    | In addition to the requirements for level E4, there shall be a close correspondence between the detailed design and the source code and/or hardware drawings.
E6    | In addition to the requirements for level E5, the security enforcing functions and the architectural design shall be specified in a formal style, consistent with the specified underlying formal model of security policy.
Page 27
Other Standards - Sarbanes-Oxley Act
 Public Company Accounting Reform and Investor Protection Act of 2002, commonly called SOX.
 Clauses in the SOX Act regarding the monitoring of contract management and enterprise operation processes can also apply to information system inspections.
 What is the relationship between SOX and information security?
"AN ACT To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes." --- Sarbanes-Oxley Act
Page 29
Quiz
1. Which of the following are internationally known information security standards organizations?
A. ISO
B. IEC
C. ITU
D. IETF
2. The ISMS complies with the ______ process.
Page 30
Summary
 Common information security standards
 Significance of information security standards
 Main points of common information security standards
Page 31
Thank You
www.huawei.com