August 30, 2017

Eviatar Matania, PhD, Head of the National Cyber Bureau
Prime Minister's Office
By email: sigalM@pmo.gov.il, reuta@pmo.gov.il, ArielC@pmo.gov.il

RE: Standards and regulation in Cyber Security

Your response within 45 days is kindly requested pursuant to the Administrative Procedure Reform Act (1958).

Dear Dr Matania:

An internet publication by the National Authority for Cyber Security has recently been brought to my attention. Its title is: Standards and Regulation in Cyber Security (attached). The record is not marked as a spokesperson's publication, it fails to spell out the name and authority of its author, is unsigned, undated, and fails to show any reference number.

Obviously, a central problem in cyber security of government in Israel is the proliferation of internet publications by various government authorities, which are not valid authorized records, but merely drafts (called fabrications by the media).

Therefore, I herein request clarification regarding the above referenced document:
a) The name and authority of its author.
b) The name and authority of the person who approved its online publication.

The record concludes by stating: "The Administration and Professional Training Division of the National Authority for Cyber Defense [sic - jz] is now working on defining the professions and building a program for training and documentation of such professions in the Israeli market." In this context, I attach a Freedom of Information request, which was filed with the Central Election Committee, requesting documentation of compliance of the Committee's IT systems with existing, effectual Information Security Standards.

Therefore, I herein request clarification regarding the above referenced document:
c) Will the National Authority for Cyber Defense act as stated in the above referenced document only relative to the Israeli market, or also relative to government authorities?

Truly,

Joseph Zernik, PhD
Human Rights Alert (NGO)

CC: Shin Bet Head Nadav Argaman, wide distribution

Attachments:
1) Undated: Standards and Regulation in Cyber Security
2) August 30, 2017 FOIA request, filed with the Central Election Committee
Attachment 1: Standards and Regulation in Cyber Security (undated)

[Hebrew document; only the section numbering, the names of the frameworks surveyed and the English designations and titles of the standards survived extraction.]

1. Introduction
1.1 [text not recovered]
1.2 Standards and frameworks surveyed: ISO/IEC 27000 family; SOX (2002), section 404; PCI-DSS; CSA; NIST; ITIL; CobIT; HIPAA (HHS); DHS Cybersecurity; GDPR.
2. [text not recovered]
3. [text not recovered]

Appendix A: Standards surveyed (#, designation, title)

1. ISO/IEC 27010:2012, Information technology - Security techniques - Information security management for inter-sector and inter-organizational communications
2. ISO/IEC 27014:2013, Information technology - Security techniques - Governance of information security
3. ISO/IEC 27032:2012, Information technology - Security techniques - Guidelines for Cybersecurity (internet security, CIIP, cyberspace)
4. ISO/IEC 27033-1:2009, Information technology - Security techniques - Network security: Overview and concepts
5. ISO/IEC 27033-2:2012, Information technology - Security techniques - Network security: Guidelines for the design and implementation of network security
6. ISO/IEC 27033-3:2010, Information technology - Security techniques - Network security: Reference networking scenarios - Threats, design techniques and control issues (refers to 27033-4, 27033-5 and 27033-6)
7. ISO/IEC 27033-4:2014, Information technology - Security techniques - Network security: Securing communications between networks using security gateways
8. ISO/IEC 27033-5:2013, Information technology - Security techniques - Network security: Securing communications across networks using Virtual Private Networks (VPNs)
9. ISO/IEC 27034-1:2011, Information technology - Security techniques - Application security: Overview and concepts
10. ISO/IEC 27034-2:2015, Information technology - Security techniques - Application security: Organization normative framework
11. ISO/IEC 27039:2015, Information technology - Security techniques - intrusion detection and prevention systems (IDPS)
12. ISO/IEC 27040:2015, Information technology - Security techniques - Storage security
13. ISO/IEC 2703 (remainder of entry not recovered)
14. ISO/IEC 27036-2:2014, Information technology - Security techniques - Information security for supplier relationships: Requirements
15. ISO/IEC 27036-3:2013, Information technology - Security techniques - Information security for supplier relationships: Guidelines for information and communication technology supply chain security (refers to 15288, 12207, 27002 and 27031)
16. ISO/IEC 27037:2012, Information technology - Security techniques - Guidelines for identification, collection, acquisition, and preservation of digital evidence
17. ISO/IEC 27017:2015, Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud services
18. ISO/IEC 27018:2014, Information technology - Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (refers to 29100 and 27002)
19. ISO/IEC 29100:2011, Information technology - Security techniques - Privacy framework
20. ISO/IEC 18045:2008, Information technology - Security techniques - Methodology for IT security evaluation (Common Criteria; companion to ISO/IEC 15408)
21. IEC/TS 62443-1-1:2009, Industrial communication networks - Network and system security: Terminology, concepts and models (SCADA / IACS)
22. IEC 62443-2-1:2010, Industrial communication networks - Network and system security: Establishing an industrial automation and control system security program (CSMS)
23. IEC 62443-2-3:2010, Security for industrial automation and control systems: Patch management in the IACS environment
24. IEC 62443-2-4:2015, Security for industrial automation and control (Automation Solution; remainder of title not recovered)
25. IEC 62443-3-1:2009, Industrial communication networks - Network and system security: Security technologies for industrial automation and control systems
26. (entry not recovered; surviving text lists the requirement categories UC, SI, DC, RDF, TRE, RA and security levels SL / SL-C)
27. NIST SP 800-30:2012, Guide for Conducting Risk Assessments
28. NIST SP 800-61, Computer Security Incident (remainder of title not recovered)
29. NIST SP 800-83:2013, Guide to Malware Incident Prevention and Handling for Desktops and Laptops (refers to SP 800-61)
30. ISO/IEC 24760-1:2011, Information technology - Security techniques - A framework for identity management: Terminology and concepts
31. ISO/IEC 24760-2:2015, Information technology - Security techniques - A framework for identity management: Reference architecture and requirements
32. ISO/IEC 29147:2014, Information technology - Security techniques - Vulnerability disclosure

Appendix B: EC-Council (remainder not recovered)
Attachment 2

Human Rights Alert (NGO)
Joseph Zernik, PhD
PO Box 33407, Tel Aviv, Israel 6133301
Fax: 077-3179186 Email: joseph.zernik@hra-ngo.org
August 29, 2017

Attorney Alead Naveh
Central Election Committee FOIA Office
Jerusalem
Email: hofeshmeida@knesset.gov.il, eladn@knesset.gov.il
Fax: 02-5669855

RE: Freedom of Information Request regarding IT systems of the Central Election Committee: compliance with Israeli Standard IS 27001 Information Technologies - security techniques

Dear Attorney Naveh:

Please accept instant Freedom of Information Request. Please confirm receipt by return email, including a duly designated FOIA request number.

I. Requester
Name: Joseph Zernik
ID:
Address: PO Box 33407, Tel Aviv, Israel
Fax: 077-3179186

II. Requested Information
Instant request pertains to written documentation of the requested information in records, which are held by the Central Election Committee, or specific references to official publications (e.g. State Registry) of the requested information.

A. Compliance with Israeli Standard IS 27001 Information Technologies
Any signed, lawfully made record, which documents certification of compliance with Israeli Standard IS 27001 Information Technologies: Security Techniques - systems for administration of information security.
The latest version of the Standard was published on March 06, 2014 in the State Registry (Yalkut HaPirsumim) 6766: Instant Standard details the requirements for establishing, implementation, maintenance and ongoing upgrade of a system for administration of information security in the context of an organization...

III. Payment:
a. Request fee in the sum of NIS 20.00 was paid, Reference No 91898602.

Truly,

Joseph Zernik, PhD
Human Rights Alert (NGO)