Table 9.5  Applied IA² Summary: Standards

IA² Topic                Description                                                   Section
-----------------------  ------------------------------------------------------------  -------
Security standards
Drivers                  Optimal, consistent, quality results of IA efforts; cost
                         management via enterprise purchase agreements and service
                         agreements; standard vulnerability and patch management
                         (if heterogeneous environment)
IA² views                Standards describe what to use to implement and enforce
                         policy. Standards apply to the acquisition and application
                         of IA mechanisms. Standards convey a common manner of doing
                         business or facilitating business; therefore, the applicable
                         IA² views are: Policy, systems and applications,
                         information/data, infrastructure (technical, physical)
IA core principles       Applicable IA core principles include:
                         Confidentiality-integrity-availability (CIA)
                         Possession-authenticity-utility (PAU)
                         Privacy-authorized use-nonrepudiation (PAN)
Compliance requirements  Legislative, regulatory, policy, guidelines, or other
                         documents that specifically call out or imply the use of
                         specific standards; implicit requirements may also call on
                         standards to ensure consistency.
ELCM application         Standards may both drive the ELCM process and evolve from
                         the ELCM process, and therefore apply to all phases:
                         Concept, architect, engineer, develop/acquire, implement,
                         test, deploy, train, O&M, retire
Verification             Formal documentation of applied processes
Operations               Standards affect all phases of the IA operations cycle:
                         Anticipate, defend, monitor, respond
that lead to the need for any given IA mechanism. Looking at business risk from many perspectives and in many contexts helps you determine the breadth and depth of IA necessary to address those risks effectively.
9.5.3 Standards in the IA² Process: An Example
An example of standards in the context of the IA² Process is to align external compliance requirements with the ELCM in the IA² Framework; examples of external compliance include: