
ISO 23195 pdf free download

ISO 23195-2021: Security objectives of information systems of third-party payment services.
4.1 Logical structural model
4.1.1 General
The logical structural models in this clause are depicted in order to identify the protected assets (according to the methodology defined in ISO/IEC 15408). However, the models included in this clause do not constitute a comprehensive landscape, i.e. characteristics that are not connected to information security are not included. Therefore, it is probably not sufficient to use these models to analyse other aspects, such as financial risks and business risks in the TPP context.
According to the methodology given in ISO/IEC 15408, the following steps should be taken when setting up a TPP logical structural model:
a) identify assets to be protected;
b) identify any threats against the assets, organizational security policies affecting the assets and assumptions that may underpin those organizational security policies;
c) decide which security objectives apply (based on the comprehensive analysis of threats, organization security policies, and assumptions);
d) specify the security requirements that achieve these security objectives and are mainly chosen from ISO/IEC 15408-2 and ISO/IEC 15408-3;
e) design and implement the IT system based on those security requirements.
In order to perform this analysis, all components in a model are generally divided into two groups, namely those within the target of evaluation (TOE) and those outside the TOE. Only the assets within the TOE need to be considered for protection. Particularly, the communications between the TOE and its operational environment are protected by the implementation of security mechanisms according to the applicable organizational security policies.
EXAMPLE 1 The networks in both Figure 1 and Figure 2 are within the TOE. In fact, the network can be either a private network, such as a leased line, or an open network, such as the internet. No matter the type of network used, there is a requirement to transmit messages securely via the networks.
EXAMPLE 2 It is assumed that communications between all ASPSPs and the CASS are secure. This assumption is fundamental for achieving the security objectives by the TPPSP. However, the implementation of such secure communications is out of the scope of this document.
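Steps a) to c) and the split between the TOE and its operational environment can be checked mechanically. The following is an added example, not part of ISO 23195 or ISO/IEC 15408: a tracing check that every threat, organizational security policy and assumption is addressed by at least one security objective. All identifiers (T.*, P.*, A.*, O.*, OE.*) are constructed for illustration; the rule that an assumption is upheld only by an objective for the operational environment follows the ISO/IEC 15408 approach, and the sample assumption mirrors EXAMPLE 2.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Objective:
    name: str
    scope: str        # "TOE" or "ENV" (operational environment)
    addresses: tuple  # threats / policies / assumptions this objective traces to

# Constructed sample model; none of these identifiers come from the standard.
THREATS = {"T.MSG_TAMPER", "T.MSG_DISCLOSE"}
POLICIES = {"P.SECURE_CHANNEL"}
ASSUMPTIONS = {"A.ASPSP_CASS_SECURE"}  # mirrors EXAMPLE 2
OBJECTIVES = [
    Objective("O.CHANNEL_INTEGRITY", "TOE", ("T.MSG_TAMPER", "P.SECURE_CHANNEL")),
    Objective("O.CHANNEL_CONFIDENTIALITY", "TOE", ("T.MSG_DISCLOSE", "P.SECURE_CHANNEL")),
    Objective("OE.ASPSP_CASS_LINK", "ENV", ("A.ASPSP_CASS_SECURE",)),
]

def check_rationale(threats, policies, assumptions, objectives):
    """Return a sorted list of findings; an empty list means the tracing is complete."""
    findings = []
    known = threats | policies | assumptions
    covered = set()
    for obj in objectives:
        if not obj.addresses:
            # An objective that traces back to nothing has no justification.
            findings.append(f"{obj.name}: traces to nothing")
        for item in obj.addresses:
            if item not in known:
                findings.append(f"{obj.name}: unknown item {item}")
            elif item in assumptions and obj.scope != "ENV":
                # Assumptions describe the environment, so the TOE cannot uphold them.
                findings.append(f"{obj.name}: TOE objective cannot uphold assumption {item}")
            else:
                covered.add(item)
    for item in sorted(known - covered):
        findings.append(f"{item}: no security objective addresses it")
    return sorted(findings)

if __name__ == "__main__":
    result = check_rationale(THREATS, POLICIES, ASSUMPTIONS, OBJECTIVES)
    print(result if result else "tracing complete")
```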
The components inside the double-line rectangle in Figure 1 constitute the TOE of a TPP information system as described in this document. Components outside the double-line rectangle are deemed as external entities.
There are five types of communication channels represented in Figure 1, each one represented by a different graphical link according to Table 1.
Table 1 — Graphical representation of the communication channels in the logical structural model
Link type    Meaning
A solid single link with arrow represents a communication channel through a network. The TPP should implement specific IT security mechanisms, for example VPN, to ensure security properties such as confidentiality, availability and integrity of information transmitted using a public network.
