A security standard establishes requirements that derive from policies and govern specific aspects of security. They are therefore statements that must be satisfied. A rule must be clear, concise and unambiguous in its interpretation. As with the structure of a legal document, it is recommended to organize the standard into the following sections:
Objective: a statement of the purpose or intent of the document and of the security objectives that the policy pursues.
Definitions: definitions of the terms used in the standard that may be difficult to understand. This removes ambiguity in interpreting the meaning of the terms the standard uses.
Responsible for compliance: defines which department or person within the organization must ensure compliance with the standard and review its correct implementation or enforcement.
Non-compliance: the consequences that follow from a breach of the rule once it is detected, or the disciplinary actions that the breach will trigger.
Rules to apply: must contain the security requirements that are declared mandatory. Requirements may be grouped into categories, with sections that bring together related requirements. Statements can also be numbered so that they can be referenced later.
Related documents: the documents in the regulatory framework that may relate to compliance with the standard are listed.
As for recommendations when drafting the document, you must ensure that:
- Compliance is feasible at the organizational and technical level.
- The wording is clear and concise.
- The statements made under "rules to apply" are categorical and unambiguous, and make it possible to review or audit compliance with what is regulated.
- The rules are written in the present tense.
- The standard is disclosed to the areas affected by or involved in its application.
- Its adoption is formalized, stating its period of validity and its revision schedule. It should be under version control.

Standards:
In order to provide a framework for information security management that any organization can use, regardless of its size or activity, a set of standards has been created under the name ISO/IEC 27000.
LEGAL SECURITY AND LEGAL FRAMEWORK. SAFETY REGULATIONS.

Law 15/99 on the Protection of Personal Data
This law is supplemented by the regulations laid down in Royal Decree 1720/2007.
The purpose of this Act is to guarantee and protect, with regard to the processing of personal data (automated or not), the public liberties and fundamental rights of natural persons, and especially their honour and their personal and family privacy.
The rights under the Data Protection Act are:
• The people whose personal data is stored have a number of rights under the law:
◦ Right to information: when someone provides their data, they must be informed that it will be stored.
◦ Rights of access, cancellation, rectification and opposition: the person can see the information held about them, have the data corrected so that it is accurate, have the information stored about them cancelled, and object to its being stored.
Law 34/2002 on Information Society Services and Electronic Commerce (LSSI)
This Act regulates the obligations of service providers and the services they provide. The obligations under the Act are:
• Service providers must provide their contact details.
• They must cooperate with the authorities, retaining connection and traffic data for 12 months.
• Providers that host information supplied by a customer are not liable for the information stored at the request of the recipient, provided that:
◦ they have no actual knowledge that the activity or the stored information is unlawful or harms the property or rights of a third party entitled to compensation, or
◦ if they do have such knowledge, they act diligently to remove the information or block access to it.
When transmitting information from third parties, service providers bear no responsibility for it if:
• They do not modify the information.
• They allow access to it only to authorized recipients.
• They update the information correctly.
• They do not use their position to obtain data on the use of the information.
• They withdraw the information they have stored, or make access to it impossible, once they learn that it has been removed from the network where it was located, or that a court or the competent administrative authority has ordered its removal or disabling.
Law 59/2003 on Electronic Signatures
This Act regulates electronic signatures, their legal effectiveness and the provision of certification services.
An electronic signature is the set of data in electronic form, attached to or logically associated with other data, which can be used as a means of identifying the signatory.
In relation to data recorded in electronic form, the electronic signature has the same value as a handwritten signature has in relation to data recorded on paper, so both its generation and its use must be carefully controlled to avoid problems.
Royal Legislative Decree (R.D.L.) 1/1996, Intellectual Property Law
The copyright in a literary, artistic or scientific work belongs to its author and gives the author full control over the work and the exclusive right to exploit it. Works may be expressed in any medium or support, tangible or intangible, currently known or invented in the future, such as:
• Books, pamphlets, printed matter, correspondence, writings, speeches and addresses, lectures, forensic reports, etc.
• Projects, plans, models and designs for architecture and engineering works.
• Charts, maps and drawings relating to topography, geography and science in general.
• Photographic works.
• Computer programs.
Under this Act, organizations protect their own knowledge and are obliged to respect that of others. Another point relevant to information security is the requirement to use only original (proprietary or free) software, since using unlicensed software would be a violation of the Act.
Law 17/2001 on Industrial Property
It governs the rights over:
• Trademarks.
• Trade names.
The agency responsible for maintaining the trademark register is the Patent and Trademark Office. To hold property rights over a mark, it must be registered with the Office.
Law 11/2007 on Electronic Access of Citizens to Public Services
The highlights of the Act are:
• Citizens are granted new rights in their relations with public administrations.
• A User Ombudsman is created.
• Processes and procedures can be carried out from anywhere, at any time.
• Administration becomes easier, faster and more effective.
• Citizens take the lead in their relations with the administration.
There will be a National Security Scheme and a National Interoperability Scheme so that the services offered have a minimum level of security and the various administrations can communicate with one another fluidly.
The ISO/IEC 17799 standard
ISO/IEC 17799 provides best-practice recommendations on information security management for everyone concerned with and responsible for initiating, implementing or maintaining information security management systems. The standard defines information security as "the preservation of confidentiality (ensuring that only authorized individuals may access information), integrity (ensuring that information and its processing methods are accurate and complete) and availability (ensuring that authorized users have access to information and associated assets when required)."
The 2005 version of the standard includes the following eleven major sections:
• Information Security Policy.
• Organization of Information Security.
• Information Asset Management.
• Human Resources Security.
• Physical and Environmental Security.
• Communications and Operations Management.
• Access Control.
• Information Systems Acquisition, Development and Maintenance.
• Information Security Incident Management.
• Business Continuity Management.
• Compliance.
Within each section, the objectives of the various information security controls are specified, and for each control an implementation guide is also given. The sections add up to 133 controls in total, but each organization must first consider how many of them are actually applicable to its own needs.
With the adoption of ISO/IEC 27001 in October 2005 and the reservation of the 27000 numbering series for information security, ISO/IEC 17799:2005 is expected to be renamed ISO/IEC 27002 when its contents are reviewed and updated in 2007.