bcs-ismp-bk-en-GB March 30, 2010 - 08:51 98
Information Security Management Principles
and, although export controls are implemented by each individual WA Par-
ticipating State, the scope of export controls is determined by Wassenaar
directives.
Cryptographic controls should be used in compliance with all relevant
agreements, laws and regulations. Local legislation may disallow or restrict
the use of strong cryptography. It may restrict its sale and movement to
another country or put regulatory controls and registration requirements for
its use. You should seek legal advice to ensure compliance with any national
laws and regulations, and when transferring encrypted information or tools
from one legal jurisdiction to another.
ISO/IEC 27000 series advises that the following factors should be con-
sidered:
• restrictions on import and export of computer hardware and software
for performing cryptographic functions;
• restrictions on import and export of computer hardware and software
which is designed to have cryptographic functions added to it;
• restrictions on the usage of encryption;
• mandatory or discretionary methods of access by the countries’ author-
ities to information encrypted by computer hardware and software to
provide confidentiality of content.
For organisations that are subject to regulatory control, the associated regu-
latory body may define additional constraints on how cryptography should
be used. For example, the finance industry may specify use of particular
security standards. These factors also need to be taken into account when
applying cryptographic controls.
Activity 3.6
Miss Peacock is worried that after the information leak GANT’s controls
for protecting personal information may be weak. She has asked you to
carry out a review of the privacy legislation affecting GANT to ensure
that the organisation is compliant. What would be the main areas that
you would look at?
SECURITY STANDARDS AND PROCEDURES
Standards impact on many aspects of our daily lives and they have been
developed to ensure that products and services are safe, reliable, and effi-
cient. They also provide for interchange ability (interoperability between
products and systems). Today, there are recognised standards in place for
almost all aspects of commerce, industry or government, and Information
Assurance is no exception to this. Standards are produced by recognised
78
Get Information Security Management Principles now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
