Hey, did someone say something about our connected world being vulnerable to hacking? Luckily, when it comes to information technology, standards are right in the mix. And with the issue of identifying, reporting and fixing inherent weaknesses in software, ISO and IEC are at the ready with a new standard! The ISO/IEC 29147, “Information technology – Security techniques – Vulnerability disclosure,” is a companion for the ISO/IEC 30111, “Information technology – Security techniques – Vulnerability handling processes,” from last year. Together, they provide a protocol for handling these pesky (and potentially expensive) issues.
Vulnerabilities are weaknesses in software, hardware or online services that can be exploited. As we have discovered with the publicity surrounding several recent breaches (think Target, Neiman Marcus, and so on), these vulnerabilities can result in loss of mission-critical information and potential financial loss as well. There’s no doubt that organizations are starting to rethink the risks involved with vulnerabilities.
Of course, such weaknesses are normally identified by resources like the Common Weakness Enumeration (CWE) and the Open Web Application Security Project (OWASP). However, in today’s world of product interdependency and networked applications, communicating identified weaknesses and developing protocols for fixing them is essential.
As you’re probably aware, IT security begins with the ISO/IEC 27000, “Information technology – Security techniques – Information security management systems – Overview and vocabulary.” (FYI: The 3rd Edition of ISO/IEC 27000 was just released in January.) Now the one-two punch of ISO/IEC 29147 and ISO/IEC 30111 provides the tools for dealing with vulnerabilities in your products when they are identified.
The new ISO/IEC 29147 deals with receiving external reports of vulnerabilities and disclosing this information downstream. It covers setting up processes to receive such reports, acknowledge receipt, and issue an advisory to affected parties. It is geared for use by product vendors.
The ISO/IEC 30111 handles vulnerabilities, whether discovered internally or externally. It provides the structure for verifying the report, developing a resolution, and disseminating the updates once they are completed.
When you use the ISO/IEC 29147 standard, you’ll have a system for making sure that your organization addresses all externally identified threats. This will provide you with a documented system of risk minimization internally, and will also provide users with enough information to evaluate risks in their systems as well. This climate of open communication of vulnerability issues is essential to help prevent unnecessary attacks on systems using or networking with your products.
The standard is laid out in the usual fashion at the beginning. There’s the scope, referenced documents, terms and definitions, and abbreviated terms sections. Then it moves into the meat of the publication, covering the general concepts behind vulnerability handling, disclosure policy considerations, keeping track of incoming notifications of vulnerabilities, possible information sharing between vendors, and the advisory process as the final step.
There are two additional Annexes that will be of help to you, the user. Annex A covers the details of handling incoming information and includes a form for submitting vulnerability findings that covers various situations (for Commercial Off-The-Shelf (COTS), hardware-based, or cloud-based products). Examples from CERT/CC and JPCERT are included. Details of possible information to include in advisories are also provided. Annex B gives you some sample policies and advisories, and more information on global coordinators (CERT, etc.). And since a number of large companies have been involved in the development of this standard, you’ll find real-world examples here.
How are you going to get your copies of these standards? Go to the Document Center webstore to order online at www.document-center.com. Or contact our staff by phone (650-591-7600), fax (650-591-7617) or email (email@example.com). We are committed to helping you identify, purchase, and maintain the standards you need to protect and enhance your organization’s product line and reputation. Make us your Standards Experts!