Information security management system of a corporate network
Дипломная работа - Компьютеры, программирование
Другие дипломы по предмету Компьютеры, программирование
ards for management systems provide a model to follow in setting up and operating a management system. This model incorporates the features on which experts in the field have reached a consensus as being the international state of the art. ISO/IEC JTC 1 SC 27 maintains an expert committee dedicated to the development of international management systems standards for information security, otherwise known as the Information Security Management System (ISMS) family of standards.the use of the ISMS family of standards, organisations can develop and implement a framework for managing the security of their information assets and prepare for an independent assessment of their ISMS applied to the protection of information, such as financial information, intellectual property, and employee details, or information entrusted to them by customers or third parties.ISMS family of standards is intended to assist organisations of all types and sizes to implement and operate an ISMS. The ISMS family of standards consists of the following International Standards, under the general title Information technology - Security techniques.
1.1.2 The ISO/IEC 27001
ISO/IEC 27001 is the formal set of specifications against which organisations may seek independent certification of their Information Security Management System (ISMS). The standard specifies requirements for the establishment, implementation, monitoring and review, maintenance and improvement of a management system - an overall management and control framework - for managing an organisations information security risks. It does not mandate specific information security controls but stops at the level of the management system.standard covers all types of organisations (e.g. commercial enterprises, government agencies and non-profit organisations) and all sizes from micro-businesses to huge multinationals. This is clearly a very wide brief.information security under management control is a prerequisite for sustainable, directed and continuous improvement. An ISO/IEC 27001 ISMS therefore incorporates several Plan-Do-Check-Act (PDCA) cycles: for example, information security controls are not merely specified and implemented as a one-off activity but are continually reviewed and adjusted to take account of changes in the security threats, vulnerabilities and impacts of information security failures, using review and improvement activities specified within the management system.to JTC1/SC27, the ISO/IEC committee responsible for ISO27k and related standards, ISO/IEC 27001 is intended to be suitable for several different types of use, including the following.
1.Use within organisations to formulate security requirements and objectives;
2.Use within organisations as a way to ensure that security risks are cost-effectively managed;
.Use within organisations to ensure compliance with laws and regulations;
.Use within an organisation as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organisation are met;
.The definition of new information security management processes;
.Identification and clarification of existing information security management processes;
.Use by the management of organisations to determine the status of information security management activities;
.Use by the internal and external auditors of organisations to demonstrate the information security policies, directives and standards adopted by an organisation and determine the degree of compliance with those policies, directives and standards;
.Use by organisations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organisations that they interact with for operational or commercial reasons;
.Implementation of a business enabling information security;
.Use by organisations to provide relevant information about information security to customers.document [10] provides the history of the ISO/IEC 27001 development.standard works in the following way. Most organisations have a number of information security controls. Without an ISMS however, the controls tend to be somewhat disorganized and disjointed, having been implemented often as point solutions to specific situations or simply as a matter of convention. Maturity models typically refer to this stage as "ad hoc". The security controls in operation typically address certain aspects of IT or data security, specifically, leaving non-IT information assets (such as paperwork and proprietary knowledge) less well protected on the whole. Business continuity planning and physical security, for examples, may be managed quite independently of IT or information security while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organisation./IEC 27001 imposes the following requirements on the management.
1.Systematically examine the organisation's information security risks, taking account of the threats, vulnerabilities and impacts;
2.Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable;
.Adopt an overarching management process to ensure that the information security controls continue to meet the organisation's information security needs on an ongoing basis.
1.1.3 The ISO/IEC 27002
ISO/IEC 27002 is entitled Information technology - Security techniques - Code of practice for information security management. The standard provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS). Information security is defined within the standard in the context of the C-I-A triad: the preservation of confidentiality (ensuring that information is accessible only to those authorised to have access), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorised users have access to information and associated assets when required)./IEC 27002:2005 has developed from BS7799, published in the mid-1990's. The British Standard was adopted by ISO/IEC as ISO/IEC 17799:2000, revised in 2005, and renumbered in 2007 to align with the other ISO/IEC 27000-series standards. The document [11] provides the history of the ISO/IEC 27002 development./IEC 27001 formally defines the mandatory requirements for an Information Security Management System (ISMS). It uses ISO/IEC 27002 to indicate suitable information security controls within the ISMS, but since ISO/IEC 27002 is merely a code of practice/guideline rather than a certification standard, organisations are free to select and implement other controls, or indeed adopt alternative complete suites of information security controls) as they see fit. ISO/IEC 27001 incorporates a summary (little more that than the section titles in fact) of controls from ISO/IEC 27002 under its Annex A. In practice, organisations that adopt ISO/IEC 27001 also substantially adopt ISO/IEC 27002./IEC 27002 is a code of practice - a generic, advisory document, not truly a standard or formal specification such as ISO/IEC 27001. It lays out a reasonably well structured set of suggested controls to address information security risks, covering confidentiality, integrity and availability aspects. Organisations that adopt ISO/IEC 27002 must assess their own information security risks and apply suitable controls, using the standard for guidance. Strictly speaking, none of the controls are mandatory but if an organisation chooses not to adopt something as common as, say, antivirus controls, they should certainly be prepared to demonstrate that this decision was reached through a rational risk management decision process, not just an oversight, if they anticipate being certified compliant to ISO/IEC 27001.governance, information security is a broad topic with ramifications in all parts of the modern organisation. Information security, and hence ISO/IEC 27002, is relevant to all types of organisation including commercial enterprises of all sizes (from one-man-bands up to multinational giants), not-for-profits, charities, government departments and quasi-autonomous bodies - in fact any organisation that handles and depends on information. The specific information security requirements may be different in each case but the whole point of ISO27k is that there is a lot of common ground.standard is explicitly concerned with information security, meaning the security of information assets, and not just IT/systems security. The IT department usually contains a good proportion of the organisations information assets and is commonly charged with securing them by the information asset owners - the business managers who are accountable for the assets. However a large proportion of written and intangible information (e.g. the knowledge and experience of non-IT workers) is irrelevant to IT.
1.1.4 The national peculiarities of the IS management standards
As the international standards were introduced in Ukraine by the National bank and renamed to branch standards of Ukraine, certain changes were made in a standard, predefined by the legal requirements and concrete necessities of banking industry. Technical divergences and additional information were attached directly to the sections which they refer to. These attachments are entitled „National divergence, „National explanation or „National remark.
The national insertions primarily explain references to other international sta