Standard: ISO/IEC 27010

Description

Contents

Foreword
Introduction

1 Scope

2 Normative references

3 Terms and definitions

4 Concepts and justification

  • Introduction
  • Information sharing communities
  • Community management
  • Supporting entities
  • Inter-sector communication
  • Conformity
  • Communications model

5 Information security policies

Management direction for information security

  • Policies for information security
  • Review of the policies for information security

6 Organization of information security

7 Human resource security

Prior to employment

  • Screening
  • Terms and conditions of employment

During employment

Termination and change of employment

8 Asset management

Responsibility for assets

  • Inventory of assets
  • Ownership of assets
  • Acceptable use of assets
  • Return of assets

Information classification

  • Classification of information
  • Labelling of information
  • Handling of assets

Media handling

Information exchanges protection

  • Information dissemination
  • Information disclaimers
  • Information credibility
  • Information sensitivity reduction
  • Anonymous source protection
  • Anonymous recipient protection
  • Onwards release authority

9 Access control

10 Cryptography

Cryptographic controls

  • Policy on the use of cryptographic controls
  • Key management

11 Physical and environmental security

12 Operations security

Operational procedures and responsibilities

Protection from malware

  • Controls against malware

Backup

Logging and monitoring

  • Event logging
  • Protection of log information
  • Administrator and operator logs
  • Clock synchronization

Control of operational software

Technical vulnerability management

Information systems audit considerations

  • Information systems audit controls
  • Community audit rights

13 Communications security

Network security management

Information transfer

  • Information transfer policies and procedures
  • Agreements on information transfer
  • Electronic messaging
  • Confidentiality or non-disclosure agreements

14 System acquisition, development and maintenance

15 Supplier relationships

Information security in supplier relationships

  • Information security policy for supplier relationships
  • Addressing security within supplier agreements
  • Information and communication technology supply chain

Supplier service delivery management

16 Information security incident management

Management of information security incidents and improvements

  • Responsibilities and procedures
  • Reporting information security events
  • Reporting information security weaknesses
  • Assessment of, and decision on, information security events
  • Response to information security incidents
  • Learning from information security incidents
  • Collection of evidence
  • Early warning system

17 Information security aspects of business continuity management

Information security continuity

  • Planning information security continuity
  • Implementing information security continuity
  • Verify, review and evaluate information security continuity

Redundancies

18 Compliance

Compliance with legal and contractual requirements

  • Identification of applicable legislation and contractual requirements
  • Intellectual property rights
  • Protection of records
  • Privacy and protection of personally identifiable information
  • Regulation of cryptographic controls
  • Liability to the information sharing community

Information security reviews

1 Sharing sensitive information (informative)

  • Introduction
  • Challenges
  • Potential benefits
  • Applicability
  • Defining and operating an information sharing community
  • Information exchange agreements
  • Success factors
  • Scope of the ISMS for an information sharing community

2 Establishing trust in information exchanges (informative)

  • Statement of trust
  • Technological support
    • Introduction
    • Anonymity and pseudo-anonymity
    • Reputation engines
  • Assessing trustworthiness of information

3 The Traffic Light Protocol (informative)

4 Models for organizing an information sharing community (informative)

Introduction

Trusted Information Communication Entities

  • Introduction
  • TICE organizational considerations
    • Subject matter experts
    • Organizational structure
    • Community member management
    • Organizational model
  • TICE core and optional services
  • Conclusion

Warning, Advice and Reporting Points

Bibliography