1 iso/iec 13335 information technology – guidelines for the management of it security...
TRANSCRIPT
1
ISO/IEC 13335
Information Technology – Guidelines for the Management of IT Security
普華資安股份有限公司報告人:蔡興樺
2
ISO 13335 part 1
ISO 13335 part 2
ISO 13335 part 3
ISO 13335 part 4
報告大綱
3
Concepts for the
Management of IT
Security
Security Elements
Processes for the
Management of IT
Security
ISO 13335 Part 1
4
Approach
Objectives, Strategies and Policies
Concepts for the Management of IT Security
5
Assets Threat Vulnerability Impact
Risk Safeguard Residual Risk Constraints
Security Elements
6
Configuration Management
Change Management Risk Management Risk Analysis
Accountability Security Awareness Monitoring Contingency Plans and
Disaster Recovery
Processes for the Management of IT Security
7
Management of IT Security
Corporate IT Security Policy
Organizational Aspects of IT
Security
Corporate Risk Analysis
Strategy Options
IT Security Recommendations
ISO 13335 Part 2
8
IT System Security Policy
IT Security Plan
Implementation of
Safeguards
Security Awareness
Follow-up
ISO 13335 Part 2 (cont.)
9
Management of IT Security
Planning and Management Process Overview
Risk Management Overview Implementation Overview Follow-up Overview
10
Corporate IT Security Policy
Objective Management Commitment Policy Relationships Corporate IT Security Policy Elements
11
Organizational Aspects of IT Security
Roles and Responsibilities Commitment Consistent Approach
12
Corporate Risk Analysis Strategy Options
Baseline Approach Information Approach Detailed Risk Analysis Combined Approach
13
IT Security Recommendations
Safeguard Selection
Risk Acceptance
14
ISO 13335 Part 3
Techniques for the Management of IT Security
IT Security Objectives, Strategy Options
Corporate Risk Analysis Strategy Options
15
ISO 13335 Part 3(Cont.)
Combined Approach
Implementation of the
IT Security Plan
Follow-up
16
IT Security Objectives, Strategy Options
IT Security Objectives, Strategy and Policies
Corporate IT Security Policy
17
Corporate Risk Analysis Strategy Options
Baseline Approach Information Approach Detailed Risk Analysis Combined Approach
18
Combined Approach
High Level Risk Analysis Baseline Approach Detailed Risk Analysis Selection of Safeguards Risk Acceptance IT System Policy Security IT Security Plan
19
Implementation of the IT Security Plan
Implementation of Safeguards Security Awareness Security Training Approach of IT System
20
Follow-up
Maintenance Security Compliance Checking Change Management Monitoring Incident Handling
21
ISO 13335 Part 4
Introduction to Safeguard Selection and the Concept of Baseline
Basic Assessments Safeguards Baseline Approach :
Selection of Safeguards According to the Type of IT System
22
ISO 13335 Part 4 (Cont.)
Selection of Safeguards According to Security Concerns and Threats
Selection of Safeguards According to Detail Assessment
Development of an Organization-wide Baseline
23
Basic Assessment
Identification of the type of IT System Identification of Physical/Environment
Conditions Assessment of Existing/planned Safeguards
24
Safeguards
Organizational and Physical Safeguards IT System Specific Safeguards
25
Selection of Safeguards According to the type of IT System
General Applicable Safeguards IT System Specific Safeguards
26
Selection of Safeguards According to security Concerns and Threat
Assessment of Security Concerns Safeguards for Confidentiality Safeguards for Integrity Safeguards for Availability Safeguards for Accountability,
Authenticity, Reliability
27
Selection of Safeguards According to Detailed Assessment
Relation Between Part 3 and Part 4 of this Technical Report
Principles of Selection
