INTERNATIONAL ISO/IEC STANDARD 18028-1

More documents

Recommendations

Info

ISO/I EC 18028-1:2006(E)Figure 2 — Management Process in the Context of Network SecurityIn Figure 2 the solid black lines represent the main path of the process, and the dotted black line where thetypes of security risk may be determined with the aid of results from a security risk assessment andmanagement review.In addition to the main path of the process, in certain steps there should be a need to re-visit the results ofearlier steps to ensure consistency, in particular the steps "Review Corporate Information Security Policy" and"Review Network Architectures and Applications". For example,— after types of security risk have been determined there may be a need to review corporate informationsecurity policy because something has arisen that is in fact not covered at that policy level,— in identifying potential control areas, the corporate information security policy should be taken intoaccount, because it may, for example, specify that a particular control has to be implemented across theorganization regardless of the risks, and— in reviewing security architecture options, to ensure compatibility the network architectures andapplications should be considered.14 © ISO/IEC2006 - All rights reserved
ISO/IEC FD1S 18028-1:2006(E)8 Consider Corporate Information Security Policy RequirementsAn organization's corporate information security policy may include statements on the need for confidentiality,integrity, availability, non-repudiation, accountability, authenticity and reliability, as well as views on types ofthreat, and control requirements, that relate directly to network connections.For example, such a policy could state that:— availability of certain types of information or services is a major concern,— no connections via dial-up lines are permitted,— all connections to the Internet should be made through a security gateway,— a particular type of security gateway should be used, and— no payment instruction is valid without a digital signature.Such statements, views and requirements, being applicable organization or community-wide, should beaccounted for in the determination of the types of security risk (see Clause 12 below) and the identification ofpotential control areas for network connections (see Clause 13 below). If there are any such securityrequirements then these should be documented in the draft list of potential control areas, and as necessaryreflected in security architecture options. Guidance on the positioning of a corporate information securitypolicy document within an organization's approach to information security, and on its content and relationshipswith other security documentation, is provided in ISO/IEC 13335-1 and ISO/IEC 17799. Guidance will also beprovided in ISO/IEC 13335-2, when published.9 Review Network Architectures and Applications9.1 BackgroundAs referred to earlier in this standard, the steps to achieve confirmation of the potential controls required for anetwork are:— identification of the type(s) of network connection to be used,— identification of the networking characteristics and associated trust relationships involved,— determination of the security risks,— development of the list of required control areas e \ and the related designs.Following these steps should always be accomplished in the context of the network architecture andapplications that already exist or are planned.Thus detail should be obtained of the relevant network architecture and applications, and this should bereviewed to provide the necessary understanding and context for the process steps that follow.By clarifying these aspects at the earliest possible stage, the process of identifying the relevant securityrequirement identification criteria, identifying control areas, and reviewing the technical security architectureoptions and deciding which one should be adopted, should become more efficient and eventually result in amore workable security solution.The consideration of network and application architectural aspects at an early stage should allow time forthose architectures to be reviewed and possibly revised if an acceptable security solution cannot berealistically achieved within the current architecture.6) Including those control areas associated with the use of cryptography for such as confidentiality, integrity andauthentication.© ISO/IEC 2006 - All rights reserved 15
Page 1 and 2: INTERNATIONAL ISO/IECSTANDARD 18028
Page 3 and 4: ISO/IEC18028-1:2006(E)ContentsPageF
Page 5 and 6: ISO/IEC 18028-1:2006(E)ForewordISO
Page 7 and 8: INTERNATIONAL STANDARDISO/IEC 18028
Page 9 and 10: ISO/IEC FDIS 18028-1:2006(E)3.2.9de
Page 11 and 12: ISO/IEC FDIS 18028-1:2006(E)3.2.30n
Page 13 and 14: ISO/IEC FDIS 18028-1:2006(E)4 Abbre
Page 15 and 16: ISO/IEC FDIS 18028-1:2006(E)5 Struc
Page 17 and 18: ISO/IEC FDIS 18028-1:2006(E)An exam
Page 19: ISO/IEC FDIS 18028-1:2006(E)— det
Page 23 and 24: ISO/IEC FDIS 18028-1:2006(E)9.4 Net
Page 25 and 26: ISO/IEC 18028-1:2006(E)© ISO/IEC 2
Page 27 and 28: ISO/IEC18028-1:2006(E)Table 2 — I
Page 29 and 30: IS0/IEC18028-1:2006(E)A conceptual
Page 31 and 32: ISO/IEC 18028-1:2006(E)Using the se
Page 33 and 34: ISO/IEC 18028-1:2006(E)13 Identify
Page 35 and 36: ISO/IEC 18028-1:2006(E)These Securi
Page 37 and 38: ISO/IEC 18028-1:2006(E)13.2.3 Wide
Page 39 and 40: ISO/IEC 18028-1:2006(E)— flawed S
Page 41 and 42: ISO/IEC18028-1:2006(E)13.2.5.3 Secu
Page 43 and 44: ISO/IEC 18028-1:2006(E)With all sec
Page 45 and 46: ISO/IEC18028-1:2006(E)• uncertain
Page 47 and 48: ISO/IEC 18028-1:2006(E)— IDS shou
Page 49 and 50: ISO/IEC18028-1:2006{E)— exploitat
Page 51 and 52: ISO/IEC 18028-1:2006(E)The content
Page 53 and 54: ISO/IEC18028-1:2006(E)— web-based
Page 55 and 56: ISO/IEC 18028-1:2006(E)13.4.4 Netwo
Page 57 and 58: ISO/IEC18028-1:2006(E)13.6.5 Secure
Page 59 and 60: ISO/IEC 18028-1:2006(E)use rules to
Page 61 and 62: IS0/IEC18028-1:2006(E)Where it is i
Page 63 and 64: IS0/IEC18028-1:2006(E)13.10.5.2 Sec
Page 65 and 66: IS0/IEC18028-1:2006(E)Bibliography[

INTERNATIONAL ISO/IEC STANDARD 18028-1

Create successful ePaper yourself

Delete template?

Save as template?