Similar literature
20 similar documents found, search time 0 ms
1.
This article presents ISO's most successful information security standard, ISO/IEC 27001, together with the other standards in the family of information security standards — the so-called ISO/IEC 2700x family of information security management system (ISMS) standards and guidelines. We shall take a brief look at the history and progress of these standards, where they originated from and how they became the common language of organizations around the world for engaging in business securely. We shall take a tour through the different types of standard that are included in the ISMS family and how they relate and fit together, and we will finally conclude with a short presentation of ISMS third-party certification. The material used in this article has been derived directly from the many articles and books by Prof. Humphreys on the ISO/IEC 2700x ISMS family, and these standards are implemented and applied in practice in the business, commerce and government sectors.

2.
Information security management standards: Problems and solutions   Cited by: 1 (self-citations: 0, citations by others: 1)
International information security management guidelines play a key role in managing and certifying organizational IS. We analyzed BS7799, BS ISO/IEC17799:2000, GASPP/GAISP, and the SSE-CMM to determine and compare how these guidelines are validated, and how widely they can be applied. First, we found that BS7799, BS ISO/IEC17799:2000, GASPP/GAISP and the SSE-CMM were generic or universal in scope; consequently they do not pay enough attention to the differences between organizations and the fact that their security requirements are different. Second, we noted that these guidelines were validated by appeal to common practice and authority, and that this was not a sound basis for important international information security guidelines. To address these shortcomings, we believe that information security management guidelines should be seen as a library of material on information security management for practitioners.

3.
4.
In May 2009 the Information Security Group, Royal Holloway, became host to a medical sociologist from St. George's Hospital, University of London, under EPSRC's discipline hopping scheme. As part of this knowledge transfer activity, a sociotechnical study group was formed comprising computer scientists, mathematicians, organisational researchers and a sociologist. The focus of this group is to consider different avenues of sociotechnical research in information security. This article briefly outlines some of the areas of research where sociotechnical studies might contribute to information security management.

5.
Achieving a sustainable information protection capability within complex business, legal and technical environments is an integral part of supporting an organization's strategic and compliance objectives. Despite a growing focus on information security governance (ISG), it remains under-explored, requiring greater empirical scrutiny and more contextually attuned theorizing. This study adopts an interpretive case approach and uses analytical lenses drawing from socio-technical systems and institutional logics to examine how ISG arrangements are framed and shaped in practice in fourteen Australian Critical Infrastructure Organizations. Our findings illustrate the heterogeneity and malleability of ISG across different organizations, involving intra- and inter-organizational relationships and trust mechanisms. We identify the need to reframe ISG, adopting the new label information protection governance (IPG), to present a more multi-faceted view of information protection incorporating a richly layered set of social and technical aspects that constitute and are constituted by governance arrangements.

6.
Globalization has resulted in outsourcing data, software, hardware and various services. However, outsourcing introduces new security vulnerabilities due to the corporation's limited knowledge and control of external providers operating in foreign countries. Security of operation is therefore critical for effectively introducing and maintaining these business relationships without sacrificing product quality. This paper discusses some of these security concerns for outsourcing. In particular, it discusses security issues pertaining to data-as-a-service and software-as-a-service models as well as supply chain security issues. Relevant standards for data outsourcing are also presented. The goal is for the composite system to be secure even if the individual components that are developed by multiple organizations might be compromised.

7.
One of the methods for information security risk assessment is the substantiated choice and realization of countermeasures against threats. A situational fuzzy OWA model of a multicriteria decision making problem concerning the choice of countermeasures for reducing information security risks is proposed. The proposed model makes it possible to modify the associated weights of criteria based on the information entropy with respect to the aggregation situation. The advantage of the model is the continuous improvement of the weights of the criteria and the aggregation of experts' opinions depending on the parameter characterizing the aggregation situation.

8.
Over the last few years, computing has changed to an almost purely networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programmes has increasingly become a function of our ability to make prudent management decisions about organizational activities. This series of articles takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.

9.
Awareness of the need for true information security is steadily evolving in finance, industry and government, although action does not match rhetoric. There is a growing need for sophisticated security measures, as evidenced by the increasing incidence of penetrations, at all levels of sophistication, of automated systems. These security measures can be developed and installed based on a procedure of risk analysis, security audit and design of countermeasures.

10.
With the rapid development of science and technology and of network information technology, more and more network information security problems are gradually emerging. This paper mainly studies the relationship between network information security and network security, and puts forward several suggestions on how to create a secure network environment.

11.
Since the Data Encryption Standard (DES) was published in January 1977 as a Federal Information Processing Standard (FIPS), it has become the basis for the development of several security and integrity standards. Seven DES-based security standards have already been approved, and several others are in development. Five standards-making organizations are now involved with DES-based standards: the American Bankers Association (ABA), the American National Standards Institute (ANSI), the General Services Administration (GSA), the International Organization for Standardization (ISO), and the National Bureau of Standards (NBS). While these standards are all based on the DES, future standards may make provision for using other cryptographic algorithms. For example, public key cryptographic algorithms could offer some advantages over the traditional secret key cryptographic algorithms in certain applications. In anticipation of this future requirement, NBS has published a Solicitation for Public Key Cryptography Algorithms to be used in special application standards.

12.
In October 2005, Sysinternals' Mark Russinovich discovered a rootkit on his computer, which he later determined stemmed from a Sony-BMG compact disc. In this article, the authors examine the copy-protection software found on those discs and the implications for digital rights management.

13.
To address the problem that information security protection measures for the coal-mine industrial internet are mostly applied to small areas, making it difficult to assess overall information security risk, an information security risk assessment method for the coal-mine industrial internet based on two dimensions, static and dynamic, is proposed. Following the Baseline for Classified Protection of Cybersecurity (Information Security Technology) and GB/T 34679—2017 General Technical Specification for Smart Mine Information Systems, the method converts the security protection provisions already implemented in coal-mine information systems into features, builds a correlation coefficient matrix of the security protection requirements in each system, and from it computes the number of security protection provisions the system actually implements; combined with the number of threat occurrences and the probability of a higher-level risk occurring, a security risk assessment model is built to carry out information security risk assessment of the coal-mine industrial internet. Test results show that the method can effectively assess the information security status of the coal-mine industrial internet and guide coal-mine enterprises in information security risk analysis and in the planning, design and implementation of security protection, thereby reducing the information security risk of the coal-mine industrial internet.

14.
This article presents the current status of existing and emerging ISO, ANSI, and FIPS standards for database management, specifically the database languages NDL and SQL and Remote Database Access (RDA). It describes the general content of each standard and discusses its applicability, availability, completeness, maturity, stability, existing usage, and known limitations. Where appropriate, it also addresses the availability of conformance test suites and future plans for enhancements and follow-on standardization efforts.

15.
Neural Computing and Applications - Cyber security risk management plays an important role for today's businesses due to the rapidly changing threat landscape and the existence of evolving...

16.
This paper introduces a model of the information flows in Product Life cycle Management (PLM), serving as the basis for understanding the role of standards in PLM support systems. Support of PLM requires a set of complementary and interoperable standards that cover the full range of aspects of the products' life cycle. The paper identifies a typology of standards relevant to PLM support that addresses the hierarchy of existing and evolving standards and their usage, and identifies a suite of standards supporting the exchange of product, process, operations and supply chain information. A case study illustrating the use of PLM standards in a large organization is presented. The potential role of harmonization among PLM support standards is described, and a proposal is made for using open standards and open source models for this important activity.

17.
With the development of information technology, the Internet of Things (IoT) has been widely applied in China. While IoT brings enormous convenience to people, it also poses enormous risks to information security. Based on a comparison of relevant domestic and foreign legislation, this article proposes a conception of the legislative principles, legislative system and structure, and legislative content for information security protection in the IoT era. It also recommends strengthening the supervisory role of government, gradually unifying norms and standards, intensifying cryptographic protection under IoT conditions, and raising users' own security awareness.

18.
As the informatization of medical insurance continues to deepen and medical insurance networks grow ever larger, how to ensure the secure and stable operation of medical insurance networks by strengthening network security management is a problem we urgently need to solve. This paper first gives a brief introduction to the current state of medical insurance network management, then briefly analyzes the security risks present in medical insurance networks, and finally discusses prevention strategies for the security risks faced.

19.
There is growing interest in the role and contribution of national information infrastructure (NII) to the quality of governance and the socio-economic development of nation states. In this paper, we use publicly available archival data to explore the relationships among NII, governance, and socio-economic development in developing countries. Results substantiate a significant relationship between NII and governance, and between NII and socio-economic development. The findings suggest that NII have the capacity to contribute to country development, both directly (via impacts on socio-economic development) and indirectly (via impacts on governance, which in turn influences socio-economic development).

20.
Abstract. Using a sample of Fortune 500 industrial firms, this study hypothesizes that various infra-organizational factors, including those commonly associated with agency, governance and managerial characteristics of the firm, affect the decision to create a top management executive position for a chief information officer (CIO). Statistically meaningful relationships were observed between the creation of a top executive CIO position and (1) top management's equity interests, (2) the number of outside directors on the board, (3) Chief Executive Officer (CEO) age, and (4) CEO experience.


Copyright © Beijing Qinyun Technology Development Co., Ltd.  京ICP备09084417号