INTERNATIONAL ISO/IEC STANDARD 18028-1

More documents

Recommendations

Info

ISO/IEC18028-1:2006(E)13.4.3 Roles and ResponsibilitiesThe roles and responsibilities that should be instigated associated with network security management are asfollows. (It should be noted that, depending upon the size of the organization, these roles may be combined.)Senior management:— define the organization's security objectives,— initiate, approve, publish, and impose the organization's security policy, procedures and rules,— initiate, approve, publish, and impose the organization's acceptable usage policy,— ensure security and acceptable usage policies are enforced,Network management:— develop detailed network security policy,— implement the network security policy,— implement the acceptable usage policy,— manage the interface with external stakeholders / external service providers to ensure conformance withinternal and external network security policies,Network Security team:— acquire, develop, test, check and maintain security components and tools,— maintain security tools and components to follow closely the evolution of threats (e.g. updating virussignature files),— update security relevant configurations (e.g. access control lists ) according to changing business needs,Network administrators:— install, update, use and protect network security services and components,— carry out the necessary daily tasks to apply the security specifications, rules, and parameters required bythe security policies in force,— take appropriate measures to assure the protection of network security components (e.g. back-ups,monitoring network activity, responding to security incidents or alarms, etc.),Network users:— communicate their security requirements,— comply with corporate security policy,— comply with corporate acceptable usage policies for network resources,— report network security incidents,— provide feedback on network security effectiveness,Auditors (internal and/or external):— review and audit (e.g. periodically test the effectiveness of network security),— check compliance of systems with network security policy,— check and test compatibility of operating security rules with the current business requirements and legalrestrictions (e.g. lists granted for network accesses).48 © ISO/IEC 2006 - All rights reserved
ISO/IEC 18028-1:2006(E)13.4.4 Network MonitoringNetwork monitoring is a very important part of network security management. This is dealt with in Clause 13.7below.13.4.5 Evaluating Network SecurityNetwork security is a dynamic concept. Security staff should keep up to date with developments in the fieldand ensure that any network continues to work with the most current security patches and fixes available fromvendors. Steps should be taken periodically to audit existing security controls against establishedbenchmarks, including by security testing - vulnerability scanning, etc. Security should be a primaryconsideration in evaluating new network technology.13.5 Technical Vulnerability ManagementNetwork environments, as other complex systems, are not free of errors. Technical vulnerabilities are presentin, and are published for, components frequently used in networks. The exploitation of these technicalvulnerabilities can have severe impact on the security of a network, most often observed in the areas ofavailability and confidentiality. Thus technical vulnerability management should be present covering allcomponents of a network, and should include:— obtaining timely information about technical vulnerabilities,— evaluating the exposure of the network to such vulnerabilities,— defining appropriate controls to address the associated risks, and— the implementation and verification of the defined controls.A prerequisite for technical vulnerability management should be the availability of a current and completeinventory of all network components, providing the necessary technical information, e.g. type of device,vendor, version numbers of hardware, firmware or software, and also organizational information, e.g. theresponsible administrative persons.If the organization has already set up an overall technical vulnerability management program, the integrationof the technical vulnerability management for network components into the overall task should be thepreferred solution. (Further information on technical vulnerability management, including implementationguidance, can be found in ISO/IEC 17799.)13.6 Identification and Authentication13.6.1 BackgroundIt is important to ensure that the security of network service and related information is preserved by restrictingaccess through connections to authorized personnel (whether internal or external to the organization).Requirements for these are not exclusive to the use of network connections, and thus detail appropriate to theuse of a network connection should be obtained by using ISO/IEC 17799. ISO/IEC 13335-2, when published,will also provide relevant detail.Four control areas that could be relevant to the use of network connections, and the information systemsdirectly related to such connections, are introduced in Clauses 13.6.2 to 13.6.5 below.13.6.2 Remote Log-inRemote log-ins, whether from authorized personnel working away from the organization, from remotemaintenance engineers, or personnel from other organizations, are accomplished either via dial-ups to theorganization, Internet connections, dedicated trunks from other organizations, or shared access through theInternet. They are connections established at need by either internal systems or contractual partners using©ISO/IEC2006-All rights reserved 49
Page 1 and 2:
INTERNATIONAL ISO/IECSTANDARD 18028
Page 3 and 4: ISO/IEC18028-1:2006(E)ContentsPageF
Page 5 and 6: ISO/IEC 18028-1:2006(E)ForewordISO
Page 7 and 8: INTERNATIONAL STANDARDISO/IEC 18028
Page 9 and 10: ISO/IEC FDIS 18028-1:2006(E)3.2.9de
Page 11 and 12: ISO/IEC FDIS 18028-1:2006(E)3.2.30n
Page 13 and 14: ISO/IEC FDIS 18028-1:2006(E)4 Abbre
Page 15 and 16: ISO/IEC FDIS 18028-1:2006(E)5 Struc
Page 17 and 18: ISO/IEC FDIS 18028-1:2006(E)An exam
Page 19 and 20: ISO/IEC FDIS 18028-1:2006(E)— det
Page 21 and 22: ISO/IEC FD1S 18028-1:2006(E)8 Consi
Page 23 and 24: ISO/IEC FDIS 18028-1:2006(E)9.4 Net
Page 25 and 26: ISO/IEC 18028-1:2006(E)© ISO/IEC 2
Page 27 and 28: ISO/IEC18028-1:2006(E)Table 2 — I
Page 29 and 30: IS0/IEC18028-1:2006(E)A conceptual
Page 31 and 32: ISO/IEC 18028-1:2006(E)Using the se
Page 33 and 34: ISO/IEC 18028-1:2006(E)13 Identify
Page 35 and 36: ISO/IEC 18028-1:2006(E)These Securi
Page 37 and 38: ISO/IEC 18028-1:2006(E)13.2.3 Wide
Page 39 and 40: ISO/IEC 18028-1:2006(E)— flawed S
Page 41 and 42: ISO/IEC18028-1:2006(E)13.2.5.3 Secu
Page 43 and 44: ISO/IEC 18028-1:2006(E)With all sec
Page 45 and 46: ISO/IEC18028-1:2006(E)• uncertain
Page 47 and 48: ISO/IEC 18028-1:2006(E)— IDS shou
Page 49 and 50: ISO/IEC18028-1:2006{E)— exploitat
Page 51 and 52: ISO/IEC 18028-1:2006(E)The content
Page 53: ISO/IEC18028-1:2006(E)— web-based
Page 57 and 58: ISO/IEC18028-1:2006(E)13.6.5 Secure
Page 59 and 60: ISO/IEC 18028-1:2006(E)use rules to
Page 61 and 62: IS0/IEC18028-1:2006(E)Where it is i
Page 63 and 64: IS0/IEC18028-1:2006(E)13.10.5.2 Sec
Page 65 and 66: IS0/IEC18028-1:2006(E)Bibliography[
show all

INTERNATIONAL ISO/IEC STANDARD 18028-1

Create successful ePaper yourself

Delete template?

Save as template?