ISO/IEC 13335-1: Information technology – Security techniques – Management of information and communications technology security – Part 1. Title: ISO/IEC 13335-1 – Information technology — Security techniques — Management of information and communications technology security — Part 1. One of the International Organization for Standardization's (ISO) standards and guides for conformity. The ISO/IEC 13335-1 standard is dedicated to providing.
Published (last): 10 October 2018
An appropriate selection of safeguards is essential for a properly implemented security program. Threats may be qualified in terms such as High, Medium, and Low, depending on the outcome of threat assessment.
The more an organization relies on ICT, the more important ICT security is in helping to ensure that the business objectives are met. The corporate ICT security policy should reflect the essential ICT security principles and directives applicable to the corporate security policy and the information security policy, and the general use of ICT systems within the organization.
The conduct of these duties may be supplemented by the use of external consultants. Also, important business objectives and their relation to security should be considered when assessing ICT security objectives. This issue may have a considerable influence on the approach adopted. In this case, a strategy topic could be security validation by a recognized third party.
Part of judging whether the security is appropriate to the needs of the organization is the acceptance of the residual risk. In such cases, independent review is important to avoid conflict of interest and to ensure appropriate separation of roles.
The corporate ICT security officer should act as the focus for all ICT security aspects within the organization; however, the corporate ICT security officer may delegate some aspects of the role. Then the question of what vulnerabilities or weaknesses might be exploited by the threat to cause the impact is addressed. At least five scenarios are feasible and are shown in Figure 1.
ISO/IEC 13335-1 Standard — ENISA
It is not the intent of this International Standard to suggest a particular management approach to ICT security. Threats may exploit vulnerabilities to cause harm to the ICT system or business objectives.
A threat may arise from within the organization, for example, sabotage by an employee, or from outside, for example, malicious hacking or industrial espionage. Technical standards need to be complemented by rules and guidelines on their implementation and use.
As an example of a broader topic, an organization could have an ICT security objective, because its business is selling its ICT services, that the security of its own systems be proven to potential customers.
The organization should provide clear lines of communication, responsibility, and authority for the corporate ICT security officer, and the duties should be approved by the ICT security forum.
The following sub-clauses describe at a high level the major security elements and their relationships that are involved in security management, in view of the fundamental security principles. Whilst security is most effective if it is integrated into new systems from the beginning, legacy systems and business activities benefit from the integration of security at any point in time. Effective security usually requires a combination of different safeguards to provide layers of security to protect assets.
Possible indirect impact includes financial losses, and the loss of market share or company image. It is particularly important, to ensure such consistency, that objectives, strategies and policies be included as an integral part of security training and awareness programmes.
ICT security should be a continuous process with many feedbacks within and between an ICT system’s lifecycle phases. Knowledge and skills from all these areas are needed to develop a practical corporate ICT security policy. This assessment must take into account the environment and existing safeguards. Government and commercial organizations rely heavily on the use of information to conduct their business activities.
Single or multiple threats may exploit single or multiple vulnerabilities. Periodically, existing and new constraints should be reviewed and any changes identified. Often, several safeguards are required to reduce the residual risks to an acceptable level. The assessment of impacts is an important element in the assessment of risks and the selection of safeguards.
In such cases they may cause different impacts depending on which assets are affected. The role of an ICT security project officer includes: Roles and responsibilities for ICT security should be clarified and communicated. The probability of occurrence of an incident needs to be taken into account. Options for risk treatment include risk avoidance, risk reduction, risk transfer and risk acceptance. Testing should be regularly scheduled during the operational lifetime of the system.
These may include, without being limited to: Management should be responsible for all aspects of security management including risk-management decision-making.
BS ISO/IEC 13335-1:2004
As an ICT system is used to perform its intended mission, it must be maintained, and it typically will also undergo a series of upgrades that include the purchase of new hardware components or the modification or addition of software. ISO standard that is not publicly available and that can be voluntarily implemented. The corporate ICT security policy should address the following general areas: Standard containing generally accepted descriptions of concepts and models for information and communications technology security management.
The impact is first determined regardless of which threats might occur to cause the impact, to be sure of identifying the real values. Each employee and contractor should know his or her role, responsibility and contribution to ICT security, and should be entrusted with achieving such goals.