- Name:
- ISO/IEC TS 27008
- Title (German):
- Informationstechnik - Sicherheitsverfahren - Leitfaden zur Bewertung von Informationssicherheitsmaßnahmen
- Title (English):
- Information technology - Security techniques - Guidelines for the assessment of information security controls
- Last update:
- :2019-01
- Last update:
- 01.01.2019
- Pages:
- 91
- Link (publisher):
- https://www.beuth.de/de/vornorm/iso-iec-ts-27008/301539513
Description
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Structure of this document
5 Background
6 Overview of information security control assessments
Assessment process
General
Preliminary information
Assessment checklists
Review fieldwork
The analysis process
Resourcing and competence
7 Review methods
Overview
Process analysis
General
Examination techniques
General
Procedural controls
Technical controls
Testing and validation techniques
General
Blind testing
Double blind testing
Grey box testing
Double grey box testing
Tandem testing
Reversal
Sampling techniques
General
Representative sampling
Exhaustive sampling
8 Control assessment process
Preparations
Planning the assessment
- Overview
- Scoping the assessment
- Review procedures
- Object-related considerations
- Previous findings
- Overview
- Changing conditions
- Acceptability of reusing reviews
- Time aspects
- Work assignments
- External systems
- Information assets and organization
- Extended review procedure
- Optimization
- Finalization
Conducting reviews
Analysis and reporting results
Annex A - Initial information gathering (other than IT) (informative)
General
- Human resources and security
- Policies
- Organization
Physical and environmental security
- Are the sites safe for information?
- Are the sites safe for ICT? (Environmental aspects)
- Are the sites safe for people?
Incident management
Annex B - Practice guide for technical security assessments (informative)
General
Assessment of controls from
Information security policies
Organization of information security
Human resource security
Asset management
Access control
Cryptography
Physical and environmental security
Operations security
Communications security
System acquisition, development and maintenance
Supplier relationships
Information security incident management
Information security aspects of business continuity management
Compliance
Annex C - Technical assessment guide for cloud services (Infrastructure as a Service) (informative)
Positioning and purpose
Relationship with other international standards
Structure of this annex
Cloud services (infrastructure as a service) environment model
Meaning of the model introduced
Model and components
Correspondence to
Common practice in the Implementation Model
- General
- Application of virtualization technologies in the cloud service
- Carrying out the technical assessment for the common aspects in the virtualization mechanism
- Operations security
Server virtualization
- Overview of server virtualization
- Application of server virtualization in the cloud services
- Carrying out the technical assessment for the server virtualization
- Access control
Network virtualization
- Overview of network virtualization
- Application of network virtualization in the cloud services
- Carrying out a technical assessment for the network virtualization
- Access control
- Cryptography
- Communications security
Storage virtualization
- Overview of storage virtualization
- Application of storage virtualization in the cloud services
- Carrying out the technical assessment for the storage virtualization
- Access control
- Cryptography
- Operations security
Service management
- Overview of service management
- Application of service management in the cloud services
- Carrying out the technical assessment for service management
- User access management
- Cryptography
- Information security incident management