| Security objective | ISO/IEC 27002:2013 section | Realization |
|---|---|---|
| (1) Security management and access control (SO1) | 5.1.1b: assignment of general and specific responsibilities for information security management to defined roles; 6.1.1c: authorization levels should be defined and documented; 9.1.2c: authorization procedures for determining who is allowed to access which networks and networked services; 9.1.2d: the means used to access networks and network services [should be defined]; 9.1.2e: user authentication requirements for accessing various network services; 9.2.3a: the privileged access rights associated with each system or process and the users to whom they need to be allocated should be identified | Data flow management: RBAC role assignment |
| (2) Confidentiality, authenticity, or integrity protection (SO2) | 10.1.1a: the management approach towards the use of cryptographic controls across the organization; 10.1.1b: the required level of protection should be identified taking into account the type, strength, and quality of the encryption algorithm required; 10.1.1c: the use of encryption for protection of information transported across communication lines | Communication channel protection (TLS) |
| (3) System capacity management (SO3) | 12.1.3: the use of resources should be monitored and tuned and projections made of future capacity requirements to ensure the required system performance | Monitoring and analysis of server resources with distinct security mechanisms applied: the multilevel analysis process |
| (4) Assurance of correct and secure operation of information processing and handling facilities (SO4) | 12.1.1b: procedures should specify the operational instructions for processing and handling of information, both automated and manual | Secure access to FTP, web, …, and servers |
| (5) Maintenance of the integrity and availability of information (SO5) | 12.3.1a: accurate and complete records of the back-up copies and documented restoration procedures should be produced; 12.3.1c: the back-ups should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site | Information back-up: secure access to data storage |
| (6) Protection of information involved in electronic messaging (SO6) | 13.2.3a: protecting messages from unauthorized access, modification, or denial of service; 13.2.3f: stronger levels of authentication controlling access from publicly accessible networks | Secure access to e-mail server |