Upload
sai-global-apac
View
215
Download
0
Embed Size (px)
Citation preview
7/31/2019 As NZS ISO IEC 15443.1-2006 Information Technology - Security Techniques - A Framework for IT Security Assura
1/8
AS/NZS ISO/IEC 15443.1:2006ISO/IEC TR 15443-1:2005
Australian/New Zealand Standard
Information technologySecuritytechniquesA framework for IT securityassurance
Part 1: Overview and framework
AS/NZS
ISO/IEC15443.1:2006
7/31/2019 As NZS ISO IEC 15443.1-2006 Information Technology - Security Techniques - A Framework for IT Security Assura
2/8
AS/NZS ISO/IEC 15443.1:2006
This Joint Australian/New Zealand Standard was prepared by Joint TechnicalCommittee IT-012, Information Systems, Security and Identification. It wasapproved on behalf of the Council of Standards Australia on 23 June 2006 and onbehalf of the Council of Standards New Zealand on 30 June 2006.This Standard was published on 2 August 2006.
The following are represented on Commit tee IT-012:
Attorney Generals Department
Australian Association of Permanent Building Societies
Australian Bankers Association
Australian Chamber Commerce and Industry
Australian Electrical and Electronic Manufacturers Association
Certification Forum of Australia
Department of DefenceDepartment of Social Welfare, NZ
Government Communications Security Bureau, NZ
Internet Industry Association
NSW Police Service
New Zealand Defence Force
Reserve Bank of Australia
Keeping Standards up-to-date
Standards are living documents which reflect progress in science, technology andsystems. To maintain their currency, all Standards are periodically reviewed, andnew editions are published. Between editions, amendments may be issued.Standards may also be withdrawn. It is important that readers assure themselvesthey are using a current Standard, which should include any amendments whichmay have been published since the Standard was purchased.
Detailed information about joint Australian/New Zealand Standards can be found byvisiting the Standards Web Shop at www.standards.com.au or Standards NewZealand web site at www.standards.co.nz and looking up the relevant Standard inthe on-line catalogue.
Alternatively, both organizations publish an annual printed Catalogue with fulldetails of all current Standards. For more frequent listings or notification ofrevisions, amendments and withdrawals, Standards Australia and Standards NewZealand offer a number of update options. For information about these services,users should contact their respective national Standards organization.
We also welcome suggestions for improvement in our Standards, and especiallyencourage readers to notify us immediately of any apparent inaccuracies orambiguities. Please address your comments to the Chief Executive of eitherStandards Australia or Standards New Zealand at the address shown on the backcover.
This Standard was issued in draft form for comment as DR 06257.
7/31/2019 As NZS ISO IEC 15443.1-2006 Information Technology - Security Techniques - A Framework for IT Security Assura
3/8
AS/NZS ISO/IEC 15443.1:2006
Australian/New Zealand StandardInformation technologySecuritytechniquesA framework for IT securityassurance
Part 1: Overview and framework
COPYRIGHT
Standards Australia/Standards New Zealand
All rights are reserved. No part of this work may be reproduced or copied in any form or byany means, electronic or mechanical, including photocopying, without the written
permission of the publisher.
Jointly published by Standards Australia, GPO Box 476, Sydney, NSW 2001 and Standards
New Zealand, Private Bag 2439, Wellington 6020
ISBN 0 7337 7659 0
First published as AS/NZS ISO/IEC 15443.1:2006.
7/31/2019 As NZS ISO IEC 15443.1-2006 Information Technology - Security Techniques - A Framework for IT Security Assura
4/8
ii
PREFACE
This Standard was prepared by the Joint Standards Australia/Standards New Zealand Committee
IT-012, Information Systems, Security and Identification.
The objective of this Standard is to present a variety of assurance methods, and to guide the IT
Security Professional in the selection of an appropriate assurance method (or combination of
methods) to achieve confidence that a given deliverable satisfies its stated IT security assurance
requirements. This report examines assurance methods and approaches proposed by various
types of organisms whether they are approved or de-facto standards.
This Standardprovides an overview of the fundamental concepts and a general description of
assurance methods. It targets IT security manages and others responsible for developing a
security assurance program, determining the security assurance of their deliverable, entering an
assurance assessment audit or other assurance.
This Standard is identical with, and has been reproduced from ISO/IEC TR 15443-1:2005,
Information technologySecurity techniquesA framework for IT security assurancePart 1:
Overview and framework.
As this Standard is reproduced from an international standard, the following applies:
(a) Its number appears on the cover and title page while the international standard number
appears only on the cover
(b) In the source text this part of ISO/IEC TR 15443 should read this Australian/New
Zealand Standard.
(c) A full point substitutes for a comma when referring to a decimal marker.
7/31/2019 As NZS ISO IEC 15443.1-2006 Information Technology - Security Techniques - A Framework for IT Security Assura
5/8
ii i
CONTENTS
Page
1 Scope...................................................................................................................................................... 11.1 Purpose.................................................................................................................................................. 11.2 Approach ............................................................................................................................................... 11.3 Application............................................................................................................................................. 11.4 Field of Application............................................................................................................................... 11.5 Limitations ............................................................................................................................................. 12 Terms and definitions........................................................................................................................... 13 Abbreviated terms................................................................................................................................. 64 Concepts................................................................................................................................................ 74.1
Why do we need assurance? ............................................................................................................... 8
4.2 Assurance is distinguishable from confidence ................................................................................. 84.3 What is a deliverable? .......................................................................................................................... 84.4 Stakeholders.......................................................................................................................................... 94.5 Assurance requirements ...................................................................................................................... 94.6 Assurance methods applicability to IT security .............................................................................. 104.7 Assurance schemes ........................................................................................................................... 104.8 Quantifying assurance risk and mechanism strength.................................................................... 114.9 Assurance reduces security risk....................................................................................................... 114.10 Quantifying assurance ....................................................................................................................... 114.11 Assurance authority ........................................................................................................................... 115 Selecting security assurance ............................................................................................................ 125.1 Assurance requirements specification............................................................................................. 135.2 Economical aspects............................................................................................................................ 135.3 Organisational aspects....................................................................................................................... 145.4 Type of assurance............................................................................................................................... 145.5 Technical aspects ............................................................................................................................... 155.6 Optimisation considerations ............................................................................................................. 156 Framework ........................................................................................................................................... 166.1 Assurance approach........................................................................................................................... 166.2 Assurance methods............................................................................................................................ 166.3 Life cycle aspects ............................................................................................................................... 176.4 Correctness versus effectiveness assurance.................................................................................. 186.5 Categorisation of assurance methods.............................................................................................. 196.6 Composite assurance......................................................................................................................... 206.7 Assurance rating................................................................................................................................. 20
7/31/2019 As NZS ISO IEC 15443.1-2006 Information Technology - Security Techniques - A Framework for IT Security Assura
6/8
iv
NOTES
7/31/2019 As NZS ISO IEC 15443.1-2006 Information Technology - Security Techniques - A Framework for IT Security Assura
7/8
1AUSTRALIAN/NEW ZEALAND STANDARD
Information technology Security techniques A frameworkfor IT security assurance
Part 1:Overview and framework
1 Scope
1.1 Purpose
The purpose of this part of ISO/IEC TR 15443 is to introduce, relate and categorise security assurancemethods to a generic life cycle model in a manner enabling an increased level of confidence to be obtained inthe security functionality of a deliverable.
1.2 Approach
The approach adopted throughout this part of ISO/IEC TR 15443 presents an overview of the basic assuranceconcepts and terms required for understanding and applying assurance methods through a framework ofidentifying various assurance approaches and assurance stages.
1.3 Application
Using the categorisation obtained through this part of ISO/IEC TR 15443, Part 2 and the future Part 3 willguide the reader in the selection, and possible combination, of the assurance method(s) suitable forapplication to a given deliverable.
1.4 Field of Application
This part of ISO/IEC TR 15443 provides guidance for the categorisation of assurance methods including thosenot unique to IT security. It may be used in areas outside of IT security where criticality warrants assurance.
1.5 Limitations
This part of ISO/IEC TR 15443 applies to deliverables (refer to Clause 4.3) and their related organisationalsecurity issues only.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
NOTE The terms and definitions have been developed to be as generic as possible to support the assurance modeldeveloped in this part of ISO/IEC TR 15443. The assurance model, being applicable to a broad spectrum of assuranceapproaches, requires non-specific terminology to be applicable to a broad spectrum of assurance approaches.
Defining terms for a generic assurance model is a difficult task owing to the myriad of assurance terms that exist to satisfythe available assurance approaches. Furthermore, similar terms have different definitions and many are unique to aparticular assurance approach making it difficult to construct a generic language for the assurance model. Owing to these
COPYRIGHT
7/31/2019 As NZS ISO IEC 15443.1-2006 Information Technology - Security Techniques - A Framework for IT Security Assura
8/8
This is a free preview. Purchase the entire publication at the link below:
Looking for additional Standards? Visit SAI Global Infostore
Subscribe to ourFree Newsletters about Australian Standards in Legislation; ISO, IEC, BSI and more
Do you need to Manage Standards Collections Online?
Learn about LexConnect, All Jurisdictions, Standards referenced in Australian legislation
Do you want to know when a Standard has changed?
Want to become an SAI Global Standards Sales Affiliate?
Learn about other SAI Global Services:
LOGICOM Military Parts and Supplier DatabaseMetals Infobase Database of Metal Grades, Standards and Manufacturers
Materials Infobase Database of Materials, Standards and Suppliers
Database of European Law, CELEX and Court Decisions
Need to speak with a Customer Service Representative - Contact Us
AS/NZS ISO/IEC 15443.1:2006, Informationtechnology - Security techniques - A framework forIT security assurance Overview and framework
http://infostore.saiglobal.com/store?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Newsletters/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Collections/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Law/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/StandardsWatch/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Affiliate/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/LOGICOM/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/LOGICOM/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/Metals/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/Materials/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/European-Law/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://infostore.saiglobal.com/store/getpage.aspx?path=/InformationServices/shop/pages/ContactingUs.htm&utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://infostore.saiglobal.com/store/Details.aspx?ProductId=394409&utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://infostore.saiglobal.com/store/getpage.aspx?path=/InformationServices/shop/pages/ContactingUs.htm&utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/European-Law/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/Materials/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/Metals/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/LOGICOM/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Affiliate/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/StandardsWatch/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Law/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Collections/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Newsletters/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://infostore.saiglobal.com/store?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSites