ISO/IEC, Information technology – Security techniques – Management of information and communications technology security – Part 1. Title: ISO/IEC – Information technology — Security techniques — Management of information and communications technology security — Part 1. The International Organization for Standardization's (ISO) standards and guides for conformity. The ISO/IEC standard is dedicated to providing.
|Published (Last):||19 November 2015|
|PDF File Size:||8.83 Mb|
|ePub File Size:||9.23 Mb|
|Price:||Free* [*Free Registration Required]|
These are normally known as ICT system security policies. Scenario 2 – A single safeguard may be effective in reducing the risks associated with one threat exploiting multiple vulnerabilities. In addition, the culture and environment can have an impact on those who are responsible for the protection of specific parts of the organization. An ICT system lifecycle can be subdivided into four basic phases.
An ISO standard that is not publicly available and can be voluntarily implemented. The topics such a strategy should address will depend on the number, type and importance of those objectives, and will normally be those that the organization considers important to address uniformly.
BS ISO/IEC 13335-1:2004
The risk management process is more fully explained in Part 2 of this International Standard. This issue may have a considerable influence on the approach adopted. It should take into account all systems within the organization and not be applied to one system in isolation. Then the question of what threats might occur to cause an impact, and the probability of their occurrence, is addressed.
Concepts and models for information and communications technology security management (French title). This person would typically be the corporate ICT security officer, who amongst other things should be responsible for the follow-up activities. Consequently, there is a critical need to protect information and to manage the security of ICT systems within organizations.
The implemented safeguards then reduce the risk, protect against threats and can indeed reduce vulnerabilities. The standard can be implemented in any sector confronted with technology security management. This standard has been withdrawn. In this case, one strategy topic could be directed at minimizing virus infestation through organization-wide installation of anti-virus software.
A threat can only become effective if the asset is vulnerable to it. Effective security usually requires a combination of different safeguards to provide layers of security to protect assets. Risk levels may be expressed qualitatively, for example as High, Medium, and Low.
Threats have characteristics that define their relationships with other security elements. Examples of possible delegated functions are as follows: ICT security risk should be managed in consideration of the organization's objectives, strategies and policies. These relationships may be line management or functional.
These areas should mutually support each other and the overall ICT security process by sharing information on security aspects, which can be used to support the management decision-making process.
In many situations, the process of identifying assets and assigning a value can be accomplished at a very high level and may not require a costly, detailed, and time consuming exercise.
Any change to assets, threats, vulnerabilities and safeguards may have significant effects on risks. They are normally expressed using a natural language, but there may be a requirement to express them in a more formal way using some established language.
Although this goal may be achieved through various organizational schemes, dependent upon the size and structure of an organization, the following roles need to be covered in every organization: A threat may arise from within the organization, for example, sabotage by an employee, or from outside, for example, malicious hacking or industrial espionage.
Vulnerabilities associated with assets include weaknesses in physical layout, organization, procedures, personnel, management, administration, hardware, software or information.
ISO/IEC Standard — ENISA
Each of these phases relates to ICT security in the following way: This material is general and applicable to many different styles of management and organizational environments. Authenticity applies to entities such as users, processes, systems and information.
These characteristics may include the following: A threat needs to exploit an existing vulnerability of the asset in order to harm the asset. This Indian Standard has been developed from Doc No.: Concepts and models for information and communications technology security management. ICT security needs should be addressed during all planning and decision-making activities.
An assessment of residual risk is then necessary to determine whether the assets are adequately protected.
Knowledge and skills from all these areas are needed to develop a practical corporate ICT security policy. Within a specific system or organization not all vulnerabilities will be susceptible to a threat.
In such cases they may cause different impacts depending on which assets are affected.