1

ISO/IEC 13335

Information Technology – Guidelines for the Management of IT Security

普華資安股份有限公司報告人：蔡興樺

Steven.Tsai@mail.pwcglobal.com.tw

2

ISO 13335 part 1

ISO 13335 part 2

ISO 13335 part 3

ISO 13335 part 4

報告大綱

3

Concepts for the

Management of IT

Security

Security Elements

Processes for the

Management of IT

Security

ISO 13335 Part 1

4

Approach

Objectives, Strategies and Policies

Concepts for the Management of IT Security

5

Assets Threat Vulnerability Impact

Risk Safeguard Residual Risk Constraints

Security Elements

6

Configuration Management

Change Management Risk Management Risk Analysis

Accountability Security Awareness Monitoring Contingency Plans and

Disaster Recovery

Processes for the Management of IT Security

7

Management of IT Security

Corporate IT Security Policy

Organizational Aspects of IT

Security

Corporate Risk Analysis

Strategy Options

IT Security Recommendations

ISO 13335 Part 2

8

IT System Security Policy

IT Security Plan

Implementation of

Safeguards

Security Awareness

Follow-up

ISO 13335 Part 2 (cont.)

9

Management of IT Security

Planning and Management Process Overview

Risk Management Overview Implementation Overview Follow-up Overview

10

Corporate IT Security Policy

Objective Management Commitment Policy Relationships Corporate IT Security Policy Elements

11

Organizational Aspects of IT Security

Roles and Responsibilities Commitment Consistent Approach

12

Corporate Risk Analysis Strategy Options

Baseline Approach Information Approach Detailed Risk Analysis Combined Approach

13

IT Security Recommendations

Safeguard Selection

Risk Acceptance

14

ISO 13335 Part 3

Techniques for the Management of IT Security

IT Security Objectives, Strategy Options

Corporate Risk Analysis Strategy Options

15

ISO 13335 Part 3(Cont.)

Combined Approach

Implementation of the

IT Security Plan

Follow-up

16

IT Security Objectives, Strategy Options

IT Security Objectives, Strategy and Policies

Corporate IT Security Policy

17

Corporate Risk Analysis Strategy Options

Baseline Approach Information Approach Detailed Risk Analysis Combined Approach

18

Combined Approach

High Level Risk Analysis Baseline Approach Detailed Risk Analysis Selection of Safeguards Risk Acceptance IT System Policy Security IT Security Plan

19

Implementation of the IT Security Plan

Implementation of Safeguards Security Awareness Security Training Approach of IT System

20

Follow-up

Maintenance Security Compliance Checking Change Management Monitoring Incident Handling

21

ISO 13335 Part 4

Introduction to Safeguard Selection and the Concept of Baseline

Basic Assessments Safeguards Baseline Approach :

Selection of Safeguards According to the Type of IT System

22

ISO 13335 Part 4 (Cont.)

Selection of Safeguards According to Security Concerns and Threats

Selection of Safeguards According to Detail Assessment

Development of an Organization-wide Baseline

23

Basic Assessment

Identification of the type of IT System Identification of Physical/Environment

Conditions Assessment of Existing/planned Safeguards

24

Safeguards

Organizational and Physical Safeguards IT System Specific Safeguards

25

Selection of Safeguards According to the type of IT System

General Applicable Safeguards IT System Specific Safeguards

26

Selection of Safeguards According to security Concerns and Threat

Assessment of Security Concerns Safeguards for Confidentiality Safeguards for Integrity Safeguards for Availability Safeguards for Accountability,

Authenticity, Reliability

27

Selection of Safeguards According to Detailed Assessment

Relation Between Part 3 and Part 4 of this Technical Report

Principles of Selection

28

敬請指教

普華資安：蔡興樺Steven.Tsai@mail.pwcglobal.com.tw