AS/NZS ISO/IEC 17799:2001 信息安全管理实践标准

ISO/IEC

17799:2001

需积分: 10 89 浏览量更新于2023-06-23 收藏 536KB PDF 举报

身份认证购VIP最低享 7 折!

30元优惠券

资源详情

资源推荐

Owners of information assets may delegate their security responsibilities to individual

managers or service providers. Nevertheless the owner remains ultimately responsible for the

security of the asset and should be able to determine that any delegated responsibility has

been discharged correctly.

It is essential that the areas for which each manager is responsible are clearly stated; in

particular the following should take place.

a) The various assets and security processes associated with each individual system

should be identified and clearly defined.

b) The manager responsible for each asset or security process should be agreed and the

details of this responsibility should be documented.

c) Authorization levels should be clearly defined and documented.

4.1.4 Authorization process for information processing facilities

A management authorization process for new information processing facilities should be

established.

The following controls should be considered.

a) New facilities should have appropriate user management approval, authorizing their

purpose and use. Approval should also be obtained from the manager responsible for

maintaining the local information system security environment to ensure that all

relevant security policies and requirements are met.

b) Where necessary, hardware and software should be checked to ensure that they are

compatible with other system components.

NOTE Type approval may be required for certain connections.

c) The use of personal information processing facilities for processing business

information and any necessary controls should be authorized.

d) The use of personal information processing facilities in the workplace may cause

new vulnerabilities and should therefore be assessed and authorized.

These controls are especially important in a networked environment.

4.1.5 Specialist information security advice

Specialist security advice is likely to be required by many organizations. Ideally, an

experienced in-house information security adviser should provide this. Not all organizations

may wish to employ a specialist adviser. In such cases, it is recommended that a specific

individual is identified to co-ordinate in-house knowledge and experiences to ensure

consistency, and provide help in security decision making. They should also have access to

suitable external advisers to provide specialist advice outside their own experience.

Information security advisers or equivalent points of contact should be tasked with providing

advice on all aspects of information security, using either their own or external advice. The

quality of their assessment of security threats and advice on controls will determine the

effectiveness of the organization’s information security. For maximum effectiveness and

impact they should be allowed direct access to management throughout the organization.

The information security adviser or equivalent point of contact should be consulted at the

earliest possible stage following a suspected security incident or breach to provide a source of

expert guidance or investigative resources. Although most internal security investigations will

Licensed to Milton Baar on 11 Mar 2004. For Committee IT-012 use only

normally be carried out under management control, the information security adviser may be

called on to advise, lead or conduct the investigation.

4.1.6 Co-operation between organizations

Appropriate contacts with law enforcement authorities, regulatory bodies, information service

providers and telecommunications operators should be maintained to ensure that appropriate

action can be quickly taken, and advice obtained, in the event of a security incident. Similarly,

membership of security groups and industry forums should be considered.

Exchanges of security information should be restricted to ensure that confidential information

of the organization is not passed to unauthorized persons.

4.1.7 Independent review of information security

The information security policy document (see 3.1) sets out the policy and responsibilities for

information security. Its implementation should be reviewed independently to provide

assurance that organizational practices properly reflect the policy, and that it is feasible and

effective (see 12.2).

Such a review may be carried out by the internal audit function, an independent manager or a

third party organization specialising in such reviews, where these candidates have the

appropriate skills and experience.

4.2 Security of third party access

Objective: To maintain the security of organizational information processing facilities and

information assets accessed by third parties.

Access to the organization’s information processing facilities by third parties should be

controlled.

Where there is a business need for such third party access, a risk assessment should be carried

out to determine security implications and control requirements. Controls should be agreed

and defined in a contract with the third party.

Third party access may also involve other participants. Contracts conferring third party access

should include allowance for designation of other eligible participants and conditions for their

access.

This standard could be used as a basis for such contracts and when considering the

outsourcing of information processing.

4.2.1 Identification of risks from third party access

4.2.1.1 Types of access

The type of access given to a third party is of special importance. For example, the risks of

access across a network connection are different from risks resulting from physical access.

Types of access that should be considered are:

a) physical access, e.g. to offices, computer rooms, filing cabinets;

b) logical access, e.g. to an organization’s databases, information systems.

4.2.1.2 Reasons for access

Third parties may be granted access for a number of reasons. For example, there are third

parties that provide services to an organization and are not located on-site but may be given

physical and logical access, such as:

Licensed to Milton Baar on 11 Mar 2004. For Committee IT-012 use only

a) hardware and software support staff, who need access to system level or low level

application functionality;

b) trading partners or joint ventures, who may exchange information, access

information systems or share databases.

Information might be put at risk by access from third parties with inadequate security

management. Where there is a business need to connect to a third party location a risk

assessment should be carried out to identify any requirements for specific controls. It should

take into account the type of access required, the value of the information, the controls

employed by the third party and the implications of this access to the security of the

organization’s information.

4.2.1.3 On-site contractors

Third parties that are located on-site for a period of time as defined in their contract may also

give rise to security weaknesses. Examples of on-site third party include:

a) hardware and software maintenance and support staff;

b) cleaning, catering, security guards and other outsourced support services;

c) student placement and other casual short term appointments;

d) consultants.

It is essential to understand what controls are needed to administer third party access to

information processing facilities. Generally, all security requirements resulting from third

party access or internal controls should be reflected by the third party contract (see also 4.2.2).

For example, if there is a special need for confidentiality of the information, non-disclosure

agreements might be used (see 6.1.3).

Access to information and information processing facilities by third parties should not be

provided until the appropriate controls have been implemented and a contract has been signed

defining the terms for the connection or access.

4.2.2 Security requirements in third party contracts

Arrangements involving third party access to organizational information processing facilities

should be based on a formal contract containing, or referring to, all the security requirements

to ensure compliance with the organization’s security policies and standards. The contract

should ensure that there is no misunderstanding between the organization and the third party.

Organizations should satisfy themselves as to the indemnity of their supplier. The following

terms should be considered for inclusion in the contract:

a) the general policy on information security;

b) asset protection, including:

1) procedures to protect organizational assets, including information and software;

2) procedures to determine whether any compromise of the assets, e.g. loss or

modification of data, has occurred;

3) controls to ensure the return or destruction of information and assets at the end of,

or at an agreed point in time during, the contract;

4) integrity and availability;

5) restrictions on copying and disclosing information;

c) a description of each service to be made available;

d) the target level of service and unacceptable levels of service;

Licensed to Milton Baar on 11 Mar 2004. For Committee IT-012 use only

e) provision for the transfer of staff where appropriate;

f) the respective liabilities of the parties to the agreement;

g) responsibilities with respect to legal matters, e.g. data protection legislation,

especially taking into account different national legal systems if the contract involves

co-operation with organizations in other countries (see also 12.1);

h) intellectual property rights (IPRs) and copyright assignment (see 12.1.2) and

protection of any collaborative work (see also 6.1.3);

i) access control agreements, covering:

1) permitted access methods, and the control and use of unique identifiers such as

user IDs and passwords;

2) an authorization process for user access and privileges;

3) a requirement to maintain a list of individuals authorized to use the services being

made available and what their rights and privileges are with respect to such use;

j) the definition of verifiable performance criteria, their monitoring and reporting;

k) the right to monitor, and revoke, user activity;

l) the right to audit contractual responsibilities or to have those audits carried out by a

third party;

m) the establishment of an escalation process for problem resolution; contingency

arrangements should also be considered where appropriate;

n) responsibilities regarding hardware and software installation and maintenance;

o) a clear reporting structure and agreed reporting formats;

p) a clear and specified process of change management;

q) any required physical protection controls and mechanisms to ensure those controls

are followed;

r) user and administrator training in methods, procedures and security;

s) controls to ensure protection against malicious software (see 8.3);

t) arrangements for reporting, notification and investigation of security incidents and

security breaches;

u) involvement of the third party with subcontractors.

4.3 Outsourcing

Objective: To maintain the security of information when the responsibility for information

processing has been outsourced to another organization.

Outsourcing arrangements should address the risks, security controls and procedures for

information systems, networks and/or desk top environments in the contract between the

parties.

4.3.1 Security requirements in outsourcing contracts

The security requirements of an organization outsourcing the management and control of all

or some of its information systems, networks and/or desk top environments should be

addressed in a contract agreed between the parties.

For example, the contract should address:

a) how the legal requirements are to be met, e.g. data protection legislation;

Licensed to Milton Baar on 11 Mar 2004. For Committee IT-012 use only

剩余82页未读，继续阅读

johnny_jiang

粉丝: 0
资源: 29

AS/NZS ISO/IEC 17799:2001 信息安全管理实践标准

ISO/IEC17799

IT安全管理最佳实践基于ISO/IEC17799

ISO_IEC_17799

GOST R ISO/IEC 25010与AS/NZS ISO/IEC 25010有什么区别

as/nzs iec 60227.5:2019

as/nzs iec 61000.3.3:2023

as /nzs 2520

as/nzs 60079

AS/NZS CISPR 14.1

ISO/IEC 25010有国家区别，我该选择哪个版本的ISO/IEC 25010呢

某单相变压器一次绕组 N,=460,接于 220 V 的电源上,空载电流略去不计。现二次侧需要三个电压:Uz=110 V,Uz = 36 V,Uzs=6.3 V;电流分别为 =0.2 A,=0.5A.Izs=1A,负载均为电阻性。试求:(1)二次绕组数 N2N2 、Nzs;(2)变压器容量 S和一次电流1。

FroalaEditor使用方法汇总

四选一选择器的电路原理

ssm9293农家乐管理系统.zip

基于SpringBoot和Vue的青锋后台管理系统设计源码

基于51单片机太阳能锂电池充电电压电流检测液晶显示设计（毕业设计）

外鼻梁条超声焊接机_三维3D设计图纸.zip

基于PHP+JavaScript+CSS的爱宠狼人杀后台服务设计源码

基于Java的Spring Security基础教程设计源码

Nacos持久化SQL脚本-nacos.sql

最新资源