
External standards

In the document Information Security (Page 163-166)

The information-security strategy

6.4 Establishing a control framework

6.5.2 External standards

The intelligent use of standards that are adopted by the international community greatly simplifies the task of securing information in IT environments.

This applies to all standards, not only those applying to information security.

Advantages of adhering to internationally agreed-upon standards include:

Software implementing such standards will be subject to more testing in the field.

Security issues are likely to be discovered and fixed more rapidly.

Experience will be more widely available.

As we are discussing international standards, it is to be expected that software implementing such standards will be installed in a variety of different environments. In addition, universities and research groups are more likely to study the strengths and weaknesses of popular standards and the software that implements them. This will increase the probability that different options within the software are exercised in some environment, and this in turn should result in a more rapid detection of flaws and bugs.

Largely due to the mechanisms discussed in Section 2.2 of this book, information regarding any security issues that are discovered via this process will be quickly made available to the international community as a whole. This not only puts pressure on vendors to implement solutions rapidly, it increases the chances that some interested party will identify and publish a workaround for the issue in the intervening period.

It is clearly not feasible in a book of this size to provide an exhaustive overview of external standards that are likely to be of interest to information-security managers. It is, however, possible to provide a rapid introduction to the subject by quickly identifying some of the more influential standards groups, and this is the approach we have taken. Interested readers are pointed to the Web site of the World Standards Services Network (WSSN) for more information on international, regional, and national standards [12].

Arguably the best-known standards organization in the world is the ISO.

The ISO is a nongovernmental institution founded in 1947 and organized as a federation of national standards bodies. At the time of writing, the ISO comprises 147 members [13], including the American National Standards Institute (ANSI) and the British Standards Institute (BSI). Examples of standards published by ISO include the OSI model and related security architecture [14, 15], numerous standards in the area of network and transaction security (of which examples are provided in [16]), and a series of security-related standards published jointly with the IEC.

6.5 Standards 145

[Figure 6.4: a classification tree. The root, Standards, branches into External standards (e.g., ITU X.509) and Internal standards. Internal standards branch into Specification standards (e.g., The Secure Bank UNIX configuration) and Procedural standards (e.g., The Secure Bank UNIX administration procedure).]

Figure 6.4 Classification of standards.

Other international standards bodies include the IEC and the ITU, which is the parent organization of the former CCITT. Examples of security-related standards published by the IEC include the Code of Practice [17] and the Common Criteria [18–20], both of which were published jointly with the ISO. The ITU publishes a range of extremely important standards related to data communication, including the X.25 [21], X.400 [22], and X.500 standards [23]. Particularly noteworthy in the area of security is the X.509 standard [24], which is widely adopted in the area of PKI.

At the national level, standardization is coordinated by national standards organizations. In the United States, the national standards organization is the ANSI. The ANSI has published a wealth of standards related to information security, which are available via the ANSI electronic standards store [25]. More recently, the ANSI established the Homeland Security Standards Panel (HSSP) in February 2003 [26]. This panel was created to assist the Department of Homeland Security by coordinating standards developed to meet homeland-security requirements. The panel is also charged with ensuring that the public and private sectors are aware of the existence of such standards.

Organizations such as the NIST, the IETF, and the Institute of Electrical and Electronics Engineers (IEEE) produce standards for a specific community. The NIST, for instance, produces standards to meet the needs of the U.S. federal government and industry [27]. In particular, the NIST issues the FIPS documentation, which governs the use of federal computing systems [28]. More security-related standards and a great deal of other useful information are available from the NIST’s Computer Security Resource Center (CSRC) [29].

One of the most useful bodies of standards where the Internet or TCP/IP is concerned is the RFC documentation published by the IETF. These standards are extremely important, as they effectively define the TCP/IP protocol stack. Many of the most important security protocols used to protect network transmissions over TCP/IP are also documented in the form of RFC documents. RFC 1539, “The Tao of IETF: A Guide For New Attendees of the Internet Engineering Task Force” [11], provides an excellent introduction to documentation produced by the IETF and provides references to other documentation providing more detailed information.

The important thing to remember when using external standards is that there are a lot of good standards available, but care needs to be exercised in selecting a standards set that is coherent. Wherever possible, the simplest solution is to select a set of standards for use in a particular domain and to stick to it, rather than selecting standards produced by different standards bodies.

At The Secure Bank, we will make extensive use of the IETF RFC documentation within the area of network security. When dealing with legacy applications, it may well be necessary to refer to ITU recommendations, notably those dealing with X.25. In the area of cryptography, use will be made of several important FIPS standards and other relevant NIST standards.

In this latter area, we will also make use of the public key cryptography standards [30], which have not been discussed in the preceding paragraphs.

Other standards will be used on an as-needed basis, taking care to ensure that the particular group of standards selected is self-consistent and can be used as the basis for a coherent approach.
