ISO/IEC 13888-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. This second edition cancels and replaces the first edition ( ISO/IEC 13888-2:1998 ), which has been technically revised.
Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize securityrisks to physical property, information, computer systems, or other assets.
They can be classified by several criteria. For example, according to the time that they act, relative to a security incident:
- Before the event, preventive controls are intended to prevent an incident from occurring e.g. by locking out unauthorized intruders;
- During the event, detective controls are intended to identify and characterize an incident in progress e.g. by sounding the intruder alarm and alerting the security guards or police;
- After the event, corrective controls are intended to limit the extent of any damage caused by the incident e.g. by recovering the organization to normal working status as efficiently as possible.
According to their nature, for example:
- Physical controlse.g. fences, doors, locks and fire extinguishers;
- Procedural controlse.g. incident response processes, management oversight, security awareness and training;
- Technical controlse.g. user authentication (login) and logical access controls, antivirus software, firewalls;
- Legal and regulatory or compliance controlse.g. privacy laws, policies and clauses.
A similar categorization distinguishes control involving people, technology and operations/processes.
In the field of information security, such controls protect the confidentiality, integrity and/or availability of information - the so-called CIA Triad
Systems of controls can be referred to as frameworks or standards. Frameworks can enable an organization to manage security controls across different types of assets with consistency.
- 1Information security standards and control frameworks
Information security standards and control frameworks[edit]
Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls. Some of the most well known are outlined below.
International information security standards[edit]
ISO/IEC 27001 specifies 114 controls in 14 groups:
- A.5: Information security policies
- A.6: How information security is organised
- A.7: Human resources security - controls that are applied before, during, or after employment.
- A.8: Asset management
- A.9: Access controls and managing user access
- A.10: Cryptographic technology
- A.11: Physical security of the organisation's sites and equipment
- A.12: Operational security
- A.13: Secure communications and data transfer
- A.14: Secure acquisition, development, and support of information systems
- A.15: Security for suppliers and third parties
- A.16: Incident management
- A.17: Business continuity/disaster recovery (to the extent that it affects information security)
- A.18: Compliance - with internal requirements, such as policies, and with external requirements, such as laws.
U.S. Federal Government information security standards[edit]
The Federal Information Processing Standards (FIPS) apply to all US government agencies. However, certain national security systems under the purview of the Committee on National Security Systems are managed outside these standards.
Federal information Processing Standard 200 (FIPS 200), 'Minimum Security Requirements for Federal Information and Information Systems', specifies the minimum security controls for federal information systems and the processes by which risk-based selection of security controls occurs. The catalog of minimum security controls is found in NIST Special Publication SP 800-53.
FIPS 200 identifies 17 broad control families:
- AC Access Control.
- AT Awareness and Training.
- AU Audit and Accountability.
- CA Security Assessment and Authorization. (historical abbreviation)
- CM Configuration Management.
- CP Contingency Planning.
- IA Identification and Authentication.
- IR Incident Response.
- MA Maintenance.
- MP Media Protection.
- PE Physical and Environmental Protection.
- PL Planning.
- PS Personnel Security.
- RA Risk Assessment.
- SA System and Services Acquisition.
- SC System and Communications Protection.
- SI System and Information Integrity.
Starting with Revision 3 of 800-53, Program Management controls were identified. These controls are independent of the system controls, but are necessary for an effective security program.
Starting with Revision 4 of 800-53, eight families of privacy controls were identified to align the security controls with the privacy expectations of federal law.
Telecommunications[edit]
In telecommunications, security controls are defined as Security services as part of OSI Reference model
- ITU-T X.800 Recommendation.
- ISO ISO 7498-2
These are technically aligned.[1][2] This model is widely recognized [3][4]
Business control frameworks[edit]
There are a wide range of frameworks and standards looking at internal business, and inter-business controls, including:
See also[edit]
References[edit]
- ^X.800 : Security architecture for Open Systems Interconnection for CCITT applications
- ^ISO 7498-2 (Information processing systems – Open systems interconnection – Basic Reference Model – Part 2: Security architecture)
- ^William StallingsCrittografia e sicurezza delle retiSeconda edizioneISBN88-386-6377-7Traduzione Italiana a cura di Luca Salgarellidi Cryptography and Network security 4 editionPearson2006
- ^Securing information and communications systems: principles, technologies, and applicationsSteven Furnell, Sokratis Katsikas, Javier Lopez, Artech House, 2008 - 362 pages
Retrieved from 'https://en.wikipedia.org/w/index.php?title=Security_controls&oldid=909985362'
Security service is a service, provided by a layer of communicating open systems, which ensures adequate security of the systems or of data transfers[1] as defined by ITU-T X.800 Recommendation.
X.800 and ISO 7498-2 (Information processing systems – Open systems interconnection – Basic Reference Model – Part 2: Security architecture)[2] are technically aligned. This model is widely recognized [3][4]
X.800 and ISO 7498-2 (Information processing systems – Open systems interconnection – Basic Reference Model – Part 2: Security architecture)[2] are technically aligned. This model is widely recognized [3][4]
A more general definition is in CNSS Instruction No. 4009 dated 26 April 2010 by Committee on National Security Systems of United States of America:[5]
- A capability that supports one, or more, of the security requirements (Confidentiality, Integrity, Availability). Examples of security services are key management, access control, and authentication.
Another authoritative definition is in W3CWeb service Glossary [6] adopted by NIST SP 800-95:[7]
- A processing or communication service that is provided by a system to give a specific kind of protection to resources, where said resources may reside with said system or reside with other systems, for example, an authentication service or a PKI-based document attribution and authentication service. A security service is a superset of AAA services. Security services typically implement portions of security policies and are implemented via security mechanisms.
- 5Other related meanings
Basic security terminology[edit]
Information security and Computer security are disciplines that are dealing with the requirements of Confidentiality, Integrity, Availability, the so-called CIA Triad, of information asset of an organization (company or agency) or the information managed by computers respectively.
There are threats that can attack the resources (information or devices to manage it) exploiting one or more vulnerabilities. The resources can be protected by one or more countermeasures or security controls.[8]
So security services implement part of the countermeasures, trying to achieve the security requirements of an organization.[3][9]
Basic OSI terminology[edit]
In order to let different devices (computers, routers, cellular phones) to communicate data in a standardized way, communication protocols had been defined.
The ITU-T organization published a large set of protocols. The general architecture of these protocols is defined in recommendation X.200.[10]
The different means (air, cables) and ways (protocols and protocol stacks) to communicate are called a communication network.
Security requirements are applicable to the information sent over the network. The discipline dealing with security over a network is called Network security.[11]
The X.800 Recommendation:[1]
- provides a general description of security services and related mechanisms, which may be provided by the Reference Model; and
- defines the positions within the Reference Model where the services and mechanisms may be provided.
This Recommendation extends the field of application of Recommendation X.200, to cover secure communications between open systems.
According to X.200 Recommendation, in the so-called OSI Reference model there are 7 layers, each one is generically called N layer. The N+1 entity ask for transmission services to the N entity.[10]
At each level two entities (N-entity) interact by means of the (N) protocol by transmitting Protocol Data Units (PDU).Service Data Unit (SDU) is a specific unit of data that has been passed down from an OSI layer, to a lower layer, and has not yet been encapsulated into a PDU, by the lower layer. It is a set of data that is sent by a user of the services of a given layer, and is transmitted semantically unchanged to a peer service user .The PDU at any given layer, layer 'n', is the SDU of the layer below, layer 'n-1'. In effect the SDU is the 'payload' of a given PDU. That is, the process of changing a SDU to a PDU, consists of an encapsulation process, performed by the lower layer. All the data contained in the SDU becomes encapsulated within the PDU. The layer n-1 adds headers or footers, or both, to the SDU, transforming it into a PDU of layer n-1. The added headers or footers are part of the process used to make it possible to get data from a source to a destination.[10]
OSI security services description[edit]
The following are considered to be the security services which can be provided optionally within the framework of the OSI Reference Model. The authentication services require authentication information comprising locally stored information and data that is transferred (credentials) to facilitate the authentication:[1][4]
- Authentication
- These services provide for the authentication of a communicating peer entity and the source of data as described below.
- Peer entity authentication
- This service, when provided by the (N)-layer, provides corroboration to the (N + 1)-entity that the peer entity is the claimed (N + 1)-entity.
- Data origin authentication
- This service, when provided by the (N)-layer, provides corroboration to an (N + 1)-entity that the source of the data is the claimed peer (N + 1)-entity.
- Access control
- This service provides protection against unauthorized use of resources accessible via OSI. These may be OSI or non-OSI resources accessed via OSI protocols. This protection service may be applied to various types of access to a resource (e.g., the use of a communications resource; the reading, the writing, or the deletion of an information resource; the execution of a processing resource) or to all accesses to a resource.
- Data confidentiality
- These services provide for the protection of data from unauthorized disclosure as described below
- Connection confidentiality
- This service provides for the confidentiality of all (N)-user-data on an (N)-connection
- Connectionless confidentiality
- This service provides for the confidentiality of all (N)-user-data in a single connectionless (N)-SDU
- Selective field confidentiality
- This service provides for the confidentiality of selected fields within the (N)-user-data on an (N)-connection or in a single connectionless (N)-SDU.
- Traffic flow confidentiality
- This service provides for the protection of the information which might be derived from observation of traffic flows.
- Data integrity
- These services counter active threats and may take one of the forms described below.
- Connection integrity with recovery
- This service provides for the integrity of all (N)-user-data on an (N)-connection and detects any modification, insertion, deletion or replay of any data within an entire SDU sequence (with recovery attempted).
- Connection integrity without recovery
- As for the previous one but with no recovery attempted.
- Selective field connection integrity
- This service provides for the integrity of selected fields within the (N)-user data of an (N)-SDU transferred over a connection and takes the form of determination of whether the selected fields have been modified, inserted, deleted or replayed.
- Connectionless integrity
- This service, when provided by the (N)-layer, provides integrity assurance to the requesting (N + 1)-entity. This service provides for the integrity of a single connectionless SDU and may take the form of determination of whether a received SDU has been modified. Additionally, a limited form of detection of replay may be provided.
- Selective field connectionless integrity
- This service provides for the integrity of selected fields within a single connectionless SDU and takes the form of determination of whether the selected fields have been modified.
- Non-repudiation
- This service may take one or both of two forms.
- Non-repudiation with proof of origin
- The recipient of data is provided with proof of the origin of data. This will protect against any attempt by the sender to falsely deny sending the data or its contents.
- Non-repudiation with proof of delivery
- The sender of data is provided with proof of delivery of data. This will protect against any subsequent attempt by the recipient to falsely deny receiving the data or its contents.
Specific security mechanisms[edit]
The security services may be provided by means of security mechanism:[1][3][4]
- Encipherment
- Authentication exchange
- Notarization
The table1/X.800 shows the relationships between services and mechanisms
Service | Mechanism | |||||||
Encipherment | Digital signature | Access control | Data integrity | Authentication exchange | Traffic padding | Routing control | Notarization | |
Peer entity authentication | Y | Y | · | · | Y | · | · | · |
Data origin authentication | Y | Y | · | · | · | · | · | · |
Access control service | · | · | Y | · | · | · | · | · |
Connection confidentiality | Y | . | · | · | · | · | Y | · |
Connectionless confidentiality | Y | · | · | · | · | · | Y | · |
Selective field confidentiality | Y | · | · | · | · | · | · | · |
Traffic flow confidentiality | Y | · | · | · | · | Y | Y | · |
Connection Integrity with recovery | Y | · | · | Y | · | · | · | · |
Connection integritywithout recovery | Y | · | · | Y | · | · | · | · |
Selective field connection integrity | Y | · | · | Y | · | · | · | · |
Connectionless integrity | Y | Y | · | Y | · | · | · | · |
Selective field connectionless integrity | Y | Y | · | Y | · | · | · | · |
Non-repudiation. Origin | · | Y | · | Y | · | · | · | Y |
Non-repudiation. Delivery | Y | · | Y | · | · | · | Y |
Some of them can be applied to connection oriented protocols, other to connectionless protocols or both.
The table 2/X.800 illustrates the relationship of security services and layers:[4]
Service | Layer | ||||||
1 | 2 | 3 | 4 | 5 | 6 | 7* | |
Peer entity authentication | · | · | Y | Y | · | · | Y |
Data origin authentication | · | · | Y | Y | · | · | Y |
Access control service | · | · | Y | Y | · | · | Y |
Connection confidentiality | Y | Y | Y | Y | · | Y | Y |
Connectionless confidentiality | · | Y | Y | Y | · | Y | Y |
Selective field confidentiality | · | · | · | · | · | Y | Y |
Traffic flow confidentiality | Y | · | Y | · | · | · | Y |
Connection Integrity with recovery | · | · | · | Y | · | · | Y |
Connection integrity without recovery | · | · | Y | Y | · | · | Y |
Selective field connection integrity | · | · | · | · | · | · | Y |
Connectionless integrity | · | · | Y | Y | · | · | Y |
Selective field connectionless integrity | · | · | · | · | · | · | Y |
Non-repudiation Origin | · | · | · | · | · | · | Y |
Non-repudiation. Delivery | · | · | · | · | · | · | Y |
Other related meanings[edit]
Managed security service[edit]
Managed security service (MSS) are network security services that have been outsourced to a service provider.
See also[edit]
References[edit]
- ^ abcdX.800 : Security architecture for Open Systems Interconnection for CCITT applications
- ^ISO 7498-2 (Information processing systems – Open systems interconnection – Basic Reference Model – Part 2: Security architecture)
- ^ abcWilliam StallingsCrittografia e sicurezza delle retiSeconda edizioneISBN88-386-6377-7Traduzione Italiana a cura di Luca Salgarellidi Cryptography and Network security 4 editionPearson2006
- ^ abcdSecuring information and communications systems: principles, technologies, and applicationsSteven Furnell, Sokratis Katsikas, Javier Lopez, Artech House, 2008 - 362 pages
- ^CNSS Instruction No. 4009 dated 26 April 2010
- ^W3C Web Services Glossary
- ^NIST Special Publication 800-95 Guide to Secure Web Services
- ^Internet Engineering Task Force RFC 2828 Internet Security Glossary
- ^Network security essentials: applications and standards, William Stallings, Prentice Hall, 2007 - 413 pages
- ^ abcX.200 : Information technology - Open Systems Interconnection - Basic Reference Model: The basic model
- ^Simmonds, A; Sandilands, P; van Ekert, L (2004). 'An Ontology for Network Security Attacks'. Lecture Notes in Computer Science 3285: 317–323
External links[edit]
Retrieved from 'https://en.wikipedia.org/w/index.php?title=Security_service_(telecommunication)&oldid=909989756'