版權(quán)說明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請(qǐng)進(jìn)行舉報(bào)或認(rèn)領(lǐng)
文檔簡(jiǎn)介
國際信息安全技術(shù)標(biāo)準(zhǔn)發(fā)展
ISO/IECJTC1/SC27/WG4江明灶Meng-ChowKang,CISSP,CISAConvener,SecurityControls&ServicesWorkingGroup(WG4),ISO/IECJTC1SC27(SecurityTechniques)ChiefSecurityAdvisorMicrosoftGreatChinaRegionWG1ISMSStandardsChairTedHumphreysVice-ChairAngelikaPlateWG4SecurityControls&ServicesChairMeng-ChowKangWG2SecurityTechniquesChairProf.KNaemuraWG3SecurityEvaluationChairMatsOhlinWG5PrivacyTechnology,IDmanagementandBiometricsChairKaiRannenbergISO/IECJTC1SC27ChairWalterFumyViceChairMarijikedeSoeteSecretaryKrystynaPassia27000Fundamental&Vocabulary27004ISMSMeasurement27005ISMSRiskManagement27006AccreditationRequirements27001ISMSRequirements27003ISMSImplementationGuidanceInformationSecurityManagementSystems(ISMS)27002CodeofPracticeISMSFamilyRiskmanage;Preventoccurrence;ReduceimpactofoccurrencePreparetorespond;eliminateorreduceimpactSC27WG4RoadmapFrameworkInvestigatetoestablishfactsaboutbreaches;identifywhodoneitandwhatwentwrongUnknownandemergingsecurityissuesKnownsecurityissuesSecuritybreachesandcompromisesNetworkSecurity(27033)TTPServicesSecurityICTReadinessforBusinessContinuity(27031)SC27WG4RoadmapApplicationSecurity(27034)ForensicInvestigationCybersecurity(27032)IncludesISO/IEC24762,VulnerabilityMgmt,IDS,&IncidentResponserelatedstandardsAnti-Spyware,Anti-SPAM,Anti-Phishing,Cybersecurity-eventcoordination&informationsharingISO18028revision;WDfornewPart1,2&3;NewStudyPeriodonHomeNetworkSecurity1stWDavailableforcommentsFutureNPNewStudyPeriodproposed;Includesoutsourcingandoff-shoringsecurityGapsbetweenReadiness&Response
ITSecurity,BCP,andDRPPlanning&ExecutionProtectDetectReact/ResponseITSecurityPlanningActivateBCPActivateDCRPPlanPrepare&TestPlanPrepare&TestBusinessContinuityPlanningDisasterContingency&RecoveryPlanningDisasterEventsITSystemsFailuresICTReadinessforBusinessContinuityWhatisICTReadiness?PrepareorganizationICTtechnology(infrastructure,operation,applications),process,andpeopleagainstunforeseeablefocusingeventsthatcouldchangetheriskenvironmentLeverageandstreamlineresourcesamongtraditionalbusinesscontinuity,disasterrecovery,emergencyresponse,andITsecurityincidentresponseandmanagementWhyICTReadinessfocusonBusinessContinuity?ICTsystemsareprevalentinorganizationsICTsystemsarenecessarytosupportincident,businesscontinuity,disaster,andemergencyresponseandmanagementneedsBusinesscontinuityisincompletewithoutconsideringICTsystemsreadinessRespondingtosecurityincident,disasters,andemergencysituationsareaboutbusinesscontinuityImplicationsofICTReadinessOperationalStatusTimeIncidentCurrentIHM,BCMandDRPfocusonshorteningperiodofdisruptionandreducingtheimpactofanincidentbyriskmitigationandrecoveryplanning.T=0T=iT=kT=lT=j100%x%y%z%Earlydetectionandresponsecapabilitiestopreventsuddenanddrasticfailure,enablegradualdeteriorationofoperationalstatusandfurthershortenrecoverytime.BeforeimplementationofIHM,BCM,and/orDRPAfterimplementationofIHM,BCM,and/orDRPAfterimplementationofICTReadinessforBCICTReadinessforBusinessContinuityRe-proposedassingle-partstandard(Nov‘07)Structure(DRAFT,DocumentSC27N6274)IntroductionScopeNormativeReferencesTermsandDefinitionsOverview(ofICTReadinessforBusinessContinuity)ApproachBasedonPDCAcyclicalmodelExtendBCPapproach
(usingRA,andBIA)IntroduceFailureScenarioAssessment(withFMEA)FocusonTriggeringEventsManagementofIRBCProgramP2PFileSharingInstantMessagingBloggingWeb2.0CybersecurityIssuesSplogs,SPAM,SearchEnginePoisoningSpywareTrojansVirus/WormsSPAMExploitURLsPhishingTrojansVoIP/VideoPrivacy&InformationBreachGlobalThreatLandscapePrevalenceofMaliciousSoftware––byCategoryWhatisCybersecurityDefinitionofCybersecurityoverlapsInternet/networksecurityNatureCybersecurityissuesOccursontheInternet(Cyberspace)Globalnature,multiplecountries,differentpolicyandregulations,differentfocusMultipleentities,simpleclientsystemtocomplexinfrastructureWeakestlinkandlowestcommondenominatorprevailHighlycreativelandscape––alwayschangingCybersecurityCybersecurityconcernstheprotectionofassetsbelongingtobothorganizationsandusersinthecyberenvironment.Thecyberenvironmentinthiscontextisdefinedasthepublicon-lineenvironment(generallytheInternet)asdistinctfrom““enterprisecyberspace”(closedinternalnetworksspecifictoindividualorganizationsorgroupsoforganizations).GuidelinesforCybersecurity“Bestpractice””guidanceinachievingandmaintainingsecurityinthecyberenvironmentforaudiencesasdefinedbelow.Addresstherequirementforahighlevelofco-operation,information-sharingandjointactionintacklingthetechnicalissuesinvolvedincybersecurity.Thisneedstobeachievedbothbetweenindividualsandorganizationsatanationallevelandinternationally.Theprimaryaudiencesforthestandardare:CyberspaceserviceproviderssuchasInternetServiceProviders(ISPs),webserviceproviders,outsourcinganddataback-upserviceproviders,on-linepaymentbureaux,on-linecommerceoperators,entertainmentserviceprovidersandothers.Enterprisesincludingnotonlycommercialorganizationsbutalsonon-profitbodiesandotherorganizationsinfieldssuchashealthcareandeducation.Governments.Endusers,whilehighlyimportant,arenotseenasakeytargetaudienceastheyarenotingeneraldirectusersofinternationalstandards.Thestandardwillnotoffertechnicalsolutionstoindividualcybersecurityissues,whicharealreadybeingdevelopedbyotherbodiesasdescribedbelow.NetworkSecurityRevisionofISO/IEC18028Re-focus,re-scoping,andnewpartsPart1–Guidelines(Overview,Concepts,Principles)Part2–GuidelinesforDesignandImplementationPart3–ReferenceNetworkingScenarios:Risks,Design,Techniques,andControlIssuesPart4–SecuritycommunicationsbetweennetworksusingsecuritygatewaysPart5–SecuringremoteaccessPart6–SecuritycommunicationsbetweennetworksusingVirtualprivatenetworkPart7–to-be-named““technology””topicSoftwareVulnerabilityDisclosuresOSversusapplicationvulnerabilitiesApplicationvulnerabilitiescontinuedtogrowrelativetooperatingsystemvulnerabilitiesasapercentageofalldisclosuresduring2006SupportstheobservationthatsecurityvulnerabilityresearchersmaybefocusingmoreonapplicationsthaninthepastGuidelinesforApplicationSecurityReducesecurityproblemsattheapplicationlayersEliminatecommonweaknessesatcodeandprocesslevelsStrengthensecurityofcodebaseimproveapplicationsecurityandreliabilityMulti-partsstandards,includingCodeSecurityCertificationProcessSecurityCertificationCodeSecurityTestingandcertificationpermajorreleaseofapplicationProcessSecuritySecurityDevelopmentLifecycleAssuresecurityofcodefromdesigntooperation,includingminorreleases,patchdevelopment&releaseFocusonWeb-basedapplications(majorproblemareas)GuidelinesforApplicationSecuritySpecifyanapplicationsecuritylifecycle,incorporatingthesecurityactivitiesandcontrolsforuseaspartofanapplicationlifecycle,coveringapplicationsdevelopedthroughinternaldevelopment,externalacquisition,outsourcing/offshoring1,orahybridoftheseapproaches.ProvideguidancetobusinessandITmanagers,developers,auditors,andend-userstoensurethatthedesiredlevelofsecurityisattainedinbusinessapplicationsinlinewiththerequirementsoftheorganization’sInformationSecurityManagementSystems(ISMS).Applicationsecurityaddressesallaspectsofsecurityrequiredtodeterminetheinformationsecurityrequirements,andensureadequateprotectionofinformationaccessedbyanapplicationaswellastopreventunauthorizeduseoftheapplicationandunauthorizedactionsofanapplication.Informationalsecurityconcernsinbusinessapplicationsaretobeaddressedinallphasesoftheapplicationlifecycle,asguidedbytheorganization’sriskmanagementprinciplesandtheISMSadopted.GuidelinesforApplicationSecurityStructure(DRAFT)Part1––Overview,definition,concepts,andprinciplesPart2––SecureApplicationLifecyclePart3––SecureApplicationArchitecturePart4––ProtocolsandDataStructure,Input,Processes,andOutputSecurityPart5––ApplicationSecurityAssurancePart6–N-TiersandWebApplicationsSecurity…9、靜夜四無無鄰,荒居居舊業(yè)貧。。。12月-2212月-22Thursday,December29,202210、雨中中黃葉葉樹,,燈下下白頭頭人。。。09:01:3109:01:3109:0112/29/20229:01:31AM11、以我獨(dú)沈久久,愧君相見見頻。。12月-2209:01:3209:01Dec-2229-Dec-2212、故故人人江江海海別別,,幾幾度度隔隔山山川川。。。。09:01:3209:01:3209:01Thursday,December29,202213、乍見翻翻疑夢(mèng),,相悲各各問年。。。12月-2212月-2209:01:3209:01:32December29,202214、他鄉(xiāng)生生白發(fā),,舊國見見青山。。。29十十二月20229:01:32上午午09:01:3212月-2215、比比不不了了得得就就不不比比,,得得不不到到的的就就不不要要。。。。。十二二月月229:01上上午午12月月-2209:01December29,202216、行動(dòng)出成成果,工作作出財(cái)富。。。2022/12/299:01:3209:01:3229December202217、做前,,能夠環(huán)環(huán)視四周周;做時(shí)時(shí),你只只能或者者最好沿沿著以腳腳為起點(diǎn)點(diǎn)的射線線向前。。。9:01:32上午午9:01上午午09:01:3212月-229、沒有失失敗,只只有暫時(shí)時(shí)停止成成功!。。12月-2212月月-22Thursday,December29,202210、很多事情情努力了未未必有結(jié)果果,但是不不努力卻什什么改變也也沒有。。。09:01:3209:01:3209:0112/29/20229:01:32AM11、成功就是日日復(fù)一日那一一點(diǎn)點(diǎn)小小努努力的積累。。。12月-2209:01:3209:01Dec-2229-Dec-2212、世世間間成成事事,,不不求求其其絕絕對(duì)對(duì)圓圓滿滿,,留留一一份份不不足足,,可可得得無無限限完完美美。。。。09:01:3209:01:3209:01Thursday,December29,202213、不不知知香香積積寺寺,,數(shù)數(shù)里里入入云云峰峰。。。。12月月-2212月月-2209:01:3209:01:32December29,202214、意志堅(jiān)強(qiáng)強(qiáng)的人能把把世界放在在手中像泥泥塊一樣任任意揉捏。。29十二二月20229:01:32上上午09:01:3212月-2215、楚塞塞三湘湘接,,荊門門九派派通。。。。十二月月229:01上上午午12月月-2209:01December29,202216、少年十五二二十時(shí),步行行奪得胡馬騎騎。。2022/12/299:01:3309:0
溫馨提示
- 1. 本站所有資源如無特殊說明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請(qǐng)下載最新的WinRAR軟件解壓。
- 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請(qǐng)聯(lián)系上傳者。文件的所有權(quán)益歸上傳用戶所有。
- 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁內(nèi)容里面會(huì)有圖紙預(yù)覽,若沒有圖紙預(yù)覽就沒有圖紙。
- 4. 未經(jīng)權(quán)益所有人同意不得將文件中的內(nèi)容挪作商業(yè)或盈利用途。
- 5. 人人文庫網(wǎng)僅提供信息存儲(chǔ)空間,僅對(duì)用戶上傳內(nèi)容的表現(xiàn)方式做保護(hù)處理,對(duì)用戶上傳分享的文檔內(nèi)容本身不做任何修改或編輯,并不能對(duì)任何下載內(nèi)容負(fù)責(zé)。
- 6. 下載文件中如有侵權(quán)或不適當(dāng)內(nèi)容,請(qǐng)與我們聯(lián)系,我們立即糾正。
- 7. 本站不保證下載資源的準(zhǔn)確性、安全性和完整性, 同時(shí)也不承擔(dān)用戶因使用這些下載資源對(duì)自己和他人造成任何形式的傷害或損失。
最新文檔
- GB/T 45013-2024精細(xì)陶瓷基片的熱疲勞試驗(yàn)方法
- 黃水瘡的臨床護(hù)理
- 《使用布局管理器》課件
- 頜骨膨隆的臨床護(hù)理
- 減鹽控壓培訓(xùn)課件
- 函數(shù)知識(shí)點(diǎn)復(fù)習(xí)課件
- 孕期肚子陣痛的健康宣教
- 孕期白帶黏稠的健康宣教
- 變應(yīng)性肉芽腫血管炎的健康宣教
- 絕經(jīng)的健康宣教
- 國家電投《新能源電站單位千瓦造價(jià)標(biāo)準(zhǔn)值(2024)》
- 小兒全麻患者術(shù)后護(hù)理
- 山東省臨沂市2023-2024學(xué)年高二上學(xué)期期末考試政治試題 含答案
- 黑龍江省哈爾濱市2023-2024學(xué)年八年級(jí)上學(xué)期語文期末模擬考試試卷(含答案)
- 2024至2030年不銹鋼水龍頭項(xiàng)目投資價(jià)值分析報(bào)告
- 風(fēng)險(xiǎn)投資協(xié)議書范本標(biāo)準(zhǔn)版
- 2024年百科知識(shí)競(jìng)賽題庫及答案(共三套)
- JGJ-T490-2021鋼框架內(nèi)填墻板結(jié)構(gòu)技術(shù)標(biāo)準(zhǔn)
- 《高壓電動(dòng)機(jī)保護(hù)》PPT課件.ppt
- 在全市油氣輸送管道安全隱患整治工作領(lǐng)導(dǎo)小組第一次會(huì)議上的講話摘要
- 小學(xué)英語后進(jìn)生的轉(zhuǎn)化工作總結(jié)3頁
評(píng)論
0/150
提交評(píng)論