HB 231-2004 Information Security Risk Management Guidelines

Download as pdf or txt
Download as pdf or txt
You are on page 1of 9
At a glance
Powered by AI
The key takeaways are that information security is important for businesses, infrastructure, and society due to increasing reliance on computer systems and networks. Risk management is an important process to ensure security.

The document is about information security risk management guidelines and providing a process for establishing and implementing a risk management program.

Some examples of systems that rely on computer security mentioned in the text include monetary transactions, electronic commerce, production systems, storing company secrets, marine/air/space control systems, and medical supervision systems.

This is a free 8 page sample. Access the full version at http://infostore.saiglobal.com.

HB 231:2004

Information security risk management guidelines

HB 231:2004

Handbook
This is a free 8 page sample. Access the full version at http://infostore.saiglobal.com.

Information security risk management guidelines

Originated as HB 231:2000. Second edition 2004.

COPYRIGHT
Standards Australia/Standards New Zealand All rights are reserved. No part of this work may be reproduced or copied in any form or by any means, electronic or mechanical, including photocopying, without the written permission of the publisher. Jointly published by Standards Australia International Ltd, GPO Box 5420, Sydney, NSW 2001 and Standards New Zealand, Private Bag 2439, Wellington 6020
ISBN 0 7337 5649 2

This is a free 8 page sample. Access the full version at http://infostore.saiglobal.com.

This page left intentionally blank

HB 231:2004 Information security risk management guidelines

Preface
The vulnerability of todays information society is still not sufficiently realised: Businesses, administrations and society depend to a high degree on the efficiency and security of modern information technology. In the business community, for example, most of the monetary transactions are administered by computers in the form of deposit money. Electronic commerce depends on safe systems for money transactions in computer networks. A companys entire production frequently depends on the functioning of its data-processing system. Many businesses store their most valuable company secrets electronically. Marine, air, and space control systems, as well as medical supervision, rely to a great extent on modern computer systems. Computers and the Internet also play an increasing role in the education and leisure of minors. International computer networks are the nerves of the economy, the public sector and society. The security of these computer and communication systems is therefore of essential importance. European Commission 1998 Ever more powerful personal computers, converging technologies and the widespread use of the Internet have replaced what were modest, stand-alone systems in predominantly closed networks. Today, participants are increasingly interconnected and the connections cross national borders. In addition, the Internet supports critical infrastructures such as energy, transportation and finance and plays a major part in how companies do business, how governments provide services to citizens and enterprises and how individual citizens communicate and exchange information. The nature and type of technologies that constitute the communications and information infrastructure also have changed significantly. The number and nature of infrastructure access devices have multiplied to include fixed, wireless and mobile devices and a growing percentage of access is through always on connections. Consequently, the nature, volume and sensitivity of information that is exchanged has expanded substantially. As a result of increasing interconnectivity, information systems and networks are now exposed to a growing number and a wider variety of threats and vulnerabilities. OECD 2002 Information security risk management forms the basis for an assessment of an organizations information security framework. With increasing electronic networking between organizations for a very wide range of applications, which impacts on most aspects of life in our society, there is a clear benefit in having a common set of reference documents for information security management. This enables mutual trust to be established between networked sites and trading partners and provides a basis for management of facilities between information users and service providers. Security for information systems is an essential requirement at organizational, national and international levels. This handbook was AS/NZS 7799.2:2003. revised in 2003 to be consistent with

This is a free 8 page sample. Access the full version at http://infostore.saiglobal.com.

Preface

iii

HB 231:2004 Information security risk management guidelines

This Joint Australia/New Zealand Handbook has been prepared by Committee IT-012, Information Systems, Security and Identification Technology. This publication extends the generic work done by Committee OB/7, Risk Management to specifically address the area of information security management. Information security risk management guidelines issued by the International Organization for Standardization (ISO) as ISO/IEC TR 13335, Information technology Guidelines for the management of IT security have been adapted to align with the Australian and New Zealand Standard AS/NZS 4360, Risk management. AS/NZS ISO/IEC 17799 establishes a code of practice for selecting information security controls (or equivalently treating information security risks). AS/NZS 7799.2 (BS 7799.2) specifies an information security management system. Both documents require that a risk assessment process is used as the basis for selecting controls (treating risks). This Handbook complements these Standards by providing additional guidance concerning management of information security risks. The guidance in this Handbook is not intended to be a comprehensive schedule of information security threats and vulnerabilities. It is intended to serve as a single reference point describing an information security risk management process suitable for most situations encountered in industry and commerce and therefore can be applied by a wide range of organizations. Not all of the steps described in the handbook are relevant to every situation, nor can they take account of local environmental or technological constraints, or be presented in a form that suits every potential user in an organization. Safety critical applications in particular will require additional consideration of factors specific to the circumstances and relevant Standards should be consulted in such cases. Consequently, these guidelines may require to be augmented by further guidance before they can be used as a basis (for example) for corporate policy or an inter-company trading agreement. It has been assumed in the drafting of these guidelines, that the execution of their provisions is entrusted to appropriately qualified and experienced people.

This is a free 8 page sample. Access the full version at http://infostore.saiglobal.com.

iv

Preface

HB 231:2004 Information security risk management guidelines

Contents
1 Scope, Application and Definitions................................................................. 1 1.1 1.2 1.3 1.4 1.5 1.6
This is a free 8 page sample. Access the full version at http://infostore.saiglobal.com.

Scope ..................................................................................................... 1 Methodology.......................................................................................... 1 Application ............................................................................................ 1 Terminology .......................................................................................... 2 Definitions ............................................................................................. 2 References ............................................................................................. 4

Risk Management Framework ........................................................................ 6 2.1 2.2 2.3 2.4 2.5 General .................................................................................................. 6 Risk management policy ....................................................................... 6 Planning and resourcing ........................................................................ 6 Implementation program ....................................................................... 7 Management review .............................................................................. 7

Risk Management Overview ........................................................................... 8 3.1 3.2 3.3 3.4 General .................................................................................................. 8 Information security management models............................................. 8 Main elements ..................................................................................... 12 Information security risks .................................................................... 13

Risk Management Process............................................................................. 17 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 Establish the context ............................................................................ 17 Risk identification................................................................................ 21 Risk analysis ........................................................................................ 22 Risk evaluation .................................................................................... 28 Risk treatment...................................................................................... 29 Risk acceptance ................................................................................... 38 Monitoring and review ........................................................................ 39 Communication and consultation ........................................................ 39

Documentation .............................................................................................. 40 5.1 5.2 5.3 5.4 5.5 5.6 General ................................................................................................ 40 Reasons for documentation.................................................................. 40 Security policy..................................................................................... 41 Scope and context of the information security management system ... 41 Risk identification and assessment ...................................................... 42 Risk treatment plan.............................................................................. 42
Contents v

HB 231:2004 Information security risk management guidelines

5.7 5.8 5.9

Implementation and operational procedures........................................ 43 Statement of Applicability................................................................... 43 Records ................................................................................................ 43

APPENDICES A B C D Examples of possible threat types ................................................................. 44 Examples of common vulnerabilities ............................................................ 46 Combined approach for risk identification, assessment and treatment.......... 50 Example risk analysis methods ..................................................................... 53

This is a free 8 page sample. Access the full version at http://infostore.saiglobal.com.

vi

Contents

HB 231:2004 Information security risk management guidelines

1
1.1
This is a free 8 page sample. Access the full version at http://infostore.saiglobal.com.

Scope, Application and Definitions


Scope
This Handbook provides a generic guide for the establishment and implementation of a risk management process for information security risks.

1.2

Methodology
The risk management process involves establishing the context, identifying, analysing, evaluating, treating, communicating and monitoring of risks.

1.3

Application
Risk management is recognized as an integral part of good management practice. It is an iterative process consisting of steps, which, when undertaken in sequence, enable continual improvement in decision making. Generally, information security risk management methods and techniques are applied to complete information systems and facilities, but they can also be directed to individual system components or services where this is practicable, realistic and helpful. This Handbook is intended for use as a reference document by three audiences: a) managers accountable for the management of information security; b) personnel who are responsible for initiating, implementing and/or monitoring generic risk management systems within their organizations; and c) personnel who are responsible for initiating, implementing and/or maintaining information security within their organization. This Handbook may be applied at all stages in the life of an activity, function, project, product or asset. Often a number of differing studies are carried out at different stages of a project. The maximum benefit is usually obtained by applying the risk management process from the beginning. This Handbook does not provide sufficient guidance for managing information security risks in safety related systems. IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems, gives requirements and guidance in this area.

Copyright

Section 1: Scope, Application and Definitions

This is a free preview. Purchase the entire publication at the link below:

HB 231:2004, Information security risk management guidelines


This is a free 8 page sample. Access the full version at http://infostore.saiglobal.com.

Looking for additional Standards? Visit SAI Global Infostore Subscribe to our Free Newsletters about Australian Standards in Legislation; ISO, IEC, BSI and more Do you need to Manage Standards Collections Online? Learn about LexConnect, All Jurisdictions, Standards referenced in Australian legislation Do you want to know when a Standard has changed? Want to become an SAI Global Standards Sales Affiliate? Learn about other SAI Global Services: LOGICOM Military Parts and Supplier Database Metals Infobase Database of Metal Grades, Standards and Manufacturers Materials Infobase Database of Materials, Standards and Suppliers Database of European Law, CELEX and Court Decisions

Need to speak with a Customer Service Representative - Contact Us

You might also like