INTERNATIONAL ISO/IEC STANDARD 18028-1

More documents

Recommendations

Info

ISO/IEC 18028-1:2006(E)— Technical Vulnerability Management,— Identification and Authentication,— Network Audit Logging and Monitoring,— Intrusion Detection,— Protection Against Malicious Code,— Common Infrastructure Cryptographic Based Services, and— Business Continuity Management 1 ).Implementation and operation of security controls, and monitoring and reviewing the implementation, are thendealt with.6 AimThe aim of this document is to provide:— direction for the identification and analysis of the communications related factors that should be taken intoaccount to establish network security requirements, and— an indication of the potential control areas, including those dealt with in detail in ISO/IEC 18028-2 toISO/IEC 18028-5.7 Overview7.1 BackgroundMost government and commercial organizations' information systems are connected by networks, with theconduct of electronic business on a global basis increasing all the time. These network connections can bewithin the organization, between different organizations, and between the organization and the general public.Indeed, rapid developments in publicly available network technology, in particular with the Internet and theassociated World Wide Web, present great opportunities for business and for the provision of on-line publicservices. These opportunities range from the provision of lower cost data communications, using the Internetsimply as a global means of connection, to more sophisticated ISP services. This means the use of relativelylow cost local attachment points at each end of the circuit, to full scale on-line electronic trading and servicedelivery systems, using Web-based applications and services. In addition the new technologies, including theintegration of data and voice, increase the opportunities for telecommuting style business models. Thisenables employees to operate away from base for much of the time, maintaining contact by using remotefacilities, such as dial-in, or increasingly wireless LAN connections, to establish contact with the corporatenetwork and gain access to business support information and services.Thus, whilst this environment brings business benefits, it also brings new security risks to be managed. Withorganizations relying heavily on the use of information to conduct their business activities, the loss ofconfidentiality, integrity, availability, non-repudiation, accountability, authenticity and reliability of informationand services can have an adverse impact on business operations. Consequently, there is a criticalrequirement to protect information and to manage the security of information systems within organizations.1) This includes IT Disaster Recovery Planning.10 © ISO/IEC 2006 - All rights reserved
ISO/IEC FDIS 18028-1:2006(E)An example of a typical networking scenario, which can be observed in many organizations today, is shown inFigure 1 below.Figure 1 — Typical Networking EnvironmentThe Intranet specifies the network an organization relies on and maintains internally. Typically, only personsworking for the organization have direct physical access to this network, and since the network is locatedwithin premises owned by the organization, a level of physical protection could easily be achieved. In mostcases the Intranet is not homogenous with regard to the technologies used and security requirements; theremay be infrastructures which have a need for a higher protection level than given by the Intranet itself. Suchinfrastructures, for example the essential parts of a PKI environment, may be operated in a dedicatedsegment of the Intranet. On the other hand, certain technologies may require some isolation because theyintroduce additional risks, e.g. WLAN infrastructures. For both cases, internal security gateways may be usedto implement this segmentation.The business needs of the majority of organizations today necessitate communications and data exchangewith external partners and other organizations. Often the most important business partners are connected in away directly extending the Intranet towards the network of the partner organization; the term Extranet iscommonly used for such extensions. Since trust in the connected partner organizations is in most cases lowerthan within the organization, extranet security gateways are used to cover the risks introduced with theseconnections.Public networks, mainly the Internet, are further used today to provide cost optimized communications anddata exchange facilities with partners and customers (including the public), and to provide various forms ofextensions of the Intranet. Due to the low trust level in public networks, especially the Internet, sophisticatedsecurity gateways are needed to help manage the associated risks. These security gateways include specificcomponents to address the requirements of the various forms of Intranet extension as well as partner andcustomer connections.Remote users may be connected through VPN technology, and they may further use wireless connectionfacilities like public WLAN hotspots for accessing the Internet. Alternatively, remote users may use the©ISO/IEC 2006-All rights reserved 11
Page 1 and 2: INTERNATIONAL ISO/IECSTANDARD 18028
Page 3 and 4: ISO/IEC18028-1:2006(E)ContentsPageF
Page 5 and 6: ISO/IEC 18028-1:2006(E)ForewordISO
Page 7 and 8: INTERNATIONAL STANDARDISO/IEC 18028
Page 9 and 10: ISO/IEC FDIS 18028-1:2006(E)3.2.9de
Page 11 and 12: ISO/IEC FDIS 18028-1:2006(E)3.2.30n
Page 13 and 14: ISO/IEC FDIS 18028-1:2006(E)4 Abbre
Page 15: ISO/IEC FDIS 18028-1:2006(E)5 Struc
Page 19 and 20: ISO/IEC FDIS 18028-1:2006(E)— det
Page 21 and 22: ISO/IEC FD1S 18028-1:2006(E)8 Consi
Page 23 and 24: ISO/IEC FDIS 18028-1:2006(E)9.4 Net
Page 25 and 26: ISO/IEC 18028-1:2006(E)© ISO/IEC 2
Page 27 and 28: ISO/IEC18028-1:2006(E)Table 2 — I
Page 29 and 30: IS0/IEC18028-1:2006(E)A conceptual
Page 31 and 32: ISO/IEC 18028-1:2006(E)Using the se
Page 33 and 34: ISO/IEC 18028-1:2006(E)13 Identify
Page 35 and 36: ISO/IEC 18028-1:2006(E)These Securi
Page 37 and 38: ISO/IEC 18028-1:2006(E)13.2.3 Wide
Page 39 and 40: ISO/IEC 18028-1:2006(E)— flawed S
Page 41 and 42: ISO/IEC18028-1:2006(E)13.2.5.3 Secu
Page 43 and 44: ISO/IEC 18028-1:2006(E)With all sec
Page 45 and 46: ISO/IEC18028-1:2006(E)• uncertain
Page 47 and 48: ISO/IEC 18028-1:2006(E)— IDS shou
Page 49 and 50: ISO/IEC18028-1:2006{E)— exploitat
Page 51 and 52: ISO/IEC 18028-1:2006(E)The content
Page 53 and 54: ISO/IEC18028-1:2006(E)— web-based
Page 55 and 56: ISO/IEC 18028-1:2006(E)13.4.4 Netwo
Page 57 and 58: ISO/IEC18028-1:2006(E)13.6.5 Secure
Page 59 and 60: ISO/IEC 18028-1:2006(E)use rules to
Page 61 and 62: IS0/IEC18028-1:2006(E)Where it is i
Page 63 and 64: IS0/IEC18028-1:2006(E)13.10.5.2 Sec
Page 65 and 66: IS0/IEC18028-1:2006(E)Bibliography[

INTERNATIONAL ISO/IEC STANDARD 18028-1

Create successful ePaper yourself

Delete template?

Save as template?