AS/NZS ISO/IEC 17799:2001 Information technology - Code of practice for information security management
AS/NZS ISO/IEC 17799:2001 is the joint Australian/New Zealand code of practice for information security management. It supersedes AS/NZS 4444.1:1999 and is identical with the international standard ISO/IEC 17799:2000. It gives guidance to those responsible for initiating, implementing or maintaining information security within an organization. It complements AS/NZS 4444.2:2000 (revised as AS/NZS 7799.2:2000) and HB 231:2000 (Information security risk management guidelines), and it provides a comprehensive set of information security controls applicable to large, medium and small organizations.

The purpose of the standard is to give organizations recommended practice for information security management, for use by the managers and staff responsible for information security. The controls it contains reflect current best practice in information security and are intended to be as comprehensive as possible, so that they apply to the many business and commercial environments that depend on information systems. As electronic networking between organizations increases, a shared reference document for information security management helps establish mutual trust between networked information systems and trading partners, and gives users and service providers a common basis for managing those systems.

Not every control in the standard applies to every situation, and the controls may need to be supplemented to suit the organization's local environment and technical constraints. The standard can serve as the basis for corporate policy or for inter-company trading agreements. When citing its guidance and recommendations, note that they are not a specification, and misleading claims of compliance should be avoided. Implementation should be carried out by suitably qualified and experienced people.

The standard was drafted on the assumption that its recommendations will be applied by appropriate professionals so that information security is actually implemented. To stay current it is updated periodically to reflect advances in science, technology and systems, so organizations need to track those updates and adapt to them in order to remain aligned with information security best practice.
Owners of information assets may delegate their security responsibilities to individual
managers or service providers. Nevertheless the owner remains ultimately responsible for the
security of the asset and should be able to determine that any delegated responsibility has
been discharged correctly.
It is essential that the areas for which each manager is responsible are clearly stated; in
particular the following should take place.
a) The various assets and security processes associated with each individual system
should be identified and clearly defined.
b) The manager responsible for each asset or security process should be agreed and the
details of this responsibility should be documented.
c) Authorization levels should be clearly defined and documented.
4.1.4 Authorization process for information processing facilities
A management authorization process for new information processing facilities should be
established.
The following controls should be considered.
a) New facilities should have appropriate user management approval, authorizing their
purpose and use. Approval should also be obtained from the manager responsible for
maintaining the local information system security environment to ensure that all
relevant security policies and requirements are met.
b) Where necessary, hardware and software should be checked to ensure that they are
compatible with other system components.
NOTE Type approval may be required for certain connections.
c) The use of personal information processing facilities for processing business
information and any necessary controls should be authorized.
d) The use of personal information processing facilities in the workplace may cause
new vulnerabilities and should therefore be assessed and authorized.
These controls are especially important in a networked environment.
4.1.5 Specialist information security advice
Specialist security advice is likely to be required by many organizations. Ideally, an
experienced in-house information security adviser should provide this. Not all organizations
may wish to employ a specialist adviser. In such cases, it is recommended that a specific
individual is identified to co-ordinate in-house knowledge and experiences to ensure
consistency, and provide help in security decision making. They should also have access to
suitable external advisers to provide specialist advice outside their own experience.
Information security advisers or equivalent points of contact should be tasked with providing
advice on all aspects of information security, using either their own or external advice. The
quality of their assessment of security threats and advice on controls will determine the
effectiveness of the organization’s information security. For maximum effectiveness and
impact they should be allowed direct access to management throughout the organization.
The information security adviser or equivalent point of contact should be consulted at the
earliest possible stage following a suspected security incident or breach to provide a source of
expert guidance or investigative resources. Although most internal security investigations will
4
COPYRIGHT
Licensed to Milton Baar on 11 Mar 2004. For Committee IT-012 use only
normally be carried out under management control, the information security adviser may be
called on to advise, lead or conduct the investigation.
4.1.6 Co-operation between organizations
Appropriate contacts with law enforcement authorities, regulatory bodies, information service
providers and telecommunications operators should be maintained to ensure that appropriate
action can be quickly taken, and advice obtained, in the event of a security incident. Similarly,
membership of security groups and industry forums should be considered.
Exchanges of security information should be restricted to ensure that confidential information
of the organization is not passed to unauthorized persons.
4.1.7 Independent review of information security
The information security policy document (see 3.1) sets out the policy and responsibilities for
information security. Its implementation should be reviewed independently to provide
assurance that organizational practices properly reflect the policy, and that it is feasible and
effective (see 12.2).
Such a review may be carried out by the internal audit function, an independent manager or a
third party organization specialising in such reviews, where these candidates have the
appropriate skills and experience.
4.2 Security of third party access
Objective: To maintain the security of organizational information processing facilities and
information assets accessed by third parties.
Access to the organization’s information processing facilities by third parties should be
controlled.
Where there is a business need for such third party access, a risk assessment should be carried
out to determine security implications and control requirements. Controls should be agreed
and defined in a contract with the third party.
Third party access may also involve other participants. Contracts conferring third party access
should include allowance for designation of other eligible participants and conditions for their
access.
This standard could be used as a basis for such contracts and when considering the
outsourcing of information processing.
4.2.1 Identification of risks from third party access
4.2.1.1 Types of access
The type of access given to a third party is of special importance. For example, the risks of
access across a network connection are different from risks resulting from physical access.
Types of access that should be considered are:
a) physical access, e.g. to offices, computer rooms, filing cabinets;
b) logical access, e.g. to an organization’s databases, information systems.
4.2.1.2 Reasons for access
Third parties may be granted access for a number of reasons. For example, there are third
parties that provide services to an organization and are not located on-site but may be given
physical and logical access, such as:
a) hardware and software support staff, who need access to system level or low level
application functionality;
b) trading partners or joint ventures, who may exchange information, access
information systems or share databases.
Information might be put at risk by access from third parties with inadequate security
management. Where there is a business need to connect to a third party location a risk
assessment should be carried out to identify any requirements for specific controls. It should
take into account the type of access required, the value of the information, the controls
employed by the third party and the implications of this access to the security of the
organization’s information.
4.2.1.3 On-site contractors
Third parties that are located on-site for a period of time as defined in their contract may also
give rise to security weaknesses. Examples of on-site third parties include:
a) hardware and software maintenance and support staff;
b) cleaning, catering, security guards and other outsourced support services;
c) student placement and other casual short term appointments;
d) consultants.
It is essential to understand what controls are needed to administer third party access to
information processing facilities. Generally, all security requirements resulting from third
party access or internal controls should be reflected by the third party contract (see also 4.2.2).
For example, if there is a special need for confidentiality of the information, non-disclosure
agreements might be used (see 6.1.3).
Access to information and information processing facilities by third parties should not be
provided until the appropriate controls have been implemented and a contract has been signed
defining the terms for the connection or access.
4.2.2 Security requirements in third party contracts
Arrangements involving third party access to organizational information processing facilities
should be based on a formal contract containing, or referring to, all the security requirements
to ensure compliance with the organization’s security policies and standards. The contract
should ensure that there is no misunderstanding between the organization and the third party.
Organizations should satisfy themselves as to the indemnity of their supplier. The following
terms should be considered for inclusion in the contract:
a) the general policy on information security;
b) asset protection, including:
1) procedures to protect organizational assets, including information and software;
2) procedures to determine whether any compromise of the assets, e.g. loss or
modification of data, has occurred;
3) controls to ensure the return or destruction of information and assets at the end of,
or at an agreed point in time during, the contract;
4) integrity and availability;
5) restrictions on copying and disclosing information;
c) a description of each service to be made available;
d) the target level of service and unacceptable levels of service;
e) provision for the transfer of staff where appropriate;
f) the respective liabilities of the parties to the agreement;
g) responsibilities with respect to legal matters, e.g. data protection legislation,
especially taking into account different national legal systems if the contract involves
co-operation with organizations in other countries (see also 12.1);
h) intellectual property rights (IPRs) and copyright assignment (see 12.1.2) and
protection of any collaborative work (see also 6.1.3);
i) access control agreements, covering:
1) permitted access methods, and the control and use of unique identifiers such as
user IDs and passwords;
2) an authorization process for user access and privileges;
3) a requirement to maintain a list of individuals authorized to use the services being
made available and what their rights and privileges are with respect to such use;
j) the definition of verifiable performance criteria, their monitoring and reporting;
k) the right to monitor, and revoke, user activity;
l) the right to audit contractual responsibilities or to have those audits carried out by a
third party;
m) the establishment of an escalation process for problem resolution; contingency
arrangements should also be considered where appropriate;
n) responsibilities regarding hardware and software installation and maintenance;
o) a clear reporting structure and agreed reporting formats;
p) a clear and specified process of change management;
q) any required physical protection controls and mechanisms to ensure those controls
are followed;
r) user and administrator training in methods, procedures and security;
s) controls to ensure protection against malicious software (see 8.3);
t) arrangements for reporting, notification and investigation of security incidents and
security breaches;
u) involvement of the third party with subcontractors.
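Clauses i)3 and k) above only work if someone periodically compares the list of individuals the contract authorizes against the accounts that actually exist, and revokes what no longer matches. The standard prescribes no tooling for this, so the following reconciliation is an added example, not part of the standard: it takes a contract register (who each third party may have, with what privileges, until when) and an account export, and reports accounts that are not on the list, accounts carrying more privilege than the contract permits, and accounts that outlived their contract end date (clause b)3 and the on-site contractor case in 4.2.1.3). All organizations, names, account identifiers and dates are constructed for the example.

```python
"""Reconcile third-party accounts against a contract's authorized-user register.

Added example, not part of AS/NZS ISO/IEC 17799:2001. Every third party,
user, account id, privilege name and date below is constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Authorization:
    """One row of the contract register (clause i)3): who may use the service, with what rights."""
    third_party: str
    user: str
    privileges: frozenset   # privileges the contract permits
    contract_end: date      # after this date access must be revoked (clause b)3)


@dataclass(frozen=True)
class Account:
    """One row of a directory/account export: what is actually provisioned."""
    account_id: str
    third_party: str
    user: str
    privileges: frozenset   # privileges actually granted
    enabled: bool


@dataclass(frozen=True)
class Finding:
    kind: str               # UNLISTED, EXCESS_PRIVILEGE or EXPIRED
    account_id: str
    detail: str


# Constructed contract register: two support staff for a vendor, one on-site cleaner.
AUTHORIZED = [
    Authorization("AcmeSupport", "a.nguyen", frozenset({"read", "app-admin"}), date(2004, 12, 31)),
    Authorization("AcmeSupport", "b.okafor", frozenset({"read"}), date(2004, 12, 31)),
    Authorization("CleanCo", "c.lee", frozenset({"badge"}), date(2004, 3, 1)),
]

# Constructed account export, seeded with one example of each problem.
ACCOUNTS = [
    Account("acct-1001", "AcmeSupport", "a.nguyen", frozenset({"read", "app-admin"}), True),   # matches
    Account("acct-1002", "AcmeSupport", "b.okafor", frozenset({"read", "sys-admin"}), True),   # more than contracted
    Account("acct-1003", "AcmeSupport", "z.unknown", frozenset({"read"}), True),               # nobody authorized this person
    Account("acct-1004", "CleanCo", "c.lee", frozenset({"badge"}), True),                      # contract ended 2004-03-01
    Account("acct-1005", "CleanCo", "d.old", frozenset({"badge"}), False),                     # already disabled: ignored
]


def reconcile(authorized, accounts, today):
    """Return the findings for every enabled third-party account that does not match the register."""
    register = {(a.third_party, a.user): a for a in authorized}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account confers no access; nothing to revoke
        auth = register.get((acct.third_party, acct.user))
        if auth is None:
            findings.append(Finding("UNLISTED", acct.account_id,
                                    f"{acct.third_party}/{acct.user} is not in the contract register"))
            continue
        if today > auth.contract_end:
            findings.append(Finding("EXPIRED", acct.account_id,
                                    f"contract for {acct.user} ended {auth.contract_end.isoformat()}"))
        extra = acct.privileges - auth.privileges
        if extra:
            findings.append(Finding("EXCESS_PRIVILEGE", acct.account_id,
                                    f"{acct.user} holds {sorted(extra)} beyond the contract"))
    return findings


def accounts_to_revoke(findings):
    """Accounts whose access has no contractual basis at all (clause k): right to revoke)."""
    return {f.account_id for f in findings if f.kind in ("UNLISTED", "EXPIRED")}


if __name__ == "__main__":
    results = reconcile(AUTHORIZED, ACCOUNTS, today=date(2004, 3, 11))
    for f in results:
        print(f"{f.kind:16} {f.account_id}  {f.detail}")
    print("revoke:", sorted(accounts_to_revoke(results)))
```

Run against the constructed data with 2004-03-11 as the review date, this reports acct-1003 as unlisted, acct-1004 as expired and acct-1002 as over-privileged, and marks the first two for revocation; the over-privileged account is a finding for the authorizing manager (clause i)2) rather than an automatic revocation, because the contract does permit that person some access. Excess privilege is computed as a set difference against the register, so a contract that grants a privilege the account lacks produces no finding.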
4.3 Outsourcing
Objective: To maintain the security of information when the responsibility for information
processing has been outsourced to another organization.
Outsourcing arrangements should address the risks, security controls and procedures for
information systems, networks and/or desktop environments in the contract between the
parties.
4.3.1 Security requirements in outsourcing contracts
The security requirements of an organization outsourcing the management and control of all
or some of its information systems, networks and/or desktop environments should be
addressed in a contract agreed between the parties.
For example, the contract should address:
a) how the legal requirements are to be met, e.g. data protection legislation;