Information Security Management System Implementation Guide - ISO_IEC 27002-2013

Document body


Summary

This document is in PDF format, 172 pages in total, priced at 5.00 yuan (RMB), and was uploaded by site user zhh on 2019-03-31.


Content excerpt

INTERNATIONAL STANDARD ISO/IEC 27002 Second edition 2013-10-01 Information technology — Security techniques — Code of practice for information security controls Technologies de l’information — Techniques de sécurité — Code de bonne pratique pour le management de la sécurité de l’information Reference number ISO/IEC 27002:2013(E) © ISO/IEC 2013 ISO/IEC 27002 信息技术-安全技术-信息安全控制实用 规则 Information technology-Security techniques -Code of practice for information security controls ISO/IEC 27002:2013(E) 7 8 9 5 6 0 1 2 3 4 Contents Page Foreword ..........................................................................................................................................................................................................................................(cid:883) Introduction .............................................................................................................................................................................................................(cid:885) Scope .................................................................................................................................................................................................................................(cid:889) Normative references ......................................................................................................................................................................................(cid:889) Terms and definitions .....................................................................................................................................................................................(cid:889) Structure of this standard ...........................................................................................................................................................................(cid:889) Clauses 
...........................................................................................................................................................................................................7 4.1 4.2 Control categories ................................................................................................................................................................................7 Information security policies ..................................................................................................................................................................(cid:891) 5.1 Management direction for information security .......................................................................................................9 Organization of information security .............................................................................................................................................(cid:883)(cid:885) 6.1 Internal organization .........................................................................................................................................................................13 6.2 Mobile devices and teleworking ..............................................................................................................................................17 Human resource security ............................................................................................................................................................................23 7.1 Prior to employment ..........................................................................................................................................................................23 7.2 During employment .........................................................................................................................................................................25 7.3 Termination and change of employment 
......................................................................................................................31 Asset management ..........................................................................................................................................................................................31 8.1 Responsibility for assets ..............................................................................................................................................................31 Information classification ...........................................................................................................................................................35 8.2 8.3 Media handling ....................................................................................................................................................................................39 Access control .......................................................................................................................................................................................................43 9.1 Business requirements of access control ......................................................................................................................43 9.2 User access management ............................................................................................................................................................47 User responsibilities .......................................................................................................................................................................53 9.3 9.4 System and application access control ............................................................................................................................55 Cryptography 
.........................................................................................................................................................................................................61 10.1 Cryptographic controls .................................................................................................................................................................61 Physical and environmental security ...........................................................................................................................................65 11.1 Secure areas ............................................................................................................................................................................................65 11.2 Equipment ................................................................................................................................................................................................71 Operations security ........................................................................................................................................................................................81 12.1 Operational procedures and responsibilities ............................................................................................................81 12.2 Protection from malware ............................................................................................................................................................87 12.3 Backup .........................................................................................................................................................................................................89 12.4 Logging and monitoring ...............................................................................................................................................................91 12.5 Control of operational software 
............................................................................................................................................95 12.6 Technical vulnerability management ...............................................................................................................................97 Information systems audit considerations ..................................................................................................................101 12.7 Communications security ........................................................................................................................................................................103 13.1 Network security management .............................................................................................................................................103 13.2 Information transfer .......................................................................................................................................................................105 System acquisition, development and maintenance ....................................................................................................113 Security requirements of information systems .......................................................................................................113 14.1 14.2 Security in development and support processes ...................................................................................................119 14.3 Test data .....................................................................................................................................................................................................129 Supplier relationships .................................................................................................................................................................................129 15.1 Information security in supplier relationships 
........................................................................................................129 10 11 13 12 14 15 目 次 前言 引言 0 简介 0.1 背景和环境 0.2 信息安全要求 0.3 选择控制措施 0.4 编制组织的指南 0.5 生命周期的考虑 0.6 相关标准 1 范围 2 规范性引用文件 3 术语和定义 4 本标准的结构 4.1 章节 4.2 控制类别 5 信息安全策略 5.1 信息安全的管理方向 6 信息安全组织 6.1 内部组织 6.2 移动设备和远程工作 7 人力资源安全 7.1 任用之前 7.2 任用中 7.3 任用的终止或变更 8 资产管理 8.1 对资产负责 8.2 信息分类 8.3 介质处置 9 访问控制 9.1 访问控制的业务要求 9.2 用户访问管理 9.3 用户职责 9.4 系统和应用访问控制 10 密码学 10.1 密码控制 11 物理和环境安全 11.1 安全区域 11.2 设备 12 操作安全 12.1 操作规程和职责 12.2 恶意软件防护 12.3 备份 .................................................................................. 2 ................................................................................. 4 ............................................................................... 4 ....................................................................... 4 ..................................................................... 4 .................................................................... 6 .................................................................. 6 .................................................................. 6 ........................................................................ 6 ................................................................................ 8 ...................................................................... 8 .......................................................................... 8 ........................................................................ 8 .............................................................................. 8 .......................................................................... 8 ........................................................................ 10 ................................................................ 10 ........................................................................ 14 .......................................................................... 
14 ................................................................ 18 ........................................................................ 24 .......................................................................... 24 ........................................................................... 26 ................................................................. 32 ........................................................................... 32 ....................................................................... 32 ......................................................................... 36 ......................................................................... 40 ........................................................................... 44 ............................................................... 44 ..................................................................... 48 ......................................................................... 54 ............................................................... 56 ............................................................................ 62 ........................................................................ 62 .................................................................... 66 ........................................................................ 66 ............................................................................ 72 .......................................................................... 82 .................................................................. 82 .................................................................... 88 ............................................................................ 
90 16 17 ISO/IEC 27002:2013(E) 15.2 Supplier service delivery management ..........................................................................................................................137 Information security incident management ........................................................................................................................139 16.1 Management of information security incidents and improvements .....................................................139 Information security aspects of business continuity management .............................................................147 Information security continuity ............................................................................................................................................147 17.1 17.2 Redundancies ........................................................................................................................................................................................151 Compliance ..............................................................................................................................................................................................................153 18.1 Compliance with legal and contractual requirements .......................................................................................153 18.2 Information security reviews ..................................................................................................................................................159 Bibliography .............................................................................................................................................................................................................................163 18 12.4 日志和监视 12.5 运行软件的控制 12.6 技术脆弱性管理 12.7 信息系统审计考虑 13 通信安全 13.1 网络安全管理 13.2 信息传递 14 系统获取、开发和维护 14.1 信息系统的安全要求 14.2 开发和支持过程中的安全 14.3 测试数据 15 供应商关系 15.1 供应商关系的信息安全 15.2 供应商服务交付管理 16 信息安全事件管理 16.1 
信息安全事件和改进的管理 17 业务连续性管理的信息安全方面 17.1 信息安全连续性 17.2 冗余 18 符合性 18.1 符合法律和合同要求 18.2 信息安全评审 参考文献 ...................................................................... 92 .................................................................. 96 .................................................................. 98 ................................................................ 102 .......................................................................... 104 .................................................................... 104 ........................................................................ 106 .............................................................. 114 .............................................................. 114 .......................................................... 120 ........................................................................ 130 ........................................................................ 130 ............................................................ 130 .............................................................. 138 .................................................................. 140 ........................................................ 140 ...................................................... 148 .................................................................. 148 ............................................................................ 152 ............................................................................ 154 .............................................................. 154 .................................................................... 160 ............................................................................. 164 ISO/IEC 27002:2013(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. 
National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. ISO/IEC 27002 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. This second edition cancels and replaces the first edition (ISO/IEC 27002:2005), which has been technically and structurally revised. 1 前 言 ISO(国际标准化组织)和IEC(国际电工委员会)是为国际标准化制定专门体制的国际组织。国 家机构是ISO或IEC的成员,他们通过各自的组织建立技术委员会参与国际标准的制定,来处理特定领 域的技术活动。ISO和IEC技术委员会在共同感兴趣的领域合作。其他国际组织、政府和非政府等机构, 通过联络ISO和IEC参与这项工作。 国际标准的制定遵循ISO/IEC 导则第2部分的规则。 ISO和IEC已经在信息技术领域建立了一个联合技术委员会ISO/IEC JTC1。 ISO/IEC 27002由联合技术委员会ISO/IEC JTC1(信息技术)分委员会SC27(安全技术)起草。 ISO/IEC 27002中的某些内容有可能涉及一些专利权问题,这一点应该引起注意。ISO和IEC不负责 识别任何这样的专利权问题。 第二版进行了技术上的修订,并取消和替代第一版(ISO/IEC 27002:2005)。 2 ISO/IEC 27002:2013(E) 0 Introduction 0.1 Background and context This International Standard is designed for organizations to use as a reference for selecting controls within the process of implementing an Information Security Management System (ISMS) based on ISO/IEC 27001[10] or as a guidance document for organizations implementing commonly accepted information security controls. 
This standard is also intended for use in developing industry- and organization-specific information security management guidelines, taking into consideration their specific information security risk environment(s). Organizations of all types and sizes (including public and private sector, commercial and non-profit) collect, process, store and transmit information in many forms including electronic, physical and verbal (e.g. conversations and presentations). The value of information goes beyond the written words, numbers and images: knowledge, concepts, ideas and brands are examples of intangible forms of information. In an interconnected world, information and related processes, systems, networks and personnel involved in their operation, handling and protection are assets that, like other important business assets, are valuable to an organization’s business and consequently deserve or require protection against various hazards. Assets are subject to both deliberate and accidental threats while the related processes, systems, networks and people have inherent vulnerabilities. Changes to business processes and systems or other external changes (such as new laws and regulations) may create new information security risks. Therefore, given the multitude of ways in which threats could take advantage of vulnerabilities to harm the organization, information security risks are always present. Effective information security reduces these risks by protecting the organization against threats and vulnerabilities, and then reduces impacts to its assets. Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business objectives of the organization are met. 
An ISMS such as that specified in ISO/IEC 27001[10] takes a holistic, coordinated view of the organization’s information security risks in order to implement a comprehensive suite of information security controls under the overall framework of a coherent management system. Many information systems have not been designed to be secure in the sense of ISO/IEC 27001[10] and this standard. The security that can be achieved through technical means is limited and should be supported by appropriate management and procedures. Identifying which controls should be in place requires careful planning and attention to detail. A successful ISMS requires support by all employees in the organization. It can also require participation from shareholders, suppliers or other external parties. Specialist advice from external parties can also be needed. In a more general sense, effective information security also assures management and other stakeholders that the organization’s assets are reasonably safe and protected against harm, thereby acting as a business enabler. It is essential that an organization identifies its security requirements. There are three main sources of security requirements: a) the assessment of risks to the organization, taking into account the organization’s overall business strategy and objectives. 
Through a risk assessment, threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is estimated; b) the legal, statutory, regulatory and contractual requirements that an organization, its trading partners, contractors and service providers have to satisfy, and their socio-cultural environment; Information security requirements 0.2 3 引 言 0 简介 0.1 背景和环境 本标准可作为组织基于 ISO/IEC 27001 实施信息安全管理体系(ISMS)的过程中选择控制措施时 的参考,或作为组织实施通用信息安全控制措施时的指南文件。本标准还可以用于开发行业和组织特定 的信息安全管理指南,考虑其特定信息安全风险环境。 所有类型和规模的组织(包括公共和私营部门、商业和非盈利组织)都要采用不同方式(包括电 子方式、物理方式、会谈和陈述等口头方式)收集、处理、存储和传输信息。 信息的价值超越了文字、数字和图像:无形的信息可能包括知识、概念、观念和品牌等。在互联 的世界里,信息和相关过程、系统、网络及其操作、处理和保护的过程中所涉及的人员都是资产,与其 它重要的业务资产一样,对组织的业务至关重要,因此需要防护各种危害。 因相关过程、系统、网络和人员具有固有的脆弱性,资产易受到故意或意外的威胁。对业务过程 和系统的变更或其他外部变更(例如新的法律和规章)可能产生新的信息安全风险。因此,考虑到威胁 利用脆弱性损害组织会有大量方式,信息安全风险是一直存在的。有效的信息安全可以通过保护组织免 受威胁和脆弱性,从而减少这些风险,进一步降低对组织资产的影响。 信息安全是通过实施一组合适的控制措施而达到的,包括策略、过程、规程、组织结构以及软件 和硬件功能。在必要时需建立、实施、监视、评审和改进这些控制措施,以确保满足该组织的特定安全 和业务目标。为在一个一致的管理体系总体框架下实施一套全面的信息安全控制措施,信息安全管理体 系(例如 ISO/IEC 27001 所指定的)从整体、协调的角度看待组织的信息安全风险。 从 ISO/IEC 27001 和本标准的意义上说,许多信息系统并没有被设计成是安全的。通过技术手段可 获得的安全性是有限的,宜通过适当的管理和规程给予支持。确定哪些控制措施宜实施到位需要仔细规 划并注意细节。成功的信息安全管理体系需要组织所有员工的参与 ,还要求利益相关者、供应商或其他 外部方的参与。外部方的专家建议也是需要的。 就一般意义而言,有效的信息安全还可以向管理者和其他利益相关者保证,组织的资产是适当安 全的,并能防范损害。因此,信息安全可承担业务使能者的角色。 0.2 信息安全要求 组织识别出其安全要求是非常重要的,安全要求有三个主要来源: a) 对组织的风险进行评估,考虑组织的整体业务策略与目标。通过风险评估,识别资产受到的威 胁,评价易受威胁利用的脆弱性和威胁发生的可能性,估计潜在的影响; b) 组织、贸易伙伴、承包方和服务提供者必须满足的法律、法规、规章和合同要求,以及他们的 社会文化环境; 4 ISO/IEC 27002:2013(E) 0.3 Selecting controls Developing your own guidelines c) the set of principles, objectives and business requirements for information handling, processing, storing, communicating and archiving that an organization has developed to support its operations. Resources employed in implementing controls need to be balanced against the business harm likely to result from security issues in the absence of those controls. 
The results of a risk assessment will help guide and determine the appropriate management action and priorities for managing information security risks and for implementing controls selected to protect against these risks. ISO/IEC 27005[11] provides information security risk management guidance, including advice on risk assessment, risk treatment, risk acceptance, risk communication, risk monitoring and risk review. Controls can be selected from this standard or from other control sets, or new controls can be designed to meet specific needs as appropriate. The selection of controls is dependent upon organizational decisions based on the criteria for risk acceptance, risk treatment options and the general risk management approach applied to the organization, and should also be subject to all relevant national and international legislation and regulations. Control selection also depends on the manner in which controls interact to provide defence in depth. Some of the controls in this standard can be considered as guiding principles for information security management and applicable for most organizations. The controls are explained in more detail below along with implementation guidance. More information about selecting controls and other risk treatment options can be found in ISO/IEC 27005.[11] This International Standard may be regarded as a starting point for developing organization-specific guidelines. Not all of the controls and guidance in this code of practice may be applicable. Furthermore, additional controls and guidelines not included in this standard may be required. When documents are developed containing additional guidelines or controls, it may be useful to include cross-references to clauses in this standard where applicable to facilitate compliance checking by auditors and business partners. Information has a natural lifecycle, from creation and origination through storage, processing, use and transmission to its eventual destruction or decay. 
The value of, and risks to, assets may vary during their lifetime (e.g. unauthorized disclosure or theft of a company’s financial accounts is far less significant after they have been formally published) but information security remains important to some extent at all stages. Information systems have lifecycles within which they are conceived, specified, designed, developed, tested, implemented, used, maintained and eventually retired from service and disposed of. Information security should be taken into account at every stage. New system developments and changes to existing systems present opportunities for organizations to update and improve security controls, taking actual incidents and current and projected information security risks into account. While this standard offers guidance on a broad range of information security controls that are commonly applied in many different organizations, the remaining standards in the ISO/IEC 27000 family provide complementary advice or requirements on other aspects of the overall process of managing information security. Refer to ISO/IEC 27000 for a general introduction to both ISMSs and the family of standards. ISO/IEC 27000 provides a glossary, formally defining most of the terms used throughout the ISO/IEC 27000 family of standards, and describes the scope and objectives for each member of the family. 
Lifecycle considerations 0.6 Related standards 0.4 0.5 5 c) 组织开发的支持其运行的信息处理、加工、存储、沟通和存档的原则、目标和业务要求的特定 集合。 实施控制措施所用资源需要根据缺乏这些控制措施时由安全问题导致的业务损害加以平衡。 风险评估的结果将帮助指导和确定适当的管理措施、管理信息安全风险以及实现所选择的用以防 范这些风险的控制措施的优先级。 ISO/IEC 27005 提供了信息安全风险管理的指南,包括风险评估、风险处置、风险接受、风险沟通、 风险监视和风险评审的建议。 0.3 选择控制措施 控制措施可以从本标准或其他控制措施集合中选择,或者当合适时设计新的控制措施以满足特定 需求。 控制措施的选择依赖于组织基于风险接受准则、风险处置选项以及所应用的通用风险管理方法做 出的决策,同时还宜遵守所有相关的国家和国际法律法规。控制措施的选择还依赖于控制措施为提供深 度防御而相互作用的方式。 本标准中的某些控制措施可被当作信息安全管理的指导原则,并且可用于大多数组织。在下面的 实施指南中,将更详细的解释这些控制措施。更多的关于选择控制措施和其他风险处置选项的信息见 ISO/IEC 27005。 0.4 编制组织的指南 本标准可作为是组织开发其详细指南的起点。对一个组织来说,本标准中的控制措施和指南并非 全部适用,此外,很可能还需要本标准中未包括的另外的控制措施和指南。为便于审核员和业务伙伴进 行符合性核查,当开发包含另外的指南或控制措施的文件时,对本标准中条款的引用可能是有用的。 0.5 生命周期的考虑 信息具有自然的生命周期,从创建和产生,经存储、处理、使用和传输,到最后的销毁或衰退。 资产的价值和风险可能在其生命期中是变化的(例如公司财务报表的泄露或被盗在他们被正式公布后就 不那么重要了),但在某种程度上信息安全对于所有阶段而言都是非常重要的。 信息系统也具有生命周期,他们被构想、指定、设计、开发、测试、实施、使用、维护,并最终 退出服务进行处置。在每一个阶段最好都要考虑信息安全。新系统的开发和现有系统的变更为组织更新 和改进安全控制带来了机会,可将现实事件、当前和预计的信息安全风险考虑在内。 0.6 相关标准 虽然本标准提供了通常适用于不同组织的大范围信息安全控制措施的指南,ISO/IEC 27000 标准族 的其他部分提供了信息安全管理全过程其他方面的补充建议或要求。 ISO/IEC 27000 作为信息安全管理体系和标准族的总体介绍,提供了一个词汇表,正式定义了整个 ISO/IEC 27000 标准族中的大部分术语,并描述了族中每个成员的范围和目标。 6 INTERNATIONAL STANDARD ISO/IEC 27002:2013(E) Information technology — Security techniques — Code of practice for information security controls 1 Scope systems — Overview and vocabulary 3 Terms and definitions 2 Normative references This International Standard gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization’s information security risk environment(s). This International Standard is designed to be used by organizations that intend to: a) select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;[10] b) implement commonly accepted information security controls; c) develop their own information security management guidelines. 
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 27000, Information technology — Security techniques — Information security management For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply. This standard contains 14 security control clauses collectively containing a total of 35 main security categories and 114 controls. Each clause defining security controls contains one or more main security categories. The order of the clauses in this standard does not imply their importance. Depending on the circumstances, security controls from any or all clauses could be important, therefore each organization applying this standard should identify applicable controls, how important these are and their application to individual business processes. Furthermore, lists in this standard are not in priority order. Each main security control category contains: a) a control objective stating what is to be achieved; b) one or more controls that can be applied to achieve the control objective. 
4 Structure of this standard 4.1 Clauses 4.2 Control categories 7 信息技术-安全技术-信息安全控制实用规则 1 范围 本标准为组织的信息安全标准和信息安全管理实践提供了指南,包括考虑组织信息安全 风险环境前提下控制措施的选择、实施和管理。 本标准可被组织用于下列目的: a) 在基于ISO/IEC 27001实施信息安全管理体系过程中选择控制措施; b) 实施通用信息安全控制措施; c) 开发组织自身的信息安全管理指南。 2 规范性引用文件 下列参考文件对于本文件的应用是必不可少的。凡是注日期的引用文件,只有引用的版 本适用于本标准;凡是不注日期的引用文件,其最新版本(包括任何修改)适用于本标准。 ISO/IEC 27000,信息技术—安全技术—信息安全管理体系—概述和词汇 3 术语和定义 ISO/IEC 27000 中的术语和定义适用于本标准。 4 本标准的结构 本标准包括 14 个安全控制措施的章节,共含有 35 个主要安全类别和 113 项安全控制措 施。 4.1 章节 定义安全控制的每个章节含一个或多个主要安全类别。 本标准中章节的顺序不表示其重要性。根据不同的环境,任何或所有章节的安全控制措 施都可能是重要的,因此使用本标准的每一个组织宜识别适用的控制措施及其重要性,以及 它们对各个业务过程的适用性。另外,本标准的排列没有优先顺序。 4.2 控制类别 每一个主要安全控制类别包含: a) 一个控制目标,声明要实现什么; b) 一个或多个控制措施,可被用于实现该控制目标。 8 ISO/IEC 27002:2013(E) 5 Information security policies 5.1.1 Policies for information security 5.1 Management direction for information security Control descriptions are structured as follows: Control Defines the specific control statement, to satisfy the control objective. Implementation guidance Provides more detailed information to support the implementation of the control and meeting the control objective. The guidance may not be entirely suitable or sufficient in all situations and may not fulfil the organization’s specific control requirements. . Other information Provides further information that may need to be considered, for example legal considerations and references to other standards. If there is no other information to be provided this part is not shown. Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. Control A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties. 
Implementation guidance
At the highest level, organizations should define an "information security policy" which is approved by management and which sets out the organization's approach to managing its information security objectives.

Information security policies should address requirements created by:
a) business strategy;
b) regulations, legislation and contracts;
c) the current and projected information security threat environment.

The information security policy should contain statements concerning:
a) definition of information security, objectives and principles to guide all activities relating to information security;
b) assignment of general and specific responsibilities for information security management to defined roles;
c) processes for handling deviations and exceptions.

At a lower level, the information security policy should be supported by topic-specific policies, which further mandate the implementation of information security controls and are typically structured to address the needs of certain target groups within an organization or to cover certain topics.
Examples of such policy topics include:
a) access control (see Clause 9);
b) information classification (and handling) (see 8.2);
c) physical and environmental security (see Clause 11);
d) end user oriented topics such as:
   1) acceptable use of assets (see 8.1.3);
   2) clear desk and clear screen (see 11.2.9);
   3) information transfer (see 13.2.1);
   4) mobile devices and teleworking (see 6.2);
   5) restrictions on software installations and use (see 12.6.2);
e) backup (see 12.3);
f) information transfer (see 13.2);
g) protection from malware (see 12.2);
h) management of technical vulnerabilities (see 12.6.1);
i) cryptographic controls (see Clause 10);
j) communications security (see Clause 13);
k) privacy and protection of personally identifiable information (see 18.1.4);
l) supplier relationships (see Clause 15).

These policies should be communicated to employees and relevant external parties in a form that is relevant, accessible and understandable to the intended reader, e.g. in the context of an "information security awareness, education and training programme" (see 7.2.2).

Other information
The need for internal policies for information security varies across organizations.
Internal policies are especially useful in larger and more complex organizations where those defining and approving the expected levels of control are segregated from those implementing the controls, or in situations where a policy applies to many different people or functions in the organization. Policies for information security can be issued in a single "information security policy" document or as a set of individual but related documents.

If any of the information security policies are distributed outside the organization, care should be taken not to disclose confidential information.

Some organizations use other terms for these policy documents, such as "Standards", "Directives" or "Rules".

5.1.2 Review of the policies for information security

Control
The policies for information security should be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

Implementation guidance
Each policy should have an owner who has approved management responsibility for the development, review and evaluation of the policies. The review should include assessing opportunities for improvement of the organization's policies and approach to managing information security in response to changes to the organizational environment, business circumstances, legal conditions or technical environment.

The review of policies for information security should take the results of management reviews into account.

Management approval for a revised policy should be obtained.

6 Organization of information security

6.1 Internal organization

Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

6.1.1 Information security roles and responsibilities

Control
All information security responsibilities should be defined and allocated.

Implementation guidance
Allocation of information security responsibilities should be done in accordance with the information security policies (see 5.1.1). Responsibilities for the protection of individual assets and for carrying out specific information security processes should be identified. Responsibilities for information security risk management activities and in particular for acceptance of residual risks should be defined. These responsibilities should be supplemented, where necessary, with more detailed guidance for specific sites and information processing facilities.
Local responsibilities for the protection of assets and for carrying out specific security processes should be defined.

Individuals with allocated information security responsibilities may delegate security tasks to others. Nevertheless they remain accountable and should determine that any delegated tasks have been correctly performed.

Areas for which individuals are responsible should be stated. In particular the following should take place:
a) the assets and information security processes should be identified and defined;
b) the entity responsible for each asset or information security process should be assigned and the details of this responsibility should be documented (see 8.1.2);
c) authorization levels should be defined and documented;
d) to be able to fulfil responsibilities in the information security area the appointed individuals should be competent in the area and be given opportunities to keep up to date with developments;
e) coordination and oversight of information security aspects of supplier relationships should be identified and documented.

Other information
Many organizations appoint an information security manager to take overall responsibility for the development and implementation of information security and to support the identification of controls.

However, responsibility for resourcing and implementing the controls will often remain with individual managers. One common practice is to appoint an owner for each asset who then becomes responsible for its day-to-day protection.
6.1.2 Segregation of duties

Control
Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.

Implementation guidance
Care should be taken that no single person can access, modify or use assets without authorization or detection. The initiation of an event should be separated from its authorization. The possibility of collusion should be considered in designing the controls.

Small organizations may find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls such as monitoring of activities, audit trails and management supervision should be considered.

Other information
Segregation of duties is a method for reducing the risk of accidental or deliberate misuse of an organization's assets.

6.1.3 Contact with authorities

Control
Appropriate contacts with relevant authorities should be maintained.

Implementation guidance
Organizations should have procedures in place that specify when and by whom authorities (e.g. law enforcement, regulatory bodies, supervisory authorities) should be contacted and how identified information security incidents should be reported in a timely manner (e.g. if it is suspected that laws may have been broken).

Other information
Organizations under attack from the Internet may need authorities to take action against the attack source.

Maintaining such contacts may be a requirement to support information security incident management (see Clause 16) or the business continuity and contingency planning process (see Clause 17). Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in laws or regulations, which have to be implemented by the organization. Contacts with other authorities include utilities, emergency services, electricity suppliers and health and safety, e.g. fire departments (in connection with business continuity), telecommunication providers (in connection with line routing and availability) and water suppliers (in connection with cooling facilities for equipment).

6.1.4 Contact with special interest...

Control
Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained.

Implementation guidance
Membership in special interest groups or forums should be considered as a means to:
a) improve knowledge about best practices and stay up to date with relevant security information;
b) ensure the understanding of the information security environment is current and complete;
c) receive early warnings of alerts, advisories and patches pertaining to attacks and vulnerabilities;
d) gain access to specialist information security advice;
