國際信息安全技術(shù)標(biāo)準(zhǔn)發(fā)展英文

國際信息安全技術(shù)標(biāo)準(zhǔn)發(fā)展

ISO/IECJTC1/SC27/WG4江明灶Meng-ChowKang,CISSP,CISAConvener,SecurityControls&ServicesWorkingGroup(WG4),ISO/IECJTC1SC27(SecurityTechniques)ChiefSecurityAdvisorMicrosoftGreatChinaRegionWG1ISMSStandardsChairTedHumphreysVice-ChairAngelikaPlateWG4SecurityControls&ServicesChairMeng-ChowKangWG2SecurityTechniquesChairProf.KNaemuraWG3SecurityEvaluationChairMatsOhlinWG5PrivacyTechnology,IDmanagementandBiometricsChairKaiRannenbergISO/IECJTC1SC27ChairWalterFumyViceChairMarijikedeSoeteSecretaryKrystynaPassia27000Fundamental&Vocabulary27004ISMSMeasurement27005ISMSRiskManagement27006AccreditationRequirements27001ISMSRequirements27003ISMSImplementationGuidanceInformationSecurityManagementSystems(ISMS)27002CodeofPracticeISMSFamilyRiskmanage;Preventoccurrence;ReduceimpactofoccurrencePreparetorespond;eliminateorreduceimpactSC27WG4RoadmapFrameworkInvestigatetoestablishfactsaboutbreaches;identifywhodoneitandwhatwentwrongUnknownandemergingsecurityissuesKnownsecurityissuesSecuritybreachesandcompromisesNetworkSecurity(27033)TTPServicesSecurityICTReadinessforBusinessContinuity(27031)SC27WG4RoadmapApplicationSecurity(27034)ForensicInvestigationCybersecurity(27032)IncludesISO/IEC24762,VulnerabilityMgmt,IDS,&IncidentResponserelatedstandardsAnti-Spyware,Anti-SPAM,Anti-Phishing,Cybersecurity-eventcoordination&informationsharingISO18028revision;WDfornewPart1,2&3;NewStudyPeriodonHomeNetworkSecurity1stWDavailableforcommentsFutureNPNewStudyPeriodproposed;Includesoutsourcingandoff-shoringsecurityGapsbetweenReadiness&Response

ITSecurity,BCP,andDRPPlanning&ExecutionProtectDetectReact/ResponseITSecurityPlanningActivateBCPActivateDCRPPlanPrepare&TestPlanPrepare&TestBusinessContinuityPlanningDisasterContingency&RecoveryPlanningDisasterEventsITSystemsFailuresICTReadinessforBusinessContinuityWhatisICTReadiness?PrepareorganizationICTtechnology(infrastructure,operation,applications),process,andpeopleagainstunforeseeablefocusingeventsthatcouldchangetheriskenvironmentLeverageandstreamlineresourcesamongtraditionalbusinesscontinuity,disasterrecovery,emergencyresponse,andITsecurityincidentresponseandmanagementWhyICTReadinessfocusonBusinessContinuity?ICTsystemsareprevalentinorganizationsICTsystemsarenecessarytosupportincident,businesscontinuity,disaster,andemergencyresponseandmanagementneedsBusinesscontinuityisincompletewithoutconsideringICTsystemsreadinessRespondingtosecurityincident,disasters,andemergencysituationsareaboutbusinesscontinuityImplicationsofICTReadinessOperationalStatusTimeIncidentCurrentIHM,BCMandDRPfocusonshorteningperiodofdisruptionandreducingtheimpactofanincidentbyriskmitigationandrecoveryplanning.T=0T=iT=kT=lT=j100%x%y%z%Earlydetectionandresponsecapabilitiestopreventsuddenanddrasticfailure,enablegradualdeteriorationofoperationalstatusandfurthershortenrecoverytime.BeforeimplementationofIHM,BCM,and/orDRPAfterimplementationofIHM,BCM,and/orDRPAfterimplementationofICTReadinessforBCICTReadinessforBusinessContinuityRe-proposedassingle-partstandard(Nov‘07)Structure(DRAFT,DocumentSC27N6274)IntroductionScopeNormativeReferencesTermsandDefinitionsOverview(ofICTReadinessforBusinessContinuity)ApproachBasedonPDCAcyclicalmodelExtendBCPapproach

(usingRA,andBIA)IntroduceFailureScenarioAssessment(withFMEA)FocusonTriggeringEventsManagementofIRBCProgramP2PFileSharingInstantMessagingBloggingWeb2.0CybersecurityIssuesSplogs,SPAM,SearchEnginePoisoningSpywareTrojansVirus/WormsSPAMExploitURLsPhishingTrojansVoIP/VideoPrivacy&InformationBreachGlobalThreatLandscapePrevalenceofMaliciousSoftware––byCategoryWhatisCybersecurityDefinitionofCybersecurityoverlapsInternet/networksecurityNatureCybersecurityissuesOccursontheInternet(Cyberspace)Globalnature,multiplecountries,differentpolicyandregulations,differentfocusMultipleentities,simpleclientsystemtocomplexinfrastructureWeakestlinkandlowestcommondenominatorprevailHighlycreativelandscape––alwayschangingCybersecurityCybersecurityconcernstheprotectionofassetsbelongingtobothorganizationsandusersinthecyberenvironment.Thecyberenvironmentinthiscontextisdefinedasthepublicon-lineenvironment(generallytheInternet)asdistinctfrom““enterprisecyberspace”(closedinternalnetworksspecifictoindividualorganizationsorgroupsoforganizations).GuidelinesforCybersecurity“Bestpractice””guidanceinachievingandmaintainingsecurityinthecyberenvironmentforaudiencesasdefinedbelow.Addresstherequirementforahighlevelofco-operation,information-sharingandjointactionintacklingthetechnicalissuesinvolvedincybersecurity.Thisneedstobeachievedbothbetweenindividualsandorganizationsatanationallevelandinternationally.Theprimaryaudiencesforthestandardare:CyberspaceserviceproviderssuchasInternetServiceProviders(ISPs),webserviceproviders,outsourcinganddataback-upserviceproviders,on-linepaymentbureaux,on-linecommerceoperators,entertainmentserviceprovidersandothers.Enterprisesincludingnotonlycommercialorganizationsbutalsonon-profitbodiesandotherorganizationsinfieldssuchashealthcareandeducation.Governments.Endusers,whilehighlyimportant,arenotseenasakeytargetaudienceastheyarenotingeneraldirectusersofinternationalstandards.Thestandardwillnotoffertechnicalsolutionstoindividualcybersecurityissues,whicharealreadybeingdevelopedbyotherbodiesasdescribedbelow.NetworkSecurityRevisionofISO/IEC18028Re-focus,re-scoping,andnewpartsPart1–Guidelines(Overview,Concepts,Principles)Part2–GuidelinesforDesignandImplementationPart3–ReferenceNetworkingScenarios:Risks,Design,Techniques,andControlIssuesPart4–SecuritycommunicationsbetweennetworksusingsecuritygatewaysPart5–SecuringremoteaccessPart6–SecuritycommunicationsbetweennetworksusingVirtualprivatenetworkPart7–to-be-named““technology””topicSoftwareVulnerabilityDisclosuresOSversusapplicationvulnerabilitiesApplicationvulnerabilitiescontinuedtogrowrelativetooperatingsystemvulnerabilitiesasapercentageofalldisclosuresduring2006SupportstheobservationthatsecurityvulnerabilityresearchersmaybefocusingmoreonapplicationsthaninthepastGuidelinesforApplicationSecurityReducesecurityproblemsattheapplicationlayersEliminatecommonweaknessesatcodeandprocesslevelsStrengthensecurityofcodebaseimproveapplicationsecurityandreliabilityMulti-partsstandards,includingCodeSecurityCertificationProcessSecurityCertificationCodeSecurityTestingandcertificationpermajorreleaseofapplicationProcessSecuritySecurityDevelopmentLifecycleAssuresecurityofcodefromdesigntooperation,includingminorreleases,patchdevelopment&releaseFocusonWeb-basedapplications(majorproblemareas)GuidelinesforApplicationSecuritySpecifyanapplicationsecuritylifecycle,incorporatingthesecurityactivitiesandcontrolsforuseaspartofanapplicationlifecycle,coveringapplicationsdevelopedthroughinternaldevelopment,externalacquisition,outsourcing/offshoring1,orahybridoftheseapproaches.ProvideguidancetobusinessandITmanagers,developers,auditors,andend-userstoensurethatthedesiredlevelofsecurityisattainedinbusinessapplicationsinlinewiththerequirementsoftheorganization’sInformationSecurityManagementSystems(ISMS).Applicationsecurityaddressesallaspectsofsecurityrequiredtodeterminetheinformationsecurityrequirements,andensureadequateprotectionofinformationaccessedbyanapplicationaswellastopreventunauthorizeduseoftheapplicationandunauthorizedactionsofanapplication.Informationalsecurityconcernsinbusinessapplicationsaretobeaddressedinallphasesoftheapplicationlifecycle,asguidedbytheorganization’sriskmanagementprinciplesandtheISMSadopted.GuidelinesforApplicationSecurityStructure(DRAFT)Part1––Overview,definition,concepts,andprinciplesPart2––SecureApplicationLifecyclePart3––SecureApplicationArchitecturePart4––ProtocolsandDataStructure,Input,Processes,andOutputSecurityPart5––ApplicationSecurityAssurancePart6–N-TiersandWebApplicationsSecurity…9、靜夜四無無鄰，荒居居舊業(yè)貧。。。12月-2212月-22Thursday,December29,202210、雨中中黃葉葉樹，，燈下下白頭頭人。。。09:01:3109:01:3109:0112/29/20229:01:31AM11、以我獨沈久久，愧君相見見頻。。12月-2209:01:3209:01Dec-2229-Dec-2212、故故人人江江海海別別，，幾幾度度隔隔山山川川。。。。09:01:3209:01:3209:01Thursday,December29,202213、乍見翻翻疑夢，，相悲各各問年。。。12月-2212月-2209:01:3209:01:32December29,202214、他鄉(xiāng)生生白發(fā)，，舊國見見青山。。。29十十二月20229:01:32上午午09:01:3212月-2215、比比不不了了得得就就不不比比，，得得不不到到的的就就不不要要。。。。。十二二月月229:01上上午午12月月-2209:01December29,202216、行動出成成果，工作作出財富。。。2022/12/299:01:3209:01:3229December202217、做前，，能夠環(huán)環(huán)視四周周；做時時，你只只能或者者最好沿沿著以腳腳為起點點的射線線向前。。。9:01:32上午午9:01上午午09:01:3212月-229、沒有失失敗，只只有暫時時停止成成功！。。12月-2212月月-22Thursday,December29,202210、很多事情情努力了未未必有結(jié)果果，但是不不努力卻什什么改變也也沒有。。。09:01:3209:01:3209:0112/29/20229:01:32AM11、成功就是日日復(fù)一日那一一點點小小努努力的積累。。。12月-2209:01:3209:01Dec-2229-Dec-2212、世世間間成成事事，，不不求求其其絕絕對對圓圓滿滿，，留留一一份份不不足足，，可可得得無無限限完完美美。。。。09:01:3209:01:3209:01Thursday,December29,202213、不不知知香香積積寺寺，，數(shù)數(shù)里里入入云云峰峰。。。。12月月-2212月月-2209:01:3209:01:32December29,202214、意志堅強強的人能把把世界放在在手中像泥泥塊一樣任任意揉捏。。29十二二月20229:01:32上上午09:01:3212月-2215、楚塞塞三湘湘接，，荊門門九派派通。。。。十二月月229:01上上午午12月月-2209:01December29,202216、少年十五二二十時，步行行奪得胡馬騎騎。。2022/12/299:01:3309:0