CONTENTS

 1     Scope
 2     Normative references
 3     Definitions and abbreviations
        3.1     Definition
        3.2     Abbreviations
 4     Overview
        4.1     Structure of this guideline
        4.2     Information security management systems in telecommunications business
 5     Security policy
 6     Organization of information security
        6.1     Internal organization
        6.2     External parties
 7     Asset management
        7.1     Responsibility for assets
        7.2     Information classification
 8     Human resources security
        8.1     Prior to employment
        8.2     During employment
        8.3     Termination or change of employment
 9     Physical and environmental security
        9.1     Secure areas
        9.2     Equipment security
10     Communications and operations management
       10.1     Operational procedures and responsibilities
       10.2     Third party service delivery management
       10.3     System planning and acceptance
       10.4     Protection against malicious and mobile code
       10.5     Back-up
       10.6     Network security management
       10.7     Media handling
       10.8     Exchange of information
       10.9     Electronic commerce services
       10.10    Monitoring
11     Access control
       11.1     Business requirement for access control
       11.2     User access management
       11.3     User responsibilities
       11.4     Network access control
       11.5     Operating system access control
       11.6     Application and information access control
       11.7     Mobile computing and teleworking
12     Information systems acquisition, development and maintenance
       12.1     Security requirements of information systems
       12.2     Correct processing in applications
       12.3     Cryptographic controls
       12.4     Security of system files
       12.5     Security in development and support processes
       12.6     Technical vulnerability management
13     Information security incident management
       13.1     Reporting information security events and weaknesses
       13.2     Management of information security incidents and improvements
14     Business continuity management
       14.1     Information security aspects of business continuity management
15     Compliance
Annex A – Telecommunications extended control set
        A.9     Physical and environmental security
       A.10     Communications and operations management
       A.11     Access control
       A.15     Compliance
Annex B – Additional implementation guidance
        B.1     Network security measures against cyber attacks
        B.2     Network security measures for network congestion
Bibliography