Adobe Scan Oct 10, 2023

The document discusses various information security standards like ISO 27001 and best practices. It explains that ISO develops international standards, including ISO 27000 for information security management. The chapter focuses on ISO 27001 and its importance for ensuring formal assurance of secure data, especially in banking and insurance industries.

CHAPTER 8

SECURITY STANDARDS AND BEST PRACTICES

OBJECTIVES

At the end of this chapter, the students will know the meaning and significance of Standards like ISO in general, their relevance particularly in the I.T. and Information Security environment like the ISO 27001 standards, how they enhance security and why banks and financial organisations are increasingly moving towards such certification. Besides, the chapter also focuses on other best practices in Information Security accepted globally and certain specific standards and legal compliance requirements as per some laws applicable in other countries as well.
8.0 INTRODUCTION

We have seen earlier that Information System Security is the commonly accepted and dynamic concept applicable to any industry that deals with information. Though the system is common in any type of industry, there was a need felt globally for evolving a generally accepted standard that may be referred to and used in all industries, so that whatever is applicable from those widely accepted norms may be adopted in a particular organisation or bank.
8.1.0 Organisations felt the need for commonly accepted standards which would be dynamic, so that whatever is applicable and relevant to the particular organisation may be adopted and those that are not relevant may be expressly declared as not applicable.
8.1.1 Hence the standards should be dynamic enough to provide for such a broader framework, a generic format of standards, and yet be specific enough so that an analysis of the existing scenario can be made and a gap analysis done, to ascertain how best the system can be improved.
8.1.2 As already seen in the earlier chapters, information security mainly rests on the pillars viz. Confidentiality, Integrity and Availability, and Non-Repudiation and Authentication; hence in any organisation, if any of these pillars is weak, that will deteriorate the information security structure. To ensure formal assurance to customers that data in the organisation is secure enough, which is a must especially in a finance critical industry like banking and insurance, of late ISO standards of information security are normally referred to.
8.2.0 International Organisation for Standardisation, popularly known as ISO in short, is the world's largest developer and publisher of international standards. It is a network of the national standards institutes of over 160 countries, one member per country. It is a non-governmental organisation with central secretariat in Geneva, Switzerland. Structurally, its members are mostly representatives of the respective governments of member nations with a good mix of private sector and business representation. Because of this organisational structure, ISO ensures the dynamism of the private sector with the power and commitment of the public sector, with deep inroads into the business needs.
8.2.1 ISO is an organisation which has over the years evolved standards internationally. The ISO 9000 family of quality management standards is among the most popular. This is mainly on quality management, i.e. the features of a product or service which are required by a customer. Quality Management System (QMS) is what an organisation does to ensure that its products or services satisfy the customers' requirements with the requisite quality, ensuring compliance with all legal regulations.
8.2.2.0 The focus of this chapter will be mainly on ISO 27000 standards, though there are other ISO/IEC standards and methods relating to information security, risk management and related areas, Occupational Health & Safety Advisory Services (OHSAS) ISO 18000 series standards, ISO 14000 series for environmental management etc. Before going into the details of the Information Security Management System (ISMS), let us have a look at some of the most relevant standards and methods in quality management principles applied specifically to the Software Development Life Cycle (SDLC).
8.2.2.1 ISO/IEC 12207:2008 establishes a common framework for software life cycle processes, with well-defined terminology, applicable for the software industry. It contains processes, activities, and tasks that are to be applied in a typical software environment, whether acquisition of a software product or service or its supply, or development, operation, maintenance and disposal of software products. This is specifically associated with defining, controlling and enhancing software life cycle processes.
8.2.2.2 ISO/IEC 15288:2008 is for systems and software life cycle processes and related terminology. In other words, it establishes a common framework for describing the life cycle of systems created by humans and defines a set of processes and related terminology. These processes may be applied and configured in one or more of the constituent elements in the hierarchy of a system's structure, viz. hardware, software, data, humans, processes, procedures, facilities etc.

8.2.2.3 ISO/IEC 90003:2004 is another standard that is relevant in this context. This is a standard exclusive for the software industry and provides guidance for organizations in the application of ISO 9001:2000 to the acquisition, supply, development, operation and maintenance of computer software and related support services. ISO/IEC 90003:2004 does not add to or otherwise change the requirements of ISO 9001:2000, and the guidelines provided herein are not intended to be used for certification. ISO/IEC 90003:2004 is appropriate to software that is part of a commercial contract with another organization.
8.3.0 ISO 27000 STANDARDS

8.3.1 This popular standard from ISO has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). Popularly referred to as ISMS, these standards are often adopted by organisations as a result of security requirements and objectives, and its implementation is influenced by the needs for security and largely depends on factors like the nature of business, size, scale of activity, criticality of data handled etc.
8.3.2 This International Standard promotes the adoption of a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's ISMS. An organization needs to identify and manage many activities in order to function effectively. Any activity using resources and managed in order to enable the transformation of inputs into outputs can be considered to be a process. Often the output from one process directly forms the input to the following process. The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management, can be referred to as a "process approach".
8.3.3 The process approach for information security management presented in this International Standard encourages its users to emphasize the importance of:

a) understanding an organization's information security requirements and the need to establish policy and objectives for information security;

b) implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

c) monitoring and reviewing the performance and effectiveness of the ISMS; and

d) continual improvement based on objective measurement.
8.4.0 ISO-ISMS

8.4.1 Broadly, these standards (ISMS) consist of the following chapters:

• Scope and General
• Application and Normative Reference
• Terms and Definitions
• Establishing and Managing the ISMS, Records and Documents
• Management Responsibility including Resource Management, Training etc.
• Internal Audits (ISMS Audits)
• Review of ISMS (Management Review including review input, review output)
• ISMS Improvement (Corrective and Preventive Action)
8.4.2 BS 7799 was a very popular set of guidelines, later adopted as ISO 27001, made as a structured set of guidelines and specifications for assisting organisations in developing their own information security framework. Totally, ISO 27001 has 11 domain areas, 39 control objectives and 133 controls, all of which are discussed in brief, and not enumerated, in the following paragraphs in this chapter. The security controls represent information security best practices, and the standard suggests that these controls should be applied depending on the business requirements.
8.4.3 ISO 27001 suggests development and implementation of a structured Information Security Management System (ISMS), which governs the security implementation and monitoring in an enterprise. The standard is designed to serve as a single reference for the range of controls needed, which are discussed later in the book mainly under Chapter Nos. 10, 11 and 12. All such controls are applicable for most situations where systems are used.
8.4.4 The importance of the ISO 27001 standards can be easily gauged from the fact that the Gopalakrishna Working Group (RBI) on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds has emphasized the significance of adoption of these standards, their conformance and certification in banks in India.
8.5.0 WHAT ARE THE BENEFITS OF ISO 27001?

8.5.1 Some of the main advantages are:

• Minimises risks and ensures better risk management practices
• Enhances the vendor status and exhibits your commitment to vendors
• Brings the organisation to compliance with legal and statutory requirements
• Reduces information security violations and ensures better data security
• Ensures better business continuity and disaster recovery practices in place
• Gives market leverage because of the global recognition of ISO 27001 certification
8.5.2 It would be pertinent to note that neither savings in cost of manufacture nor straight Return on Investment is part of the ISO 27001 standards or a direct result of the certification. However, conformance to the standards and compliance with the certification procedures will minimise the business risk, ensure business continuity and increase business efficiency, all of which do pave the way for better operational efficiency and enhanced profits.
8.5.3 One of the reasons for worldwide acceptance of ISO 27001 standards or the ISMS is the applicability of the Plan Do Check Act (PDCA) Model in its approach, which makes it formal, easy to understand and procedural. The PDCA approach is best depicted in the following diagram:

[Figure: PDCA (Plan, Do, Check, Act) cycle applied to the ISMS]
Now let us have a brief look at the chapters mentioned above and the salient features of some of the important clauses mentioned in the standards.
8.5.4 While the first two chapters deal with Scope and general introduction of ISMS and the need for the same, the chapter on terms and definitions lays down the definition of some of the most important and significant words used in the document. Usage of the words in the security scenario and the contextual meaning of such words is properly documented in this chapter.
8.5.5 The chapter on records and documents defines the policy, statement of applicability, steps involved in formulating a risk treatment plan, process involved in implementing and operating the ISMS, monitoring, reviewing and identifying the documentation requirements, and all other measures relating to control of documentation and control of records etc.
8.5.6 The next chapter is on Management Responsibility, including procedures for management's role in ISMS, utilization of and availability of resources for proper implementation of ISMS including factors like training, awareness and competence of all human resources, and maintaining proper records for all these.
8.5.7 Audit programmes, procedures for conducting regular audits to monitor implementation of ISMS in the organisation, maintenance of records thereof, and conformance of such audit functions to security requirements are all discussed in this chapter. Audit criteria, scope and methods for conducting the audit and all other relevant procedures relating to audit are also addressed in this chapter.
8.5.8 Management review, as a result of the responsibility discussed in Chapter No. 5 above, is dealt with in detail here. What should constitute inputs to review meetings of management, and what should be the outcome and the output from review, including the follow-up action or other decision taken as output of review, are all discussed in detail.
8.5.9 The steps related to improvement of ISMS procedures are discussed here. Continual improvement of the procedures and effectiveness and efficiency of the system through audit programs, monitoring and review are mandatory as per this chapter. Commonly referred to as CAPA, this chapter mainly deals with Corrective Action and Preventive Action.
8.5.10 Corrective actions mentioned in the process include identifying the Non Conformities with ISMS requirements, defining the cause for such non conformities, evaluating the need for actions to ensure that such non conformities do not recur, and implementing those actions; these are all part of corrective action. Similarly, preventive action mainly involves identification of potential non conformities and taking action to prevent such non conformities. CAPA should be constantly reviewed for their effectiveness and discussed at the management review meetings as well.
8.6.0 The importance of ISMS can be gauged from the fact that the Gopalakrishna Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds has made elaborate recommendations and has stated what Commercial banks should do about the ISMS and Information Security Management. The committee reports:

"The best known ISMS is described in ISO/IEC 27001 and ISO/IEC 27002 and related standards published jointly by ISO and IEC. ISO 27001 is concerned with how to implement, monitor, maintain and continually improve an Information Security Management System, while ISO 27002 provides steps or a list of security measures which can be used when building an ISMS."
8.6.1 The ISO has come out with its latest standards called the ISO/IEC 27001:2013, which is being gradually adopted by the organisations. The official introduction of these standards states that "The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed. It is important that the information security management system is part of and integrated with the organization's processes and overall management structure and that information security is considered in the design of processes, information systems, and controls. It is expected that an information security management system implementation will be scaled in accordance with the needs of the organization".

8.7.0 COBIT - CONTROL OBJECTIVES IN IT

Another popular framework being spoken about is COBIT from ISACA (formerly known as the IS Audit and Control Association), a worldwide renowned professional body representing IT auditors. This framework has matured from quite modest beginnings as a guide for computer auditors on best practice in IT management controls into a comprehensive model or tool to guide the implementation of sound IT governance processes/systems.
8.7.1 The current incarnation, COBIT v4, is described by ISACA as "an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks". COBIT enables clear policy development and good practice for IT control throughout organizations, emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework. The latest in COBIT is COBIT 5, which provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.
8.7.2 COBIT 5 is the only business framework for the governance and management of enterprise IT. This evolutionary version incorporates the latest thinking in enterprise governance and management techniques, and provides globally accepted principles, practices, analytical tools and models to help increase the trust in, and value from, information systems. COBIT 5 builds and expands on COBIT 4.1 by integrating other major frameworks, standards and resources, including ISACA's Val IT, Risk IT and BMIS. We have also aligned COBIT 5 with significant guidance and standards, including ITIL and ISO. (Source: isaca.org)
8.7.3 Though not a certification standard like ISO, COBIT is often referred to as a model, as a framework with best practices discussing the toolset, serving as a guide to IT managers to study the IT and IS Security environments in their organisations, assess the requirements, benchmark them with the best ones in the industry and study the gap, with the overall view to enhance the security initiatives.
8.8.0 GAISP (Generally Accepted Information Security Practices) was once developed from many international works and activities on Information Security and later modified and amended to be presented as a bigger worldwide standard. However, thanks to the popularity and global acceptance of ISO/IEC 27002 and the certificate under ISO 27001, this project did not gain popularity.
8.8.1 GAIT (Guide to the Assessment of IT Risk) is the Institute of Internal Auditors' guidance to identify key IT risks such as SOX Compliance and HIPAA in the US, and gained some reasonable popularity in the US that has an impact especially in the financial sector like banks, payment card industry, insurance, health and related sectors.
8.8.2 A study on Security Standards will not be complete without reference to some popular scenarios in the US and those nations or organisations having business associations with the corporates in the US.
8.8.2.1 The Sarbanes-Oxley Act (SOX) was signed into law in 2002 and named after its authors: Senator Paul Sarbanes (D-MD) and Representative Paul Oxley (R-Ohio). This Act mandated a number of reforms to enhance corporate responsibility, enhance financial disclosures, and combat corporate and accounting fraud. As per the Act, the CEO and CFO must personally certify that their organization has the proper internal controls, that their financial reports are accurate and complete, and also that the data they use for reporting is accurate and secure. The report includes a clause on the effectiveness of internal controls around financial reporting. The infrastructure should be designed to protect and preserve financial records.

8.8.2.2 Popularly known as HIPAA (Health Insurance Portability and Accountability Act), this Act protects health insurance coverage for workers and families when they change or lose their jobs, establishing national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. The Act mandates security and privacy of electronic health care information, with a potential need for such capability with information being electronically stored or transmitted.
8.8.2.3 Gramm-Leach-Bliley Act (GLBA) was signed into law in 1999 and resulted in the most sweeping overhaul of financial services regulation in the United States by eliminating the long-standing barriers between banking, investment banking, and insurance. The information security program must include assigning a designated program manager for the security related activities, conducting periodic risk and vulnerability assessments, and defining procedures for making changes in lieu of test results or changes in circumstances, activities etc.

8.8.2.4 PCI DSS (Payment Card Industry Data Security Standard) is a very popular standard that nations like India should seriously consider and adapt. The standard imposes specific card holder data security controls on merchants and banks handling cards or the data concerned. The requirements of the independent standard enforce structured compliance activities, including routine assessments by accredited PCI (Payment Card Industry) security professionals, with an overall mission to protect the credit card industry. The standards are gradually getting evolved, with the latest version (v2) having been introduced in January 2011 with a time-bound provision for revisions every 3 years.
8.8.2.5 SAS 70 (Statement on Auditing Standards 70) is another standard, though on auditing and attestation, that has relevance to information security. It discusses a method for auditors to check and to attest the information security control status of the financial services. Though audit and security are generally closely related to each other, adherence to this standard is a formal acceptance that security controls are in place. Often, SAS 70 reduces the need for interdependent financial services companies to audit each other's security arrangements incessantly, since receiving a positive SAS 70 report from a trustworthy auditor is generally taken as due diligence.
8.8.2.6 ETSI - TC Cyber. ETSI (European Telecommunications Standards Institute) is an independent, non-profit standards organisation with worldwide presence, evolving globally applicable standards for Information and Communication Technology covering mobile, Internet, broadcast and all communication technologies. It is officially recognized by the European Union as a European Standards Organisation. With a significant presence in the Cyber-security areas, ETSI opened a new Technical Committee popularly known as TC CYBER in March 2014. The TC Cyber Committee focuses mainly on the standardization of the following areas:

• Security of infrastructures, devices, services and protocols
• Security advice, guidance and operational security requirements to users, manufacturers, network and infrastructure operators
• Security tools and techniques to ensure security
• Creation of security specifications and alignment with work done in other ETSI committees
KNOW YOUR PROGRESS

Information Security normally consists of Confidentiality, Integrity, Availability and Non repudiation, with Authentication added to it as another important pillar. Adapting the earlier BS 7799 standards on information security, ISO has come out with ISO 27001 and 27002 standards evolved mainly for security. The standards address risks associated with the security architecture, controls for containing the same, and put in place the procedures to address the whole issue; by virtue of their global acceptability, comprehensiveness and wider reach, almost all security conscious organisations have recognized the importance of these standards. The Gopalakrishna Working Group of RBI on Internet Banking in its report in 2011 has also underlined the significance of the Information Security Management System as enshrined in the ISO 27000 series standards. Besides these standards, there are also frameworks like the one evolved by ISACA called COBIT etc. that can be referred to in order to ensure a robust Information security architecture is in place. In the US, however, there are some more regulations and legal enactments like SOX, HIPAA, PCI-DSS etc. that are all applicable in the banking and related areas.
KEY WORDS
ISO ISMS PDCA SDLC PCIDSS OHSAS
SOX SAS70 HIPAA COBIT ISACA