PV 017 IT Security
Jan Staudek
http://www.fi.muni.cz/usr/staudek/vyuka/

Information security standards (norms) and legislation, Appendix

Version: autumn 2015
Jan Staudek, FI MU Brno
PV017 - Information security standards (norms)


Further standards issued by ISO/IEC/JTC1/SC 27/WG1

- ISO/IEC TR 15945, Specification of TTP services to support the application of digital signatures
  - a joint standard with ITU-T Recommendation X.843
- ISO/IEC TR 18043, System deployment and operations of intrusion detection systems (IDS)
  - a technical report with methodological guidance on how to incorporate IDS into the IT infrastructure
- ISO/IEC TR 18044, Information security incident management
  - a technical report with methodological guidance for managing the response to a security incident
- ISO/IEC TR 18028, IT Network security
  - management and architecture of network security, security gateways, secure remote access, VPN (Virtual Private Networks)


Types of standards issued by ISO/IEC/JTC1/SC 27/WG2

Focus: cryptographic and authentication techniques and mechanisms

- ISO/IEC 9796, 2000-2002, Digital signature schemes giving message recovery
- ISO/IEC 9797, 1999-2002, MACs, Message Authentication Codes
- ISO/IEC 9798, 1997-2000, Entity Authentication
- ISO/IEC 10116, 1997, Modes of operation for n-bit block cipher algorithm
- ISO/IEC 9979, 1999, Procedures for registration of cryptographic algorithms
- ISO/IEC 10118, 1998-2000, Hash function
- ISO/IEC 11770, 1996-1999, Key management
- ISO/IEC 13888, 1997-1998, Non-repudiation
- ISO/IEC 14888, 1998-1999, Digital signature schemes with appendix
- ISO/IEC 15946, Cryptographic techniques based on elliptic curves
- ISO/IEC 18014, 2002, Time stamping services
- ISO/IEC 18033, Encryption algorithms


Standard issued by ISO/IEC/JTC1/SC 27/WG3

- ISO/IEC 15408, Evaluation criteria for IT security
  - ISO/IEC 15408-1: Part 1: Introduction and general model
  - ISO/IEC 15408-2: Part 2: Security functional requirements
  - ISO/IEC 15408-3: Part 3: Security assurance requirements
  - all three parts were published in 2005
  - more in a separate lecture


Standards of ISO/TC 68 Financial Services

Current structure of TC 68:

- SC2: Security management and general banking operations
  - the main venue of IT security standardization
  - WG4 Information security guidelines for banking
  - WG6 Framework for IT security for financial institutions
  - WG10 Biometric information security
  - WG11 Encryption algorithm used in banking applications
  - WG12 Security in retail banking
  - WG14 Cryptographic syntax scheme for financial services
- SC4: Securities and related financial instruments
- SC6: Retail financial services
- SC7: Core banking
  - WG2: International bank account number


European initiatives in information security standardization

- Umbrella organizations: CEN and ETSI
- Main initiative: CEN/ISSS, Information Society Standardization System
  - established at the end of the 1990s, closely tied to CEN, ETSI, CENELEC
  - goal: shortening the time needed to develop an ISO standard (which is 5 years)
  - introduces a very flexible principle of adopting working (de facto) standards in the form of the resulting documents of standardization workshops (WS), set up as needed, the so-called CEN Workshop Agreements, CWA
- Examples of CEN/ISSS workshops
  - Electronic Signatures, E-Sign
  - eAuthentication
  - Data protection and Privacy, DPP
  - Electronic Commerce, EC, . . .


NIST standards, the SP 800 family, examples (SP - Special Publication)

- SP 800-12: An Introduction to Computer Security: The NIST Handbook
- SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems
- SP 800-27: Engineering Principles for IT Security
- SP 800-30: Risk Management Guide for Information Technology Systems
- SP 800-45: Electronic Mail Security
- SP 800-50: Building an Information Technology Security Awareness and Training Program
- SP 800-63: Electronic Authentication Guidelines
- SP 800-94: Guide to Intrusion Detection and Prevention Systems (IDPS)
- SP 800-95: Guidelines for Secure Web Services
- SP 800-100: Information Security Handbook: A Guide for Managers


ISACA standard, COBIT

- COBIT - Control Objectives for Information and related Technology
- 34 processes, 230 control instruments in areas (domains):
  - Plan and Organize: how IT can help the organization achieve its set goals
  - Acquire and Implement: identification of IT requirements and their implementation into the organization's existing business processes
  - Deliver and Support: processes enabling the efficient running of the system
  - Monitor and Evaluate: strategy for assessing the organization's needs, demonstrating whether the existing system still meets the goals for which it was designed
- broader scope than ISO/IEC 27002; the two complement each other and do not compete


ISACA standard, COBIT, in more detail

Planning and organization (Plan and Organize, PO)

- PO1 Define a strategic IT plan
- PO2 Define the information architecture
- PO3 Determine technological direction
- PO4 Define the IT processes, organisation and relationships
- PO5 Manage the IT investment
- PO6 Communicate management aims and direction
- PO7 Manage IT human resources
- PO8 Manage quality
- PO9 Assess and manage IT risks
- PO10 Manage projects

Acquisition and implementation (Acquire and Implement, AI)

- AI1 Identify automated solutions
- AI2 Acquire and maintain application software
- AI3 Acquire and maintain technology infrastructure
- AI4 Enable operation and use
- AI5 Procure IT resources
- AI6 Manage changes
- AI7 Install and accredit solutions and changes

Delivery and support (Deliver and Support, DS)

- DS1 Define and manage service levels
- DS2 Manage third-party services
- DS3 Manage performance and capacity
- DS4 Ensure continuous service
- DS5 Ensure systems security
- DS6 Identify and allocate costs
- DS7 Educate and train users
- DS8 Manage service desk and incidents
- DS9 Manage the configuration
- DS10 Manage problems
- DS11 Manage data
- DS12 Manage the physical environment
- DS13 Manage operations

Monitoring and evaluation (Monitor and Evaluate, ME)

- ME1 Monitor and evaluate IT performance
- ME2 Monitor and evaluate internal control
- ME3 Ensure compliance with external requirements
- ME4 Provide IT governance


ISF standard, SoGP

- SoGP - Standard of Good Practice for Information Security
- six key aspects:
  - Security management - governance of security
  - Critical business applications - operation of applications
  - Computer installations - IT infrastructure
  - Networks - IT infrastructure
  - Systems development - development of new applications
  - End user environment - the environment of end users
- descriptions of principles and objectives, recommendations covering implementation