The Standard

Overview

This chapter provides an overview and a brief abstract of the scope of each IT Security Standard. This description does not contain details about IT security; it aids in the understanding of the Taxonomy. Starting with Chapter 4, details on each Taxonomy area are provided by offering a more in-depth profile of each IT Security Standard. These profiles explain the challenges that may arise in terms of information security and summarize the major security objectives. Furthermore, dependencies on other areas are touched upon.

Networks: All IT Security Standards belonging to the “Networks” cluster are specified and briefly characterized in this section. Networks connect users (or user organizations) with IT services from the IT service provider. Hence, Wide Area Network Security is the first standard. Corporate Provider Access comprises all network and IT elements required to protect the provider’s computing periphery and to provide VPN capabilities. The customers connect from their side. User LAN Periphery consists of the corresponding IT security solutions such as firewalls and VPNs, where provided by the IT service provider. The customers (and other third parties) may also connect via Remote User Access. The standard Gateway and Central Services (on the provider’s side) encompasses elements above the sole connection such as e‑mail security services.

For more details, refer to Table 1 below, which provides the name of the standard, its icon and abbreviation. It presents a short summary and definition of the standard with the IT components or other major elements being covered.

Networks: Communication of users (from their LAN or remote) to consume IT services centrally produced (in a data center)

IT Security Standard (Abbr.): IT components and major areas

Wide Area Network Security (WAN): All means to transport data between users and among users and IT systems in data centers, including direct network links, Internet access, bandwidth, MPLS.

Corporate Provider Access (CPA): All IT equipment between the WAN and the data center LAN, i.e., the communication periphery of the data center. This includes packet filter firewalls, switches and routers, VPN gateways and intrusion detection/prevention (IDS/IPS) solutions.
“Transportation level” only: application-related IT equipment comes under Gateway and Central Services (GCS).

Gateway and Central Services (GCS): All IT equipment that is centrally provided for specific communication such as e-mail and user authentication. Included in this area are e-mail security and archiving, other communication services, file sharing as well as directory services, LDAP, other authentication servers, web SSO and identity federation services, application level gateways including proxies and reverse proxies and web application firewalls (WAF).
“Application level” only: purely transport-oriented “gateways” are found under Corporate Provider Access (CPA).

User LAN Periphery (ULP): All IT equipment between the user LAN and the WAN, i.e., the users’ central communication periphery. This includes site-to-site gateways, firewalls, intrusion detection/prevention (IDS/IPS) solutions and domain services.

Remote User Access (RUA): All client components that are used to securely communicate via the WAN or the Administration Network, or to securely connect to IT services that are centrally produced (in a data center). This includes VPN clients, authentication tokens and other such tools.
“Transportation level” only: other equipment comes under Office Workplace Security (OWS) and Mobile Workplace Security (MWS).

Table 1: IT Security Standards related to “Networks”

Data Center: All IT Security Standards that belong to the “Data Center” cluster are specified and briefly characterized in this section. IT services are produced in data centers (of the IT service provider). Therefore, Data Center Security is important, comprising all aspects of physical and environmental security relating to the data center as a whole. Management of the IT is performed remotely from operations centers. Administration Network Security defines security requirements for such administrative access. There are Data Center Networks within the data centers which connect physical computer systems to each other, these computer systems to storage and administrators to both computers and storage systems. Operations Support Security concerns all security aspects of procedures, tool sets and utilities needed for data center operations. Computer Systems Security comprises computer hardware and operating systems as a minimum. Database and Storage Security is considered as an extra discipline. Applications are executed on top. Thus, Application and Application Management Security is a further issue. In dynamic computing environments, hypervisors and such means of virtualization are part of the computer systems. Virtual Machine and Software Image Management addresses the security issues relating to the engineering (creation and configuration) of software images, their handling and deployment to machines as well as moves and other management activities including the management systems required for this. Access by operations personnel (administrators) to these and other critical systems or systems functions needs to be controlled with care. The related security issues are summarized in Provider Identity Management.

For more details, refer to Table 2 below, which provides the name of the standard, its icon and abbreviation. Also provided are a short summary and definition of the standard with the IT components or other major elements being covered.

Data Center: Equipment and means for the production of central IT services (location: data center)

IT Security Standard (Abbr.): IT components and major areas

Data Center Security (DCS): All physical and environmental security aspects of a data center. It does not include IT security equipment except for that relating to entrance control and the like.

Data Center Networks (DCN): All networks and network equipment within the data center that is used to connect Computer Systems (to each other, to the data center’s external interface, and with Storage) as well as connect operations personnel (administrators) to Computer Systems, Storage and Operations Support equipment.
Note that all such networks and network equipment are “inside the firewall”. Connectivity between the data centers of the IT service provider is also included.

Computer Systems Security (CSS): All parts of the IT stack except user applications, centralized storage and middleware including runtime environments and databases. Computer Systems comprise physical computers with operating systems and system virtualization software such as hypervisors.

Database and Storage Security (DSS): All centralized storage equipment and software (accessed by Computer Systems via Data Center Networks) plus Database Management Systems, even if they run on individual Computer Systems. It also contains all resources for backup and disaster recovery.

Operations Support Security (OSS): All procedures, tool sets and utilities that are used by operations personnel (administrators) for basic data center operations. This includes software for systems management, IT asset and life-cycle management, IT service management as well as for service availability and performance management.

Application and Application Management Security (AMS): All software that produces the primary IT services for users. It does not include platforms and infrastructure services. Applications sit on top of Computer Systems. Middleware such as runtime environments (e.g., .NET) is also included except for Database Management Systems.

Virtual Machine and Software Image Management (VMM): All procedures, tool sets and utilities that are used by operations personnel (administrators) to deploy, start, stop, move and otherwise manage Virtual Machines that run on Computer Systems.
All procedures, tool sets and utilities that are used to generate and configure software images (engineering of images) and for archiving as well as the inventory of these images. Software images comprise those for operating systems and those for applications.

Administration Network Security (ANS): All networks and other equipment that allow operations personnel (administrators) to connect to the data center and its components remotely in order to perform management and maintenance tasks. This includes network security plus jump servers and centrally provided services such as authentication services.
Note that the use of such equipment is confined to administrators only.

Provider Identity Management (PIM): All procedures and regulations, IT systems and services that are used to create and manage the digital identities including rights and other attributes for operations personnel (administrators).

Table 2: IT Security Standards related to “Data Center”

Customer and Users: All IT Security Standards that belong to the “Customer and Users” cluster are specified and briefly characterized in this section. The user organization requires an identity and access management solution in order to manage users, equipment and their access to IT components and services. If provided by the IT service provider, the management of digital identities is described in User Identity Management. Users use their workplace to access IT services that are provided remotely. Office Workplace Security and Mobile Workplace Security address the corresponding security issues of protecting these workplaces and the information and applications being used and processed with them.

For further details, refer to Table 3 below. The table provides the name of the standard, its icon and abbreviation. Also provided are a summary and definition of the standard with the IT components or other major elements being covered.

Customer and Users: Equipment and means used by customers and users (location: users’ premises or mobile)

IT Security Standard (Abbr.): IT components and major areas

User Identity Management (UIM): All procedures and regulations, systems and services that are used to create and manage the digital identities including rights and other attributes for users. The digital identities of a person are described as “personalized identity objects”, which are assigned to other identity objects like location, organization, legal entity, etc. These identities are managed in the so-called Identity Management Life-Cycle. The IDM service is the basis for real-time access management.

Office Workplace Security (OWS): All software and equipment that is used to protect desktop computers and the data and software stored and processed there.
Note that Office Workplaces may also be provided in a virtualized way and hosted as “application” in the data center.

Mobile Workplace Security (MWS): All software and equipment that is used to protect mobile computers and the data and software stored and processed on these. This includes notebook computers and different types of smart phones.
Note that mobile workplaces may also be provided in a virtualized way and hosted as “application” in the data center.

Table 3: IT Security Standards related to “Customer and Users”

Evidence and Customer Relation: All IT Security Standards that belong to the “Evidence and Customer Relation” cluster are specified and briefly characterized in this section. The Customer Communication and Security standard provides more details on how the IT service provider works, interacts and communicates with customers. Vulnerability Assessment and Mitigation Planning refers to all related activities such as security testing, regular scanning, CERT services, evaluation of impact and planning of corrective actions. Logging, Monitoring and Security Reporting concerns log management and analysis, monitoring of systems, measurement and information provisioning to customers. In Incident Handling and Forensics, practices are described to handle (security) incidents in IT production and potentially together with the customer. It also describes investigations of log data and systems to find evidence of suspicious, malicious and fraudulent action.

For additional details, see Table 4 below. The table provides the name of the standard, its icon and abbreviation and a summary and definition of the standard with the IT components or other major elements covered therein.

Evidence and Customer Relation: Vulnerability Management, Management of Security Information, Events and Incidents as well as secure communication with customers

IT Security Standard (Abbr.): IT components and major areas

Customer Communication and Security (CCS): All procedures that establish the communication with customers and all means used to secure this electronic communication. Included here are non-disclosure agreements and encryption technology for e-mails.

Vulnerability Assessment and Mitigation Planning (VAM): All activities relating to regular security testing and scanning of systems software and their configuration, CERT services, evaluation of impacts and planning of corrective actions.

Logging, Monitoring and Security Reporting (LMR): All activities and tools used for central log management and analysis, monitoring of systems, measurement and information provisioning to customers. It includes Security Information Management (SIM) with Log Management, data collection, analysis and reporting of log data, Privileged User and Resource Access Monitoring as well as Security Event Management (SEM) with Real Time Log and Event Data Processing, correlation and analysis of events.

Incident Handling and Forensics (IHF): All procedures and means used to handle and respond to security-related circumstances that may have a significant impact and require a timely resolution by implementation of workarounds or by removing the root cause.

Table 4: IT Security Standards related to “Evidence and Customer Relation”

Service Management: All IT Security Standards that belong to the “Service Management” cluster are specified and briefly characterized in this section. These IT Security Standards relate to life-cycle issues and general aspects of operations security. The Release Management and Acceptance Testing standard describes the corresponding security-related activities that are conducted in the plan–build phases, which are the typical planning, designing, and implementation as well as end-of-life management. Security testing is also part of the acceptance procedures. System Development Life-Cycle describes requirements for software being developed by the provider and used for IT service provisioning in particular. Systems Acquisition and Contracting describes specific requirements for systems and services being purchased from vendors for the purpose of IT service provisioning. The Change and Problem Management standard describes how new requirements are met and realized and how possible problems are managed, possibly in cooperation with the customer. Changes may be initiated by customers or may be required as the result of vulnerabilities being identified or security incidents that have occurred. The four remaining standards refer to general aspects of operations security: Asset and Configuration Management, Hardening, Provisioning and Maintenance, Security Patch Management and Business Continuity Management.

For more details, refer to Table 5 below, which provides the name of the standard, its icon and abbreviation, and a summary and definition of the standard with the IT components or other major elements being covered.

Service Management: Life-cycle issues and general aspects of operations security

IT Security Standard (Abbr.): IT components and major areas

Release Management and Acceptance Testing (RMA): Release Management plans, tests, communicates, implements and monitors the implementation of a release into the IT service environment and ensures that all technical and non-technical aspects are considered.
A release is considered as a set of pre-approved changes of the IT service environment (i.e., IT systems and components used by the IT service provider to provide IT services).

System Development Life-Cycle (SDL): The System Development Life-Cycle is a process for developing demonstrably reliable and secure IT systems. It includes activities performed with the goal that IT systems respond to needs by providing the required functionality correctly and nothing more. This means that requirements are implemented correctly without creating vulnerabilities.

Systems Acquisition and Contracting (SAC): Selecting the right supplier is critical when purchasing IT systems and components (or even services) that need to be reliable, secure, etc.
Properties and other characteristics, the possibility of corrections and the process to achieve them are all examples of key aspects which need to be fixed in a contract. Otherwise, it may be difficult to have any of these areas of concern carried out.

Change and Problem Management (CPM): Changes are alterations to IT components, which are requested mainly due to incidents or problems. Change Management is the life-cycle process from request and analysis to implementation and final verification.
Problems are the cause of any failure of, or incidents in, IT service delivery. Problem Management is the life-cycle process from occurrence, notification, analysis and identification of causes to the planning of workarounds and changes.

Asset and Configuration Management (ACM): Asset Management is the process responsible for tracking and reporting the value and ownership of IT systems and components throughout their life-cycle.
Configuration Management is the process responsible for maintaining information about any component required to deliver an IT Service, including their relationships.

Hardening, Provisioning and Maintenance (HPM): Hardening includes all methods applied to IT systems, software and components that reduce the possibility of vulnerabilities and susceptibility to attacks. Provisioning comprises all methods of deployment and activation of IT services including conception, installation, configuration, and approval. Maintenance consists of technical support to ensure continued operation and an up-to-date state, including the help desk.

Security Patch Management (SPM): Security Patch Management is the process responsible for the consolidated proactive update of IT systems for which new potential vulnerabilities are discovered and their fixes are available. It is applicable to all IT systems, both customer-specific installations and general infrastructure.

Business Continuity Management (BCM): Business Continuity Management provides precautions that minimize the impact of possible disruptions to IT service provisioning or of loss of data, which includes a timely and full recovery of service and data.

Table 5: IT Security Standards related to “Service Management”

Risk Management and Certification: All IT Security Standards that belong to the “Risk Management and Certification” cluster are specified and briefly characterized in this section. Certification and 3rd Party Assurance describes the general approach of the IT service provider to certifications and how third-party assurance, gained through audits and assessments, is planned, conducted and integrated into the provider’s business strategy and communication. The Risk Management standard describes the procedures of making decisions on the implementation of security controls.

For more information, refer to Table 6 below, which provides the name of the standard, its icon and abbreviation, and a summary and definition of the standard with the IT components or other major elements being covered.

Risk Management and Certification: Top-level security issues

IT Security Standard (Abbr.): IT components and major areas

Certification and 3rd Party Assurance (CTP): Third-party assessment and validation may provide a greater level of independence and acceptance in a wider market. Utilization of security practices from industry standards generates benefits since expertise and experience from a wider market are utilized.

Risk Management (RMP): Security and compliance can encounter risk arising from different circumstances. Risk management comprises the identification of risks, the analysis and categorization of risks, and determination of countermeasures to reduce the risks to an acceptable level.

Table 6: IT Security Standards related to “Risk Management and Certification”