MUST READ and REFER TO: "ISO/IEC 27032:2012"


Introduction

The Cyberspace is a complex environment resulting from the interaction of people, software and services on the Internet, supported by worldwide distributed physical information and communications technology (ICT) devices and connected networks. However, there are security issues that are not covered by current information security, Internet security, network security and ICT security best practices, as there are gaps between these domains, as well as a lack of communication between organizations and providers in the Cyberspace. This is because the devices and connected networks that have supported the Cyberspace have multiple owners, each with their own business, operational and regulatory concerns. The different focus placed by each organization and provider in the Cyberspace on relevant security domains, where little or no input is taken from another organization or provider, has resulted in a fragmented state of security for the Cyberspace.
As such, the first area of focus of this International Standard is to address Cyberspace security or Cybersecurity issues which concentrate on bridging the gaps between the different security domains in the Cyberspace. In particular this International Standard provides technical guidance for addressing common Cybersecurity risks, including:
— social engineering attacks;
— hacking;
— the proliferation of malicious software (“malware”);
— spyware; and
— other potentially unwanted software.
The technical guidance provides controls for addressing these risks, including controls for:
— preparing for attacks by, for example, malware, individual miscreants, or criminal organizations on the Internet;
— detecting and monitoring attacks; and
— responding to attacks.
The second area of focus of this International Standard is collaboration, as there is a need for efficient and effective information sharing, coordination and incident handling amongst stakeholders in the Cyberspace.
This collaboration must be in a secure and reliable manner that also protects the privacy of the individuals concerned. Many of these stakeholders can reside in different geographical locations and time zones, and are likely to be governed by different regulatory requirements. Stakeholders include:
— consumers, which can be various types of organizations or individuals; and
— providers, which include service providers.
Thus, this International Standard also provides a framework for
— information sharing,
— coordination, and
— incident handling.
The framework includes
— key elements of considerations for establishing trust,
— necessary processes for collaboration and information exchange and sharing, as well as
— technical requirements for systems integration and interoperability between different stakeholders.
Given the scope of this International Standard, the controls provided are necessarily at a high level. Detailed technical specification standards and guidelines applicable to each area are referenced within this International Standard for further guidance.

Source:
Introduction page of the ISO/IEC 27032:2012
