ETSI GS ISI 001-1 V1.1.2 (2015-06)

Information Security Indicators (ISI); Indicators (INC); Part 1: A full set of operational indicators for organizations to use to benchmark their security posture

Disclaimer

This document has been produced and approved by the Information Security Indicators (ISI) ETSI Industry Specification Group (ISG) and represents the views of those members who participated in this ISG. It does not necessarily represent the views of the entire ETSI membership.

GROUP SPECIFICATION

Reference: RGS/ISI-001-1ed2
Keywords: ICT, security

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) N° 7803/88

Important notice

The present document can be downloaded from: http://www.etsi.org/standards-search

The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp

If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx

Copyright Notification

No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2015. All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP™ and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents

Intellectual Property Rights ..... 5
Foreword ..... 5
Modal verbs terminology ..... 6
Introduction ..... 6
1 Scope ..... 8
2 References ..... 8
2.1 Normative references ..... 8
2.2 Informative references ..... 8
3 Definitions, symbols and abbreviations ..... 9
3.1 Definitions ..... 9
3.2 Symbols ..... 9
3.3 Abbreviations ..... 9
4 Fill the existing gap in continuous assurance standards ..... 9
4.0 Introduction ..... 9
4.1 Overview of existing continuous assurance standards ..... 9
4.2 Exchanging and sharing security events and indicators ..... 10
4.3 Position and target of the GS ISI series ..... 10
5 Description of the proposed security indicators ..... 11
5.0 Introduction ..... 11
5.1 Building a fully flexible indicators architecture ..... 11
5.2 The key issue of an organization's maturity level ..... 12
5.3 Indicators detailed definition ..... 12
5.4 Indicators related to security incidents ..... 13
5.5 Indicators related to vulnerabilities ..... 35
5.6 Indicators as regards impact measurement ..... 62
5.7 Recap of available state-of-the-art figures ..... 63
Annex A (normative): Description of the proposed indicators with reference to the template recommended in ISO/IEC 27004 standard ..... 68
Annex B (informative): Authors

Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http://ipr.etsi.org).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Group Specification (GS) has been produced by ETSI Industry Specification Group (ISG) Information Security Indicators (ISI).

The present document is part 1 of a multi-part deliverable covering the Information Security Indicators (ISI); Indicators (INC), as identified below:

Part 1: "A full set of operational indicators for organizations to use to benchmark their security posture";
Part 2: "Guide to select operational indicators based on the full set given in part 1".

The present document is included in a series of 6 ISI specifications. These 6 specifications are the following (see figure 1 summarizing the various concepts involved in event detection and interactions between all specifications):

- The present document addressing (together with its associated guide ETSI GS ISI 001-2 [3]) information security indicators, meant to measure the application and effectiveness of prevention measures.
- ETSI GS ISI 002 [4] addressing the underlying event classification model and the associated taxonomy.
- ETSI GS ISI 003 [i.5] addressing the key issue of assessing an organization's maturity level regarding overall event detection capabilities (technology/process/people) and to weigh event detection results.
- ETSI GS ISI 004 [i.6] demonstrating through examples various means to produce these indicators and how to detect the underlying related events (with a classification of the main categories of use cases/symptoms).
- ETSI GS ISI 005 [i.2] addressing ways to produce security events and to test the effectiveness of existing detection mechanisms within an organization (for major types of events), which is use-case oriented thus more specific and complements the ISI 003 approach.

[Figure 1: Positioning the 6 GS ISI against the 3 main security measures. The figure ("GS ISG ISI Series Summary Definition") relates real events, security prevention measures, event detection measures, fake events (simulation), event reaction measures, detected events and residual risk (event model-centric vision).]

Modal verbs terminology

In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).

"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.

Introduction

Over the course of recent years, a general consensus has progressively taken place within the industry, recognizing that benchmarking the security of IT systems was worthwhile, on an equal footing with what is done in other areas or disciplines such as quality or management. In other words, it is possible to perform an objective assessment of the application and effectiveness of a security policy or, more generally, of an Information Security Management System (ISMS) and of the residual risk (refer to the chart in the introduction of ETSI GS ISI 002 [4], which highlights the 2 associated types of events - incidents and vulnerabilities - and the joint area covered by IT security policy through the concept of usage or implementation drift).

This shared belief was first confirmed worldwide by the publication of converging data, notably the figures from several advanced Cyber Defense and SIEM (Security Information and Event Management) projects in the USA and Europe, through reliable and very refined operational indicators dealing with both incidents and vulnerabilities. This emergence of security state-of-the-art figures (demonstrating a trend towards practical outcomes as much as sheer compliance) also made it possible:

- To separate between two categories of indicators, the ones that can under no circumstances serve as reference points (in particular, the ones that are very risk-oriented and consequently specific to a given industry sector), and the ones that are common to all industry sectors and situated on the right level (see the associated event classification model in ETSI GS ISI 002 [4]),
- To map these indicators to the 11 domains of the ISO/IEC 27001/2 standards [6] and [2] to continuously assess the enforcement and effectiveness of an existing ISMS (Continuous Checking), to the ISO/IEC 27006 [i.7] standard on ISMS auditing, and to ISO/IEC 27004 [1] that primarily relates to security indicators.

Furthermore, to meet the requirements of governance (need to provide high-level information suitable for executive summary) and accuracy (need for clear description suitable for action), the idea is to tag and organize them according to the underlying event classification model and the associated taxonomy, making it therefore possible to group them based on various criteria (origin, type of action, type of asset impacted, type of impact, etc.) and to build a pyramidal structure of aggregated indicators (with high flexibility). Each incident and each vulnerability will be described following a structured language.

The typical list of some 95 indicators and the associated 10 to 15 possible derived and consolidated indicators (as provided in the present document) are generally shared by most advanced Cyber Defense and SIEM projects. They are meant as a priority list for CISOs, in order to help them assess and enforce their company's or organization's IT security governance. Some of them, or consolidated indicators, may also be used by Operational Risk Managers, CIOs and senior executives, providing them with an overview of trends, drifts or progress displaying the organization's whole security posture.

The proposed list of indicators is in use within the community and accepted. The present document groups them into 4 distinct categories, each with different maturity levels:

- Well-known indicators: indicators related to accidental security incidents (i.e. breakdowns and natural disasters).
- Indicators requiring improved definition: refined definition of indicators related to security incidents of the malicious and unawareness type (external intrusions and attacks, internal deviant behaviours).
- Under-developed indicators: indicators emerging in the community, related to impact measurements.
- Undeveloped indicators: indicators related to behavioural, software, configuration and general security vulnerabilities.

The next remaining question is how to use the present document and select the relevant indicators, which depend on the organization's existing ISMS. In this regard, the proposed range of indicators should be considered as a simple but representative ground work, from which a selection can be made according to the existing ISMS. This process leads to a series of unique indicators that are specific to each organization, amongst which a first part will typically consist of specific indicators, with a second part consisting of a sub-set of the list given in the present document. The main characteristic of the former will be "effective ISMS implementation", while that of the latter will be more "operational". As such, the structuring side of the ISMS will clarify and validate the choice of a given indicator from the proposed ground work.

A second aspect to consider in the use of the present document is the publication (or not) of the proposed state-of-the-art figures, a state that can be directly associated with their qualification as a shared universal reference (which in some extreme cases can go so far as production impossibility). As such, the summary table proposed in clause 5.7 brings to light the indicators which are highly convergent between organizations. It is therefore possible to rely on these converging indicators in order to carry out benchmarking within one's organization or one's company.

These considerations, associated with a mapping of ISI to various reference frameworks and contexts, are addressed in a separate Guide called ETSI GS ISI 001-2 [3]. Another completely different use of indicators, which is worth mentioning here, is also being dealt with in this Guide; it consists of applying them to the field of security product certification (with ISO 15408 [i.8]).

It should be finally mentioned that the present GS partially relies on a work carried out by Club R2GS (see annex C), a club composed of French companies created in 2008, specializing in Cyber Defense and Security Information and Event Management (SIEM). This body brings together a large number of representatives from many of the bigger French institutions (mainly users) concentrating on those that are the most advanced in the Cyber Defense and SIEM field. The present document (and associated ETSI GS ISI 001-2 [3]), as well as all other GS ISI 00x, is therefore based on factual experience, this community of users having adopted and used the set of indicators and the related event classification model sometimes for more than 3 years and sometimes on a world-wide scale. This ensures that the proposed indicators provide a dependable view of the factual state of vulnerability of the monitored information system. Moreover, it should be added that a survey amongst the members demonstrated that these members share a large subset (30 %) of these indicators. This core subset constitutes the set of indicators mentioned as Priority 1 in clause 5.7 (Recap of state-of-the-art figures). The use of this indicators subset ensures that they provide reliable and factual information on the security posture of the organizations that use them.

1 Scope

The present document provides a complete set of information security indicators (based on already existing results and hands-on user experience), covering both security incidents and vulnerabilities. These indicators become evidence of non-compliance to a security policy when they violate an organization's security policy. The present document is meant to help CISOs and IT security managers in their effort to accurately evaluate and benchmark their organization's security posture. ETSI GS ISI 001-2 [3] gives precise instructions on how to use the present document and select indicators.

2 References

2.1 Normative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies.

Referenced documents which are not found to be publicly available in the expected location might be found at http://docbox.etsi.org/Reference.

NOTE: While any hyperlinks included in this clause were valid at the time of publi
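The Introduction above describes tagging every incident with the criteria of the event classification model (origin, type of action, type of asset impacted, type of impact) and rolling those tags up into a pyramidal structure of aggregated indicators. The following Python is an added example of that roll-up mechanism, not code from ETSI or from the GS ISI series; the tag vocabulary, the `Incident` record and the sample incidents are constructed for illustration and are not the taxonomy defined in ETSI GS ISI 002.

```python
"""Added example (not part of ETSI GS ISI 001-1): building an indicator pyramid
from incidents tagged with classification criteria.

The criteria names and tag values below are CONSTRUCTED for illustration;
they are not the taxonomy of ETSI GS ISI 002.
"""
from collections import Counter
from dataclasses import dataclass
from itertools import combinations

# The grouping criteria named in the Introduction (order is fixed so that
# a full tag tuple can be built and sliced by position).
CRITERIA = ("origin", "action", "asset", "impact")


@dataclass(frozen=True)
class Incident:
    """One detected incident described in a structured way (one tag per criterion)."""
    origin: str
    action: str
    asset: str
    impact: str


# Constructed sample: one reporting period of already-classified incidents.
SAMPLE = [
    Incident("external", "intrusion", "web_server", "confidentiality"),
    Incident("external", "intrusion", "web_server", "availability"),
    Incident("external", "malware", "workstation", "integrity"),
    Incident("internal", "policy_deviation", "workstation", "confidentiality"),
    Incident("internal", "policy_deviation", "file_share", "confidentiality"),
    Incident("accidental", "breakdown", "file_share", "availability"),
]


def base_indicators(incidents):
    """Bottom of the pyramid: one counter per complete tag combination."""
    return Counter(tuple(getattr(inc, c) for c in CRITERIA) for inc in incidents)


def aggregate(base, keep):
    """Roll base counters up to a coarser indicator that keeps only some criteria.

    keep is a tuple of criterion names, e.g. ("origin",) gives counts per origin
    and () gives the single top-of-pyramid total.
    """
    positions = [CRITERIA.index(c) for c in keep]
    rolled = Counter()
    for full_tag, count in base.items():
        rolled[tuple(full_tag[p] for p in positions)] += count
    return rolled


def pyramid(incidents):
    """Every level of the pyramid, keyed by the criteria it retains."""
    base = base_indicators(incidents)
    levels = {}
    for size in range(len(CRITERIA), -1, -1):  # finest level first, total last
        for keep in combinations(CRITERIA, size):
            levels[keep] = aggregate(base, keep)
    return levels


def share(counter, key):
    """Derived indicator: proportion of the period's incidents carrying a tag."""
    total = sum(counter.values())
    return counter[key] / total if total else 0.0


if __name__ == "__main__":
    levels = pyramid(SAMPLE)
    print("total incidents:", levels[()][()])
    for origin, n in sorted(levels[("origin",)].items()):
        print(f"per origin {origin[0]:<10} {n}  share={share(levels[('origin',)], origin):.2f}")
    for (origin, impact), n in sorted(levels[("origin", "impact")].items()):
        print(f"origin={origin:<10} impact={impact:<15} {n}")
```

The same base counters feed every level, so a consolidated figure for an executive summary (incidents per origin) and a precise figure for action (incidents per origin, asset and impact) are guaranteed to be consistent with each other; the `share` helper is the kind of derived indicator the text mentions alongside the raw counts.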
