Allan's article: Information security in project management, using the requirements of ISO 27001 and TISAX as examples
Security requirements for projects are stated explicitly in both the Information Security and the Prototype Protection catalogues of VDA ISA.
Note: a "project" here is not limited to IT projects, nor to internal or external projects; in particular, the security requirements for customer projects, R&D projects, outsourced projects and external service projects are a focus of TISAX.
Gate 1: classify the project according to its security requirements, and define the baseline security requirements for each classification level
Gate 2: identify the project's requirements (contractual, legal and internal security requirements) and carry out a project risk assessment
Gate 3: every project member knows the security requirements (requirement of Prototype Protection 8.2.4)
Gate 4: audit compliance with the project's requirements
ISO 27001:2022
A.5.8 Information security in project management: Information security shall be integrated into project management.
Requirements of VDA ISA 5.1.0 Information Security:
1.2.3 To what extent are information security requirements taken into account in projects?
MUST
+ Projects are classified while taking into account the information security requirements.
SHOULD
+ The procedure and criteria for the classification of projects are documented.
+ During an early stage of the project, risk assessment is conducted based on the defined procedure and repeated in case of changes to the project.
+ For identified information security risks, measures are derived and taken into account in the project.
Additional requirements for high protection needs
+ The measures thus derived are reviewed regularly during the project and reassessed in case of changes to the assessment criteria. (C, I, A: confidentiality, integrity, availability)
Requirements of VDA ISA 5.1.0 Prototype Protection:
8.2.4 To what extent are security classifications of the project and the resulting security measures known?
MUST
+ Ensuring that the security classification and requirements in relation to the project progress are made known to each project member.
+ Consideration of step-by-step plans, measures for secrecy and camouflage, development policies.
+ The requirements are considered as a requirement regarding the information security of the project (see Controls 1.2.3 and 7.1.1 Information Security).