Michele Moss, Booz Allen Hamilton - Build Security In

International Standards Efforts Help 

Address Challenges in Today’s Global 

Market Place 

Facilitator: 

Michele Moss, Booz Allen Hamilton

National Security Perspective

Critical Infrastructure Perspective

Business Perspective 

INCIDENT: 

Telvent Canada, a company that provides industrial 

automation technology to agencies managing the energy 

industry, was the target of a malicious software attack. 

Telvent stated someone installed the software and stole 

files pertaining to control software for their electric grid 

management. The malware used in the attack is believed 

to be associated with a Chinese hacker group called 

“Comment Group.” Comment Group has a history of 

spying and hacking into important Western infrastructure 

systems and databases. 

IMPACT: 

Files associated with the firm’s Supervisory Control and Data 

Acquisition (SCADA) were stolen. The firm does not believe 

the intruder stole any information that would enable them to 

gain access to a customer system. The CEO of Digital Bond 

believes the hackers are specifically targeting the industrial 

control system sector. 

Loss of Intellectual Property 

MITIGATION: 

As a precautionary measure the company indefinitely 

terminated any customer system access by Telvent. 

Telvent is actively working with law enforcement, security 

specialists, and customers to ensure the breach has been 

contained. Two days after the breach, Telvent partnered 

with a security firm named Industrial Defender in order to 

expand its cybersecurity capabilities. 

Source: Don Davidson, DOD-CIO Trusted Mission Systems and Networks 

• http://www.mnn.com/earth-matters/energy/stories/smart-gridcompany-telvent-struck-by-chinese-hackers 

• http://news.cnet.com/8301-1009_3-57521049-83/maker-ofsmart-grid-software-discloses-hack/

Mandiant APT 1 Report – February 2012

Communicating and sharing supply chain risk-related 

Cyber Security Executive Order: Section. 7. Baseline Framework to 

Reduce Cyber Risk to Critical Infrastructure 

• The Cybersecurity Framework shall 

incorporate voluntary consensus standards 

and industry best practices to the fullest extent 

possible. 

• The Cybersecurity Framework shall focus on 

identifying cross-sector security standards and 

guidelines applicable to critical infrastructure. 

• Recommendations on the feasibility, security 

benefits, and relative merits of incorporating 

security standards into acquisition planning 

and contract administration. 

• The report shall address what steps can be 

taken to harmonize and make consistent 

existing procurement requirements related to 

cybersecurity.

Success Involves Multiple Standards 

• A set of foundational standards is needed to create the common elements of 

the framework 

• A robust pool of standards that can be combined to meet unique environment 

and mission requirements

Public Private Collaboration

Panel Members 

• Nadya Bartol, Utilities Telecom Council (UTC) 

• Jed Pickel, Microsoft 

• Mike Grimm, Microsoft 

• Andras Szakal, The Open Group

Panel Members 

• Nadya Bartol, Utilities Telecom Council (UTC) - is a US technical 

expert working on the ISO/IEC 27000 series standards and Project 

Editor for ISO/IEC 27036. In her role at UTC, she is responsible for 

creating a cybersecurity information sharing platform for the utilities 

industry to deliver practical solutions to emerging cyber challenges.

ISO/IEC 27036 – Information 

Security for Supplier 

Relationships 

© 2012 Utilities Telecom Council

Why Standards 

• Interoperability 

• Competitive advantage for countries and companies 

• Common language for acquirers and suppliers 

ISO standards: global applicability and acceptance 

3/11/2013 12 


Standards Landscape 

3/11/2013 13 

Source: Booz Allen Hamilton and DoD 


ISO Cybersecurity Standards 

ISO 

IEC 

JTC1 

SC27 

WG1: Information 

Security Management 

Systems 

WG2: Cryptography and 

Security Mechanisms 

WG3: Security 

Evaluation Criteria 

WG4: Security Controls 

and Services 

WG5: Identity 

Management and 

Privacy Technologies 

3/11/2013 14 


ISO has over 90 existing cyber security standards and is 

currently developing or revising over 45 standards 

• Information Security Management System 

• Security Controls 

• Information Security Risk Management 

• Information Security Measurement 

• Disaster Recovery 

• Vulnerability Management 

• Network Security 

• Intrusion Detection System 

• Incident Management 

• Application Security 

• Identity Management 

• Authentication Assurance 

• Trusted Platform Module 

• Cryptographic Techniques 

• Key Management 

• Authentication Protocols 

• Information Security Governance 

And Many More… 

• Sector-Specific Guidance (Telecom, Financial 

Services) 

• Biometric Techniques 

• Privacy Technologies 

• Access control and management 

• Entity Authentication 

• Hash Functions 

• Authenticated Encryption 

• Random Bit Generation 

• ICT Readiness for Business Continuity 

• Common Criteria 

• Security Engineering 

• Security Assurance 

• Security of Outsourcing 

• ICT Supply Chain Security 

• Economics of Information Security 

• Forensic Investigation 

• Cyber Security 

3/11/2013 15 

Source: Booz Allen Hamilton and DOD 


Guidelines 

Requirements 

Terminology 

Governance 

ISO/IEC Information Security Management System (ISMS) 

Family of Standards 

ISO/IEC 27000 – Overview and Vocabulary 

ISO/IEC 27001 – 

ISMS Requirements 

ISO/IEC 27006 – 

Audit & Certification Requirements 

ISO/IEC 27002 – 

Code of Practice 

ISO/IEC 27003 – 

ISMS Guidelines 

ISO/IEC 27007 – 

Audit 

Guidelines 

ISO/IEC 27008 – 

Guidance for auditors 

on ISMS controls 

ISO/IEC 27004 – 

Measurement 

ISO/IEC 27005 – 

Risk Management 

ISO/IEC 270XX (concept) – 

ISO/IEC 2700X (concept) – 

Sector-Specific Guidelines 

Sector-Specific Guidelines 

ISO/IEC 27017 (concept) – ISO/IEC 

27017 - ISMS – Code of practice 

for information security controls 

for cloud computing services 

Security Engineering 

Tamper Protection 

Study Period 

ISO/IEC 15408 - 

Common Criteria 

ISO/IEC 21913 – Secure 

System Engineering 

Principles and Techniques 

ISO/IEC 20004-Secure software development and 

evaluation under ISO/IEC 15408 and ISO/IEC 18405 

Implementation 

ISO/IEC 27034– 

Application Security 


Supplier Relationships 


Network Security 

3/11/2013 16 

Source: Booz Allen Hamilton 


Why Use ISO/IEC 27001 

• Integrate security governance into business and IT 

processes 

Plan 

– Standardize security processes and controls 

– Establish a common approach to risk management 

– Reduce the likelihood, severity, duration and cost of 

incidents 

Establish 

• Establish risk-based control selection as a standard 

for risk management 

– Focus resources only on your organization’s risks 

– Facilitate identification and elimination (or minimal 

retention) of non-critical data 

Do 

Implement and 

operate 

Maintain and 

improve 

Act 

– Ensure costs reflect the risk’ appetite 

• Use ISMS processes to improve overall asset 

management capabilities 

– Identify and eliminate redundant, duplicate and obsolete 

assets 

– Enable simplified cost determination for new or revised 

control deployments 

Monitor and 

review 

Check 

– Provide risk reference point for both operations and 

management 



Draft ISO/IEC 27002:2013 Security Controls 

• Security Policies 

• Organization of information security 

• Human resource security 

• Asset Management 

• Access Control 

• Cryptography 

• Physical and Environmental Security 

• Operations Security 

• Communications Security 

• System Acquisition, Development, and Maintenance 

• Supplier Relationships 

• Information Security Incident Management 

• Information Security Aspects of Business Continuity Management 

• Compliance 

3/11/2013 18 



Existing and Emerging Practices 

ISO/IEC 27036, Information Technology – Security Techniques – 

Information Security for Supplier Relationships 

• Addresses Acquirer and Supplier 

practices 

• Applies to all types of organizations 

e.g., commercial, public sector, 

non-profit and all types of supplier 

relationships that may have security 

implications 

• Harmonized with ISO standards for 

system/software engineering and 

information security 

• Parts 1-3 are currently Draft 

International Standard, Part 4 is 

Working Draft 

Part 1 – Overview and Concepts 

Part 3 – 

Guidelines for 

ICT Supply 

Chain Security 

Part 2 –Requirements 

Part 4 – 

Guidelines for 

Security of 

Cloud Services 

19 


Processes and 

Techniques 

Overview 

Requirements 

Guidance 

ISO/IEC 27036 Dependencies and Influences 

ISO/IEC 27036-1 – 

Overview and 

Concepts 

ISO/IEC 27000 – 

Overview and 

Vocabulary 

ISO/IEC 27001 – Information 

Security Management 

Systems 

ISO/IEC 27036-2 – Information Security for 

Supplier Relationships - Requirements 

ISO/IEC 15288/12207 – 

Systems and Software 

Lifecycle Processes 

ISO/IEC 27036-3 - Information 

Security for Supplier 

Relationships – ICT SCRM 

ISO/IEC 27002 – Code of 

Practice for Information 

Security Controls 

• ISO/IEC 15026 – Software Assurance 

• ISO/IEC 27034 – Application Security 

• Security Engineering and Design techniques 

• NASPO and other Anti -Counterfeiting techniques 

• Microsoft Secure Development Lifecycle (SDL) 

• SAFECode 

• OWASP 

• BSIMM 

• Common Criteria – ISO/IEC 15408 

• OMG KDM BPMN, RIF, XMI, RDF 

• OWASP Top 10 

• SANS TOP 25 

• Secure Content Automation Protocol (SCAP) 

• Secure Coding Checklists 

• Encryption 

• Software Asset Tagging 

• Trusted Platform Module (TPM) 



Using ISO/IEC 27036 with other SC27 Standards 

Certify against ISMS and… 

…general requirements 

for supplier relationships 

ISO/IEC 27036-2 – Information 

Security for Supplier Relationships - 

Requirements 

…ICT SCRM guidance 

ISO/IEC 27036-ICT Supply - 

Information Security for Supplier 

Relationships – ICT Supply Chain 

Security 

…Cloud-specific guidance 

ISO/IEC 27036-4 - Information 

Security for Supplier Relationships – 

Cloud Services 

ISO/IEC 27001 – 

Information Security 

Management Systems 

…27002 controls 

ISO/IEC 27002 – Code of Practice for 

Information Security Controls 

…27017 Cloud Controls 

ISO/IEC 27017 - ISMS – Code of 

practice for information security 

controls for cloud computing 

services 



Timeline for Parts 1-3 

Timeframe 

November 2009 – October 2010 

October 2010 – May 2012 

May 2012 

October 2012 

October 2012- 

April 2013 

October 2013 

Outcomes 

Built consensus through Study Period 

Developed Working Drafts 

Progressed to Committee Draft 

Progressed to Draft International Standard 

Ready for Publication 

Another Draft International Standard 

Ready to publish 


Contact Information 

• Nadya Bartol 

Utilities Telecom Council 

202-833-6809 

nadya.bartol@utc.org 

23 


Panel Members 

• Jed Pickel, Microsoft - is a senior security program manager in 

Microsoft’s Trustworthy Computing (TwC) group. Jed is focused on 

alignment of Microsoft’s Security Development Lifecycle (SDL) with 

international security standards and sharing Microsoft SDL best 

practices with the software development ecosystem.

Panel Members 

• Mike Grimm, Microsoft - is a senior program manager at Microsoft, 

currently focused on assurance and evaluation strategy. He manages 

security evaluations for Windows and has contributed to the 

development of Microsoft products and services since Windows 95.

Panel Members 

• Andras Szakal, The Open Group - vice president and chief 

technology officer IBM U.S. Federal. He is a chair of the Open Group 

Trusted Technology Forum and leads the development of the Open 

Trusted Technology Provider Framework.

Questions

Michele Moss, Booz Allen Hamilton - Build Security In

Create successful ePaper yourself

Delete template?

Save as template?