AS 13335.1—2003 Australian Standard™
Information technology—Guidelines for the management of IT Security
Part 1: Concepts and models for IT Security

PREFACE

This Standard was prepared by the Australian members of the Joint Standards Australia/Standards New Zealand Committee IT-012, Information Systems, Security and Identification Technology. After consultation with stakeholders in both countries, Standards Australia and Standards New Zealand decided to develop this Standard as an Australian, rather than an Australian/New Zealand Standard.

This Standard is identical with, and has been reproduced from ISO/IEC TR 13335-1:1996, Information technology—Guidelines for the management of IT Security, Part 1: Concepts and models for IT Security.

The objective of this Standard is to provide an overview of the fundamental concepts and models used to describe the management of IT security.

This Standard is Part 1 of AS 13335, Information technology—Guidelines for the management of IT Security, which is published in parts as follows:
Part 1: Concepts and models for IT Security (this Standard)
Part 2: Managing and planning IT Security
Part 3: Techniques for the management of IT Security
Part 4: Selection of safeguards
Part 5: Management guidance on network security

The terms "normative" and "informative" are used to define the application of the annex to which they apply. A normative annex is an integral part of a standard, whereas an informative annex is only for information and guidance.

As this Standard is reproduced from an international Technical Report, the following applies:
(a) Its number appears on the cover and title page while the international standard number appears only on the cover.
(b) In the source text 'ISO/IEC TR 13335' should read 'this Australian Standard'.
(c) A full point substitutes for a comma when referring to a decimal marker. References to International Standards should be replaced by references to Australian or Australian/New Zealand Standards, as follows:

Reference to International Standard | Australian Standard
ISO 7498, Information processing systems—Open Systems Interconnection—Basic reference model | AS 2777, Information processing systems—Open Systems Interconnection—Basic reference model
7498-2, Part 2: Security architecture | Part 2: Security architecture

CONTENTS

1 Scope
2 Reference
3 Definitions
4 Structure
5 Aim
6 Background
7 Concepts for the Management of IT Security
7.1 Approach
7.2 Objectives, Strategies and Policies
8 Security Elements
8.1 Assets
8.2 Threats
8.3 Vulnerabilities
8.4 Impact
8.5 Risk
8.6 Safeguards
8.7 Residual Risk
8.8 Constraints
9 Processes for the Management of IT Security
9.1 Configuration Management
9.2 Change Management
9.3 Risk Management
9.4 Risk Analysis
9.5 Accountability
9.6 Security Awareness
9.7 Monitoring
9.8 Contingency Plans and Disaster Recovery
10 Models
11 Summary

AUSTRALIAN STANDARD
Information technology — Guidelines for the management of IT Security — Part 1: Concepts and models for IT Security

1 Scope

ISO/IEC TR 13335 contains guidance on the management of IT security. Part 1 of ISO/IEC TR 13335 presents the basic management concepts and models which are essential for an introduction to the management of IT security. These concepts and models are further discussed and developed in the remaining parts to provide more detailed guidance. Together these parts can be used to help identify and manage all aspects of IT security. Part 1 is necessary for a complete understanding of the subsequent parts of ISO/IEC TR 13335.

2 Reference

ISO 7498-2:1989, Information processing systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture.

3 Definitions

The following definitions are used in the three parts of ISO/IEC TR 13335.
3.1 accountability: the property that ensures that the actions of an entity may be traced uniquely to the entity (ISO 7498-2:1989).
3.2 asset: anything that has value to the organization.
3.3 authenticity: the property that ensures that the identity of a subject or resource is the one claimed. Authenticity applies to entities such as users, processes, systems and information.
3.4 availability: the property of being accessible and usable upon demand by an authorized entity (ISO 7498-2:1989).
3.5 baseline controls: a minimum set of safeguards established for a system or organization.
3.6 confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes (ISO 7498-2:1989).
3.7 data integrity: the property that data has not been altered or destroyed in an unauthorized manner (ISO 7498-2:1989).
3.8 impact: the result of an unwanted incident.
3.9 integrity: see data integrity and system integrity.
3.10 IT security: all aspects related to defining, achieving and maintaining confidentiality, integrity, availability, accountability, authenticity, and reliability.
3.11 IT security policy: rules, directives and practices that govern how assets, including sensitive information, are managed, protected and distributed within an organization and its IT systems.
3.12 reliability: the property of consistent intended behaviour and results.
3.13 residual risk: the risk that remains after safeguards have been implemented.
3.14 risk: the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets.
3.15 risk analysis: the process of identifying security risks, determining their magnitude, and identifying areas needing safeguards.
3.16 risk management: the total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect IT system resources.
3.17 safeguard: a practice, procedure or mechanism that reduces risk.
3.18 system integrity: the property that a system performs its intended function in an unimpaired manner, free from deliberate or accidental unauthorized manipulation of the system.
3.19 threat: a potential cause of an unwanted incident which may result in harm to a system or organization.
3.20 vulnerability: includes a weakness of an asset or group of assets which can be exploited by a threat.

4 Structure

This part of ISO/IEC TR 13335 is structured as follows: Clause 5 outlines the aim of this report and Clause 6 provides information on the background requirements for the management of IT security. Clause 7 presents an overall overview of the concepts and models for IT security, and Clause 8 examines the elements of IT security. Clause 9 discusses the processes used for the management of IT security, and Clause 10 presents a general discussion of several models that are useful in understanding the concepts presented in this report. Finally, Part 1 is summarized in Clause 11.

5 Aim

ISO/IEC TR 13335 is intended for a variety of audiences. The aim of Part 1 is to describe the various topics within the management of IT security and to provide a brief introduction to basic IT security concepts and models. The material is kept brief in order to provide a high level management overview. This should be suitable for senior managers within an organization who are responsible for IT security and give an introduction to IT security for others interested in the remaining parts of the report. Parts 2 and 3 provide more comprehensive information and material suitable for individuals who are directly responsible for the implementation and monitoring of IT security. This is based on the concepts and models presented in Part 1. It is not the intent of this report to suggest a particular management approach to IT security. Instead the report begins with a general discussion of useful concepts and models and ends with a discussion of specific techniques and tools that are available for the management of IT security.
This material is general and applicable to many different styles of management and organizational environments. This report is organized in a manner which allows the tailoring of the material to meet the needs of an organization and its specific management style.

6 Background

Government and commercial organizations rely heavily on the use of information to conduct their business activities. Loss of confidentiality, integrity, availability, accountability, authenticity and reliability of information and services can have an adverse impact on organizations. Consequently, there is a critical need to protect information and to manage the security of information technology (IT) systems within organizations. This requirement to protect information is particularly important in today's environment because many organizations are internally and externally connected by networks of IT systems.

IT security management is a process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity and reliability. IT security management functions include:
- determining organizational IT security objectives, strategies and policies,
- determining organizational IT security requirements,
- identifying and analyzing security threats to IT assets within the organization,
- identifying and analyzing risks,
- specifying appropriate safeguards,
- monitoring the implementation and operation of safeguards that are necessary in order to cost effectively protect the information and services within the organization,
- developing and implementing a security awareness programme, and
- detecting and reacting to incidents.

In order to fulfil these management responsibilities for IT systems, security must be an integral part of an organization's overall management plan. As a result, several of the security topics addressed in this report have broader management implications. This report will not attempt to address the broader management issues but focuses on the security aspects of the topics and how they are related to management in general.

7 Concepts for the Management of IT Security

The adoption of the concepts that follow needs to take into account the culture and the environment in which the organization operates, as these may have a significant effect on the overall approach to security. In addition, they can have an impact on those that are responsible for the protection of specific parts of the IT system. In some instances the government is considered to be responsible and discharges this through the enactment and enforcement of law. In other instances it is the owner or manager who is considered responsible. This issue may have considerable influence on the approach adopted.

7.1 Approach

A systematic approach is necessary for the identification of requirements for IT security within an organization, as well as for the implementation of IT security and its ongoing administration. This systematic approach to the management of IT security includes the following activities:
- development of an IT security policy,
- identifying roles and responsibilities within the organization,
- risk management, involving the identification and assessment of: assets to be protected, threats, vulnerabilities, impacts, risks, safeguards, residual risks, and constraints,
- configuration management,
- change management,
- contingency planning and disaster recovery planning,
- safeguard selection and implementation,
- security awareness and follow up,
- maintenance,
- security audit,
- monitoring,
- review, and
- incident handling.

7.2 Objectives, Strategies and Policies

Corporate security objectives, strategies and policies (see Figure 1) need to be formulated as a basis for effective IT security in an organization. They support the business of the organization and together they ensure consistency between all safeguards. The objectives identify what shall be achieved, strategies identify how to achieve these objectives, and the policies identify what needs to be done. Objectives, strategies and policies may be developed hierarchically from the corporate to the operational level of the organization.
They should reflect organizational requirements and take into account any organizational constraints, and they should ensure that consistency is maintained at each level and throughout all levels. Security is the responsibility of all levels of management within the organization and exists in all phases of the system's life cycle. The objectives, strategies and policies should be maintained and updated based on the results of periodic security reviews (e.g. risk analysis, security audits) and changes in business objectives.

The corporate security policy essentially comprises the security principles and directives for the organization as a whole. Corporate security policies must reflect the broader corporate policies, including those that address individual rights, legal requirements and standards.

The corporate IT security policy must reflect the essential security principles and directives applicable to the corporate security policy, and the general use of IT systems within the organization.

An IT system security policy must reflect the security principles and directives contained within the corporate IT security policy. It should also contain details of the particular security requirements and safeguards to be implemented and how to use them correctly to ensure adequate security. In all cases it is important that the approach taken is effective in relation to the business needs of the organization.
[Figure 1: Hierarchy of Objectives, Strategies and Policies]

IT system security objectives, strategies and policies represent what is expected from the IT system in terms of security. They are normally expressed using natural language, but there may be a requirement to express them in a more formal way using some mathematical language. They should address IT security concepts, such as confidentiality, integrity, availability, accountability, authenticity, and reliability.

The objectives, strategies and policies will establish the level of security for the organization, the threshold for risk acceptance and the organization's contingency requirements.

8 Security Elements

The following sub-clauses describe at a high level the major elements that are involved in the security management process. Each of the elements is introduced, and the major contributing factors identified. More detailed description and discussion of these elements and their relationships are contained in other parts of this report.

8.1 Assets

The proper management of assets is vital to the success of the organization and is a major responsibility of all management levels. The assets of an organization include:
- physical assets (computer hardware, communications facilities, buildings),
- information (data, documents, databases),
- software,
- the ability to produce some product or provide a service,
- people, and
- intangibles (e.g. goodwill, image).

Most or all of these assets may be considered valuable enough to warrant some degree of protection. An assessment of the risks being accepted is necessary if the assets are not protected.

From a security perspective it is not possible to implement and maintain a successful security programme if the assets of the organization are not identified. In many situations, the process of identifying assets and assigning value can be accomplished at a very high level and may not require costly, detailed and time consuming analysis. The level of detail for this analysis must be measured in terms of the time and cost versus the value of the assets. In any case, the level of detail should be determined on the basis of the security objectives. In many cases, it is helpful to group assets.

Asset attributes to be considered include their value and/or sensitivity, and any inherent safeguards.
The protection requirements of assets are influenced by their vulnerabilities in the presence of particular threats. If these aspects are apparent to the asset owners, they should be captured at this stage. The environments and cultures the organization operates in may affect assets and their attributes. For example, some cultures regard the protection of personal information as very important while others give a lower significance to this issue. These environmental and cultural variations can be significant for international organizations and their use of IT systems across international boundaries.

8.2 Threats

Assets are subject to many kinds of threats. A threat has the potential to cause an unwanted incident which may result in harm to a system or organization and its assets. This harm can occur from a direct or indirect attack on the information being handled by an IT system or service, e.g. its unauthorized destruction, disclosure, modification, corruption, and unavailability or loss. A threat needs to exploit an existing vulnerability of the asset in order to successfully cause harm to the asset. Threats may be of natural or human origin and could be accidental or deliberate. Both accidental and deliberate threats should be identified and their level and likelihood assessed. Examples of threats are:

- Human, deliberate: eavesdropping, information modification, system hacking, malicious code, theft
- Human, accidental: errors and omissions, file deletion, incorrect routing, physical accidents
- Environmental: earthquake, lightning, floods, fire

Statistical data is available concerning many types of environmental threats. This data should be obtained and used by an organization during the threat assessment process. Threats may impact specific parts of an organization, for example the disruption to personal computers. Some threats may be general to the surrounding environment in the particular location in which a system or organization exists, for example damage to buildings from hurricanes or lightning. A threat may arise from within the organization, for example sabotage by an employee, or from outside, for example malicious hacking or industrial espionage.
The harm caused by the unwanted incident may be of a temporary nature or may be permanent, as in the case of the destruction of an asset.

The amount of harm caused by a threat can vary widely for each occurrence. For example:
- a software virus may cause different amounts of harm depending on its actions, and
- earthquakes in a particular location may have different strengths on each occasion.

Such threats frequently have a measure of severity associated with them. For example:
- a virus may be described as destructive or non destructive, and
- the strength of an earthquake may be described in terms of the Richter Scale.

Some threats may affect more than one asset. In such cases they may cause different impacts depending on which assets are affected. For example, a software virus on a single personal computer may have a limited or localized impact. However, the same software virus on a network based file server may have widespread impact. Other threats, or the same threat in a different location, may be consistent in the amount of harm they cause. If the harm caused by the threat is consistent, a generic approach can be taken. However, if the harm varies widely, a more specific approach for each threat occurrence is appropriate.

Threats have characteristics which provide useful information about the threat itself. Examples of such information include:
- source, e.g. insider vs. outsider,
- motivation, e.g. financial gain, competitive advantage,
- frequency of occurrence, and
- threat severity.

The environments and cultures in which the organization is situated can have a significant bearing and influence on how the threats to the organization are dealt with. In extreme cases, some threats may not be considered harmful in some cultures. Aspects of environment and culture must be considered when dealing with threats.

8.3 Vulnerabilities

Vulnerabilities associated with assets include weaknesses in physical layout, organization, procedures, personnel, management, administration, hardware, software or information. They may be exploited by a threat and may cause harm to the IT system or business objectives.
A vulnerability in itself does not cause harm; a vulnerability is merely a condition or set of conditions that may allow a threat to affect an asset. Vulnerabilities arising from different sources need to be considered, for example those intrinsic or extrinsic to the asset. Vulnerabilities may remain until the asset itself changes such that the vulnerability no longer applies. Vulnerabilities include weaknesses in a system that can be exploited and may lead to undesirable consequences. They are opportunities which may allow a threat to cause harm. For example, the lack of an access control mechanism is a vulnerability which could allow the threat of an intrusion to occur and assets to be lost. Within a specific system or organization not all vulnerabilities will be susceptible to a threat. Vulnerabilities which have a corresponding threat are of immediate concern. However, as the environment can change unpredictably, all vulnerabilities should be monitored to identify those that have become exposed to old or new threats.

Vulnerability analysis is the examination of weaknesses which may be exploited by identified threats. This analysis must take into account the environment and existing safeguards. The vulnerability of a particular system or asset to a threat is a statement of the ease with which the system or asset may be harmed.

8.4 Impact

Impact is the consequence of an unwanted incident, caused either deliberately or accidentally, which affects the assets. The consequences could be the destruction of certain assets, damage to the IT system, and loss of confidentiality, integrity, availability, accountability, authenticity or reliability. Possible indirect consequences include financial losses, and the loss of market share or company image. The measurement of impacts permits a balance to be made between the results of an unwanted incident and the cost of the safeguards to protect against the unwanted incident. The frequency of occurrence of an unwanted incident needs to be taken into account. This is particularly important when the amount of harm caused by each occurrence is low but where the aggregate effect of many incidents over time may be harmful.
The assessment of impacts is thus an important element in the assessment of risks and the selection of safeguards. Quantitative and qualitative measurements of impact can be achieved in a number of ways, such as:
- establishing the financial cost,
- assigning an empirical scale of severity, e.g. 1 through 10, and
- the use of adjectives selected from a predefined list, e.g. low, medium, high.

8.5 Risk

Risk is the potential that a given threat will exploit vulnerabilities to cause loss or damage to an asset or group of assets, and hence directly or indirectly to the organization. Single or multiple threats may exploit single or multiple vulnerabilities.

A risk scenario describes how a particular threat or group of threats may exploit a particular vulnerability or group of vulnerabilities exposing assets to harm. The risk is characterized by a combination of two factors, the probability of the unwanted incident occurring and its impact. Any change to assets, threats, vulnerabilities and safeguards may have significant effects on risks. Early detection or knowledge of changes in the environment or system increases the opportunity for appropriate actions to be taken to reduce the risks.

8.6 Safeguards

Safeguards are practices, procedures or mechanisms which may protect against a threat, reduce a vulnerability, limit the impact of an unwanted incident, detect unwanted incidents and facilitate recovery. Effective security usually requires a combination of different safeguards to provide layers of security for assets. For example, access control mechanisms applied to computers should be supported by audit controls, personnel procedures, training and physical security. Some safeguards may exist already as part of the environment or as an inherent aspect of assets, or may be already in place in the system or organization.

Safeguards may be considered to perform one or more of the following functions: detection, deterrence, prevention, limitation, correction, recovery, monitoring, and awareness. An appropriate selection of safeguards is essential for a properly implemented security programme. Many safeguards can serve multiple functions. It is often more cost effective to select safeguards that will satisfy multiple functions.
Some examples of areas where safeguards can be used include:
- physical environment,
- technical environment (hardware, software and communications),
- personnel, and
- administration.

Security awareness is a safeguard and is relevant to the personnel area. However, due to its importance it will be discussed in Clause 9.6. The environments and cultures the organization operates in may have a bearing on the safeguards selected and on the security awareness of the organization. Certain safeguards send a strong and clear message in regard to the organization's attitude towards security. In this regard, it is important to select safeguards which are not offensive to the culture and/or the society the organization operates in.

Examples of safeguards are:
- network firewalls,
- network monitoring and analysis,
- encryption for confidentiality,
- digital signatures,
- anti-virus software,
- back-up copies of information,
- reserve power supply, and
- access control mechanisms.

8.7 Residual Risk

Risk is usually only mitigated partially by safeguards. A partial mitigation is all that is usually possible to achieve, and the more that is to be achieved the greater the cost. This implies that there are usually residual risks. Part of judging whether the security is appropriate to the needs of the organization is the acceptance of the residual risk. This process is known as risk acceptance.

Management should be made aware of all residual risks in terms of impact and the likelihood of an event occurring. The decision to accept residual risks must be taken by those who are in a position to accept the consequences of the impact of unwanted incidents occurring and who can authorize the implementation of additional safeguards if the residual risk levels are not acceptable.

8.8 Constraints

Constraints are normally set or recognised by the organization's management and influenced by the environment within which the organization operates. Some examples of constraints to be considered are:
- organizational,
- financial,
- environmental,
- personnel,
- time,
- legal,
- technical, and
- cultural/social.

All these factors must be considered when selecting and implementing safeguards. Periodically, existing and new constraints must be reviewed and any changes identified.
It should also be noted that constraints can change with time, geography, and social evolution, as well as organizational culture. The environment and culture the organization operates in can have a bearing on several security elements, especially threats, risks, and safeguards.

9 Processes for the Management of IT Security

The management of IT security is an ongoing process consisting of a number of other processes. Some processes such as configuration management and change management have applicability to aspects other than security. One process that experience has shown to be very useful in the management of IT security is risk management and its sub-process of risk analysis. Several aspects of the management of IT security, including configuration management, change management and risk management, are shown in Figure 2.

9.1 Configuration Management

Configuration management is the process of keeping track of changes to the system and can be done formally or informally. The primary security goal of configuration management is to ensure that changes to the system do not reduce the effectiveness of safeguards and the overall security of the organization.

The security goal of configuration management is to know what changes have occurred, not to use it as a means of preventing changes to IT systems. In some cases, there may be reasons for making changes which will reduce security. In these situations the decrease in security should be assessed and a management decision made which is based on all relevant factors. In other words, changes to assets must adequately address security concerns. Another goal of configuration management is to ensure that changes to the system are reflected in other documents such as disaster recovery and contingency plans. If the change is a major one it may be necessary to analyse some or all of the system safeguards again.

[Figure 2: Aspects of the Management of IT Security]

9.2 Change Management

Change management is the process used to help identify new security requirements when IT systems change. IT systems and the environment in which they operate are constantly changing.
These changes are a result of the availability of new IT features and services or the discovery of new threats and vulnerabilities. Changes to IT systems include:
- new procedures,
- new features,
- software updates,
- hardware revisions,
- new users to include external groups or anonymous groups, and
- additional networking and interconnection.

When a change to an IT system occurs or is planned it is important to determine what, if any, impact the change will have on the security of the system. If the system has a configuration control board or other organizational structure to manage technical system changes, the security officer should be assigned to the board and be given the responsibility to make decisions about whether the change will impact security, and if so how. For major changes that involve the purchase of new hardware, software or services, an analysis will be required to determine the new security requirements. On the other hand, many changes made to systems are minor in nature and do not require the extensive analysis that is needed for major changes. For both types of changes a risk assessment that considers the benefits and costs should be made. For minor changes, this can be performed informally at meetings, but the results and the management decisions should be documented.

9.3 Risk Management

Risk management activities are most effective if they occur throughout the system's life cycle. The risk management process is itself a major aspect of this. While the entire cycle can be followed for new systems, in the case of legacy systems it can be entered at any point in the system life cycle. The strategy may dictate that a review is carried out at certain points in a system's life cycle or at predefined times. There may be follow up actions from a previous review, with the aim of checking on the progress of implementation of safeguards.
There may be a requirement to carry out risk management during the design and development of systems, thus ensuring that security is designed and implemented at the most cost effective time. When significant changes to the system are planned, risk management should also be initiated. Clause 10, Figure 4, shows the elements involved in risk management. Whatever risk management method or technique is used, it is important to provide a good balance between minimising the time and resources spent in identifying and implementing safeguards while still ensuring that all systems are appropriately protected.

Risk management is the process of comparing assessed risks with the benefits and/or costs of safeguards, and

[Figure 4: Relationships in Risk Management]

Figures 5, 6 and 7 show the relationships between protection requirements and threats, vulnerabilities, and asset values, respectively. Some IT security management approaches may emphasise one of the perspectives illustrated by these figures. However, such approaches may overlook some important aspects. Consequently, Figure 4 provides the more general approach and is used as the basis for Parts 2 and 3 of ISO/IEC TR 13335.

[Figure: Impact View]

Management of IT security is an ongoing process which must take into account the security life cycle. These aspects are further examined in Part 2 of ISO/IEC TR 13335. Part 3 addresses the techniques for the management of IT security. The process model illustrated in Figure 8 brings together the security elements associated with the management of IT security. Figure 8 is examined in detail in Part 2.

[Figure 8: The Management of IT Security Process]

11 Summary

The concepts and models discussed in this part of ISO/IEC TR 13335 can be used to develop a strategy for protecting an organization's IT assets. This strategy and related security policies need to be continuously reviewed within an organization to take into account the rapid changes in the development and use of technology and information services.
Other parts of ISO/IEC TR 13335 will further describe how these concepts and models can be used effectively in an organization.

Standards Australia is an independent company, limited by guarantee, which prepares and publishes Australian Standards. These standards are developed through an open process of consultation and consensus, in which all interested parties are invited to participate. The requirements or recommendations contained in published Standards are a consensus of the views of representative interests and also take account of comments received from other sources. Australian Standards are kept under review after publication and are updated regularly to take account of changing technology.

Standards Australia is responsible for ensuring that the Australian viewpoint is considered in the formulation of international Standards. This role is vital in assisting local industry to compete in international markets. Standards Australia represents Australia at both ISO (The International Organization for Standardization) and the International Electrotechnical Commission (IEC).

All Australian Standards are available in electronic editions, either downloaded individually from our web site www.standards.com.au or by subscription.

© Standards Australia

AS 13335.1—2003
ISO/IEC TR 13335-1:1996
Australian Standard™
Information technology—Guidelines for the management of IT Security
Part 1: Concepts and models for IT Security

This Australian Standard was prepared by Committee IT-012, Information Systems, Security and Identification Technology.
It was approved on behalf of the Council of Standards Australia on 4 March 2003 and published on 29 April 2003.

The following are represented on Committee IT-012:
Attorney General's Department
Australian Association of Permanent Building Societies
Australian Bankers Association
Australian Chamber of Commerce and Industry
Australian Electrical and Electronic Manufacturers Association
Australian Information Industry Association
Certification Forum of Australia
Department of Defence, Australia
Department of Social Welfare, New Zealand
Government Communications Security Bureau, New Zealand
Internet Industry Association
NSW Police Service
New Zealand Defence Force
Reserve Bank of Australia

Keeping Standards up-to-date

Standards are living documents which reflect progress in science, technology and systems. To maintain their currency, all Standards are periodically reviewed, and new editions are published. Between editions, amendments may be issued. Standards may also be withdrawn. It is important that readers assure themselves they are using a current Standard, which should include any amendments which may have been published since the Standard was purchased. Detailed information about Standards can be found by visiting the Standards Australia web site at www.standards.com.au and looking up the relevant Standard in the on-line catalogue. Alternatively, the printed Catalogue provides information current at 1 January each year, and the monthly magazine, The Australian Standard, has a full listing of revisions and amendments published each month. We also welcome suggestions for improvement in our Standards, and especially encourage readers to notify us immediately of any apparent inaccuracies or ambiguities. Contact us via email at mail@standards.com.au, or write to the Chief Executive, Standards Australia International Ltd, GPO Box 5420, Sydney, NSW 2001.

This Standard was issued in draft form for comment as DR 2897.
