Risico’s van een gevirtualiseerde IT-omgeving

More documents

Recommendations

Info

Risico’s van een gevirtualiseerde IT-omgeving Possen & Ulrich----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ProcessnumberDS04DS04DS05DS05DS05ProcessEnsure continuousserviceEnsure continuousserviceEnsure systemssecurityEnsure systemssecurityEnsure systemssecurityControlobjectivenumberControl objectiveControl objective descriptionDS4.9 Offsite Backup Storage Store offsite all critical backup media, documentation and other IT resourcesnecessary for IT recovery and business continuity plans. Determine thecontent of backup storage in collaboration between business process ownersand IT personnel. Management of the offsite storage facility should respondto the data classification policy and the enterprise’s media storage practices.IT management should ensure that offsite arrangements are periodicallyassessed, at least annually, for content, environmental protection and security.Ensure compatibility of hardware and software to restore archived data, andperiodically test and refresh archived data.DS4.10 Post-resumption Review Determine whether IT management has established procedures for assessingthe adequacy of the plan in regard to the successful resumption of the ITfunction after a disaster, and update the plan accordingly.DS5.1 Management of IT Security: Manage IT security at the highest appropriate organisational level, so themanagement of security actions is in line with business requirements.DS5.2 IT Security Plan Translate business, risk and compliance requirements into an overall ITsecurity plan, taking into consideration the IT infrastructure and the securityculture. Ensure that the plan is implemented in security policies andprocedures together with appropriate investments in services, personnel,software and hardware. Communicate security policies and procedures tostakeholders and users.DS5.3 Identity Management Ensure that all users (internal, external and temporary) and their activity on ITsystems (business application, IT environment, system operations,development and maintenance) are uniquely identifiable. Enable useridentities via authentication mechanisms. Confirm that user access rights tosystems and data are in line with defined and documented business needs andthat job requirements are attached to user identities. Ensure that user accessrights are requested by user management, approved by system owners andimplemented by the security-responsible person. Maintain user identities andaccess rights in a central repository. Deploy cost-effective technical andprocedural measures, and keep them current to establish user identification,implement authentication and enforce access rights.----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Pagina 118
Risico’s van een gevirtualiseerde IT-omgeving Possen & Ulrich----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ProcessnumberDS05DS05DS05DS05DS05DS05DS05ProcessEnsure systemssecurityEnsure systemssecurityEnsure systemssecurityEnsure systemssecurityEnsure systemssecurityEnsure systemssecurityEnsure systemssecurityControlobjectivenumberControl objectiveControl objective descriptionDS5.4 User Account Management Address requesting, establishing, issuing, suspending, modifying and closinguser accounts and related user privileges with a set of user accountmanagement procedures. Include an approval procedure outlining the data orsystem owner granting the access privileges. These procedures should applyfor all users, including administrators (privileged users) and internal andexternal users, for normal and emergency cases. Rights and obligationsrelative to access to enterprise systems and information should becontractually arranged for all types of users. Perform regular managementDS5.5Security Testing, Surveillanceand Monitoringreview of all accounts and related privileges.Test and monitor the IT security implementation in a proactive way. ITsecurity should be reaccredited in a timely manner to ensure that the approvedenterprise’s information security baseline is maintained. A logging andmonitoring function will enable the early prevention and/or detection andsubsequent timely reporting of unusual and/or abnormal activities that mayneed to be addressed.DS5.6 Security Incident Definition Clearly define and communicate the characteristics of potential securityincidents so they can be properly classified and treated by the incident andproblem management process.DS5.7DS5.8DS5.9Protection of SecurityTechnologyCryptographic KeyManagementMalicious SoftwarePrevention, Detection andCorrectionMake security-related technology resistant to tampering, and do not disclosesecurity documentation unnecessarily.Determine that policies and procedures are in place to organise thegeneration, change, revocation, destruction, distribution, certification, storage,entry, use and archiving of cryptographic keys to ensure the protection ofkeys against modification and unauthorised disclosure.Put preventive, detective and corrective measures in place (especially up-todatesecurity patches and virus control) across the organisation to protectinformation systems and technology from malware (e.g., viruses, worms,spyware, spam).DS5.10 Network Security Use security techniques and related management procedures (e.g., firewalls,security appliances, network segmentation, intrusion detection) to authoriseaccess and control information flows from and to networks.----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Pagina 119
Page 1:
Risico’s van een gevirtualiseerde
Page 4 and 5:
Possen & UlrichRisico’s van een g
Page 6 and 7:
Page 8 and 9:
Page 10 and 11:
Page 12 and 13:
Page 14 and 15:
Page 16 and 17:
Page 18 and 19:
Page 20 and 21:
Page 22 and 23:
Page 24 and 25:
Page 26 and 27:
Page 28 and 29:
Page 30 and 31:
Page 32 and 33:
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
Page 66 and 67:
Page 68 and 69:
Page 70 and 71: Possen & UlrichRisico’s van een g
Page 84 and 85: Risico’s van een gevirtualiseerde
Page 128: Possen & UlrichRisico’s van een g
show all

Risico’s van een gevirtualiseerde IT-omgeving

Create successful ePaper yourself

Delete template?

Save as template?