<strong>ISO</strong>/<strong>IEC</strong><strong>18028</strong>-1:2006(E)13.4.3 Roles and ResponsibilitiesThe roles and responsibilities that should be instigated associated with network security management are asfollows. (It should be noted that, depending upon the size of the organization, these roles may be combined.)Senior management:— define the organization's security objectives,— initiate, approve, publish, and impose the organization's security policy, procedures and rules,— initiate, approve, publish, and impose the organization's acceptable usage policy,— ensure security and acceptable usage policies are enforced,Network management:— develop detailed network security policy,— implement the network security policy,— implement the acceptable usage policy,— manage the interface with external stakeholders / external service providers to ensure conformance withinternal and external network security policies,Network Security team:— acquire, develop, test, check and maintain security components and tools,— maintain security tools and components to follow closely the evolution of threats (e.g. updating virussignature files),— update security relevant configurations (e.g. access control lists ) according to changing business needs,Network administrators:— install, update, use and protect network security services and components,— carry out the necessary daily tasks to apply the security specifications, rules, and parameters required bythe security policies in force,— take appropriate measures to assure the protection of network security components (e.g. back-ups,monitoring network activity, responding to security incidents or alarms, etc.),Network users:— communicate their security requirements,— comply with corporate security policy,— comply with corporate acceptable usage policies for network resources,— report network security incidents,— provide feedback on network security effectiveness,Auditors (internal and/or external):— review and audit (e.g. periodically test the effectiveness of network security),— check compliance of systems with network security policy,— check and test compatibility of operating security rules with the current business requirements and legalrestrictions (e.g. lists granted for network accesses).48 © <strong>ISO</strong>/<strong>IEC</strong> 2006 - All rights reserved
<strong>ISO</strong>/<strong>IEC</strong> <strong>18028</strong>-1:2006(E)13.4.4 Network MonitoringNetwork monitoring is a very important part of network security management. This is dealt with in Clause 13.7below.13.4.5 Evaluating Network SecurityNetwork security is a dynamic concept. Security staff should keep up to date with developments in the fieldand ensure that any network continues to work with the most current security patches and fixes available fromvendors. Steps should be taken periodically to audit existing security controls against establishedbenchmarks, including by security testing - vulnerability scanning, etc. Security should be a primaryconsideration in evaluating new network technology.13.5 Technical Vulnerability ManagementNetwork environments, as other complex systems, are not free of errors. Technical vulnerabilities are presentin, and are published for, components frequently used in networks. The exploitation of these technicalvulnerabilities can have severe impact on the security of a network, most often observed in the areas ofavailability and confidentiality. Thus technical vulnerability management should be present covering allcomponents of a network, and should include:— obtaining timely information about technical vulnerabilities,— evaluating the exposure of the network to such vulnerabilities,— defining appropriate controls to address the associated risks, and— the implementation and verification of the defined controls.A prerequisite for technical vulnerability management should be the availability of a current and completeinventory of all network components, providing the necessary technical information, e.g. type of device,vendor, version numbers of hardware, firmware or software, and also organizational information, e.g. theresponsible administrative persons.If the organization has already set up an overall technical vulnerability management program, the integrationof the technical vulnerability management for network components into the overall task should be thepreferred solution. (Further information on technical vulnerability management, including implementationguidance, can be found in <strong>ISO</strong>/<strong>IEC</strong> 17799.)13.6 Identification and Authentication13.6.1 BackgroundIt is important to ensure that the security of network service and related information is preserved by restrictingaccess through connections to authorized personnel (whether internal or external to the organization).Requirements for these are not exclusive to the use of network connections, and thus detail appropriate to theuse of a network connection should be obtained by using <strong>ISO</strong>/<strong>IEC</strong> 17799. <strong>ISO</strong>/<strong>IEC</strong> 13335-2, when published,will also provide relevant detail.Four control areas that could be relevant to the use of network connections, and the information systemsdirectly related to such connections, are introduced in Clauses 13.6.2 to 13.6.5 below.13.6.2 Remote Log-inRemote log-ins, whether from authorized personnel working away from the organization, from remotemaintenance engineers, or personnel from other organizations, are accomplished either via dial-ups to theorganization, Internet connections, dedicated trunks from other organizations, or shared access through theInternet. They are connections established at need by either internal systems or contractual partners using©<strong>ISO</strong>/<strong>IEC</strong>2006-All rights reserved 49