Saturday, March 02, 2002
Security, Standards and Choices. If you don't care where you are you're not lost. However, when it comes to security you will be lost without a map, and being lost is a bad thing.
Finding the Right Map. If you've been following security standards you know that it's a mess. A good starting point on your journey to sorting out the standards is Uncovering security standards, which is a single page that gives a brief summary of the standards you're likely to encounter and links to primary sources of information.
Choices. In the US you're probably examining the two major standards: Common Criteria and ISO 17799. We've written about Common Criteria in previous entries. What makes the choice confusing is the Common Criteria is an international standard, International Standard (IS) 15408, sponsored by ISO, and 17799 is also an ISO-sponsored standard. The crux of the matter is twofold:
At first glance it would seem logical to use both standards, and this approach has some merit. However, not all national bodies in the ISO 17799 standards making process are in agreement. Indeed, the US is among the group of national bodies that is in disagreement with the way ISO 17799 is written. This issue, among others, is addressed in the National Institute of Standards and Technology (NIST) ISO/IEC 17799:2000 FAQ. This document is clear about the US view of the standard; however, a more complete picture can be found by examining the following documents:Outside the US. A Zip archive with two PowerPoint presentations describe how one country, Malaysia, is standardizing on security. This is illustrative because it shows that the world is not centered on the US and Europe.
- Common Criteria and ISO 17799 are apples and oranges. In other words, there is no connection between the two. Common Criteria is designed to guide in the technical specification and evaluation of systems, while ISO 17799 is a management standard that deals with non-technical issues related to security (personnel, procedural, and physical security issues).
- Where Common Criteria is used as an assurance measure, and as such, as a certification of sorts, ISO 17799 is not a certification program. There will be no ISO 17799 certification in the same manner that ISO certifies for ISO 9000.
Other Considerations. For those who are in healthcare, the PowerPoint presentation titled, HIPAA by the Numbers shows the standards and issues that surround security in connection with the Healthcare Insurance Portability and Accountability Act. Also worthwhile are: Enabling Confident E-Commerce, Mobile Security, and Security Engineering Best Practices, all of which are in PowerPoint format.
End Note. I will follow-up this entry with a later one that discusses tools and techniques that can be used with any of the security standards.