ISO/IEC 18028-1:2006(E)

event, that have to be addressed. These aspects and requirements should be based on the importance of the connections to the functioning of the business over time, and the projected adverse business impacts in the event of a disruption. Whilst connectivity can afford an organization many advantages in the event of a disruption, in terms of flexibility and the ability to make use of creative approaches, connections can also represent points of vulnerability and "single points of failure", which could have major disruptive impacts on the organization.

14 Implement and Operate Security Controls

Once the technical security architecture and the security controls have been identified, documented and agreed, the network security controls should be implemented. Before networking operations are permitted to commence, the implementation should be reviewed, tested, and any identified security deficiencies dealt with (see also Clause 15 below). Then, once the security has been 'signed off', live operations should commence. Over time, and if significant change occurs, further implementation reviews should be conducted (see also Clause 15 below).

15 Monitor and Review Implementation

As reflected in Clause 14 above, the first implementation should be reviewed for compliance with the documented technical security architecture and the required security controls specified in the following documents:

— technical security architecture,
— networking security policy,
— related SecOPs,
— security gateway service access (security) policy,
— business continuity plan(s),
— where relevant, security conditions for connection.

The compliance review should be completed prior to live operation. The review is complete when all deficiencies have been identified, fixed, and signed off by senior management.

Post live operation, ongoing monitoring and review activities should also be conducted, in particular prior to a major new release related to significant changes in business needs, technology, security solutions, etc., and otherwise annually. It is emphasized that this should include the conduct of security testing to recognized standards, with a security testing strategy and related plans produced beforehand setting out exactly what tests are to be conducted, with what, where and when. Normally this should encompass a combination of vulnerability scanning and penetration testing. Prior to the commencement of any such testing, the testing plan should be checked to ensure that the testing will be conducted in a manner fully compatible with relevant legislation and regulation. When carrying out this checking it should not be forgotten that a network may not be confined to one country: it may be distributed through different countries with different legislation. Following the testing, the reports should indicate the specifics of the vulnerabilities encountered, the fixes required and their priority, with an addendum confirming that all agreed fixes have been applied. Such reports should be signed off by senior management.

58 © ISO/IEC 2006 - All rights reserved