ISO 27002 Standard of Information Security

Bohdan Martynenko, Ivan Kysylenko

Institute of Special Communications and Information Security, NTUU “KPI”


Information security is a central problem for many companies all over the world. To avoid risks and damage to users, several standards govern this sphere, but not all of them are in use in Ukraine. The theme of our report is therefore “Physical and Environmental Security Using Standard T-REC-X.1051-200802. Information Security Management Guidelines for Telecommunications Organizations Based on ISO 27002”. This standard is currently a draft Ukrainian standard.

We have chosen this theme because the main problem of any existing information system is not something linked to information technologies; it is mostly a “human” problem, such as physical loss of information through people who have no permission to use it or to enter certain working areas of the company. The second problem is the equipment, the most important component of every information system. More than 70 % of information loss is due to failures of equipment security.

As stated above, physical and environmental security includes:

  • Secure areas
  • Equipment security

The objective of the first point is to prevent unauthorized physical access, damage, and intrusion to the organization’s premises and information. The protection provided should be commensurate with the identified risks. It comprises the following controls:

  • Physical security perimeter (such as walls, card-controlled entry gates, etc.) – used to protect areas containing information and information processing facilities.
  • Physical entry controls – secure areas should be protected by appropriate entry controls to ensure that only authorized personnel have access.
  • Securing offices, rooms, and facilities – physical security for offices, rooms and facilities should be designed and applied.
  • Protection against external and environmental threats – physical protection against damage from natural disasters and human-caused disasters should be designed and applied.
  • Working in secure areas – physical protection and guidelines for working in secure areas should be designed and applied.
  • Public access, delivery, and loading areas – to avoid unauthorized access, access points such as delivery and loading areas, and other points that could be used by unauthorized persons to enter working areas, must be controlled and isolated from information processing facilities.

The objective of the second point is to prevent loss, damage, theft or compromise of assets and interruption of the organization’s activities. Protection of equipment (including equipment used off-site, and the removal of property) is necessary to decrease the risk of unauthorized access to information and to protect against its loss or damage. This should also take into account equipment siting and disposal. Special controls are required to protect against physical threats and to safeguard supporting facilities, e.g. electrical power supplies and cabling infrastructure. It comprises the following controls:

  • Equipment siting and protection – equipment should be sited or protected to reduce the risks from environmental threats and hazards, and the opportunities for unauthorized access.
  • Supporting utilities – equipment should be protected from power failures and other disruptions caused by failures in supporting utilities.
  • Cabling security – power and telecommunications cabling carrying data or supporting information services must be protected from interception or damage.
  • Equipment maintenance – equipment must be correctly maintained to ensure its continued availability and integrity.
  • Security of equipment off-premises – security measures that take into account the different risks of working outside the organization’s premises must be applied to off-premises equipment.
  • Secure disposal or reuse of equipment – all items of equipment containing storage media must be checked to ensure that any sensitive data and licensed software have been removed or securely overwritten before disposal.
  • Removal of property – equipment, information or software must not be taken off-site without prior authorization.

As a result, the steps listed above have to be followed to achieve information security. Nowadays, information security is a top discussion topic, as enormous funds are invested in data protection. However, it should be noted that security does not depend only on monetary resources; it can also be improved through strict supervision of the data used within a given area. These issues should be taken into consideration.

References:

  1. T-REC-X.1051-200802. “Information security management guidelines for telecommunications organizations based on ISO 27002”
  2. ISO 27002 (Ukrainian translation and interpretation)
  3. ISO 27001 (Ukrainian translation and interpretation)
