Auftrag 1.3 ‐ Introduction IT‐Security

Rayleeigh edited this page Nov 27, 2024 · 2 revisions

Introduction

1. Standards and Definitions Developed by Interest Groups or Consortia

  1. IT-Grundschutz according to the BSI IT-Grundschutz-Kompendium

    • A German standard defined by the Federal Office for Information Security (BSI).
    • Not international; specific to Germany.
  2. ISO/IEC 27001

    • An international standard for information security management systems (ISMS).
    • Defined by the International Organization for Standardization (ISO).
    • Internationally recognized.
  3. NIST Cybersecurity Framework 1.1

    • Created by the U.S. National Institute of Standards and Technology (NIST).
    • While globally adopted, it is a U.S.-based framework, not internationally standardized.
  4. BS 25777:2008

    • A British Standard (BS) focused on ICT continuity management.
    • Not an international standard; specific to the UK.
  5. OSSTMM (Open Source Security Testing Methodology Manual)

    • Developed by ISECOM (Institute for Security and Open Methodologies), a non-profit consortium.
    • A product of interest groups, not a formal standardization body.
  6. COBIT (Control Objectives for Information and Related Technologies)

    • A framework created by ISACA for IT governance and management.
    • Widely used, but not internationally standardized.
  7. DIN V ENV 1627

    • A German pre-standard focused on physical security (e.g., burglar resistance for buildings).
    • While it may have European relevance, it is not an international standard.
  8. ITIL (Information Technology Infrastructure Library)

    • Developed by Axelos, a consortium-led initiative.
    • A best-practice framework, not legally binding or standardized.
  9. OWASP Top 10

    • A list of the top 10 web application security risks created by OWASP, a non-profit interest group.
    • Widely recognized but not formalized as a standard.
  10. PCI-DSS (Payment Card Industry Data Security Standard)

    • Created by the PCI Security Standards Council, made up of major credit card companies.
    • An industry standard, not a formal regulation.

2. Standards Describing Legal Foundations or Binding Guidelines

  1. Schweizerisches Strafgesetzbuch (StGB)

    • The Swiss Penal Code.
    • Defines criminal laws and penalties in Switzerland.
    • A binding legal framework.
    • Correct answer.
  2. Schweizerisches Datenschutzgesetz (DSG)

    • The Swiss Data Protection Act.
    • Regulates personal data protection in Switzerland.
    • A binding legal framework.
    • Correct answer.
  3. ISO/IEC 27001

    • While internationally recognized, it is not legally binding unless adopted into specific laws or contracts.
    • Not a legal foundation.
  4. Basel II

    • A set of banking regulations by the Basel Committee on Banking Supervision.
    • Not a law but often incorporated into national legislation, making it partially binding.
    • Partially correct, depending on jurisdiction.
  5. PCI-DSS (Payment Card Industry Data Security Standard)

    • Enforced contractually by credit card companies.
    • Not a law or legal foundation.
  6. OSSTMM (Open Source Security Testing Methodology Manual)

    • A non-binding guideline for security testing.
    • Not a legal foundation.

Key Takeaways

  • Legal Foundations:

    • Schweizerisches Strafgesetzbuch (StGB).
    • Schweizerisches Datenschutzgesetz (DSG).
    • Basel II (conditionally, depending on jurisdiction).
  • Standards from Interest Groups or Consortia:

    • OSSTMM, ITIL, COBIT, OWASP Top 10, PCI-DSS, and ISO/IEC 27001.
    • These are widely used but lack binding legal authority unless specifically integrated into laws or contracts.