PodMaster.it, Social media, I am not afraid of you - Listening between Marketing and AI
corporate controls | 2023-06-20
TOMs: the guidelines on the state of the art of technical and organisational security measures
abstract:
An extraordinary document between Teletrust and Enisa.
Source: TeleTrust Enisa. Link: https://www.teletrust.de/en/publikationen/broschue
analysis:
index:
text:
The guidelines, in English, are excellently structured. In a few words, here is the index (page numbers refer to the PDF):
Principles of the guideline (p. 6)
1 Introduction (p. 7)
1.1 IT Security Act (p. 7)
1.2 German BSI security standards for CI operators in specific sectors (p. 8)
1.3 European implications (p. 8)
1.4 General Data Protection Regulation (p. 9)
1.5 Appropriateness of measures (p. 10)
2 Determining the state of technology (p. 11)
2.1 Definition (p. 11)
2.2 Method for determining the state of technology (p. 12)
2.3 Quality assurance process for the guide (p. 14)
2.4 Required protection objectives (p. 14)
3 Technical and organisational measures (TOMs) (p. 16)
3.1 General information (p. 16)
3.2 Technical measures (p. 19)
3.2.1 Authentication methods and procedures (p. 19)
3.2.2 Evaluation and enforcement of strong passwords (p. 20)
3.2.3 Multi-factor authentication (p. 21)
3.2.4 Cryptographic procedures (p. 24)
3.2.5 Disk encryption (p. 25)
3.2.6 Encryption of files and folders (p. 27)
3.2.7 E-mail encryption (p. 28)
3.2.8 Securing electronic data communication with PKI (p. 29)
3.2.9 Use of VPNs (layer 3) (p. 32)
3.2.10 Layer 2 encryption (p. 34)
3.2.11 Cloud-based data exchange (p. 36)
3.2.12 Data storage in the cloud (p. 37)
3.2.13 Use of mobile voice and data services (p. 39)
3.2.14 Communication through instant messenger (p. 40)
3.2.15 Mobile Device Management (p. 41)
3.2.16 Router security (p. 42)
3.2.17 Network monitoring using Intrusion Detection System (p. 44)
3.2.18 Web traffic protection (p. 46)
3.2.19 Web application protection (p. 47)
3.2.20 Remote network access / remote maintenance (p. 49)
3.2.21 Server hardening (p. 50)
3.2.22 Endpoint Detection & Response Platform (p. 53)
3.2.23 Using internet with web isolation (p. 54)
3.2.24 Attack detection and analysis (SIEM) (p. 56)
3.2.25 Confidential computing (p. 58)
3.2.26 Sandboxing for malicious code analysis (p. 59)
3.2.27 Cyber threat intelligence (p. 61)
3.2.28 Securing administrative IT systems (p. 62)
3.2.29 Monitoring of Directory Services and Identity-Based Segmentation (p. 64)
3.2.30 Network segmentation and segregation (p. 66)
3.3 Organisational measures (p. 69)
3.3.1 Standards and norms (p. 69)
3.3.2 Processes (p. 72)
3.3.3 Secure software development (p. 80)
3.3.4 Process certification (p. 84)
3.3.5 Vulnerability and patch management (p. 86)
3.3.6 Management of information security risks (p. 88)
3.3.7 Personal certification (p. 91)
3.3.8 Dealing with providers (p. 94)
3.3.9 Information Security Management Systems (ISMS) (p. 96)
3.3.10 Securing privileged accounts (p. 98)
3.3.11 Dark Web Monitoring (p. 102)
3.3.12 Software Bill of Materials (SBOM) (p. 103)
4 Appendix (p. 105)
4.1 Excursion: Measures against ransomware attacks (p. 105)
List of figures
Figure 1: Three-step theory according to the Kalkar decision (p. 11)
Figure 2: Evaluation criteria (p. 13)
Figure 3: Example of state of technology classification (p. 13)
Figure 4: Process outline for evaluating technical measures in chapter 3.2 (p. 14)
Figure 5: Structure levels of standards relevant to information security (p. 70)
Figure 6: PDCA model (p. 75)
Figure 7: Risk process according to ISO 31000 (p. 89)
List of tables
Table 1: Overview of ISO/IEC 27000 series (p. 70)
Table 2: Differentiation of ISO 27001 vs. BSI's IT basic protection (p. 71)