INTERNATIONAL ISO/IEC STANDARD 18028-1

More documents

Recommendations

Info

IS0/IEC18028-1:2006(E)12 Identify the Information Security RisksAs reflected earlier, the majority of organizations today are dependent on the use of information systems andnetworks to support their business operations. Further, in many cases there is a definite business requirementfor the use of network connections between the information systems at each organization's location, and toother locations both within and outside the organization, including to/from the general public. When aconnection is made to another network, considerable care should be taken to ensure that the connectingorganization is not exposed to additional risks (from potential threats exploiting vulnerabilities). These riskscould, for example, result from the connection itself or from network connections at the other end.Some of these risks may be related to ensuring adherence to relevant legislation and regulation. (Particularattention should be given to privacy and data protection legislation. Several countries have legislation placingcontrols on the collection, processing and transmission of personal data, i.e. data that can be related to aspecific person or persons. Depending on the respective national legislation, such controls may impose dutieson those collecting, processing and disseminating personal information through networks and may evenrestrict the ability to transfer that data to certain other countries, yielding additional important securityconcerns. Less obvious examples of data that may be subject to such legislation are some hardware and IPaddresses.)The types of risk reflected in this clause relate to concerns about unauthorized access to information,unauthorized sending of information, the introduction of malicious code, denial of receipt or origin, denial ofservice connection, and unavailability of information and service. Thus the types of security risk that anorganization might face relate to loss of:— confidentiality of information and code (in networks and in systems connected to networks),— integrity of information and code (in networks and in systems connected to networks),— availability of information and network services (and systems connected to networks),— non-repudiation of network transactions (commitments),— accountability of network transactions,— authenticity of information (as well of course of network users and administrators),— reliability of information and code (in networks and in systems connected to networks),— ability to control unauthorized use and exploitation of network resources, including in the contexts oforganization policy (e.g. selling bandwidth or using bandwidth for own benefits) and responsibilities inrelation to legislation and regulation (e.g. storing child pornography).Not all of the types of security risk will apply to every location, or to every organization. However, the relevanttypes of security risk should be identified so that potential control areas can be identified (and eventuallycontrols selected, designed, implemented and maintained).22 ©ISO/IEC 2006 - All rights reserved
IS0/IEC18028-1:2006(E)A conceptual model of network security showing where the types of security risk may occur is shownin Figure 3.Information should be gathered on the implications to business operations related to the types of securityrisk referred to above, with due consideration of the sensitivity or value of information involved(expressed as potential adverse business impacts) and related potential threats and vulnerabilities.Related to this, if there is likely to be more than a minor adverse impact on the business operations of theorganization, then reference should be made to the matrix in Table 5 below.It is emphasized that in completing this task, use should be made of the results from security riskassessment and management review(s) 7 ) conducted with regard to the network connection(s). Theseresults will enable a focus, to whatever level of detail the review(s) have been conducted, on thepotential adverse business impacts associated with the types of security risk listed above, as well as thethreat types, vulnerabilities and hence risks of concern.When considering network vulnerabilities during a security risk assessment and management review, itmay be necessary to consider a number of network facets separately. Table 4 below lists the types ofvulnerability that could be exploited at each network facet.7) Guidance on security risk assessment and management approaches is provided in ISO/IEC 17799, and will bein ISO/IEC 13335-2 when published.© ISO/IEC 2006 - All rights reserved 23
Page 1 and 2: INTERNATIONAL ISO/IECSTANDARD 18028
Page 3 and 4: ISO/IEC18028-1:2006(E)ContentsPageF
Page 5 and 6: ISO/IEC 18028-1:2006(E)ForewordISO
Page 7 and 8: INTERNATIONAL STANDARDISO/IEC 18028
Page 9 and 10: ISO/IEC FDIS 18028-1:2006(E)3.2.9de
Page 11 and 12: ISO/IEC FDIS 18028-1:2006(E)3.2.30n
Page 13 and 14: ISO/IEC FDIS 18028-1:2006(E)4 Abbre
Page 15 and 16: ISO/IEC FDIS 18028-1:2006(E)5 Struc
Page 17 and 18: ISO/IEC FDIS 18028-1:2006(E)An exam
Page 19 and 20: ISO/IEC FDIS 18028-1:2006(E)— det
Page 21 and 22: ISO/IEC FD1S 18028-1:2006(E)8 Consi
Page 23 and 24: ISO/IEC FDIS 18028-1:2006(E)9.4 Net
Page 25 and 26: ISO/IEC 18028-1:2006(E)© ISO/IEC 2
Page 27: ISO/IEC18028-1:2006(E)Table 2 — I
Page 31 and 32: ISO/IEC 18028-1:2006(E)Using the se
Page 33 and 34: ISO/IEC 18028-1:2006(E)13 Identify
Page 35 and 36: ISO/IEC 18028-1:2006(E)These Securi
Page 37 and 38: ISO/IEC 18028-1:2006(E)13.2.3 Wide
Page 39 and 40: ISO/IEC 18028-1:2006(E)— flawed S
Page 41 and 42: ISO/IEC18028-1:2006(E)13.2.5.3 Secu
Page 43 and 44: ISO/IEC 18028-1:2006(E)With all sec
Page 45 and 46: ISO/IEC18028-1:2006(E)• uncertain
Page 47 and 48: ISO/IEC 18028-1:2006(E)— IDS shou
Page 49 and 50: ISO/IEC18028-1:2006{E)— exploitat
Page 51 and 52: ISO/IEC 18028-1:2006(E)The content
Page 53 and 54: ISO/IEC18028-1:2006(E)— web-based
Page 55 and 56: ISO/IEC 18028-1:2006(E)13.4.4 Netwo
Page 57 and 58: ISO/IEC18028-1:2006(E)13.6.5 Secure
Page 59 and 60: ISO/IEC 18028-1:2006(E)use rules to
Page 61 and 62: IS0/IEC18028-1:2006(E)Where it is i
Page 63 and 64: IS0/IEC18028-1:2006(E)13.10.5.2 Sec
Page 65 and 66: IS0/IEC18028-1:2006(E)Bibliography[

INTERNATIONAL ISO/IEC STANDARD 18028-1

Create successful ePaper yourself

Delete template?

Save as template?