ISO/IEC TR 13335-5:2001
Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security
Technologies de l'information — Lignes directrices pour la gestion de sécurité IT — Partie 5: Guide pour la gestion de sécurité du réseau
TECHNICAL REPORT ISO/IEC TR 13335-5
First edition 2001-11-01
Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security
Technologies de l'information — Lignes directrices pour la gestion de sécurité IT — Partie 5: Guide pour la gestion de sécurité du réseau
Reference number ISO/IEC TR 13335-5:2001(E)
© ISO/IEC 2001
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.
© ISO/IEC 2001
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.ch
Web www.iso.ch
Printed in Switzerland
ii © ISO/IEC 2001 – All rights reserved
TABLE OF CONTENTS
Foreword v
Introduction vi
1. SCOPE 1
2. REFERENCES 1
3. DEFINITIONS 2
4. ABBREVIATIONS 2
5. STRUCTURE 2
6. AIM 3
7. OVERVIEW 3
7.1 Background 3
7.2 Identification Process 3
8 REVIEW CORPORATE IT SECURITY POLICY REQUIREMENTS 6
9 REVIEW NETWORK ARCHITECTURES AND APPLICATIONS 6
9.1 Introduction 6
9.2 Types of Network 7
9.3 Network Protocols 8
9.4 Network Applications 8
9.5 Other Considerations 8
10 IDENTIFY TYPES OF NETWORK CONNECTION 8
11 REVIEW NETWORKING CHARACTERISTICS AND RELATED TRUST RELATIONSHIPS 11
11.1 Network Characteristics 11
11.2 Trust Relationships 12
12 DETERMINE THE TYPES OF SECURITY RISK 13
13 IDENTIFY APPROPRIATE POTENTIAL SAFEGUARD AREAS 17
13.1 Introduction 17
13.2 Secure Service Management 18
13.2.1 Introduction 18
13.2.2 Security Operating Procedures 19
13.2.3 Security Compliance Checking 19
13.2.4 Security Conditions For Connection 19
13.2.5 Documented Security Conditions for Users of Network Services 20
13.2.6 Incident Handling 20
13.3 Identification and Authentication 20
13.3.1 Introduction 20
13.3.2 Remote Log-in 20
13.3.3 Authentication Enhancements 21
13.3.4 Remote System Identification 21
13.3.5 Secure Single Sign-on 22
13.4 Audit Trails 22
13.5 Intrusion Detection 23
13.6 Protection Against Malicious Code 24
13.7 Network Security Management 24
13.8 Security Gateways 25
13.9 Data Confidentiality Over Networks 26
13.10 Data Integrity Over Networks 26
13.11 Non-Repudiation 27
13.12 Virtual Private Networks 28
13.13 Business Continuity/Disaster Recovery 28
14 DOCUMENT AND REVIEW SECURITY ARCHITECTURE OPTIONS 29
15 PREPARE FOR THE ALLOCATION OF SAFEGUARD SELECTION, DESIGN, IMPLEMENTATION AND MAINTENANCE 29
16 SUMMARY 29
Bibliography 31
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 3.
The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
In exceptional circumstances, the joint technical committee may propose the publication of a Technical Report of one of the following types:
— type 1, when the required support cannot be obtained for the publication of an International Standard, despite repeated efforts;
— type 2, when the subject is still under technical development or where for any other reason there is the future but not immediate possibility of an agreement on an International Standard;
— type 3, when the joint technical committee has collected data of a different kind from that which is normally published as an International Standard (“state of the art”, for example).
Technical Reports of types 1 and 2 are subject to review within three years of publication, to decide whether they can be transformed into International Standards. Technical Reports of type 3 do not necessarily have to be reviewed until the data they provide are considered to be no longer valid or useful.
Attention is drawn to the possibility that some of the elements of this part of ISO/IEC TR 13335 may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC TR 13335-5, which is a Technical Report of type 3, was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
ISO/IEC TR 13335 consists of the following parts, under the general title Information technology — Guidelines for the management of IT Security:
Part 1: Concepts and models for IT Security
Part 2: Managing and planning IT Security
Part 3: Techniques for the management of IT Security
Part 4: Selection of safeguards
Part 5: Management guidance on network security
Introduction
The purpose of this Technical Report (ISO/IEC TR 13335) is to provide guidance, not solutions, on management aspects of IT security. Those individuals within an organization that are responsible for IT security should be able to adapt the material in this report to meet their specific needs. The main objectives of this Technical Report are:
• to define and describe the concepts associated with the management of IT security,
• to identify the relationships between the management of IT security and management of IT in general,
• to present several models which can be used to explain IT security, and
• to provide general guidance on the management of IT security.
ISO/IEC TR 13335 is organized into five parts. Part 1 provides an overview of the fundamental concepts and models used to describe the management of IT security. This material is suitable for managers responsible for IT security and for those who are responsible for an organization's overall security programme.
Part 2 describes management and planning aspects. It is relevant to managers with responsibilities relating to an organization’s IT systems. They may be:
• IT managers who are responsible for overseeing the design, implementation, testing, procurement, or operation of IT systems, or
• managers who are responsible for activities that make substantial use of IT systems.
Part 3 describes security techniques relevant to those involved with management activities during a project life cycle, such as planning, designing, implementing, testing, acquisition or operations.
Part 4 provides guidance for the selection of safeguards, and how this can be supported by the use of baseline models and controls. It also describes how this complements the security techniques described in Part 3, and how additional assessment methods can be used for the selection of safeguards.
Part 5 provides guidance with respect to networks and communications to those responsible for the management of IT security. This guidance supports the identification and analysis of the communications related factors that should be taken into account to establish network security requirements. It also contains a brief introduction to the possible safeguard areas.
TECHNICAL REPORT ISO/IEC TR 13335-5:2001(E)
Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security
1. Scope
ISO/IEC TR 13335-5 provides guidance with respect to networks and communications to those responsible for the management of IT security. This guidance supports the identification and analysis of the communications related factors that should be taken into account to establish network security requirements.
This part of ISO/IEC TR 13335 builds upon Part 4 of this Technical Report by providing an introduction on how to identify appropriate safeguard areas with respect to security associated with connections to communications networks.
It is not within the scope of this TR to provide advice on the detailed design and implementation aspects of the technical safeguard areas. That advice will be dealt with in future ISO documents.
2. References
ISO/IEC TR 13335-1:1996, Information technology — Guidelines for the management of IT Security — Part 1: Concepts and models for IT Security
ISO/IEC TR 13335-2:1997, Information technology — Guidelines for the management of IT Security — Part 2: Managing and planning IT Security
ISO/IEC TR 13335-3:1998, Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security
ISO/IEC TR 13335-4:2000, Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards
ISO/IEC TR 14516:—1), Information technology — Guidelines on the use and management of Trusted Third Party (TTP) services
ISO/IEC 13888 (all parts), Information technology — Security techniques — Non-repudiation
ISO/IEC 15947:—1), Information technology — Security techniques — IT intrusion detection framework
ISO/IEC 7498-1:1994, Information technology — Open Systems Interconnection — Basic Reference Model: The Basic Model
ISO 7498-2:1989, Information processing systems — Open Systems Interconnection — Basic Reference Model — Part 2: Security Architecture
__________________
1) To be published.
ISO/IEC 7498-3:1997, Information technology — Open Systems Interconnection — Basic Reference Model: Naming and addressing
ISO/IEC 7498-4:1989, Information processing systems — Open Systems Interconnection — Basic Reference Model — Part 4: Management framework
(Other relevant, non ISO/IEC, references are given in the Bibliography.)
3. Definitions
For the purposes of this part of ISO/IEC TR 13335, the definitions given in Part 1 of ISO/IEC TR 13335 apply: accountability, asset, authenticity, availability, baseline controls, confidentiality, data integrity, impact, integrity, IT security, IT security policy, non-repudiation, reliability, risk, risk analysis, risk management, safeguard, threat, vulnerability.
4. Abbreviations
EDI - Electronic Data Interchange
IP - Internet Protocol
IT - Information Technology
PC - Personal Computer
PIN - Personal Identification Number
SecOPs - Security Operating Procedures
TR - Technical Report
5. Structure
The approach taken in TR 13335-5 is to first summarize the overall process for identification and analysis of the communications related factors that should be taken into account to establish network security requirements, and then provide an indication of the potential safeguard areas (in doing so indicating where relevant content of other parts of TR 13335 may be used).
This document describes three simple criteria to aid those persons responsible for IT security to identify potential safeguard areas. These criteria identify (1) the different types of network connections, (2) the different networking characteristics and related trust relationships, and (3) the potential types of security risk associated with network connections (and the use of services provided via those connections). The results of combining these criteria are then utilised to indicate potential safeguard areas.
Subsequently, a brief introductory description is provided of the potential safeguard areas, with indications to sources of more detail.
6. Aim
The aim of this document is to provide guidance for the identification and analysis of the communications related factors that should be taken into account to establish network security requirements, and to provide an indication of the potential safeguard areas.
7. Overview
7.1 Background
Government and commercial organizations rely heavily on the use of information to conduct their business activities. Loss of confidentiality, integrity, availability, non-repudiation, accountability, authenticity and reliability of information and services can have an adverse impact on an organization’s business operations. Consequently, there is a critical need to protect information and to manage the security of IT systems within organizations.
This critical need to protect information is particularly important in today's environment because many organizations’ IT systems are connected by networks. These network connections can be within the organization, between different organizations, and sometimes between the organization and the general public. Both governmental and commercial organizations conduct business globally. Theref
...