Overview of BS 7799: security controls and the objectives they achieve
We now consider the ten groups of security controls defined in BS 7799 (Part 1, the code of practice that was later adopted as ISO/IEC 17799). The first group concerns security policy and comprises the following controls:

The purpose of this group of controls is to define the strategy for security management and to ensure management support for it.

The second group of controls concerns the organizational aspects of security. Compared with the first it is larger and has an internal structure. Its first subgroup, security infrastructure, aims to manage security within the organization and includes the following controls:

The controls of the second subgroup, security of third-party access, are intended to ensure the security of computing and information resources that third parties access. There are two such controls: identifying the risks associated with third-party connections and implementing appropriate protective measures, and defining security requirements for inclusion in contracts with external organizations. The objective of the third subgroup is to maintain information security when external services (outsourcing) are used. It proposes that security requirements be defined and included in contracts with providers of information services.

The third group of controls, asset classification and control, is very important. Identifying and classifying assets is a prerequisite for protecting them adequately. Classification criteria should be developed according to which each asset receives one security label or another.

The fourth group of controls, personnel security, covers all phases of an employee's work, the first of which is documenting security roles and responsibilities when the requirements for every position are defined. New staff should be selected in accordance with these requirements, confidentiality agreements concluded, and the remaining conditions stipulated in the employment contract. To maintain a conscious attitude toward information security, training for all users and regular professional development are needed. Alongside proactive measures, the standard also provides for responding to security incidents so as to minimize the damage and draw lessons for the future. It provides for reporting of incidents, observed vulnerabilities and software malfunctions. Mechanisms should be developed to assess the damage caused by incidents and failures, and a disciplinary process should exist for employees who violate the rules.

The fifth group of controls is aimed at physical and environmental security. It includes three subgroups:

To establish secure areas, security perimeters must be defined, entry to secure areas and work within them must be controlled, production facilities (especially those with special security requirements) must be protected, and delivery and loading areas must be protected and, where possible, isolated from production premises. To prevent loss, damage or unauthorized modification of equipment, it is recommended to place equipment in protected areas, provide an uninterruptible power supply, protect cabling, arrange equipment maintenance, move equipment (including off-site) only with authorization, and erase stored information before equipment is decommissioned or repurposed. General measures include a clear desk and clear screen policy, and the disposal of assets (hardware, software and data) only with management authorization.

Sincerely, Confido Security