ISO/IEC 27010
Copyright © 2010 IsecT Ltd.

ISO/IEC 27010 -- Information technology -- Security techniques -- Information security management for inter-sector communications (draft)

This will be a multi-part standard providing guidance in relation to sharing information on information security risks, controls, issues and/or incidents that span the boundaries between industry sectors and/or nations, particularly those affecting “critical infrastructure”.

Scope

ISO/IEC 27010 will provide guidance for information security interworking and communications between industries in the same sectors, in different industry sectors and with governments, either in times of crisis and to protect critical infrastructure or for mutual recognition under normal business circumstances to meet legal, regulatory and contractual obligations.

Purpose and justification

The standard will provide guidance on methods, models, processes, policies, controls, protocols and other mechanisms by which industries in the same sector, industries in different sectors, and governments can securely exchange information, with the understanding that mutually recognized principles are respected.

Analysis of emerging and future risks clearly indicates the need to protect interworking and communications between industry sectors as well as with government. In particular, such protection is required to maintain operational conditions within and across industry sectors, for economic growth and national and global sustainability, and for critical infrastructure purposes in times of crisis.

Following this standard would ensure that partners communicating and exchanging information with other partners follow agreed-upon levels of known best practice for information security management. Such levels would vary according to the circumstances, from normal business transactions to an emergency crisis.

This will be a multi-part standard covering the following:

Part 1: Overview, Model and Principles

Part 2: Interworking and Communications Policy

Part 3: Process Management and Control

Part 4: Crisis Management Protocols

Part 5: Economics of Information Security Management

In contrast to the others, Part 3 appears to be calling for a technical security standard for SCADA/ICS security. As such, it may be better developed as a separate standard rather than as part of ISO/IEC 27010. The scope of this project as a whole, and of its component parts, may well change before it is published. There is clearly a lot of work to do here!
Comments on the Working Draft raise concerns over the repeated use of ‘information sharing community’ without properly defining that term, as well as various structural issues. The present draft standard includes requirements for the management system as well as for information security controls, which may not be appropriate. This standard is likely to go to ballot as a Committee Draft at the next SC27 meeting in Berlin in October 2010.