ISO/IEC 27002:2013 pdf free download

First published on March 21.


Other information: provides further information that may need to be considered, for example legal considerations and references to other standards. If there is no other information to be provided, this part is not shown.

Its lineage stretches back more than 30 years to the precursors of BS. Like governance and risk management, information security management is a broad topic with ramifications for all organizations.

The specific information risk and control requirements may differ in detail but there is a lot of common ground, for instance most organizations need to address the information risks relating to their employees plus contractors, consultants and third party suppliers of various information and IT services.

The standard is explicitly concerned with information security, meaning the security of all forms of information. It recommends information security controls addressing information security control objectives arising from risks to the confidentiality, integrity and availability of information. However, organizations are free to implement whichever controls they feel are appropriate for their information risks, and may prefer entirely different control suites.

The standard is structured logically around groups of related security controls. Many controls could have been put in several sections but, to avoid duplication and conflict, they were arbitrarily assigned to one and, in some cases, cross-referenced from elsewhere.

This has resulted in a few oddities such as section 6. It may not be perfect but it is good enough on the whole. A diagram on the original page showed the sections as blocks whose areas roughly reflect the sizes of the sections. The standard gives recommendations for those who are responsible for selecting, implementing and managing information security.

However, various other standards are mentioned in the standard, and there is a bibliography. Of the 21 sections or chapters of the standard, 14 specify control objectives and controls.

There is a standard structure within each control clause: one or more first-level subsections, each one stating a control objective, and each control objective being supported in turn by one or more stated controls, each control followed by the associated implementation guidance and, in some cases, additional explanatory notes.

The amount of detail is responsible for the standard being nearly 90 A4 pages in length. Few professionals would seriously dispute the validity of the control objectives, or, to put that another way, it would be difficult to argue that an organization need not satisfy the stated control objectives in general. However, some control objectives are not applicable in every case and their generic wording is unlikely to reflect the precise requirements of every organization, especially given the very wide range of organizations and industries to which the standard applies.

Each of the control objectives is supported by at least one control. However, the headline figure is somewhat misleading, since the implementation guidance recommends numerous actual controls in the details. Consider the control objective relating to the relatively simple sub-subsection 9. Whether you consider that to be one or several controls is up to you. Furthermore, the wording throughout the standard clearly states or implies that this is not a totally comprehensive set.

A hospital operating theater, for instance, is not the ideal place to be messing around with logins, passwords and all that jazz. Information risk and security is context-dependent.

Management should define a set of policies to clarify their direction of, and support for, information security. The organization should lay out the roles and responsibilities for information security, and allocate them to individuals. Where relevant, duties should be segregated across roles and individuals to avoid conflicts of interest and prevent inappropriate activities.

There should be contacts with relevant external authorities such as CERTs and special interest groups on information security matters. Information security should be an integral part of the management of all types of project. Information security responsibilities should be taken into account when recruiting permanent employees, contractors and temporary staff.

Managers should ensure that employees and contractors are made aware of and motivated to comply with their information security obligations. A formal disciplinary process is necessary to handle information security incidents allegedly caused by workers. All information assets should be inventoried and owners should be identified to be held accountable for their security.