INTERNATIONAL ISO/IEC STANDARD 18028-1

More documents

Recommendations

Info

IS0/IEC18028-1:2006(E)— robust application software implemented, where code has been checked for structure, that is logicallycorrect, and uses approved authentication software.It should also be noted that business continuity management issues are often not fully considered whendesigning a web site. Full business continuity management activities should be conducted in relation to websites. (For more information on business continuity management reference should be made to Clause 13.11below.)13.3 Secure Service Management Framework13.3.1 Management ActivitiesA key security requirement for any networking is that it is supported by secure service management activities,which will initiate and control the implementation, and operation, of security. These activities should take placeto ensure the security of all of an organization's or a community's information systems. With regard to networkconnections, management activities should include:— definition of all responsibilities related to the security of networking, and designation of a securitymanager with overall responsibility,— documented networking security policy, and accompanying documented technical security architecture,— documented SecOPs,— the conduct of security compliance checking, including security testing, to ensure security is maintained atthe required level,— documented security conditions for connection to be adhered to before connection is permitted byoutside organizations or people,— documented security conditions for users of network services,— a security incident management scheme,— documented and tested business continuity/disaster recovery plans.It should be noted that this clause builds upon aspects described in ISO/IEC 17799, and which will bedescribed in ISO/IEC 13335-2 when published. Only those of the above topics that are especially importantwith regard to the use of networking are further described in this document. Thus for further information, forexample on the content of networking security policy and security operating procedures, and on topics notmentioned further here, the reader should thus consult ISO/IEC 17799. ISO/IEC 13335-2, when published,will also provide further information.13.3.2 Networking Security PolicyIt is the responsibility of management to visibly accept and support the organization's networking securitypolicy (as referred to in ISO/IEC 17799). This network security policy should flow from, and be consistent with,the organization's information security policy. The policy should be capable of implementation, readilyavailable to authorized members of the organization, and encompass clear statements on the:— organization's stance with respect to acceptable network usage,— explicit rules for the secure use of specific network resources, services and applications,— consequences of failure to comply with security rules,— organization's attitude towards network abuse,— rationale(s) for the policy, and for any specific security rules.(In some circumstances these clear statements may be incorporated into the information security policy, if thisis more convenient for the organization and/or it would be clearer for its personnel.)44 © ISO/IEC 2006 - All rights reserved
ISO/IEC 18028-1:2006(E)The content of the networking security policy should usually include a summary of the results from the securityrisk assessment and management review (s) (which provide the justification for spend on controls), includingdetail of all security controls selected commensurate with the assessed risks (see Clause 12 above).13.3.3 Security Operating ProceduresIn support of the networking security policy, SecOPs documents should be developed and maintained,covering each network connection as appropriate. They should contain details of the day-to-day operatingprocedures associated with security, and who is responsible for their use and management.13.3.4 Security Compliance CheckingFor all network connections, security compliance checking should take place against a comprehensivechecklist constructed from the controls specified in the:— networking security policy— related SecOPs,— technical security architecture,— security gateway service access (security) policy,— business continuity plan(s),— where relevant, security conditions for connection.This should occur prior to live operation of any network connection, prior to a major new release (related tosignificant business or network related change), and otherwise annually.This should include the conduct of security testing to recognized standards, with a security testing strategyand related plans produced beforehand setting out exactly what tests are to be conducted, with what, whereand when. Normally this should encompass a combination of vulnerability scanning and penetration testing.Prior to the commencement of any such testing, the testing plan should be checked to ensure that the testingwill be conducted in a manner fully compatible with relevant legislation. When carrying out this checking itshould not be forgotten that a network may not just be confined to one country - it may be distributed throughdifferent countries with different legislation. Following the testing, the reports should indicate the specifics ofthe vulnerabilities encountered and the fixes required and in what priority.13.3.5 Security Conditions for ConnectionUnless security conditions for connection are in place and contractually agreed, an organization is in effectaccepting the risks associated with the other end of a network connection outside of its domain. Such risksmay include those related to privacy/data protection, where a connection may be used to exchange personaldata subject to national legislation at one or both ends, and, where the other end of a network connection(outside an organization's domain) is in another country, the legislation may be different.As an example, organization A may require that before organization B can be connected to its systems via anetwork connection, B should maintain and demonstrate a specified level of security for its system involved inthat connection. In this way A can be assured that B is managing its risks in a way that is acceptable. In suchcases A should produce a security conditions for connection document that details the controls to be presentat B's end. These should be implemented by B, followed by that organization signing a binding statement tothat effect and that security will be maintained. A would reserve the right to commission or conduct acompliance check on B.There will also be cases where organizations in a community mutually agree a 'security conditions forconnection' document which records obligations and responsibilities for all parties, including reciprocalcompliance checking.© ISO/I E C 2006 - All rig hts reserved 45
Page 1 and 2: INTERNATIONAL ISO/IECSTANDARD 18028
Page 3 and 4: ISO/IEC18028-1:2006(E)ContentsPageF
Page 5 and 6: ISO/IEC 18028-1:2006(E)ForewordISO
Page 7 and 8: INTERNATIONAL STANDARDISO/IEC 18028
Page 9 and 10: ISO/IEC FDIS 18028-1:2006(E)3.2.9de
Page 11 and 12: ISO/IEC FDIS 18028-1:2006(E)3.2.30n
Page 13 and 14: ISO/IEC FDIS 18028-1:2006(E)4 Abbre
Page 15 and 16: ISO/IEC FDIS 18028-1:2006(E)5 Struc
Page 17 and 18: ISO/IEC FDIS 18028-1:2006(E)An exam
Page 19 and 20: ISO/IEC FDIS 18028-1:2006(E)— det
Page 21 and 22: ISO/IEC FD1S 18028-1:2006(E)8 Consi
Page 23 and 24: ISO/IEC FDIS 18028-1:2006(E)9.4 Net
Page 25 and 26: ISO/IEC 18028-1:2006(E)© ISO/IEC 2
Page 27 and 28: ISO/IEC18028-1:2006(E)Table 2 — I
Page 29 and 30: IS0/IEC18028-1:2006(E)A conceptual
Page 31 and 32: ISO/IEC 18028-1:2006(E)Using the se
Page 33 and 34: ISO/IEC 18028-1:2006(E)13 Identify
Page 35 and 36: ISO/IEC 18028-1:2006(E)These Securi
Page 37 and 38: ISO/IEC 18028-1:2006(E)13.2.3 Wide
Page 39 and 40: ISO/IEC 18028-1:2006(E)— flawed S
Page 41 and 42: ISO/IEC18028-1:2006(E)13.2.5.3 Secu
Page 43 and 44: ISO/IEC 18028-1:2006(E)With all sec
Page 45 and 46: ISO/IEC18028-1:2006(E)• uncertain
Page 47 and 48: ISO/IEC 18028-1:2006(E)— IDS shou
Page 49: ISO/IEC18028-1:2006{E)— exploitat
Page 53 and 54: ISO/IEC18028-1:2006(E)— web-based
Page 55 and 56: ISO/IEC 18028-1:2006(E)13.4.4 Netwo
Page 57 and 58: ISO/IEC18028-1:2006(E)13.6.5 Secure
Page 59 and 60: ISO/IEC 18028-1:2006(E)use rules to
Page 61 and 62: IS0/IEC18028-1:2006(E)Where it is i
Page 63 and 64: IS0/IEC18028-1:2006(E)13.10.5.2 Sec
Page 65 and 66: IS0/IEC18028-1:2006(E)Bibliography[

INTERNATIONAL ISO/IEC STANDARD 18028-1

Create successful ePaper yourself

Delete template?

Save as template?