[clug] [OT] What *is* Security?

steve jenkin sjenkin at canb.auug.org.au
Thu Sep 11 08:29:46 GMT 2008


steve jenkin wrote on 11/9/08 8:37 AM:

> Recently I've been looking for a *formal* definition of 'security'
> and that has led to puzzling over an informal definition.

Daniel's response somehow made me think of the ISO standard.
Why didn't I look that up this morning??? Brain fart, I guess :-(
My apologies for again addressing my own question and forgetting the
obvious initially :-(


I've 2 comments on the ISO definition of "Information Security":
 - it's not formal enough for me.
    Like 'best practices', I find it woolly. :-)

 - Whither Systems, Network & Computer Security?
   [i.e. the resources get hijacked & used, not the information taken]


An overview of new standards emerging:
<http://www.27000.org/>


The current "Information Security Management" standard...
<http://www.iso.org/iso/support/faqs/faqs_widely_used_standards/widely_used_standards_other/information_security.htm>

ISO/IEC 17799:2005
Information technology - Security techniques -
 Code of practice for information security management

Information security is the protection of information from a wide range
of threats in order to ensure business continuity, minimize business
risk, and maximize return on investments and business opportunities.

Information security is achieved by implementing a suitable set of
controls, including policies, processes, procedures, organizational
structures and software and hardware functions. These controls need to
be established, implemented, monitored, reviewed and improved, where
necessary, to ensure that the specific security and business objectives
of the organization are met. This should be done in conjunction with
other business management processes.

ISO/IEC 17799:2005 establishes guidelines and general principles for
initiating, implementing, maintaining, and improving information
security management in an organization.

... contains best practices of control objectives and controls in the
following (10) areas of information security management:

* security policy;
* organization of information security;
* asset management;
* human resources security;
* physical and environmental security;
* communications and operations management;
* access control;
* information systems acquisition, development and maintenance;
* information security incident management;
* business continuity management;
* compliance.


The control objectives and controls in ISO/IEC 17799:2005 are intended
to be implemented to meet the requirements identified by a risk assessment.


-- 
Steve Jenkin, Info Tech, Systems and Design Specialist.
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA

sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin