ISO/IEC 13335-1: Information technology – Security techniques – Management of information and communications technology security – Part 1: Concepts and models for information and communications technology security management.
An ICT system security policy should reflect the security principles and directives contained within the corporate ICT security policy.
Part 1 focuses its attention on concepts and models for managing the planning, implementation and operations of ICT security. The existence of these policies and their key elements should be regularly communicated to all employees and contractors, as appropriate, underlining management interest and support.
Protection should be ensured throughout the life cycle of information and ICT systems, from planning to acquisition, testing and operation. Management should be responsible for all aspects of security management including risk-management decision-making. A risk scenario describes how a particular threat or group of threats may exploit a particular vulnerability or group of vulnerabilities that exposes assets to harm.
Vulnerabilities may be qualified in terms such as High, Medium, and Low, depending on the outcome of the vulnerability assessment. The information security policy may contain the principles and directives specific to the protection of information that is sensitive or valuable, or otherwise of importance, to the organization.
Once determined, the security strategy and its constituent topics should be encompassed in the corporate ICT security policy. Whilst security is most effective if it is integrated into new systems from the beginning, legacy systems and business activities benefit from the integration of security at any point in time. In such cases threats may cause different impacts depending on which assets are affected. Management support across the organization is required for the development and effective implementation of the policy.
For example, some cultures consider the protection of personal information to be very important, while others give this issue a lower significance. Concepts and models for the management of information and communications technology security. Options for risk treatment include risk avoidance, risk reduction, risk transfer and risk acceptance.
Organizations should assess their requirements, environment and culture, to determine the specific topics that best suit their circumstances. In some instances the government is considered to be responsible and discharges this responsibility by the enactment and enforcement of laws. Where appropriate, the corporate ICT security policy may be included in the range of corporate technical and management policies, which together build a basis for a corporate ICT policy.
When functions are combined it is important to ensure that the appropriate checks and balances are maintained, to avoid concentrating too much responsibility in one person's hands without the possibility of influence or control.
The measure of a vulnerability of a particular system or asset to a threat is a statement of the ease with which the system or asset may be harmed. The development of a corporate ICT security policy is essential to ensure that the results of the risk management process are appropriate and effective.
This would include the following: In large organizations, there may be a network of ICT security officers for business units, departments, etc. If, for example, the answers to one or more of the questions above indicate a strong reliance on ICT, then it is likely that the organization has high ICT security requirements, and it is advisable to choose a strategy that is sufficient to fulfil these requirements.
Furthermore, a programme for security awareness and training should be developed and implemented to communicate these responsibilities. It should also contain details of the particular security requirements and safeguards to be implemented, and procedures on how to use safeguards correctly to ensure adequate security.
Then the question of what vulnerabilities or weaknesses might be exploited by the threats to cause the impact is addressed. These environmental, cultural and legal variations can be significant for international organizations and their use of ICT systems across international boundaries. They support the business of the organization and together they ensure consistency between all safeguards.
Possible indirect impact includes financial losses, and the loss of market share or company image. Technical standards need to be complemented by rules and guidelines on their implementation and use.
The benefits of using standards include: The amount of harm can vary widely for each occurrence of a threat. This is also important when the amount of harm caused by each occurrence is low but the aggregate effect of many incidents over time may be harmful. The example of the ICT security organization described in Figure 4 uses three organizational levels.
Standards may include international, national, regional, industry sector, and corporate standards or rules, selected and applied according to the ICT security needs of the organization.
Vulnerabilities should be assessed both individually and in aggregate to consider the full operational context. Safeguards may be implemented to monitor the threat environment to ensure that no threats develop which can exploit the vulnerability. Quantitative and qualitative measurements of impact can be achieved in a number of ways, such as: Scenario 4 – The risk is considered acceptable and no safeguards are implemented even if threats are present and a vulnerability exists.
In this case, one strategy topic could be directed at minimizing virus infestation through organization-wide installation of anti-virus software. Figure 1 presents a model that shows how assets are potentially subject to a number of threats.
Organizational commitment to ICT security and risk management is essential. Government and commercial organizations rely heavily on the use of information to conduct their business activities. ICT security administrator: in medium and large organizations there is a role for delegated administration. It is necessary to establish and maintain a corporate ICT security policy, consistent with the legislation, regulation, corporate business, security, and ICT policies.
As discussed earlier in this clause, the results of previous risk assessment reviews, security compliance checking and information security incidents may have an effect on the corporate ICT security policy. Risk is never completely eliminated. Sometimes several safeguards are required to reduce risk to an acceptable level, so that the residual risk (RR) is acceptable.
The impact is first determined regardless of which threats might occur to cause the impact, to be sure of identifying the real values.