ETSI GS ISI 001-2-2015 Information Security Indicators (ISI) Indicators (INC) Part 2 Guide to select operational indicators based on the full set given in part 1 (V1 1 2)《Information Security Indicators (I.pdf

Uploader: eastlab115 Document ID: 733270 Upload time: 2019-01-08 Format: PDF Pages: 27 Size: 199.13KB
Resource description

ETSI GS ISI 001-2 V1.1.2 (2015-06)

Information Security Indicators (ISI); Indicators (INC); Part 2: Guide to select operational indicators based on the full set given in part 1

Disclaimer

This document has been produced and approved by the Information Security Indicators (ISI) ETSI Industry Specification Group (ISG) and represents the views of those members who participated in this ISG. It does not necessarily represent the views of the entire ETSI membership.

GROUP SPECIFICATION

Reference: RGS/ISI-001-2ed2
Keywords: ICT, security

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) N° 7803/88

Important notice

The present document can be downloaded from: http://www.etsi.org/standards-search

The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp

If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx

Copyright Notification

No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2015. All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP™ and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents

Intellectual Property Rights ... 5
Foreword ... 5
Modal verbs terminology ... 6
Introduction ... 6
1 Scope ... 7
2 References ... 7
2.1 Normative references ... 7
2.2 Informative references ... 7
3 Definitions and abbreviations ... 8
3.1 Definitions ... 8
3.2 Abbreviations ... 13
4 Position ETSI GS ISI 001-1 within the framework of ISO/IEC 27001 to 27008 ... 14
4.0 Introduction ... 14
4.1 Link of the proposed security indicators to existing ISMS ... 14
4.2 The 3 notions involved in ISMS monitoring and auditing ... 15
4.3 Link to ISO/IEC 27001 and ISO/IEC 27002 standards ... 16
4.4 Link to ISO/IEC 27004 standard ... 16
5 Position ETSI GS ISI 001-1 against COBIT and ISO/IEC 20000 ... 16
5.0 Introduction ... 16
5.1 Link to COBIT ... 16
5.2 Link to ISO/IEC 20000 ... 17
6 Different other useful cross-references ... 17
6.0 Introduction ... 17
6.1 Correspondence with the Consensus Audit Guidelines (CAG) ... 17
6.2 Link to ISO/IEC 15408 standard ... 18
Annex A (normative): Position the proposed operational indicators against ISO/IEC 27002 control categories (Summary table) ... 19
Annex B (informative): Position the proposed operational indicators against COBIT V4.1 DS5 Control Objectives (Summary table) ... 21
Annex C (informative): Position the proposed operational indicators against CAG V4.0 framework 20 Critical Controls (Summary table) ... 23
Annex D (informative): Authors ...

... Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http://ipr.etsi.org).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Group Specification (GS) has been produced by ETSI Industry Specification Group (ISG) Information Security Indicators (ISI).

The present document is part 2 of a multi-part deliverable covering the Information Security Indicators (ISI); Indicators (INC), as identified below:

Part 1: "A full set of operational indicators for organizations to use to benchmark their security posture";
Part 2: "Guide to select operational indicators based on the full set given in part 1".

The present document is included in a series of 6 ISI specifications. These 6 specifications are the following (see figure 1 summarizing the various concepts involved in event detection and interactions between all specifications):

- The present document addressing (together with its base list of indicators described in ETSI GS ISI 001-1 [5]) information security indicators, which are meant to measure application and effectiveness of preventative measures.
- ETSI GS ISI 002 [9] addressing the underlying event classification model and the associated taxonomy.
- ETSI GS ISI 003 [i.12] addressing the key issue of assessing organizations' maturity level regarding overall event detection (technology/process/people) and to weigh event detection results.
- ETSI GS ISI 004 [i.13] addressing demonstration through examples how to produce indicators and how to detect the related events with various means and methods (with a classification of the main categories of use cases/symptoms).
- ETSI GS ISI 005 [i.14] addressing ways to produce security events and to test the effectiveness of existing detection means within organization (for major types of events), which is a more detailed and a more case by case approach than the ETSI GS ISI 003 [i.12] and which can therefore complement it.

[Figure 1 (diagram, not reproduced): GS ISG ISI Series Summary Definition. Elements shown: Real events, Security prevention measures, Event detection measures, Fake events (Simulation), Event reaction measures, Detected events, Residual risk (event model-centric vision).]

Figure 1: Positioning the 6 GS ISI against the 3 main security measures

Modal verbs terminology

In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).

"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.

Introduction

Given that ETSI GS ISI 001-1 [5] indicators are positioned at the crossroads of governance and operational matters and may have to rest on global reference frameworks, it is key to help in this alignment and in the use of ETSI GS ISI 001-1 [5] for selection of the appropriate indicators.

As regards organizations' existing ISMS, which constitutes the prime security governance tool, the ETSI GS ISI 001-1 [5] proposed range of indicators should be considered as a simple but representative ground work, from which to make a selection while completely relying on the existing ISMS. Proceeding in this manner will lead to a series of unique indicators that are specific to each organization, amongst which a first part will typically consist of specific indicators, while a second part consists of a sub-set of the list given in ETSI GS ISI 001-1 [5]. The main characteristic of the former will be "effective ISMS implementation", while that of the latter will be more "operational". As such, the structuring side of the ISMS will clarify and validate the choice of a given indicator from the proposed ground work.

For that purpose, various reference frameworks and contexts should be addressed, such as ISO/IEC 27002 [1] (first of all) and the Consensus Audit Guidelines [4] (sub-set of Priority One NIST SP 800-53 [i.9] controls), but also the more extended frameworks COBIT [3] and ISO/IEC 20000 (ITIL) [i.1] and [i.2].

Another different benefit of the indicators is being introduced with in this guide; it consists of linking them to the field work of IT security evaluation (with ISO/IEC 15408 [i.3], [i.4], [i.5] and ISO/IEC TR 17791 [i.15]).

1 Scope

The present document provides a guide to use the range of indicators provided in ETSI GS ISI 001-1 [5]. The present document is meant mainly to support CISOs and IT security managers in their effort to evaluate and benchmark accurately their organizations' security posture.

2 References

2.1 Normative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies.

Referenced documents which are not found to be publicly available in the expected location might be found at http://docbox.etsi.org/Reference.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

The following referenced documents are necessary for the application of the present document.

[1] ISO/IEC 27002:2013: "Information technology - Security techniques - Code of practice for information security controls".
[2] ISO/IEC 27004:2009: "Information technology - Security techniques - Information security management - Measurement".
[3] ISACA COBIT V4.1: "The Control Objectives for Information and related Technology".
NOTE: See http://www.isaca.org/Knowledge-Center/cobit/Pages/Downloads.aspx.
[4] SANS Consensus Audit Guidelines V5: "20 Critical Security Controls for Effective Cyber Defense".
NOTE: See http://www.sans.org/critical-security-controls/ for an up-to-date version.
[5] ETSI GS ISI 001-1: "Information Security Indicators (ISI); Indicators (INC); Part 1: A full set of operational indicators for organizations to use to benchmark their security posture".
[6] ISO/IEC 27001:2013: "Information technology - Security techniques - Information security management systems - Requirements".
[7] ISO/IEC 27006:2011: "Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems".
[8] ISO/IEC 27000:2012: "Information technology - Security techniques - Information security management systems - Overview and vocabulary".
[9] ETSI GS ISI 002: "Information Security Indicators (ISI); Event Model A security event classification model and taxonomy".

2.2 Informative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.

[i.1] ISO/IEC 20000-1:2011: "Information technology - Service management - Part 1: Service management system requirements".
[i.2] ISO/IEC 20000-2:2012: "Information technology - Service management - Part 2: Guidance on the application of service management systems".
[i.3] ISO/IEC 15408-1:2009: "Information technology - Security techniques - Evaluation criteria for IT Security - Part 1: Introduction and general model".
[i.4] ISO/IEC 15408-2:2008: "Information technology - Security techniques - Evaluation criteria for IT Security - Part 2: Security functional components".
[i.5] ISO/IEC 15408-3:2008: "Information technology - Security techniques - Evaluation criteria for IT Security - Part 3: Security assurance components".
[i.6] ISO/IEC 27007:2011: "Information technology - Security techniques - Guidelines for information security management systems auditing".
[i.7] ISO/IEC TR 27008:2011: "Information technology - Security techniques - Guidelines for auditors on information security controls".
[i.8] ISO/IEC TR 19791:2010: "Information technology - Security techniques - Security assessment of operational systems".
[i.9] NIST SP 800-53: "Recommended Security Controls for Federal Information Systems and Organizations".
[i.10] ISO/IEC 27003:2010: "Information technology - Security techniques - Information security management system implementation guidance".
[i.11] ISO/IEC 27005:2011: "Information technology - Security techniques - Information security risk management".
[i.12] ETSI GS ISI 003: "Information Security Indicators (ISI); Key Performance Security Indicators (KPSI) to evaluate the maturity of security event detection".
[i.13] ETSI GS ISI 004: "Information Security Indicators (ISI); Guidelines for event detection implementation".
[i.14] ETSI GS ISI 005: "Information Security Indicators (ISI); Event Testing; Part 5: Event Testing".
[i.15] ISO/IEC TR 17791:2013: "Health informatics - Guidance on standards for enabling safety in health software".
[i.16] NIST 800-126: "Technical Specification for the Security Content Automation Protocol (SCAP)".

3 Definitions and abbreviations

3.1 Definitions

For the purposes of the present document, the terms and definitions given in ISO/IEC 27000 [8] and the following apply:

NOTE: See also figure 2 at the end of this clause.

asset: information asset that has value to the organization and that can be broken down in primary assets (such as business activities, data, application software, etc. which hold the business value) and secondary/supporting assets (network or system infrastructure, which host primary assets)

assurance: planned and systematic activities implemented in a management system so that management requirements for a service will be fulfilled

NOTE: It is the systematic measurement, comparison with a standard, monitoring of processes and an associated feedback loop that confers error prevention. This can be contrasted with Management "Control", which is focused on process outputs.

base measure: measure defined in terms of an attribute and the specified measurement method for quantifying it

NOTE: E.g. number of trained personnel, number of sites, cumulative cost to date. As data is collected, a value is assigned to a base measure.

continuous checking: constant checking of a series of controls identified w
