Saturday, May 15, 2010
'Database Management' in ISO 27001
> Is there a clause in ISO 27001 including Annexure 'A', specifically
> addressing the 'Database Management', like there are specific clauses
> for Network, Application or OS access management?
The answer is no, Arshad.
The word "database" gets just a few casual references, mostly along the
lines of "... an organization's databases and IT systems ...".
However, *many* information security controls are of course applicable to
databases, at all stages of the systems development lifecycle from risk
analysis, architecture and design, through development and testing, to
operation, management and eventual retirement of database systems.
Most security controls are required to protect the data in the databases
(e.g. data confidentiality, privacy and integrity issues, protected mostly
through authentication and access controls), and the business value of the
processes that databases (or indeed other IT systems) support (i.e. the
availability aspect - uptime, resilience, capacity & performance). Many are
general-purpose security controls (e.g. "accountability" in various forms).
Some are required to protect the underlying IT infrastructure and networks
(e.g. authentication of links between programs and/or systems). Rather few
are specifically required to protect the database per se (e.g. a subset of
the integrity controls is designed to protect the database structure, stored
functions etc. rather than the data).
[FYI The attached matrix was something I prepared in 2007 for a security
awareness module on database security. It shows yet another way of
categorising database security controls.]
Kind regards,
Gary
> addressing the 'Database Management', like there are specific clauses
> for Network, Application or OS access management?
The answer is no, Arshad.
The word "database" gets just a few casual references, mostly along the
lines of "... an organization's databases and IT systems ...".
However, *many* information security controls are of course applicable to
databases, at all stages of the systems development lifecycle from risk
analysis, architecture and design, through development and testing, to
operation, management and eventual retirement of database systems.
Most security controls are required to protect the data in the databases
(e.g. data confidentiality, privacy and integrity issues, protected mostly
through authentication and access controls), and the business value of the
processes that databases (or indeed other IT systems) support (i.e. the
availability aspect - uptime, resilience, capacity & performance). Many are
general-purpose security controls (e.g. "accountability" in various forms).
Some are required to protect the underlying IT infrastructure and networks
(e.g. authentication of links between programs and/or systems). Rather few
are specifically required to protect the database per se (e.g. a subset of
the integrity controls is designed to protect the database structure, stored
functions etc. rather than the data).
[FYI The attached matrix was something I prepared in 2007 for a security
awareness module on database security. It shows yet another way of
categorising database security controls.]
Kind regards,
Gary
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment