Mathias Fischer Summer term Security Management. 03: ISO 2700x


Security Management, 03: ISO 2700x. Mathias Fischer, Summer term 2017

ISO / IEC 27000 Family of Security Standards (3)
Terminology:
- 27000 Overview
Requirements:
- 27001 ISMS Requirements
- 27006 Accreditation Requirements
Guidelines for operation and audit of ISMS:
- 27002 Code of Practice
- 27003 Implementation
- 27004 Measurements and Metrics
- 27005 Risk Management
- 27007 Audits
Standards for particular security measures
[ISO 27000]

ISO / IEC 27000 Family of Security Standards (1)
[ISO27000] Information security management systems: Overview and vocabulary
- Provides an overview of information security management systems
- Defines the vocabulary and definitions used in the 27000 standard family
[ISO27001] Information security management systems: Requirements
- Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented Information Security Management System.
[ISO27002] Code of practice for information security management
- Provides guidelines for information security management in an organization
- Contains a list of best-practice security controls. Formerly known as ISO 17799.
[ISO27003] Information security management system implementation guidance
- Details the process from inception to production of implementation plans for the specification and design of an Information Security Management System.

ISO / IEC 27000 Family of Security Standards (2)
[ISO27004] Information security management: Measurement
- Provides guidance to help organizations measure and report on the effectiveness of their Information Security Management System processes and controls.
[ISO27005] Information security risk management
- Provides guidelines on the information security risk management process. It supersedes ISO 13335-3/4.
[ISO27006] Requirements for bodies providing audit and certification of information security management systems
- Specifies requirements and provides guidance for these bodies.
[ISO27007] Auditing guidelines

ISO 27000
- Short document that summarizes the 27000 family of standards
- Gives an overview of the 27000 family and classifies all respective standards
- Refers to the OECD Guidelines for the Security of Information Systems and Networks
- Contains basic terms and definitions for the areas:
  - Information security (e.g., confidentiality)
  - Management (e.g., effectivity)
  - Security risks (e.g., vulnerability)
  - Auditing (e.g., audits)
  - Documentation (e.g., security policy)

Evolution of BS 7799 (timeline 1995, 1998, 2000, 2005, 2007, 2013)
Code of practice: BS 7799-1 (1995) -> ISO 17799:2000 -> ISO 17799:2005 -> ISO 27002:2007 -> ISO 27002:2013
ISMS specification: BS 7799-2 (1998) -> BS 7799-2:2002 -> ISO 27001:2005 -> ISO 27001:2013

ISO 27001 ISMS (Information Security Management System)
- Standard based on BS 7799-2
- Describes the requirements towards an ISMS on the basis of a process-based approach
- Is, exactly like ISO 9001, a management system standard
- Basis for certification
- Generic requirements, no technical details
Definition: ISMS is that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.
NOTE: The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

Deming Circle (PDCA) for ISMS
- Plan: design
- Do: implement
- Check: monitor
- Act: maintain and improve the ISMS
Removed from the ISO 27001 standard in version 2013 to allow for more flexibility in choosing the method for continual improvement. [ISO27001]

ISO 27002: Information technology - Security techniques - Code of practice for information security management
- »Guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization«
- International »code of practice« for managing information security
- Volume of version 2013: 90 pages, 14 sections (management areas) and 114 management tasks (controls)
- Continuous update: no fixed cycles defined, but planned for; not absolutely necessary, as the formulation is generic

ISO 27002 - Risk Assessment and Treatment
- Defines basic requirements; refers to ISO/IEC TR 13335-3 for exemplary methods
Requirements for the assessment of security risks:
- Systematic approach for assessing the size of risks
- Process for criteria-based comparison of risks
- Periodic repetition
- Well-defined area/scope
Requirements for treating security risks:
- Definition of criteria for accepting risks
- Individual decision on risk treatment for each specific risk: avoidance, reduction, acceptance, transfer
- If necessary, implementation of control(s)
[Figure, after Schaumüller-Bichl 1992: Total risk -> Risk analysis -> Risk avoidance; Security architecture / Safeguards; Disaster plan / Limitation of damage; Insurances / Risk transfer -> Remaining risk]
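The following is an added example, not part of the lecture slides, that carries the assessment and treatment steps above through in code: risks are sized on a common ordinal scale, compared against a stated acceptance criterion, given an individual treatment decision (avoidance, reduction, acceptance or transfer), and the remaining risk is checked against the same criterion. The 1..5 scales, the threshold, the register entries and the residual values are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed acceptance criterion: a risk whose size (likelihood x impact on
# 1..5 ordinal scales) is at most this value may be accepted without treatment.
ACCEPTANCE_THRESHOLD = 6


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                              # 1 (rare) .. 5 (almost certain)
    impact: int                                  # 1 (negligible) .. 5 (severe)
    option: Optional[str] = None                 # proposed treatment: "avoidance", "reduction" or "transfer"
    control: Optional[str] = None                # safeguard behind the option (constructed)
    residual_likelihood: Optional[int] = None    # expected level once the control is in place
    residual_impact: Optional[int] = None

    def size(self) -> int:
        return self.likelihood * self.impact


def validate(risk: Risk) -> None:
    """Reject values outside the ordinal scale so all risks are comparable on one basis."""
    for value in (risk.likelihood, risk.impact, risk.residual_likelihood, risk.residual_impact):
        if value is not None and not 1 <= value <= 5:
            raise ValueError(f"{risk.asset}/{risk.threat}: level {value} outside 1..5")


def _result(risk: Risk, decision: str, total: int, remaining: int) -> dict:
    return {"asset": risk.asset, "threat": risk.threat, "decision": decision,
            "total_risk": total, "remaining_risk": remaining, "control": risk.control}


def decide(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> dict:
    """Apply the acceptance criterion, then the individual treatment decision for one risk."""
    validate(risk)
    total = risk.size()
    if total <= threshold:
        return _result(risk, "acceptance", total, total)
    if risk.option == "avoidance":               # the risky activity is stopped, nothing remains
        return _result(risk, "avoidance", total, 0)
    if risk.option in ("reduction", "transfer"):
        remaining = risk.residual_likelihood * risk.residual_impact
        # A treatment only settles the risk if the remaining risk meets the acceptance
        # criterion; otherwise management must revisit it (more controls or an exception).
        decision = risk.option if remaining <= threshold else "escalate"
        return _result(risk, decision, total, remaining)
    return _result(risk, "escalate", total, total)   # above threshold, no treatment proposed yet


def rank(risks: List[Risk]) -> List[dict]:
    """Assess every risk and order the decisions by total risk, largest first."""
    return sorted((decide(r) for r in risks), key=lambda d: d["total_risk"], reverse=True)


# Constructed register for a small web shop.
REGISTER = [
    Risk("customer database", "disclosure via stolen laptop", 3, 5,
         "reduction", "full-disk encryption on laptops", 1, 3),
    Risk("web shop", "outage through DDoS", 4, 4,
         "transfer", "DDoS insurance", 4, 2),
    Risk("legacy FTP upload", "credential theft on clear-text protocol", 4, 3,
         "avoidance", "decommission the FTP service"),
    Risk("fax machine", "interception of faxed orders", 2, 2),
]

if __name__ == "__main__":
    for row in rank(REGISTER):
        print(f"{row['total_risk']:>2} -> {row['remaining_risk']:>2}  {row['decision']:<10} {row['asset']}")
```

Note that the insurance in the second entry lowers impact but not likelihood, so the remaining risk (8) still exceeds the criterion and the entry is escalated rather than closed: transfer alone does not satisfy the acceptance criterion.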

Comparison of different versions of ISO 27002
Version 2000:
- Security Policy
- Security Organization
- Asset Classification & Control
- Personnel Security
- Physical & Environmental Security
- Communications & Operations Management
- Access Control
- Systems Development & Maintenance
- Business Continuity Management
- Compliance
Version 2005:
- Security Policy
- Organizing Information Security
- Asset Management
- Human Resources Security
- Physical & Environmental Security
- Communications & Operations Management
- Access Control
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance
Version 2013:
- Security Policy
- Organization of Information Security
- Human Resources Security
- Asset Management
- Access Control
- Cryptography
- Physical and Environmental Security
- Operations Security
- Communications Security
- Information Systems Acquisition, Development, Maintenance
- Supplier Relationships
- Information Security Incident Management
- Information Security Aspects of Business Continuity
- Compliance

ISO 27002 - Structure of Controls
Controls = measures
- Control: what?
- Implementation guidance: how?
- Other information

Example of a Control (8.2.2 in ISO 27002:2005, 7.2.2 in ISO 27002:2013): Information security awareness, education and training
Control: All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
Implementation guidance: An information security awareness programme should aim to make employees and, where relevant, contractors aware of their responsibilities for information security and the means by which those responsibilities are discharged. An information security awareness programme should be established in line with the organization's information security policies and relevant procedures, taking into consideration the organization's information to be protected and the controls that have been implemented to protect the information. The awareness programme should include a number of awareness-raising activities such as campaigns (e.g. an "information security day") and issuing booklets or newsletters. [...]
Other information: When composing an awareness programme, it is important not only to focus on the "what" and "how", but also the "why". It is important that employees understand the aim of information security and the potential impact, positive and negative, on the organization of their own behaviour. Awareness, education and training can be part of, or conducted in collaboration with, other training activities, for example general IT or general security training. Awareness, education and training activities should be suitable and relevant to the individual's roles, responsibilities and skills. An assessment of the employees' understanding could be conducted at the end of an awareness, education and training course to test knowledge transfer.

Security policy
- Defines the fundamental position of the organization regarding information security
- Creation of a policy document:
  - Defining information security from the perspective of the organization
  - Goals and principles regarding information security
  - Allocation of responsibilities for information security
  - References to documents that are used for implementation of the policy
- Frequent review and adaption to new circumstances
Sec Policy Org of IS HR Security Asset Mgt Access Ctrl Crypto Physical Sec Op Sec Com Sec Dev Sec Supplier Incident Mgt BCM Compliance

Organization of information security
Internal organization: management framework for implementing information security within the organization
Controls:
- Roles and responsibilities for information security
- Segregation of duties
- Contact with authorities
- Contact with special interest groups
- Information security within project management
Mobile devices and teleworking (originally from Access Control, until 2005):
- Mobile device policy
- Teleworking

Human Resources Security
Prior to employment - Controls:
- Define and document tasks and responsibilities
- Security check of employees (screening): check correctness of references, CV, qualification, identity, details
- Terms and conditions of employment: clause in the employment contract that points to adherence to security measures

Human Resources Security
During employment:
- Management responsibilities
- Information security awareness, education, and training
- Disciplinary process (e.g., password rules)
Termination and change of employment:
- Define responsibilities for termination
- Return of company equipment / assets
- Canceling access permissions

Asset Management (1)
Responsibilities for assets - Inventory of assets:
- Information assets: databases, data, system documentation, training material, emergency plans, archived data
- Software assets: application and system software, development tools, utilities
- Physical assets: computer technology (incl. hardware), communication technology (router, fax, telephone system, ...), storage media, power supply, air conditioner, furniture, rooms
- Services: communication and data processing services, general facilities (e.g., heating, light, power, air conditioning)
- Persons: and their qualifications, skills, and experience
- Intangible assets: e.g., good reputation and image of the company

Asset Management (2)
Responsibilities for assets (cont.):
- Ownership of assets: all information and assets in connection with information processing facilities should be owned by a particular part of the organization
- Acceptable use of assets: rules for the acceptable use of information and of assets associated with information and information processing facilities should be identified, documented, and implemented
- Return of assets: all employees and external party users should return all of the organizational assets in their possession upon termination of their employment, contract, or agreement

Asset Management (3)
Information classification: identification of the necessity and importance of information
Controls:
- Determination of the necessary protection level, from sensitive/critical to unimportant/"I don't care"
- No concrete guidelines for classification
- Taking into account that protection requirements change over time (e.g., information on a new product)
- »Over-classification« can cause unnecessary costs
Media handling:
- Deletion of media that is not used anymore
- Authorization for deletion and disposal
- Storage in a safe, secure environment, ...

Access control
Business requirements of access control:
- Access control policy
User access management:
- User registration and de-registration
- User access provisioning
- Management of privileged access rights
- Management of secret authentication information of users
- Review of user access rights
- Removal or adjustment of access rights
User responsibilities:
- Use of secret authentication information
- Behavior when leaving a device
System and application access control:
- Networks
- Operating systems
- Devices
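As an added example (not from the slides), the user access management controls above can be turned into a periodic access review: an HR extract is joined with an entitlement export to find leavers who still hold rights, accounts with no owner in HR, and rights whose last re-certification is older than the policy allows. The HR records, the account rows, the review intervals and the `svc_` naming convention for service accounts are all constructed assumptions.

```python
from datetime import date

# Constructed HR extract: user id -> (department, employment status)
HR_RECORDS = {
    "alice": ("finance", "active"),
    "bob": ("it", "left"),
    "carol": ("sales", "active"),
}

# Constructed entitlement export from three systems, one row per account.
ACCOUNTS = [
    {"user": "alice", "system": "erp", "rights": ["read"], "privileged": False, "last_review": "2024-01-10"},
    {"user": "bob", "system": "erp", "rights": ["admin"], "privileged": True, "last_review": "2023-06-01"},
    {"user": "carol", "system": "crm", "rights": ["read", "write"], "privileged": False, "last_review": "2024-03-01"},
    {"user": "svc_backup", "system": "fileserver", "rights": ["admin"], "privileged": True, "last_review": "2023-12-01"},
    {"user": "dave", "system": "crm", "rights": ["read"], "privileged": False, "last_review": "2024-02-15"},
]

PRIVILEGED_REVIEW_DAYS = 90       # constructed policy: privileged rights re-certified quarterly
STANDARD_REVIEW_DAYS = 365        # constructed policy: ordinary rights re-certified yearly
SERVICE_ACCOUNT_PREFIX = "svc_"   # constructed naming convention for non-personal accounts


def _finding(user: str, system: str, kind: str, action: str) -> dict:
    return {"user": user, "system": system, "finding": kind, "action": action}


def review_access(hr: dict, accounts: list, today: date) -> list:
    """Cross-check every account against HR status and the re-certification interval."""
    findings = []
    for acc in accounts:
        user, system = acc["user"], acc["system"]
        record = hr.get(user)
        if record is None:
            # Service accounts are expected to lack an HR record; everything else is an orphan.
            if not user.startswith(SERVICE_ACCOUNT_PREFIX):
                findings.append(_finding(user, system, "orphan_account",
                                         "no HR record: remove or assign an owner"))
        elif record[1] == "left":
            findings.append(_finding(user, system, "leaver_with_access",
                                     "employment ended: remove all rights"))
        # Privileged rights get the shorter interval regardless of the HR status.
        limit = PRIVILEGED_REVIEW_DAYS if acc["privileged"] else STANDARD_REVIEW_DAYS
        age = (today - date.fromisoformat(acc["last_review"])).days
        if age > limit:
            findings.append(_finding(user, system, "review_overdue",
                                     f"last review {age} days ago, limit {limit} days"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per type, e.g. for a management report."""
    counts = {}
    for f in findings:
        counts[f["finding"]] = counts.get(f["finding"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_access(HR_RECORDS, ACCOUNTS, date(2024, 4, 1)):
        print(f"{f['finding']:<20} {f['user']:<12} {f['system']:<10} {f['action']}")
```

Running the review on 2024-04-01 reports bob twice (leaver with an admin account, and that account's privileged review is overdue), the unowned `dave` account in the CRM, and the backup service account whose admin rights have not been re-certified within 90 days; alice and carol are within their intervals and produce nothing.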

Cryptography
Controls for the right and effective usage of cryptography to protect the confidentiality and integrity of data and accountability of entities
2 controls:
- Policy on the use of cryptographic protocols
- Key management

Physical and environmental security
Secure areas - Controls:
- Physical security perimeter: walls, doors, alarm systems, sensors
- Physical entry controls: creating visiting areas, badges
- Securing offices, rooms, and facilities: audit trails of all security-relevant events
- Protecting against external and environmental threats: equipment for fire fighting, backups
- Working in secure areas: confidentiality of their existence and tasks
- Delivery and loading areas: locks, registration of incoming and outgoing commodities (e.g., physical protection)

Physical Security: Basic Functions (Excursus)
- Observing attacks (eavesdropping): shielding (electromagnetic emanation, energy consumption independent from the secrets that need to be protected)
- Modification attacks: detecting, assessing, delaying and if necessary deleting secret information
  - Delaying (e.g., tough material)
  - Detection (e.g., shock and pressure sensors)
  - Shielding, assessing
  - Delete secrets

Physical Security: Basic Functions - Security Module (Excursus)
Picture: www.lampertz.de
- Fire protection
- Access control
- Air conditioning
- Independent power supply

Physical and environmental security (1)
Security of equipment: to prevent loss, damage, theft, or compromise of assets and interruption to the operation of the organization
Controls:
- General recommendations (»do not eat in front of a computer«)
- Supporting utilities: UPS, emergency power
- Cabling security: only patch plug sockets that are actually needed, redundant wiring, use glass fiber
- Equipment maintenance: sensitive data on storage devices, protection from data loss
- Removal of assets: equipment, information or software should not be taken off-site without prior authorization

Physical and environmental security (2)
Controls for security of equipment (cont.):
- Security of equipment and assets off-premises: taking into account the different risks of working outside the organization's premises
- Secure disposal or re-use of equipment: all items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.
- Unattended user equipment: users should ensure that unattended equipment has appropriate protection
- Clear desk and clear screen policy: clear desk for papers and removable storage media; clear screen for information processing facilities

Operations Security (1)
Operational procedures and responsibilities - Controls:
- Documented operating procedures (processes)
- Change management
- Capacity management: deletion of obsolete data, optimization of applications, systems, batch processes, schedules
- Separation of development, testing, and operational environments: these environments should be separated to reduce the risks of unauthorized access or changes to the operational environment.

Operations Security (2)
Protection from malware: one control with numerous guidance; examples:
- Antivirus scanner for files, e-mails
- Update management
- Ensuring that warnings are correct (e.g., hoaxes: http://www.hoax-info.de/ http://hoaxmap.org/)
Backup:
- Define the necessary backup level
- Documented restoration procedures
- Frequent check of backup media
- Physical protection of backup media
- Encrypt backups if required

Hoaxes
Propagation: via human misconception and error
Hoax list: http://www.hoax-info.de/
Example (translated from German):
From: Doris Külper
Date: 04.03.2004 11:25:12
Subject: IMPORTANT INFO: Mobile phone trap numbers in circulation
For everyone's information: If the message "Missed call" appears on your mobile phone display followed by the number +49137799090269 or +49172332233333, do not call back. This is a trap number that keeps the call going for up to an hour or longer. The caller has no way of ending the call. Please pass this number on to everyone you know so that nasty surprises can be avoided in advance.
Kind regards, Doris Külper, Hamburg Public Prosecutor's Office

Operations Security (3)
Logging and monitoring (audit protocols):
- Event logging
- Protection of log information
- Administrator and operator logs
- Clock synchronization
Control of operational software:
- Installation of software on operational systems: update management, rollback
Technical vulnerability management:
- Management of technical vulnerabilities
- Restrictions on software installations
Information systems audit considerations:
- Information systems audit controls
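An added example (not from the slides) for the "protection of log information" and "clock synchronization" items above: each log entry is hashed together with the hash of the previous entry, so a verifier can detect an edited or deleted entry, and a separate pass flags entries whose timestamps run backwards, which usually means a source clock is not synchronized. The log records, the SHA-256 chaining scheme and the skew tolerance are constructed assumptions, not anything ISO 27002 prescribes.

```python
import copy
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64   # link value stored in the first entry


def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash of this record bound to the hash of the entry before it (canonical JSON)."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append(chain: list, record: dict) -> dict:
    """Append a record; its hash covers the previous entry's hash, forming a chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev": prev, "hash": entry_hash(prev, record)}
    chain.append(entry)
    return entry


def verify(chain: list) -> int:
    """Return -1 if every entry matches its stored hash and link, else the index of the first bad entry."""
    prev = GENESIS
    for index, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return index
        prev = entry["hash"]
    return -1


def clock_anomalies(chain: list, tolerance_seconds: int = 5) -> list:
    """Indexes of entries whose timestamp is earlier than the latest one seen so far
    by more than the tolerance; a hint that the emitting host's clock is off."""
    anomalies = []
    latest = None
    for index, entry in enumerate(chain):
        current = datetime.fromisoformat(entry["record"]["ts"])
        if latest is not None and (latest - current).total_seconds() > tolerance_seconds:
            anomalies.append(index)
        latest = current if latest is None else max(latest, current)
    return anomalies


# Constructed sample records; the third one carries a timestamp from a host whose clock lags.
SAMPLE_RECORDS = [
    {"ts": "2024-04-01T10:00:00", "host": "web01", "user": "alice", "event": "login_ok"},
    {"ts": "2024-04-01T10:00:05", "host": "web01", "user": "bob", "event": "login_failed"},
    {"ts": "2024-04-01T09:59:00", "host": "db01", "user": "root", "event": "sudo"},
    {"ts": "2024-04-01T10:00:10", "host": "web01", "user": "bob", "event": "login_failed"},
]


def build_sample_chain() -> list:
    chain = []
    for record in SAMPLE_RECORDS:
        append(chain, record)
    return chain


def tampered_copy(chain: list, index: int, **changes) -> list:
    """Copy of the chain with one record edited in place (stored hashes untouched)."""
    altered = copy.deepcopy(chain)
    altered[index]["record"].update(changes)
    return altered


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact chain, first bad index:", verify(chain))
    print("after editing entry 1:", verify(tampered_copy(chain, 1, event="login_ok")))
    print("clock anomalies at:", clock_anomalies(chain))
```

Editing a record without recomputing every later hash is caught at that entry; deleting an entry is caught at the next one, because its stored link no longer matches. The chain only protects what has been written: the head hash still has to be stored somewhere the log writer cannot modify (a separate log server, write-once media) for the check to mean anything.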

Communications security
Network security management:
- Network controls (security measures)
- Security of network services
- Segregation in networks
- Security measures to ensure confidentiality and integrity: encryption during transmission, adequate logging and monitoring
Exchange of information:
- Information transfer policies and procedures
- Agreements on information transfer
- Transport of storage devices
- Electronic messaging
- Confidentiality or non-disclosure agreements

System Acquisition, Development and Maintenance
Controls:
1. Defining the security requirements of information systems upon their design
2. Security in the development and support process: protection of system files (e.g., used libraries)
3. Test data
- Addresses the development of secure systems
- Affects especially organizations that develop software on their own
- Structured development process
- Shows: security is a cross-sectional topic!

Supplier Relationships
To ensure protection of the organization's assets that are accessible to suppliers and other external entities
Controls:
- Identify risks in combination with external suppliers
- Addressing security when interacting with customers
- Addressing security in agreements with third parties
Examples:
- Customers
- Outsourcing, hardware and software support
- Cleaning workers
- Trainees, student workers, contract workers / temporary staff
- Consultants

Information Security Incident Management
Management of information security incidents and improvements:
- Management responsibilities and procedures
- Reporting security events and weaknesses: reporting mechanism (e.g., forms), criteria for correct behavior
- Assessment of and decision on security events
- Response to security incidents
- Learning from security incidents
- Collection of evidence

Business continuity management
Protection from the disruption of business activities: to protect critical business processes from the impact of bigger failures/disturbances of information systems or disasters and to ensure timely restoration
Controls:
- Process for information security continuity
- Redundancies
Addresses availability

Compliance
Compliance with legal and contractual requirements:
- Copyright, software law
- Privacy and data protection
- Misuse, criminal prosecution, ...
Review whether the implemented controls for information security match the security policy (security reviews); if necessary: changes

For which areas is ISO 27002 suitable?
Types of organizations / companies:
- Server providers
- Service providers
- Organizations as users
- Software companies, ISPs (preferentially less)
Within the organization / company:
- Company management
- Project management
- IT management
- IT Security Officer
- Administrators
- Auditors

Rating of ISO 27002 (1)
Intended audience:
- Organizations and authorities of all sizes
- However, more suitable for large organizations; high effort for small organizations
- Not suitable for private users
- Alternative: IT baseline protection of the BSI (IT-Grundschutz)

Rating of ISO 27002 (2)
System and product types:
- Created for assessing a socio-technological overall system
- Top-down approach for establishing information security
- Mainly generic security measures (controls)
- Less suitable for the certification of single products
- Good: embedding of products in an overall system
- Problem: when disassembling the system into subsystems, there are no suitable recommendations for measures that support the secure assembling of all subsystems

Rating of ISO 27002 (3)
Usage:
1. Usage as a reference book for questions regarding single (high-level) measures/controls
2. Setup of a state-of-the-art Information Security Management System (ISMS)
3. Setup of an ISMS that can be certified
2. and 3. require the systematic and complete implementation of the recommended controls

Rating of ISO 27002 (4)
Achievable security level:
- Comprehensive catalogue of controls
- Defines mainly standard security measures
- High security requires further measures
- However: management of high security is supported by the management approach
Implementation effort:
- Depends on the degree of organization of the company
- High degree of organization: less effort
- Implementation of controls can be supported by tools

References
[ISO27001] ISO/IEC, ISO/IEC 27001:2005 Information technology - Security techniques - Information security management systems - Requirements, 2005.
[ISO27002] ISO/IEC, ISO/IEC 27002:2005 Information technology - Security techniques - Code of practice for information security management, 2005. Formerly known as ISO/IEC 17799:2005.
[ISO27003] ISO/IEC, ISO/IEC 27003:2010 - Information security management system implementation guidance, 2005.
[ISO27005] ISO/IEC, ISO/IEC 27005:2008 Information technology - Security techniques - Information security risk management, 2008.
[STBR11] William Stallings and Lawrie Brown, Computer Security: Principles and Practice. Hardcover, 816 pages, Pearson, 2nd ed., 2011.