The ongoing disagreement between IT security pros about what security standards should look like is not due to a lack of ideas. In fact, the abundance of standards efforts—there are nearly a half-dozen groups working on similar projects at this point—is a big reason why experts say uniform standards haven’t yet been, and may never be, developed. Those involved say that a void in leadership, a lack of cooperation and coordination, and the necessity to incorporate both technical requirements and the security process within a standard are the major hurdles. What follows is a snapshot of the groups currently working on security standards as well as some insight into why reaching industry agreement on security standards is such a difficult and contentious process.
Plenty of opinions and players
Today’s security standards organizations run the gamut from government initiatives to international standards-setting groups to professional movements within the industry. Here’s a look at the biggest players in the field:
- The National Information Assurance Partnership (NIAP)
The NIAP was created in 1997 to join the efforts of the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) to meet the security testing, evaluation, and assessment needs of both IT producers and consumers. Its long-term goal is to boost consumer confidence in their information systems and networks. Agencies such as the Federal Aviation Administration are starting to work with NIAP to better define their security requirements, and NIAP is looking for other target communities where the organization can serve as a catalyst to spur security requirements and standardization of rules.
- Generally Accepted System Security Principles (GASSP)
The GASSP effort began in mid-1992 in response to a 1990 recommendation from the National Research Council. The effort is sponsored by the International Information Systems Security Certification Consortium ((ISC)2), an international common criteria effort to develop IT product-related information security principles. Its objectives include promoting good practices and providing an authoritative point of reference for IT professionals and a legal reference for the rest of the world for information security principles, practices, and opinions. The GASSP Pervasive Principles have been developed, and work has begun on defining and mapping the GASSP Broad Functional Principles.
- The Center for Internet Security
The Center, founded in October 2000, is focused on helping organizations worldwide efficiently manage information-security risk. The group, which is vendor neutral, provides tools to measure, monitor, improve, and compare the security status of Internet-connected appliances and systems. Nearly 200 members help identify the top security threats and participate in creating practical methods to reduce those threats.
- British Standard (BS) 7799
This enterprise security policy standard is popular in several European countries. BS 7799 has two main parts: a code of practice for information security management and a specification for information security management systems. It prescribes a specific process to determine what policies should be in place, how to document them, and how to develop those that are not specifically identified in the model. It hasn’t been widely adopted within the U.S. IT community, as the International Organization for Standardization (ISO) community considers it incomplete and too restrictive. The ISO, established in 1947, is a non-government, worldwide federation of national standards bodies from some 140 countries.
- Commonly Accepted Security Practices & Recommendations (CASPR)
The CASPR project, launched in August 2001, focuses on distilling expert information through a series of free papers available via the Internet. With the open source movement as a guide, CASPR has nearly 100 certified security professionals involved and is actively recruiting subject matter experts in all areas of information security.
Agreeing on a standard
Because there are so many initiatives in the works, establishing just one set of standards would be a Herculean task requiring considerable cooperation and some big bucks, say security experts.
“It could happen if someone like NIAP takes the leadership role. This would, however, also require that all involved in current duplicative efforts defer to the NIAP lead. And I’m not sure this would ever happen,” said James Wingate, director of information assurance for Backbone Security.com in Fairmont, WV.
Wingate became aware of the deluge of standards while researching corporate strategies related to vulnerability assessment. He quickly learned there are many simultaneous duplicate efforts as well as conflicting best practices.
“It seems there are many out there who seek to portray themselves as having the ‘best’ of the ‘best practices.’ In my opinion, NIAP should step up to lead the standards development/best practice promulgation efforts, as it has access to a great deal of experience in standards setting and IT security,” he said.
While Will Ozier, the GASSP committee chairman since 1992, acknowledges that there are numerous documents offering more detail than GASSP’s offering at this point, none, he said, are comprehensive, sufficiently detailed, or generally accepted. A big obstacle facing the GASSP Detailed Principles movement is financial support—he estimates the effort will cost half a million dollars, which would cover start-up costs for the organization, including establishing an office and a Web site, equipping and staffing testing labs, paying an executive director, and covering incorporation costs.
Ozier, also president and founder of OPA Inc., The Integrated Risk Management Group in Petaluma, CA, has served as a member of the International Information Risk Management Advisory Group's Risk Model Builders' Workshop Committee. He is also on the CSI Advisory Council and most recently, he served as a consultant to the President's Commission on Critical Infrastructure Protection.
“No one body has established itself as the authoritative custodian charged with the development and ongoing maintenance of such guidance. There have been several for-profit documents drafted [by vendors or industry groups] that represent the agenda of specific areas of vulnerability, though. But these fall far short of broadly based, Detailed Principles guidance,” he said.
“What also interferes is the proprietary interest of existing professional organizations and published guidance documents that would be developed and maintained by IISF [the International Information Security Foundation], which is not yet a fully established, not-for-profit entity,” he added.
Defining the scope of the standards
Security expert Ed Skoudis believes that a big obstacle to standards uniformity is that it would need to incorporate both technical issues and policy issues involved in security and that no group’s effort yet encompasses both areas.
“I don’t think it’ll be just one group or one standard. Instead, I see two or three initiatives complementing each other within a unified approach in the next few years,” said Skoudis, who is vice president of security strategy for Predictive Systems, a New York network and security consulting firm. Skoudis recently published his first book, Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses.
In the meantime, the proliferation of standards efforts means that security professionals must keep up with current documents and developments on their own. Wingate recommends hitting the Web sites of NIST, CASPR, GASSP, and IIA for news and standards updates. Ozier recommends diligently reading security journals and attending networking opportunities, such as conferences.
The ever-changing technologies and related security complexities prompt many IT leaders to rely on security consultants, explained Meg Weinberg, senior manager of the IS and Privacy Center at McLean, VA-based Mitretek Systems, a nonprofit research and systems engineering organization that assists government entities: “One reason there’s no set standard is that the technology keeps moving so fast. That’s also what makes it so difficult to keep up to date on what’s happening.”
What are the key components of a security standard?
From your perspective, what must such a standard include? Should one group come up with a technical standard and another group work on a policy standard? Is it even possible for all of the IT industry players to agree on one document? Send us your opinion on a security standard.