ISO IEC 27011:2016 download free

05-23-2021 comment

ISO IEC 27011:2016 download free. Information technology - Security techniques - Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations.
1 Scope
The scope of ISO IEC 27011 is to define guidelines supporting the implementation of information security controls in telecommunications organizations.
The adoption of ISO IEC 27011 will allow telecommunications organizations to meet baseline information security management requirements of confidentiality, integrity, availability and any other relevant security property.
2 Normative references
The following Recommendations and International Standards contain provisions which, through reference in this text, constitute provisions of this Recommendation | International Standard. At the time of publication, the editions indicated were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this Recommendation | International Standard are encouraged to investigate the possibility of applying the most recent edition of the Recommendations and Standards listed below. Members of IEC and ISO maintain registers of currently valid International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid ITU-T Recommendations.
ISO/IEC 27000, Information technology - Security techniques - Information security management systems - Overview and vocabulary.
ISO/IEC 27002:2013, Information technology - Security techniques - Code of practice for information security controls.
3 Definitions and abbreviations
3.1 Definitions
For the purposes of ISO IEC 27011, the definitions given in ISO/IEC 27000 and the following apply:
4.2 Information security management systems in telecommunications organizations
4.2.1 Goal
Information is critical to every organization. In the case of telecommunications, information consists of data transmitted between any two points in an electronic formation as well as metadata of each transmission, e.g., positioning data of sender and receiver. Regardless of how the information is transmitted and whether it is cached or stored during transmission, information should always be appropriately protected.
Telecommunications organizations and their information systems and networks are exposed to security threats from a wide range of sources, including: wire-tapping; advanced persistent threats; terrorism; espionage; sabotage; vandalism; information leakage; errors; and force majeure events. These security threats may originate from inside or outside the telecommunications organization, resulting in damage to the organization.
Once information security is violated, e.g., by wire-tapping the telecommunications lines, the organization may suffer damage. Therefore, it is essential for an organization to ensure its information security by continual improvement of its information security management system (ISMS).
Effective information security is achieved by implementing a suitable set of controls based on those described in this Recommendation | International Standard. These controls need to be established, implemented, monitored, reviewed and improved in telecommunications facilities, services and applications. These activities will enable an organization to meet its security objectives and therefore business objectives.
Telecommunications organizations provide facilities to various user types to process, transmit and store information. This information could be personally identifiable information, or confidential private and business data. In all cases, information should be handled with the correct level of care and attention, and the appropriate levels of protection provided to ensure confidentiality, integrity and availability (CIA), with privacy and sensitivity being paramount.
4.2.2 Security considerations in telecommunications
The requirement for a generic security framework in telecommunications has originated from different sources:
a) customers/subscribers needing confidence in the network and the services to be provided, including availability of services (especially emergency services) in case of major catastrophes.
6.1.2 Segregation of duties
Control and the contents from ISO/IEC 27002 6.1.2 apply.
6.1.3 Contact with authorities
Control
Appropriate contacts with relevant authorities should be maintained.
Implementation guidance
The implementation guidance from ISO/IEC 27002 6.1.3 applies.
Telecommunications-specific implementation guidance
When telecommunications organizations receive enquiries from law-enforcement agencies or investigative organizations regarding information relating to telecommunications service users, these telecommunications organizations need to confirm that the enquiries have gone through legitimate processes and procedures according to national laws and regulations before any information is disclosed.
The applications and infrastructure of telecommunications organizations can be considered part of critical infrastructure and may be essential for the functioning of the community, society and economy as a whole. Operators of such systems should therefore maintain contact with all of the relevant authorities. Telecommunications organizations should therefore maintain contact with all of the relevant authorities.
Other information
The other information from ISO/IEC 27002 6.1.3 applies.
6.1.4 Contact with special interest groups
Control and the contents from ISO/IEC 27002 6.1.4 apply.
6.1.5 Information security in project management
Control and the contents from ISO/IEC 27002 6.1.5 apply.
NOTE Any person who is involved with critical national infrastructure (CNI) aspects of communications systems should be subjected to formal screening and criminal records checks before being given access.
7.1.2 Terms and conditions of employment
Control
The contractual agreements with employees and contractors should state their and the organization’s responsibilities for information security.
Implementation guidance
The implementation guidance from ISO/IEC 27002 7.1.2 applies.
Telecommunications-specific implementation guidance
The legal rights and responsibilities regarding non-disclosure of communications and essential communications, which telecommunications organizations should take into account, are included in the laws and regulations.
Telecommunications organizations should clarify and state the responsibilities for maintaining the communications service provided by telecommunications organizations in addition to the protection and non-disclosure of personally identifiable and other confidential information in the terms and conditions of employment.
Telecommunications organizations should make sure that any person engaged in their telecommunications services is aware and up to date on:
a) their responsibilities for protecting the personal identifiable information and other confidential information of users of their service;
b) their responsibilities concerning the non-disclosure of privileged information obtained through their operational activities on telecommunications services.
Other information
The other information from ISO/IEC 27002 71.1 applies.
9.1.1 Access control policy
Control
An access control policy should be established, documented and reviewed based on business and information security requirements.
Implementation guidance
The implementation guidance from ISO/IEC 27002 9.1.1 applies.
Telecommunications-specific implementation guidance
Telecommunications organizations should implement role-based access controls, with a limited number of profiles and controlled sets of user access permissions as applicable.
As telecommunication companies are regularly exposed to different suppliers that may not support the same security features or standards, it is essential to ensure all access is tracked for amendments and timely removal.
Only the authorized users should have access to use the communications services, such as a particular phone number, voicemail or other data services that have been assigned to them.
Other information
The other information from ISO/IEC 27002 9.1.1 applies.
9.1.2 Access to networks and network services
Control and the contents from ISO/IEC 27002 9.1.2 apply.
9.2 User access management
The control objective and the contents from ISO/IEC 27002 9.2 apply.
9.3 User responsibilities
All customers should be made fully aware of problem escalation procedures and have the relevant documentation available to them.
For example, customer-initiated issues can be prioritized according to the criteria provided:
a) customer site is completely down or is failing to meet service level agreement (SLA) requirements;
b) customer site is being significantly impacted by the outage, one or more systems down or significant packet loss and/or latency;
c) customer service degraded;
d) customer requests.
Telecommunications organizations, responsible for the provision of telecommunications services as an important utility, should establish mechanisms and/or procedures for containing, eradicating and recovering from information security incidents, as well as those for detecting and analysing incidents in telecommunications systems accurately and in a timely manner.
Such mechanisms and/or procedures should, in addition to actions proposed in ISO/IEC 27002 16.1.1, include the following:
a) report the incident to the appropriate internal personnel and external organizations, including regulators, emergency services and those involved in critical infrastructure, as required;
b) isolate the telecommunication system, if possible; use of it should be stopped; if the system is to be examined, it should be disconnected from any telecommunications operation networks before being re-powered;
c) recover from the incident with a confirmation that the affected systems are functioning normally; if necessary, implement additional monitoring to look for future related activity.
Other information
The other information from ISO/IEC 27002 16.1.1 applies.
