Security standards and best practices
The Standard of Good Practice for Information Security, published by the Information Security Forum (ISF), is a business-focused, practical and comprehensive guide to identifying and managing information security risks in organizations and their supply chains.
The most recent edition is 2016, an update of the 2014 edition.
The 2011 Standard is the most significant update of the standard for four years. It includes information security 'hot topics' such as consumer devices, critical infrastructure, cybercrime attacks, office equipment, spreadsheets and databases and cloud computing.
The 2011 Standard is aligned with the requirements for an Information Security Management System (ISMS) set out in ISO/IEC 27000-seriesstandards, and provides wider and deeper coverage of ISO/IEC 27002 control topics, as well as cloud computing, information leakage, consumer devices and security governance.
In addition to providing a tool to enable ISO 27001 certification, the 2011 Standard provides full coverage of COBIT v4 topics, and offers substantial alignment with other relevant standards and legislation such as PCI DSS and the Sarbanes Oxley Act, to enable compliance with these standards too.
The Standard is used by Chief Information Security Officers (CISOs), information security managers, business managers, IT managers, internal and external auditors, IT service providers in organizations of all sizes.
The 2011 Standard is available free of charge to members of the ISF. Non-members are able to purchase a copy of the standard directly from the ISF.
IT Governance Standards and Best Practices
ISO/IEC 27000 family of Information Security Management Systems - This document provides an overview of ISO/IEC 27000 family of Information Security Management Systems which consists of inter-related standards and guidelines, already published or under development, and contains a number of significant structural components.
ISO 27001 - This document provides the ISO standards of the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
ISO 27002 - This document introduces the code of practice for information security controls.
British Standard 7799 Part 3 - This set of guidelines is published by BSI Group for the information security risk management.
COBIT - The Control Objectives for Information and related Technology (COBIT) is published by the Standards Board of Information Systems Audit and Control Association (ISACA) providing a control framework for the governance and management of enterprise IT.
Common Criteria (also known as ISO/IEC 15408) - This set of evaluation criterias is developed by and aligned with national security standards organisations of Australia, Canada, France, Germany, Japan, Netherlands, New Zealand, Spain, UK and US.
ITIL (or ISO/IEC 20000 series) - This document introduces a collection of best practices in IT service management (ITSM), and focuses on the service processes of IT and considers the central role of the user.
National Information Security Technology Standard Specification - This webpage introduces a collection of national information security standards formulated by the National Information Security Standards Technical Committee. These standards include information security management, information security evaluation, authentication and authorisation, etc.
Asset classification and control
Information security is the preservation of CIA of an organization's assets. The level of security assurance required is determined by the type of asset and its value.
Information is a business asset that adds value to an organization. Asset classification identifies the type of information asset based on the value, sensitivity, and degree of assurance required. This enables us to devise suitable controls.
The following concepts are applicable to information assets:
Classification criteria—Information assets are generally classified based on their value, age, useful life, and personnel association based on privacy requirements.
Owner—The owner of the information is responsible for its protection. The owner plays the role of determining the classification level, periodical review, and delegation.
Custodian—A custodian is the one delegated by the owner to maintain the information. A custodian's role includes backup and restoration of the information and maintaining the records.
User—A user is the person who uses the information. A user may be an employee, an operator, or any third...
Control of hardware equipment by
1.identifying
2.Recording
3classifying
4.Inventory control
5.Monitoring
Recoding the hardware equipment by
Barcode
A barcode (also bar code) is an optical, machine-readable, representation of data; the data usually describes something about the object that carries the barcode. Traditional barcodes systematically represent data by varying the widths and spacings of parallel lines, and may be referred to as linear or one-dimensional (1D). Later, two-dimensional (2D) variants were developed, using rectangles, dots, hexagons and other geometric patterns, called matrix codes or 2D barcodes, although they do not use bars as such. Initially, barcodes were only scanned by special optical scanners called barcode readers. Later application software became available for devices that could read images, such as smartphones with cameras.
An early use of one type of barcode in an industrial context was sponsored by the Association of American Railroads in the late 1960s. Developed by General Telephone and Electronics (GTE) and called KarTrak ACI (Automatic Car Identification), this scheme involved placing colored stripes in various combinations on steel plates which were affixed to the sides of railroad rolling stock. Two plates were used per car, one on each side, with the arrangement of the colored stripes encoding information such as ownership, type of equipment, and identification number. The plates were read by a trackside scanner, located for instance, at the entrance to a classification yard, while the car was moving past. The project was abandoned after about ten years because the system proved unreliable after long-term use
RFID circuit
RFID or Radio Frequency Identification System is a technology based identification system which helps identifying objects just through the tags attached to them, without requiring any light of sight between the tags and the tag reader. All that is needed is radio communication between the tag and the reader
IT Asset Management
IT Asset Management (ITAM) is “a set of business practices that incorporates IT assets across the business units within the organization. It joins the financial, inventory, contractual and risk management responsibilities to manage the overall life cycle of these assets including tactical and strategic decision making”. Assets include all elements of software and hardware that are found in the business environment.
IT asset management is sometimes referred to as IT inventory management because it typically involves gathering detailed hardware and software inventory information which is then used to make decisions about purchases and how assets are used. Having an accurate IT asset inventory helps companies use their assets more effectively and avoid unnecessary asset purchases by re-using existing resources. IT asset management also enables organizations to lower the risks costs of unknowingly building new IT projects on outdated (or unknown) infrastructure foundations.
IT Asset management is made effective using metadata and electronic records to track and categorize the organization’s assets. Metadata is the description of the physical or digital asset and any supporting information that is needed to inform asset management decisions. The metadata depth can vary depending on the needs of the organization.
The Standard of Good Practice for Information Security, published by the Information Security Forum (ISF), is a business-focused, practical and comprehensive guide to identifying and managing information security risks in organizations and their supply chains.
The most recent edition is 2016, an update of the 2014 edition.
The 2011 Standard is the most significant update of the standard for four years. It includes information security 'hot topics' such as consumer devices, critical infrastructure, cybercrime attacks, office equipment, spreadsheets and databases and cloud computing.
The 2011 Standard is aligned with the requirements for an Information Security Management System (ISMS) set out in ISO/IEC 27000-seriesstandards, and provides wider and deeper coverage of ISO/IEC 27002 control topics, as well as cloud computing, information leakage, consumer devices and security governance.
In addition to providing a tool to enable ISO 27001 certification, the 2011 Standard provides full coverage of COBIT v4 topics, and offers substantial alignment with other relevant standards and legislation such as PCI DSS and the Sarbanes Oxley Act, to enable compliance with these standards too.
The Standard is used by Chief Information Security Officers (CISOs), information security managers, business managers, IT managers, internal and external auditors, IT service providers in organizations of all sizes.
The 2011 Standard is available free of charge to members of the ISF. Non-members are able to purchase a copy of the standard directly from the ISF.
IT Governance Standards and Best Practices
ISO/IEC 27000 family of Information Security Management Systems - This document provides an overview of ISO/IEC 27000 family of Information Security Management Systems which consists of inter-related standards and guidelines, already published or under development, and contains a number of significant structural components.
ISO 27001 - This document provides the ISO standards of the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
ISO 27002 - This document introduces the code of practice for information security controls.
British Standard 7799 Part 3 - This set of guidelines is published by BSI Group for the information security risk management.
COBIT - The Control Objectives for Information and related Technology (COBIT) is published by the Standards Board of Information Systems Audit and Control Association (ISACA) providing a control framework for the governance and management of enterprise IT.
Common Criteria (also known as ISO/IEC 15408) - This set of evaluation criterias is developed by and aligned with national security standards organisations of Australia, Canada, France, Germany, Japan, Netherlands, New Zealand, Spain, UK and US.
ITIL (or ISO/IEC 20000 series) - This document introduces a collection of best practices in IT service management (ITSM), and focuses on the service processes of IT and considers the central role of the user.
National Information Security Technology Standard Specification - This webpage introduces a collection of national information security standards formulated by the National Information Security Standards Technical Committee. These standards include information security management, information security evaluation, authentication and authorisation, etc.
Asset classification and control
Information security is the preservation of CIA of an organization's assets. The level of security assurance required is determined by the type of asset and its value.
Information is a business asset that adds value to an organization. Asset classification identifies the type of information asset based on the value, sensitivity, and degree of assurance required. This enables us to devise suitable controls.
The following concepts are applicable to information assets:
Classification criteria—Information assets are generally classified based on their value, age, useful life, and personnel association based on privacy requirements.
Owner—The owner of the information is responsible for its protection. The owner plays the role of determining the classification level, periodical review, and delegation.
Custodian—A custodian is the one delegated by the owner to maintain the information. A custodian's role includes backup and restoration of the information and maintaining the records.
User—A user is the person who uses the information. A user may be an employee, an operator, or any third...
Control of hardware equipment by
1.identifying
2.Recording
3classifying
4.Inventory control
5.Monitoring
Recoding the hardware equipment by
Barcode
A barcode (also bar code) is an optical, machine-readable, representation of data; the data usually describes something about the object that carries the barcode. Traditional barcodes systematically represent data by varying the widths and spacings of parallel lines, and may be referred to as linear or one-dimensional (1D). Later, two-dimensional (2D) variants were developed, using rectangles, dots, hexagons and other geometric patterns, called matrix codes or 2D barcodes, although they do not use bars as such. Initially, barcodes were only scanned by special optical scanners called barcode readers. Later application software became available for devices that could read images, such as smartphones with cameras.
An early use of one type of barcode in an industrial context was sponsored by the Association of American Railroads in the late 1960s. Developed by General Telephone and Electronics (GTE) and called KarTrak ACI (Automatic Car Identification), this scheme involved placing colored stripes in various combinations on steel plates which were affixed to the sides of railroad rolling stock. Two plates were used per car, one on each side, with the arrangement of the colored stripes encoding information such as ownership, type of equipment, and identification number. The plates were read by a trackside scanner, located for instance, at the entrance to a classification yard, while the car was moving past. The project was abandoned after about ten years because the system proved unreliable after long-term use
RFID circuit
RFID or Radio Frequency Identification System is a technology based identification system which helps identifying objects just through the tags attached to them, without requiring any light of sight between the tags and the tag reader. All that is needed is radio communication between the tag and the reader
IT Asset Management
IT Asset Management (ITAM) is “a set of business practices that incorporates IT assets across the business units within the organization. It joins the financial, inventory, contractual and risk management responsibilities to manage the overall life cycle of these assets including tactical and strategic decision making”. Assets include all elements of software and hardware that are found in the business environment.
IT asset management is sometimes referred to as IT inventory management because it typically involves gathering detailed hardware and software inventory information which is then used to make decisions about purchases and how assets are used. Having an accurate IT asset inventory helps companies use their assets more effectively and avoid unnecessary asset purchases by re-using existing resources. IT asset management also enables organizations to lower the risks costs of unknowingly building new IT projects on outdated (or unknown) infrastructure foundations.
IT Asset management is made effective using metadata and electronic records to track and categorize the organization’s assets. Metadata is the description of the physical or digital asset and any supporting information that is needed to inform asset management decisions. The metadata depth can vary depending on the needs of the organization.
No comments:
Post a Comment