One Article Review

Source: NoticeBored
Identifier: 3534956
Publication date: 2021-10-20 16:00:00 (viewed: 2021-10-20 04:05:18)
Title: Topic-specific policy 8/11: cryptography and key management
Text:

Maybe this particular policy was mentioned in previous editions of ISO/IEC 27002 and picked as a topic-specific policy example for the forthcoming 3rd edition in order to include something directly relevant to governmental organisations, although to be fair crypto is a consideration for all of us these days. Many (most?) websites are now using HTTPS with TLS for encryption, for example, while cryptographic methods are commonly used for file and message integrity checks, such as application/patch installers that integrity-check themselves before proceeding, and password hashing.

Here's a glimpse of one I prepared earlier:

Like all our templates, this one is generic. Organisations with specific legal or contractual obligations in this area (such as governmental and defense companies bound to employ particular algorithms, key lengths and technologies such as physically secure hardware crypto modules, or companies bound by PCI-DSS) would need to adapt it accordingly. You'll see that it mentions the Information Classification Policy: I'll have more to blog about classification tomorrow.

If you've been tagging along on my tiki-tour of the topic-specific policy examples in ISO/IEC 27002:2022, and if you read that LinkedIn piece by Chris Hall that I recommended, you will probably by now recognise the standard document structure we've adopted for all our policy templates. The main elements are:

- Page header with a logo (our logo in the template, yours to download and customise) and a short, pithy, catchy policy title.
- Information security policy up-front to be crystal clear about the nature and ownership of the policy, since some topics could equally belong to other corporate functions (e.g. our "Fraud" policy template is, in fact, an information security policy addressing the information risks associated with fraud, misrepresentation and so on, not an HR or legal policy about disciplinary procedures and compliance).
- Policy title, big and bold to stand out. The precise wording is important here (I'll return to that point in another blog piece).
- Policy summary, outlining