TECHNICAL REPORT ISO/IEC TR 13335-3 First edition 1998-06-15 Information technology Guidelines for the management of IT Security Part 3: Techniques for the management of IT Security Technologies de l'information Lignes directrices pour la gestion de sécurité IT Partie 3: Techniques pour la gestion de sécurité IT B C Reference number ISO/IEC TR 13335-3:1998(E)
ISO/IEC TR 13335-3:1998(E) Contents 1 Scope 1 2 References 1 3 Definitions 1 4 Structure 1 5 Aim 1 6 Techniques for the Management of IT Security 2 7 IT Security Objectives, Strategy and Policies 3 7.1 IT Security Objectives and Strategy 4 7.2 Corporate IT Security Policy 5 8 Corporate Risk Analysis Strategy Options 7 8.1 Baseline Approach 7 8.2 Informal Approach 8 8.3 Detailed Risk Analysis 8 8.4 Combined Approach 9 9 Combined Approach 10 9.1 High Level Risk Analysis 10 9.2 Baseline Approach 10 9.3 Detailed Risk Analysis 11 9.3.1 Establishment of Review Boundary 12 9.3.2 Identification of Assets 13 9.3.3 Valuation of Assets and Establishment of Dependencies Between Assets 13 9.3.4 Threat Assessment 14 9.3.5 Vulnerability Assessment 15 9.3.6 Identification of Existing/Planned Safeguards 16 9.3.7 Assessment of Risks 17 9.4 Selection of Safeguards 17 9.4.1 Identification of Safeguards 17 9.4.2 IT Security Architecture 19 9.4.3 Identification/Review of Constraints 20 9.5 Risk Acceptance 21 9.6 IT System Security Policy 21 9.7 IT Security Plan 22 10 Implementation of the IT Security Plan 23 10.1 Implementation of Safeguards 23 10.2 Security Awareness 24 10.2.1 Needs Analysis 25 10.2.2 Programme Delivery 25 10.2.3 Monitoring of Security Awareness Programmes 25 10.3 Security Training 26 10.4 Approval of IT Systems 27 11 Follow-up 28 11.1 Maintenance 28 11.2 Security Compliance Checking 28 ISO/IEC 1998 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the publisher. ISO/IEC Copyright Office Case postale 56 CH-1211 Genève 20 Switzerland Printed in Switzerland ii
ISO/IEC ISO/IEC TR 13335-3:1998(E) 11.3 Change Management 30 11.4 Monitoring 30 11.5 Incident Handling 32 12 Summary 33 Annex A An Example Contents List for a Corporate IT Security Policy 34 Annex B Valuation of Assets 36 Annex C List of Possible Threat Types 38 Annex D Examples of Common Vulnerabilities 40 Annex E Types of Risk Analysis Method 43 iii
ISO/IEC TR 13335-3:1998(E) ISO/IEC Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Committee) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The main task of technical committees is to prepare International Standards, but in exceptional circumstances a technical committee may propose the publication of a Technical Report of one of the following types: type 1, when the required support cannot be obtained for the publication of an International Standard, despite repeated efforts; type 2, when the subject is still under technical development or where for any other reason there is the future but not immediate possibility of an agreement on an International Standard; type 3, when a technical committee has collected data of a different kind from that which is normally published as an International Standard ( state of the art, for example). Technical Reports of types 1 and 2 are subject to review within three years of publication, to decide whether they can be transformed into International Standards. Technical Reports of type 3 do not necessarily have to be reviewed until the data they provide are considered to be no longer valid or useful. ISO/IEC TR 13335-3, which is a Technical Report of type 3, was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. ISO/IEC TR 13335 consists of the following parts, under the general title Information technology Guidelines for the manangement of IT Security: Part 1: Concepts and models for IT Security Part 2: Managing and planning IT Security Part 3: Techniques for the management of IT Security Part 4: Selection of safeguards Part 5: Safeguards for external connections iv
ISO/IEC ISO/IEC TR 13335-3:1998(E) Introduction The purpose of ISO/IEC TR 13335 is to provide guidance, not solutions, on management aspects of IT security. Those individuals within an organization that are responsible for IT security should be able to adapt the material in ISO/IEC TR 13335 to meet their specific needs. The specific objectives of ISO/IEC TR 13335 are: to define and describe the concepts associated with the management of IT security, to identify the relationships between the management of IT security and management of IT in general, to present several models which can be used to explain IT security, and to provide general guidance on the management of IT security. ISO/IEC TR 13335 is organized into five parts. ISO/IEC TR 13335-1 provides an overview of the fundamental concepts and models used to describe the management of IT security. This material is suitable for managers responsible for IT security and for those who are responsible for the organization's overall security programme. ISO/IEC TR 13335-2 describes management and planning aspects. It is relevant to managers with responsibilities relating to an organization's IT systems. They may be: IT managers who are responsible for overseeing the design, implementation, testing, procurement, or operation of IT systems, or managers who are responsible for activities that make substantial use of IT systems. This part of ISO/IEC TR 13335 describes security techniques relevant to those involved with management activities during a project life-cycle, such as planning, designing, implementing, testing, acquisition, or operations. ISO/IEC TR 13335-4 provides guidance on the selection of safeguards, and how this can be supported by the use of baseline models and controls. It also describes how this complements the security techniques described in ISO/IEC TR 13335-3, and how additional assessment methods can be used for the selection of safeguards. ISO/IEC TR 13335-5 provides guidance to an organization connecting its IT systems to external networks. This guidance includes the selection and use of safeguards to provide security for the external connections and the services supported by those connections, and additional safeguards required for the IT systems because of the connections. v
TECHNICAL REPORT ISO/IEC ISO/IEC TR 13335-3:1998(E) Information technology Guidelines for the management of IT Security Part 3: Techniques for the management of IT Security 1 Scope This part of ISO/IEC TR 13335 provides techniques for the management of IT security. The techniques are based on the general guidelines laid out in ISO/IEC TR 13335-1 and ISO/IEC TR 13335-2. These guidelines are designed to assist the implementation of IT security. Familiarity with the concepts and models introduced in ISO/IEC TR 13335-1 and the material concerning the management and planning of IT security in ISO/IEC TR 13335-2 is important for a complete understanding of this part of ISO/IEC TR 13335. 2 References ISO/IEC TR 13335-1:1996, Guidelines for the management of IT Security Part 1: Concepts and models for IT Security. ISO/IEC TR 13335-2:1997, Guidelines for the management of IT Security Part 2: Managing and planning IT Security. 1