, ISO/IEC. ORCID ORCID ISO/IEC

Transcription

1 .,. «ИФИ» ,, К, 31, ORCID ORCID DOI: ( ) ( ) ( )., ( ). (ISO) ISO/IEC ISO/IEC 19896,., ISO/IEC «e-cf 3.0». К :,,, ISO/IEC. Д. А А,.;, А. ISO/IEC., ДS.Х.], Я. 24, Ч. 4, p. 6-18, nov ISSN : <СЭЭpЬ://ЛТЭ.ЦОpСТ.Ыu/ТЧНОб.pСp/ЛТЭ/КЫЭТМХО/ЯТОа/282>. : 28 nov doi: Natalia G. Miloslavskaya, Alexander I. Tolstoy National Research Nuclear University MEPhI (Moscow Engineering Physics Institute), Kashirskoe shosse, 31, Moscow, , Russia NGMiloslavskaya@mephi.ru, ORCID AITolstoj@mephi.ru, ORCID Competence Requirements of ISO/IEC Standards for Information Security Professionals DOI: Abstract. The rapid progress in the filed of information security (IS) puts one in a need of periodic revision of professional competencies (formulated in the federal state educational standards FSESs) and working functions (formulated in the professional standards PSs). Under these conditions, a timely reaction to everything new that emerges or will appear in modern regulatory documents (primarily in standards) is extremely important. We make a forecast for the content of the ISO/IEC and ISO/IEC standards drafted by the International Organization for Standardization (ISO), which should contain the requirements for the competencies of IS management system professionals and the competence of IS testers and evaluators. Our forecast takes into account the requirements of the ISO/IEC standard group and the recommendations of the European e-competence Framework e-cf 3.0. Keywords: information security, competence, Information Security Professional, ISO/IEC standard For citation. MILOSLAVSKAYA, Natalia G.; TOLSTOY, Alexander I. Competence Requirements of ISO/IEC Standards for Information Security Professionals. IT Security, [S.l.], v. 24, n. 4, p. 6-18, nov ISSN = IT Security, 24, 4(2017) 6

2 7136. Available at: < Date accessed: 28 nov doi: ( ). ( ) [1]. : 1. ( ) (, ).. ( ) (, ). 2. ( ),,.,.,., ( ) ( ). ( ), ( ( ), ( ) ( )) ( )., (,, ), (, ).,.,.. ( ) «,» Д2]. ( ). (АШЫХН ТЧЭОЫЧКЭТШЧКХ МШЧПОЫОЧМОЬ ШЧ IS EНuМКЭТШЧ АISE) Д3-5]. ( CISA, CISSP, GIAC..). = IT Security, 24, 4(2017) 7

3 , : 1., : «( ):» Д7] Д8]; 2. (AGIMO) Д9]; 3. «e-cf 3.0» [10]., ( -CF 3.0) ( ): - ISO/IEC ; - ISO/IEC ( ): «,»; «, ISO/IEC 19790»; «, ISO/IEC 15408». e-cf 3.0, ISO/IEC ISO/IEC Е ( -CF 3.0) [10] - ( ), CENICTSkills Workshopcommunity.. ( ) ( ) ( ).,.,, /., ( ).,,,,,,,,.,., - CF 3.0, = IT Security, 24, 4(2017) 8

4 ( / ): 1:, : ( ) ( ) (C) (D) ( ). 2: ( -CF ) 1. 3: 2. 4: (, ) 2. e-cf 3.0,,,. (.1). ( ), ИК ИК А ИК М : ( )....,. : ( ): ; :, ( ); :,,. О :, ; ; ; ; ;. ИК М :..,,..,. : ( ): ( ); : ( ); :,. О : ;, ; ; ; ; ;,. = IT Security, 24, 4(2017) 9

5 К :. К :. e-cf 3.0 ( )..2.3., щ, A.7. ( ): ;, ;. D.1. ( ):, ; ;, ;,. E.3. ( ): ;,, ;. E.8. ( ): ;, ;, ;,,. E.9. ( ):, - ;, 2. ИК.4:, :..5:..3:, ;, ;..4:,,,..4:, = IT Security, 24, 4(2017) 10

6 ( )., щ, C.2. ( ): ;, ; (SLA);. C.3. ( ): SLA;, ; ; (, ); ;. D.9. ( ):, ;, ; /. D.10. ( ): ; ;,,,, -,. E.8. ( ):.. 3. ИК.3:,, ;..3: ; ;,..3:..3: -..3: ; -. = IT Security, 24, 4(2017) 11

7 4:. : 1.,. 2. ( ) A.7., (C) C.2. C (D) ( ) : D.1., E.3., E.8. E.9. ( ); ( ): D.9., D.10., E.8. ( ). 4. ( ) E.8.,.4. -CF 3.0 ( ), (, - K) (, - S).,.8. (K1,, K7) (S1,,S7).. :, (K1); (K2); (K3); (K4);, (K5); (K6); (K7). : - (S1); (S2); (S3); (S4); (S5); (S6); (S7).,,, -CF 3.0,, :.1. И ( 8) ИК, ИК (S4);.2. ИК (K6);.5. (,,,,, ) (K2); B.1 И ( 14); И ( 5). = IT Security, 24, 4(2017) 12

8 e-cf 3.0,.,. 2 Ч ISO/IEC ISO/IEC ISO/IEC , ( ).,..,,,,,, ( ) PDCA (PХКЧ-Do-Check-Act). 7.2 ISO/IEC 27001, / 27001, Д11]. :, (,, );, ; ;, ;. ISO/IEC 27021,, : ),,. ; ),. ; ) ; ), ; ),. ISO/IEC 27001, : ( ), - = IT Security, 24, 4(2017) 13

9 -., : 1) : :,,,, ; : :,,,,,, ; :,, ; 2) - : : -,,, ( ISO/IEC 27014),,,,..; : ( ISO/IEC 27005); :,,, ( ISO/IEC 27035); :,, ( ISO/IEC ); :,,,,,,,.. 3) - : :,,,,,,,,,,, ; :,,,,,,,, SIEM-, ; :,,,, ; :,,, / ; :. 3 Ч ISO/IEC ISO/IEC ISO/IEC «,» -, - - / = IT Security, 24, 4(2017) 14

10 , (Committee on Conformity Assessment, CASCO). ISO/IEC 19896,. ISO/IEC 27021, ISO/IEC ( ),,,,,,,. ISO/IEC «, ISO/IEC 19790», ISO/IEC ISO/IEC «, ISO/IEC 15408», ISO/IEC ISO/IEC ISO/IEC 17025, CASCO / ( - ). ISO/IEC 17025:2005 :,, /,,,,, /., -,,.,.,,, -. (,, ) -,,,,,. ( ),,,,,,,. = IT Security, 24, 4(2017) 15

11 .,,...,,,,,.,,. ( ),., ( ) ( ),,,,,,,. ( ),,.,, (, ). ISO/IEC ,,., ( ),.. ( ),. ( ),,,,. ( ) ( )., ( ). ISO/IEC ISO/IEC : 1., ISO/IEC 27000,,. 2. = IT Security, 24, 4(2017) 16

12 ,. -CF 3.0. ISO/IEC ISO/IEC ,.,,,., ISO/IEC ISO/IEC : 1 Tolstoy A., Miloslavskaya N. Professional Competencies Level Assessment for Training of Masters in Information Security. In book: Information Security Education Across the Curriculum. IFIP Advances in Information and Communication Technology. 9th IFIP WG 11.8 World Conference, WISE 9, Hamburg, Germany, May 26-28, 2015, Proceedings. ISBN ISSN Springer International Publishing. Vol. 453, 2015, pp Bishop, M., Engle, S. The Software Assurance CBK and University Curricula. 10 th Colloquium for Information Systems Security Education. University of Maryland, U.S.A (2006). URL: (access date ). 3 FТЬМСОЫ-HüЛЧОЫ, S., ВЧРЬЭЫШ Ц, L. (EНЬ.): АISE 1: PЫШМООНТЧРЬ ШП ЭСО IFIP АG 11.8 FТЫЬЭ Аorld Conference on Information Security Education, June 1999, Kista, Sweden. 4 AЫЦЬЭЫШЧР, H., ВЧРЬЭЫШ Ц, L. (EНЬ.): АISE 2: pышмоонтчрь ШП ЭСО IFIP АG 11.8 SОМШЧН АШЫХН CШЧПОЫОЧМО ШЧ Information Security Education: July 2001, Perth, Australia. 5 Irvine, C.E., Armstrong, H.L. (Eds.): Security Education and Critical Infrastructures, IFIP WG11.8 Third Annual World Conference on Information Security Education (WISE3), June 26-28, 2003, Monterey, California, U.S.A. Kluwer Miloslavskaya N., Tolstoy A. State-Level Views on Professional Competencies in the Field of IoT and Cloud Information Security. Proceedings of th International Conference on Future Internet of Things and Cloud Workshops. The 3rd International Symposium on Intercloud and IoT (ICI 2016). Vienna (Austria), August Pp State Government Information Security Workforce Development Model. A Best Practice Model and Framework. June Final Version 1.0 (U.S.). 8 The U.S. National Cybersecurity Workforce Framework. URL: nationalcybersecurity-workforce-framework (access date ). 9 The Cyber Security Capability Framework & Mapping of ISM Roles. Final Report. Australian Government Information Management Office. June The European e-competence Framework 3.0. A common European Framework for ICT Professionals in all industry sectors. CWA 16234:2014 Part 1. CEN. 11 ISO/IEC 27001:2013 "Information technology -- Security techniques Information security management systems Requirements". REFERENCES: [1] Tolstoy A., Miloslavskaya N. Professional Competencies Level Assessment for Training of Masters in Information Security. In book: Information Security Education Across the Curriculum. IFIP Advances in Information and Communication Technology. 9th IFIP WG 11.8 World Conference, WISE 9, Hamburg, Germany, May 26-28, 2015, Proceedings. ISBN ISSN Springer International Publishing. Vol. 453, 2015, pp [2] Bishop, M., Engle, S. The Software Assurance CBK and University Curricula. 10th Colloquium for Information Systems Security Education. University of Maryland, U.S.A (2006). URL: (access date ). [3] FТЬМСОЫ-HüЛЧОЫ, S., ВЧРЬЭЫШ Ц, L. (EНЬ.): АISE 1: PЫШМООНТЧРЬ ШП ЭСО IFIP АG 11.8 FТЫЬЭ АШЫХН CШЧПОЫОЧМО ШЧ Information Security Education, June 1999, Kista, Sweden. [4] AЫЦЬЭЫШЧР, H., ВЧРЬЭЫШ Ц, L. (EНЬ.): АISE 2: pышмоонтчрь ШП ЭСО IFIP АG 11.8 SОМШЧН АШЫХН CШЧПОЫОЧМО ШЧ Information Security Education: July 2001, Perth, Australia. [5] Irvine, C.E., Armstrong, H.L. (Eds.): Security Education and Critical Infrastructures, IFIP WG11.8 Third Annual World Conference on Information Security Education (WISE3), June 26-28, 2003, Monterey, California, U.S.A. Kluwer [6] Miloslavskaya N., Tolstoy A. State-Level Views on Professional Competencies in the Field of IoT and Cloud Information Security. Proceedings of th International Conference on Future Internet of Things and Cloud = IT Security, 24, 4(2017) 17

13 Powered by TCPDF ( Workshops. The 3rd International Symposium on Intercloud and IoT (ICI 2016). Vienna (Austria), August Pp [7] State Government Information Security Workforce Development Model. A Best Practice Model and Framework. June Final Version 1.0 (U.S.). [8] The U.S. National Cybersecurity Workforce Framework. URL: nationalcybersecurity-workforce-framework (access date ). [9] The Cyber Security Capability Framework & Mapping of ISM Roles. Final Report. Australian Government Information Management Office. June [10] The European e-competence Framework 3.0. A common European Framework for ICT Professionals in all industry sectors. CWA 16234:2014 Part 1. CEN. [11] ISO/IEC 27001:2013 "Information technology -- Security techniques Information security management systems Requirements" Received July 21, The final version November 09, = IT Security, 24, 4(2017) 18