One Article Review

Home - The article:
Source: NoticeBored
Identifier: 4159240
Publication date: 2022-02-21 20:23:11 (seen: 2022-02-21 08:05:26)
Title: ISO/IEC 27002 update
Text: The newly-published third edition of ISO/IEC 27002 is a welcome update to the primary ISO27k controls catalogue (officially, a 'reference set of generic information security controls'). Aside from restructuring and generally updating the controls from the 2013 second edition, the committee (finally!) seized the opportunity to beef up the coverage of information security for cloud computing with new control 5.23, plus ten other new ones, mostly in section 8 (technological controls):

- Configuration management (8.9) - concerns the need to manage security and other configuration details for [IT] hardware, software, [information] services and networks.
- Data leakage prevention (8.12) - DLP is required to protect sensitive information against unauthorized disclosure/extraction.
- Data masking (8.11) - in line with the organisation's access control policy, plus other business requirements and compliance obligations, security controls are appropriate to mitigate the risk of disclosing sensitive personal and proprietary information.
- ICT readiness for business continuity (5.30) - organisations need to prepare themselves to handle serious incidents affecting/involving critical ICT, e.g. through disaster recovery.
- Physical security monitoring (7.4) - intruder alarms, CCTV, guards etc. for business premises [such a basic control, it's very hard to believe it wasn't in the second edition ...].
- Information deletion (8.10) - at face value, another 'obvious' control: data should of course be deleted when no longer required, to prevent unnecessary disclosure and for compliance reasons. The fine details, however, do matter in practice.
- Monitoring activities (8.16) - 'anomalies' on IT networks, systems and apps should be detected and responded to, to mitigate the associated risks.
- Secure coding (8.28) - software should be [designed and] coded securely, reducing the number and severity of exploitable vulnerabilities arising from [design flaws and] bugs. This control almost - but not quite - nailed the widely respected principle of 'secure by design'.
- Threat intelligence (5.7) - gathering relevant, actionable intelligence about threats to the organization's information, feeding it into the information risk management process.
- Web filtering (8.23) - limiting our access to inappropriate, unsavoury or plain risky websites is, apparently, an important security control.

We've been busy updating the SecAware ISMS templates such as the detailed security controls maturity metric/checklist:
Sent: Yes
The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up in an earlier one.