It is not too difficult to imagine the difficulties in achieving this where several different operating systems and versions of software are concerned.

The term internal standard is used to refer to a standard that is produced by an organization and used exclusively within that organization. An external standard is a standard that is accepted and used by a community. Following this nomenclature, the standard configuration for UNIX platforms within The Secure Bank is therefore an internal standard, whereas the International Telecommunications Union (ITU) [formerly Comité Consultatif International Téléphonique et Télégraphique (CCITT)] X.509 standard is clearly an external standard.

Where internal standards are concerned, a standard can either document the essential characteristics of something or explain how some activity is to be carried out. We make this distinction because describing something that is static, such as an electric plug, requires a different vocabulary and approach than describing something dynamic, such as a procedure. In the first case, we might describe a plug by providing the material it is made of, the geometry and the distance between the pins, and a range of other values. A procedure, on the other hand, might be best described using a graphic technique such as a flow chart or a state transition diagram. Note that this distinction is not made for external standards because we have no control over how such standards are produced.

We will refer to the first type of document as a specification standard and the second type as a procedural standard. This is illustrated in Figure 6.4.

Figure 6.4 Classification of standards.
  Standards
    External standards (e.g., ITU X.509)
    Internal standards
      Specification standards (e.g., The Secure Bank UNIX configuration)
      Procedural standards (e.g., The Secure Bank UNIX administration procedure)

6.5.2 External standards

The intelligent use of standards that are adopted by the international community greatly simplifies the task of securing information in IT environments. This applies to all standards, not only those applying to information security. Advantages of adhering to internationally agreed upon standards include:

- Software implementing such standards will be subject to more testing in the field.
- Security issues are likely to be discovered and fixed more rapidly.
- Experience will be more widely available.

As we are discussing international standards, it is to be expected that software implementing such standards will be installed in a variety of different environments. In addition, universities and research groups are more likely to study the strengths and weaknesses of popular standards and the software that implements them. This will increase the probability that different options within the software are exercised in some environment, and this in turn should result in a more rapid detection of flaws and bugs. Largely due to the mechanisms discussed in Section 2.2 of this book, information regarding any security issues that are discovered via this process will be quickly made available to the international community as a whole. This not only puts pressure on vendors to implement solutions rapidly, it increases the chances that some interested party will identify and publish a workaround for the issue in the intervening period.

It is clearly not feasible in a book of this size to provide an exhaustive overview of external standards that are likely to be of interest to information-security managers. It is, however, possible to provide a rapid introduction to the subject by quickly identifying some of the more influential standards groups, and this is the approach we have taken. Interested readers are pointed to the Web site of the World Standards Services Network (WSSN) for more information on international, regional, and national standards [12].

Arguably the best-known standards organization in the world is the ISO. The ISO is a nongovernmental institution founded in 1947 and organized as a federation of national standards bodies. At the time of writing, the ISO comprises 147 members [13], including the American National Standards Institute (ANSI) and the British Standards Institute (BSI). Examples of standards published by ISO include the OSI model and related security architecture [14, 15], numerous standards in the area of network and transaction security (of which examples are provided in [16]), and a series of security-related standards published jointly with the IEC.

Other international standards bodies include the IEC and the ITU, which is the parent organization of the former CCITT. Examples of security-related standards published by the IEC include the Code of Practice [17] and the Common Criteria [18-20], both of which were published jointly with the ISO. The ITU publishes a range of extremely important standards related to data communication, including the X.25 [21], X.400 [22], and X.500 standards [23]. Particularly noteworthy in the area of security is the X.509 standard [24], which is widely adopted in the area of PKI.

At the national level, standardization is coordinated by national standards organizations. In the United States, the national standards organization is the ANSI. The ANSI has published a wealth of standards related to information security, which are available via the ANSI electronic standards store [25]. More recently, the ANSI established the Homeland Security Standards Panel (HSSP) in February 2003 [26]. This panel was created to assist the Department of Homeland Security by coordinating standards developed to meet homeland-security requirements. The panel is also charged with ensuring that the public and private sectors are aware of the existence of such standards.

Organizations such as the NIST, the IETF, and the Institute of Electrical and Electronics Engineers (IEEE) produce standards for a specific community. The NIST, for instance, produces standards to meet the needs of the U.S. federal government and industry [27]. In particular, the NIST issues the FIPS documentation, which governs the use of federal computing systems [28]. More security-related standards and a great deal of other useful information are available from the NIST's Computer Security Resource Center (CSRC) [29].