Regulatory measures explained to companies with guides, checklists and templates; AI assisted
Osservatorio edited by Dr. V. Spataro



Category: corporate controls · 2023-06-20 · Doc 96865

TOMs: the guidelines on the state of the art of technical and organisational security measures

Abstract:

An extraordinary document from TeleTrusT and ENISA.

Source: TeleTrust Enisa
Link: https://www.teletrust.de/en/publikationen/broschue

Analysis:

The analysis is reserved for subscribers. Follow the Osservatorio newsletter or the Podcast (free 30-day subscription).



Text:

The guidelines, written in English, are excellently structured.

In a few words, here is the table of contents:

Principles of the guideline (p. 6)
1 Introduction (p. 7)
1.1 IT Security Act (p. 7)
1.2 German BSI security standards for CI operators in specific sectors (p. 8)
1.3 European implications (p. 8)
1.4 General Data Protection Regulation (p. 9)
1.5 Appropriateness of measures (p. 10)
2 Determining the state of technology (p. 11)
2.1 Definition (p. 11)
2.2 Method for determining the state of technology (p. 12)
2.3 Quality assurance process for the guide (p. 14)
2.4 Required protection objectives (p. 14)
3 Technical and organisational measures (TOMs) (p. 16)
3.1 General information (p. 16)
3.2 Technical measures (p. 19)
3.2.1 Authentication methods and procedures (p. 19)
3.2.2 Evaluation and enforcement of strong passwords (p. 20)
3.2.3 Multi-factor authentication (p. 21)
3.2.4 Cryptographic procedures (p. 24)
3.2.5 Disk encryption (p. 25)
3.2.6 Encryption of files and folders (p. 27)
3.2.7 E-mail encryption (p. 28)
3.2.8 Securing electronic data communication with PKI (p. 29)
3.2.9 Use of VPNs (layer 3) (p. 32)
3.2.10 Layer 2 encryption (p. 34)
3.2.11 Cloud-based data exchange (p. 36)
3.2.12 Data storage in the cloud (p. 37)
3.2.13 Use of mobile voice and data services (p. 39)
3.2.14 Communication through instant messenger (p. 40)
3.2.15 Mobile Device Management (p. 41)
3.2.16 Router security (p. 42)
3.2.17 Network monitoring using Intrusion Detection System (p. 44)
3.2.18 Web traffic protection (p. 46)
3.2.19 Web application protection (p. 47)
3.2.20 Remote network access / remote maintenance (p. 49)
3.2.21 Server hardening (p. 50)
3.2.22 Endpoint Detection & Response Platform (p. 53)
3.2.23 Using internet with web isolation (p. 54)
3.2.24 Attack detection and analysis (SIEM) (p. 56)
3.2.25 Confidential computing (p. 58)
3.2.26 Sandboxing for malicious code analysis (p. 59)
3.2.27 Cyber threat intelligence (p. 61)
3.2.28 Securing administrative IT systems (p. 62)
3.2.29 Monitoring of Directory Services and Identity-Based Segmentation (p. 64)
3.2.30 Network segmentation and segregation (p. 66)
3.3 Organisational measures (p. 69)
3.3.1 Standards and norms (p. 69)
3.3.2 Processes (p. 72)
3.3.3 Secure software development (p. 80)
3.3.4 Process certification (p. 84)
3.3.5 Vulnerability and patch management (p. 86)
3.3.6 Management of information security risks (p. 88)
3.3.7 Personal certification (p. 91)
3.3.8 Dealing with providers (p. 94)
3.3.9 Information Security Management Systems (ISMS) (p. 96)
3.3.10 Securing privileged accounts (p. 98)
3.3.11 Dark Web Monitoring (p. 102)
3.3.12 Software Bill of Materials (SBOM) (p. 103)
4 Appendix (p. 105)
4.1 Excursion: Measures against ransomware attacks (p. 105)

List of figures
Figure 1: Three-step theory according to the Kalkar decision (p. 11)
Figure 2: Evaluation criteria (p. 13)
Figure 3: Example of state of technology classification (p. 13)
Figure 4: Process outline for evaluating technical measures in chapter 3.2 (p. 14)
Figure 5: Structure levels of standards relevant to information security (p. 70)
Figure 6: PDCA model (p. 75)
Figure 7: Risk process according to ISO 31000 (p. 89)

List of tables
Table 1: Overview of ISO/IEC 27000 series (p. 70)
Table 2: Differentiation of ISO 27001 vs. BSI's IT basic protection (p. 71)


Text dated 2023-06-20. Source: TeleTrust Enisa



