ISO/IEC 21827

More documents

Recommendations

Info

ISO/IEC 21827:2002(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. © ISO/IEC 2002 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester. ISO copyright office Case postale 56 • CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyright@iso.ch Web www.iso.ch Printed in Switzerland ii © ISO/IEC 2002 – All rights reserved
ISO/IEC 21827:2002(E) Contents Foreword .......................................................................................................................................................................... v Introduction ...................................................................................................................................................................... vi 1 Scope ......................................................................................................................................................................... 1 2 Normative references ................................................................................................................................................. 1 3 Terms and definitions ................................................................................................................................................. 2 4 Background ................................................................................................................................................................ 5 4.1 Reason for Development .................................................................................................................................... 5 4.2 The Importance of Security Engineering ............................................................................................................. 6 4.3 Consensus .......................................................................................................................................................... 6 5 Structure of the Document ......................................................................................................................................... 7 6 Model Architecture ..................................................................................................................................................... 7 6.1 Security Engineering ........................................................................................................................................... 7 6.2 Security Engineering Process Overview ............................................................................................................. 9 6.3 SSE-CMM® Architecture Description ............................................................................................................... 12 6.4 Summary Chart ................................................................................................................................................. 20 7. Security Base Practices ........................................................................................................................................... 20 7.1 PA01 - Administer Security Controls ................................................................................................................ 21 7.2 PA02 - Assess Impact ...................................................................................................................................... 24 7.3 PA03 - Assess Security Risk ............................................................................................................................ 28 7.4 PA04 - Assess Threat ....................................................................................................................................... 31 7.5 PA05 - Assess Vulnerability .............................................................................................................................. 34 7.6 PA06 - Build Assurance Argument ................................................................................................................... 37 7.7 PA07 - Coordinate Security .............................................................................................................................. 40 7.8 PA08 - Monitor Security Posture ....................................................................................................................... 42 7.9 PA09 - Provide Security Input ........................................................................................................................... 47 7.10PA10 - Specify Security Needs ......................................................................................................................... 50 7.11PA11 - Verify and Validate Security .................................................................................................................. 54 Annex A(normative)Generic Practices ............................................................................................................................ 57 A.1 General ...................................................................................................................................................... 57 A.2 Capability Level 1 - Performed Informally .................................................................................................. 57 A.3 Capability Level 2 - Planned and Tracked ........................................................................................................ 58 A.4 Capability Level 3 - Well Defined ...................................................................................................................... 63 A.5 Capability Level 4 - Quantitatively Controlled ................................................................................................... 68 A.6 Capability Level 5 - Continuously Improving ..................................................................................................... 70 © ISO/IEC 2002 – All rights reserved iii
Page 1: INTERNATIONAL STANDARD ISO/IEC 2182
Page 5 and 6: © ISO/IEC 2002 - All rights reserv
Page 7 and 8: ISO/IEC 21827:2002(E) Specific Indu
Page 9 and 10: INTERNATIONAL STANDARD ISO/IEC 2182
Page 11 and 12: ISO/IEC 21827:2002(E) 3.11 Baseline
Page 13 and 14: ISO/IEC 21827:2002(E) 3.36 Validati
Page 15 and 16: ISO/IEC 21827:2002(E) 5 Structure o
Page 17 and 18: ISO/IEC 21827:2002(E) • Communica
Page 19 and 20: ISO/IEC 21827:2002(E) Figure 3 - Se
Page 21 and 22: ISO/IEC 21827:2002(E) Figure 5 - Th
Page 23 and 24: ISO/IEC 21827:2002(E) Subsequent co
Page 25 and 26: ISO/IEC 21827:2002(E) • Level 1,
Page 27 and 28: ISO/IEC 21827:2002(E) Table 3 - 218
Page 29 and 30: ISO/IEC 21827:2002(E) of which cont
Page 31 and 32: ISO/IEC 21827:2002(E) • security
Page 33 and 34: ISO/IEC 21827:2002(E) 7.2.1.2 Goals
Page 35 and 36: ISO/IEC 21827:2002(E) 7.2.5.1 Descr
Page 37 and 38: ISO/IEC 21827:2002(E) information f
Page 39 and 40: ISO/IEC 21827:2002(E) 7.3.7 BP.03.0
Page 41 and 42: ISO/IEC 21827:2002(E) 7.4.4.3 Notes
Page 43 and 44: ISO/IEC 21827:2002(E) of existing s
Page 45 and 46: ISO/IEC 21827:2002(E) 7.5.5.1 Descr
Page 47 and 48: ISO/IEC 21827:2002(E) acceptable le
Page 49 and 50: ISO/IEC 21827:2002(E) 7.7.2 BP.07.0
Page 51 and 52: ISO/IEC 21827:2002(E) 7.8.1.3 Base
Page 53 and 54:
ISO/IEC 21827:2002(E) response shou
Page 55 and 56:
ISO/IEC 21827:2002(E) 7.9 PA09 - Pr
Page 57 and 58:
ISO/IEC 21827:2002(E) rules and pra
Page 59 and 60:
ISO/IEC 21827:2002(E) 7.10.1.3 Base
Page 61 and 62:
ISO/IEC 21827:2002(E) information f
Page 63 and 64:
ISO/IEC 21827:2002(E) In the intere
Page 65 and 66:
ISO/IEC 21827:2002(E) Annex A (norm
Page 67 and 68:
ISO/IEC 21827:2002(E) A.3.2.1 Commo
Page 69 and 70:
ISO/IEC 21827:2002(E) A.3.2.7.2 Not
Page 71 and 72:
ISO/IEC 21827:2002(E) A.3.5 Common
Page 73 and 74:
ISO/IEC 21827:2002(E) A.4.2.2.3 Rel
Page 75 and 76:
ISO/IEC 21827:2002(E) A.4.4.2.1 Des
Page 77 and 78:
ISO/IEC 21827:2002(E) A.5.2.2.2 Not
Page 79 and 80:
ISO/IEC 21827:2002(E) A.6.2.2.2 Not
Page 81 and 82:
ISO/IEC 21827:2002(E) Annex B (norm
Page 83 and 84:
ISO/IEC 21827:2002(E) B.3.2.1 Descr
Page 85 and 86:
ISO/IEC 21827:2002(E) parameters;
Page 87 and 88:
ISO/IEC 21827:2002(E) B.4.1.5 Proce
Page 89 and 90:
ISO/IEC 21827:2002(E) B.4.5.1 Descr
Page 91 and 92:
ISO/IEC 21827:2002(E) B.5.2.3 Notes
Page 93 and 94:
ISO/IEC 21827:2002(E) B.5.7 BP.14.0
Page 95 and 96:
ISO/IEC 21827:2002(E) B.6.4.2 Examp
Page 97 and 98:
ISO/IEC 21827:2002(E) BP.16.08 BP.1
Page 99 and 100:
ISO/IEC 21827:2002(E) B.7.6.1 Descr
Page 101 and 102:
ISO/IEC 21827:2002(E) B.7.10.2 Exam
Page 103 and 104:
ISO/IEC 21827:2002(E) • process a
Page 105 and 106:
ISO/IEC 21827:2002(E) B.9.1.2 Summa
Page 107 and 108:
ISO/IEC 21827:2002(E) B.9.5.2 Examp
Page 109 and 110:
ISO/IEC 21827:2002(E) B.10.4.2 Exam
Page 111 and 112:
ISO/IEC 21827:2002(E) B.11.2.1 Desc
Page 113 and 114:
ISO/IEC 21827:2002(E) performance.
Page 115 and 116:
ISO/IEC 21827:2002(E) B.12.3 BP.21.
Page 117 and 118:
ISO/IEC 21827:2002(E) B.12.7 BP.21.
Page 119 and 120:
ISO/IEC 21827:2002(E) B.13.2.1 Desc
Page 121 and 122:
ISO/IEC 21827:2002(E) • communica
Page 123 and 124:
ISO/IEC 21827:2002(E) produce the d
Page 125 and 126:
ISO/IEC 21827:2002(E) C.5.2 Organiz
Page 127 and 128:
ISO/IEC 21827:2002(E) C.5.12 Instit
Page 129 and 130:
ISO/IEC 21827:2002(E) Security Engi
Page 131 and 132:
ISO/IEC 21827:2002(E) GOODENOUGH93B
show all

ISO/IEC 21827

Create successful ePaper yourself

Delete template?

Save as template?