Security Expert

Pages: 99 (24536 words) Published: 23 February 2013
TECHNICAL REPORT

ISO/IEC TR 13335-3
First edition 1998-06-15

Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security
Technologies de l'information — Lignes directrices pour la gestion de sécurité IT — Partie 3: Techniques pour la gestion de sécurité IT

Licensed to UNIVERSIDAD LA SALLE/MARIO FARIAS-ELINOS ISO Store order #: 533050/Downloaded: 2003-02-24 Single user licence only, copying and networking prohibited


Reference number ISO/IEC TR 13335-3:1998(E)

ISO/IEC TR 13335-3:1998(E)

Contents
1 Scope ........ 1
2 References ........ 1
3 Definitions ........ 1
4 Structure ........ 1
5 Aim ........ 1
6 Techniques for the Management of IT Security ........ 2
7 IT Security Objectives, Strategy and Policies ........ 3
7.1 IT Security Objectives and Strategy ........ 4
7.2 Corporate IT Security Policy ........ 5
8 Corporate Risk Analysis Strategy Options ........ 7
8.1 Baseline Approach ........ 7
8.2 Informal Approach ........ 8
8.3 Detailed Risk Analysis ........ 8
8.4 Combined Approach ........ 9
9 Combined Approach ........ 10
9.1 High Level Risk Analysis ........ 10
9.2 Baseline Approach ........ 10
9.3 Detailed Risk Analysis ........ 11
9.3.1 Establishment of Review Boundary ........ 12
9.3.2 Identification of Assets ........ 13
9.3.3 Valuation of Assets and Establishment of Dependencies Between Assets ........ 13
9.3.4 Threat Assessment ........ 14
9.3.5 Vulnerability Assessment ........ 15
9.3.6 Identification of Existing/Planned Safeguards ........ 16
9.3.7 Assessment of Risks ........ 17
9.4 Selection of Safeguards ........ 17
9.4.1 Identification of Safeguards ........ 17
9.4.2 IT Security Architecture ........ 19
9.4.3 Identification/Review of Constraints ........ 20
9.5 Risk Acceptance ........ 21
9.6 IT System Security Policy ........ 21
9.7 IT Security Plan ........ 22
10 Implementation of the IT Security Plan ........ 23
10.1 Implementation of Safeguards ........ 23
10.2 Security Awareness ........ 24
10.2.1 Needs Analysis ........ 25
10.2.2 Programme Delivery ........ 25
10.2.3 Monitoring of Security Awareness Programmes ........ 25
10.3 Security Training ........ 26
10.4 Approval of IT Systems ........ 27
11 Follow-up ........ 28
11.1 Maintenance ........ 28
11.2 Security Compliance Checking ........ 28
11.3 Change Management ........ 30
11.4 Monitoring ........ 30
11.5 Incident Handling ........ 32
12 Summary ........ 33
Annex A An Example Contents List for a Corporate IT Security Policy ........ 34
Annex B Valuation of Assets ........ 36
Annex C List of Possible Threat Types ........ 38
Annex D Examples of Common Vulnerabilities ........ 40
Annex E Types of Risk Analysis Method ........ 43

© ISO/IEC 1998 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the publisher. ISO/IEC Copyright Office • Case postale 56 • CH-1211 Genève 20 • Switzerland Printed in Switzerland


Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The main task of technical committees is to prepare International Standards, but in exceptional circumstances a technical committee may propose the publication of a Technical...