ISO/IEC 27011-2016 pdf free

ISO/IEC 27011-2016 pdf free. Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for telecommunications organizations.
Information is critical to every organization. In the case of telecommunications, information consists of data transmitted between any two points in an electronic formation as well as metadata of each transmission, e.g., positioning data of sender and receiver. Regardless of how the information is transmitted and whether it is cached or stored during transmission, information should always be appropriately protected.
Telecommunications organizations and their information systems and networks are exposed to security threats from a wide range of sources, including: wire-tapping; advanced persistent threats; terrorism; espionage; sabotage; vandalism; information leakage; errors; and force majeure events. These security threats may originate from inside or outside the telecommunications organization, resulting in damage to the organization.
Once information security is violated, e.g., by wire-tapping the telecommunications lines, the organization may suffer damage. Therefore, it is essential for an organization to ensure its information security by continual improvement of its information security management system (ISMS).
Effective information security is achieved by implementing a suitable set of controls based on those described in this Recommendation International Standard. These controls need to be established, implemented, monitored, reviewed and improved in telecommunications facilities, services and applications. These activities will enable an organization to meet its security objectives and therefore business objectives.
Telecommunications organizations provide facilities to various user types to process, transmit and store information. This information could be personally identifiable information, or confidential private and business data. In all cases, information should be handled with the correct level of care and attention, and the appropriate levels of protection provided to ensure confidentiality, integrity and availability (CIA), with privacy and sensitivity being paramount.
4.2.2 Security considerations in telecommunications
The requirement for a generic security framework in telecommunications has originated from different sources:
a) customers/subscribers needing confidence in the network and the services to be provided, including availability of services (especially emergency services) in case of major catastrophes;
b) public authorities demanding security by directives, regulation and legislation, in order to ensure availability of services, fair competition and privacy protection;
c) network operators and service providers themselves needing security to safeguard their operational and business interests, and to meet their obligations to their customers and the public.
Furthermore, telecommunications organizations should consider the following environmental and operational security incidents.
a) Telecommunications services are heavily dependent on various interconnected facilities, such as routers, switches, domain name servers, transmission relay systems and a network management system (NMS). Therefore, telecommunications security incidents can occur to various equipment/facilities and the incidents can propagate rapidly through the network into other equipment/facilities.
b) In addition to telecommunications facilities, vulnerabilities in network protocols and topology can result in serious security incidents. In particular, convergence of wired and wireless networks can impose significant challenges for developing interoperable protocols.
c) A major concern of telecommunications organizations is the possibility of compromised security that causes network down-time. Such down-time can be extremely costly in terms of customer relations, lost revenue and recovery costs. Deliberate attacks on the availability of the national telecommunications infrastructure can be viewed as a national security concern.
d) Telecommunications management networks and systems are susceptible to hacker penetrations. A common motivation for such penetrations is theft of telecommunications services. Such theft can be engineered in various ways, such as invoking diagnostic functions, manipulating accounting records, altering provisioning databases and eavesdropping on subscriber calls.
e) In addition to external penetrations, carriers are concerned about security compromises from internal sources, such as invalid changes to network management databases and configurations on the part of unauthorized personnel. Such occurrences may be accidental or deliberate.
f) Telecommunications services can be disrupted by malware such as worms and viruses attacking end systems or communications infrastructure. DoS/DDoS is a major cause of incidents on communications and can be caused by various methods to interrupt or block communication signals, or sending data to one system or network from many hundreds of systems at the same time to overload it (see TEL 13.1.6).
For the purpose of protecting information assets in telecommunications originating from different sources in various telecommunications environments, security guidelines for telecommunications are indispensable to support the implementation of information security management in telecommunications organizations.
The security guidelines should be applicable to the following:
a) telecommunications organizations seeking confidence that the information security requirements of their interested parties (e.g., suppliers, customers, regulators) will be satisfied;
b) telecommunications organizations seeking a business advantage through the implementation of an ISMS;
c) users and suppliers of the information security related products and services for the telecommunications industry;
d) those internal or external to the telecommunications organization who assess and audit the ISMS for conformity with the requirements of ISO/IEC 27001;
e) those internal or external to the telecommunications organizations who give advice or training on the ISMS appropriate to that organization;
f) ensuring compliance with trans-border legal and regulatory requirements, and complying with statutory requirements in all countries of operation or transit.
4.2.3 Information assets to be protected
In order to establish information security management, it is essential for an organization to clarify and identify all organizational assets. The clarification of attributes and importance of the assets makes it possible to implement appropriate controls.
Information assets which telecommunications organizations should protect can be found in clause 8.1.1.

