国际信息安全技术标准发展英文

国际信息安全技术标准发展

ISO/IECJTC1/SC27/WG4江明灶Meng-ChowKang,CISSP,CISAConvener,SecurityControls&ServicesWorkingGroup(WG4),ISO/IECJTC1SC27(SecurityTechniques)ChiefSecurityAdvisorMicrosoftGreatChinaRegionWG1ISMSStandardsChairTedHumphreysVice-ChairAngelikaPlateWG4SecurityControls&ServicesChairMeng-ChowKangWG2SecurityTechniquesChairProf.KNaemuraWG3SecurityEvaluationChairMatsOhlinWG5PrivacyTechnology,IDmanagementandBiometricsChairKaiRannenbergISO/IECJTC1SC27ChairWalterFumyViceChairMarijikedeSoeteSecretaryKrystynaPassia27000Fundamental&Vocabulary27004ISMSMeasurement27005ISMSRiskManagement27006AccreditationRequirements27001ISMSRequirements27003ISMSImplementationGuidanceInformationSecurityManagementSystems(ISMS)27002CodeofPracticeISMSFamilyRiskmanage;Preventoccurrence;ReduceimpactofoccurrencePreparetorespond;eliminateorreduceimpactSC27WG4RoadmapFrameworkInvestigatetoestablishfactsaboutbreaches;identifywhodoneitandwhatwentwrongUnknownandemergingsecurityissuesKnownsecurityissuesSecuritybreachesandcompromisesNetworkSecurity(27033)TTPServicesSecurityICTReadinessforBusinessContinuity(27031)SC27WG4RoadmapApplicationSecurity(27034)ForensicInvestigationCybersecurity(27032)IncludesISO/IEC24762,VulnerabilityMgmt,IDS,&IncidentResponserelatedstandardsAnti-Spyware,Anti-SPAM,Anti-Phishing,Cybersecurity-eventcoordination&informationsharingISO18028revision;WDfornewPart1,2&3;NewStudyPeriodonHomeNetworkSecurity1stWDavailableforcommentsFutureNPNewStudyPeriodproposed;Includesoutsourcingandoff-shoringsecurityGapsbetweenReadiness&Response

ITSecurity,BCP,andDRPPlanning&ExecutionProtectDetectReact/ResponseITSecurityPlanningActivateBCPActivateDCRPPlanPrepare&TestPlanPrepare&TestBusinessContinuityPlanningDisasterContingency&RecoveryPlanningDisasterEventsITSystemsFailuresICTReadinessforBusinessContinuityWhatisICTReadiness?PrepareorganizationICTtechnology(infrastructure,operation,applications),process,andpeopleagainstunforeseeablefocusingeventsthatcouldchangetheriskenvironmentLeverageandstreamlineresourcesamongtraditionalbusinesscontinuity,disasterrecovery,emergencyresponse,andITsecurityincidentresponseandmanagementWhyICTReadinessfocusonBusinessContinuity?ICTsystemsareprevalentinorganizationsICTsystemsarenecessarytosupportincident,businesscontinuity,disaster,andemergencyresponseandmanagementneedsBusinesscontinuityisincompletewithoutconsideringICTsystemsreadinessRespondingtosecurityincident,disasters,andemergencysituationsareaboutbusinesscontinuityImplicationsofICTReadinessOperationalStatusTimeIncidentCurrentIHM,BCMandDRPfocusonshorteningperiodofdisruptionandreducingtheimpactofanincidentbyriskmitigationandrecoveryplanning.T=0T=iT=kT=lT=j100%x%y%z%Earlydetectionandresponsecapabilitiestopreventsuddenanddrasticfailure,enablegradualdeteriorationofoperationalstatusandfurthershortenrecoverytime.BeforeimplementationofIHM,BCM,and/orDRPAfterimplementationofIHM,BCM,and/orDRPAfterimplementationofICTReadinessforBCICTReadinessforBusinessContinuityRe-proposedassingle-partstandard(Nov‘07)Structure(DRAFT,DocumentSC27N6274)IntroductionScopeNormativeReferencesTermsandDefinitionsOverview(ofICTReadinessforBusinessContinuity)ApproachBasedonPDCAcyclicalmodelExtendBCPapproach

(usingRA,andBIA)IntroduceFailureScenarioAssessment(withFMEA)FocusonTriggeringEventsManagementofIRBCProgramP2PFileSharingInstantMessagingBloggingWeb2.0CybersecurityIssuesSplogs,SPAM,SearchEnginePoisoningSpywareTrojansVirus/WormsSPAMExploitURLsPhishingTrojansVoIP/VideoPrivacy&InformationBreachGlobalThreatLandscapePrevalenceofMaliciousSoftware––byCategoryWhatisCybersecurityDefinitionofCybersecurityoverlapsInternet/networksecurityNatureCybersecurityissuesOccursontheInternet(Cyberspace)Globalnature,multiplecountries,differentpolicyandregulations,differentfocusMultipleentities,simpleclientsystemtocomplexinfrastructureWeakestlinkandlowestcommondenominatorprevailHighlycreativelandscape––alwayschangingCybersecurityCybersecurityconcernstheprotectionofassetsbelongingtobothorganizationsandusersinthecyberenvironment.Thecyberenvironmentinthiscontextisdefinedasthepublicon-lineenvironment(generallytheInternet)asdistinctfrom““enterprisecyberspace”(closedinternalnetworksspecifictoindividualorganizationsorgroupsoforganizations).GuidelinesforCybersecurity“Bestpractice””guidanceinachievingandmaintainingsecurityinthecyberenvironmentforaudiencesasdefinedbelow.Addresstherequirementforahighlevelofco-operation,information-sharingandjointactionintacklingthetechnicalissuesinvolvedincybersecurity.Thisneedstobeachievedbothbetweenindividualsandorganizationsatanationallevelandinternationally.Theprimaryaudiencesforthestandardare:CyberspaceserviceproviderssuchasInternetServiceProviders(ISPs),webserviceproviders,outsourcinganddataback-upserviceproviders,on-linepaymentbureaux,on-linecommerceoperators,entertainmentserviceprovidersandothers.Enterprisesincludingnotonlycommercialorganizationsbutalsonon-profitbodiesandotherorganizationsinfieldssuchashealthcareandeducation.Governments.Endusers,whilehighlyimportant,arenotseenasakeytargetaudienceastheyarenotingeneraldirectusersofinternationalstandards.Thestandardwillnotoffertechnicalsolutionstoindividualcybersecurityissues,whicharealreadybeingdevelopedbyotherbodiesasdescribedbelow.NetworkSecurityRevisionofISO/IEC18028Re-focus,re-scoping,andnewpartsPart1–Guidelines(Overview,Concepts,Principles)Part2–GuidelinesforDesignandImplementationPart3–ReferenceNetworkingScenarios:Risks,Design,Techniques,andControlIssuesPart4–SecuritycommunicationsbetweennetworksusingsecuritygatewaysPart5–SecuringremoteaccessPart6–SecuritycommunicationsbetweennetworksusingVirtualprivatenetworkPart7–to-be-named““technology””topicSoftwareVulnerabilityDisclosuresOSversusapplicationvulnerabilitiesApplicationvulnerabilitiescontinuedtogrowrelativetooperatingsystemvulnerabilitiesasapercentageofalldisclosuresduring2006SupportstheobservationthatsecurityvulnerabilityresearchersmaybefocusingmoreonapplicationsthaninthepastGuidelinesforApplicationSecurityReducesecurityproblemsattheapplicationlayersEliminatecommonweaknessesatcodeandprocesslevelsStrengthensecurityofcodebaseimproveapplicationsecurityandreliabilityMulti-partsstandards,includingCodeSecurityCertificationProcessSecurityCertificationCodeSecurityTestingandcertificationpermajorreleaseofapplicationProcessSecuritySecurityDevelopmentLifecycleAssuresecurityofcodefromdesigntooperation,includingminorreleases,patchdevelopment&releaseFocusonWeb-basedapplications(majorproblemareas)GuidelinesforApplicationSecuritySpecifyanapplicationsecuritylifecycle,incorporatingthesecurityactivitiesandcontrolsforuseaspartofanapplicationlifecycle,coveringapplicationsdevelopedthroughinternaldevelopment,externalacquisition,outsourcing/offshoring1,orahybridoftheseapproaches.ProvideguidancetobusinessandITmanagers,developers,auditors,andend-userstoensurethatthedesiredlevelofsecurityisattainedinbusinessapplicationsinlinewiththerequirementsoftheorganization’sInformationSecurityManagementSystems(ISMS).Applicationsecurityaddressesallaspectsofsecurityrequiredtodeterminetheinformationsecurityrequirements,andensureadequateprotectionofinformationaccessedbyanapplicationaswellastopreventunauthorizeduseoftheapplicationandunauthorizedactionsofanapplication.Informationalsecurityconcernsinbusinessapplicationsaretobeaddressedinallphasesoftheapplicationlifecycle,asguidedbytheorganization’sriskmanagementprinciplesandtheISMSadopted.GuidelinesforApplicationSecurityStructure(DRAFT)Part1––Overview,definition,concepts,andprinciplesPart2––SecureApplicationLifecyclePart3––SecureApplicationArchitecturePart4––ProtocolsandDataStructure,Input,Processes,andOutputSecurityPart5––ApplicationSecurityAssurancePart6–N-TiersandWebApplicationsSecurity…9、静夜四无无邻，荒居居旧业贫。。。12月-2212月-22Thursday,December29,202210、雨中中黄叶叶树，，灯下下白头头人。。。09:01:3109:01:3109:0112/29/20229:01:31AM11、以我独沈久久，愧君相见见频。。12月-2209:01:3209:01Dec-2229-Dec-2212、故故人人江江海海别别，，几几度度隔隔山山川川。。。。09:01:3209:01:3209:01Thursday,December29,202213、乍见翻翻疑梦，，相悲各各问年。。。12月-2212月-2209:01:3209:01:32December29,202214、他乡生生白发，，旧国见见青山。。。29十十二月20229:01:32上午午09:01:3212月-2215、比比不不了了得得就就不不比比，，得得不不到到的的就就不不要要。。。。。十二二月月229:01上上午午12月月-2209:01December29,202216、行动出成成果，工作作出财富。。。2022/12/299:01:3209:01:3229December202217、做前，，能够环环视四周周；做时时，你只只能或者者最好沿沿着以脚脚为起点点的射线线向前。。。9:01:32上午午9:01上午午09:01:3212月-229、没有失失败，只只有暂时时停止成成功！。。12月-2212月月-22Thursday,December29,202210、很多事情情努力了未未必有结果果，但是不不努力却什什么改变也也没有。。。09:01:3209:01:3209:0112/29/20229:01:32AM11、成功就是日日复一日那一一点点小小努努力的积累。。。12月-2209:01:3209:01Dec-2229-Dec-2212、世世间间成成事事，，不不求求其其绝绝对对圆圆满满，，留留一一份份不不足足，，可可得得无无限限完完美美。。。。09:01:3209:01:3209:01Thursday,December29,202213、不不知知香香积积寺寺，，数数里里入入云云峰峰。。。。12月月-2212月月-2209:01:3209:01:32December29,202214、意志坚强强的人能把把世界放在在手中像泥泥块一样任任意揉捏。。29十二二月20229:01:32上上午09:01:3212月-2215、楚塞塞三湘湘接，，荆门门九派派通。。。。十二月月229:01上上午午12月月-2209:01December29,202216、少年十五二二十时，步行行夺得胡马骑骑。。2022/12/299:01:3309:0