Part 1: Code of practice for information security management
Foreword
This part of BS 7799 has been prepared under the supervision of the BSI/DISC committee BDD/2, Information security management. It supersedes BS 7799:1995, which is withdrawn.
BS 7799 is issued in two parts:
Part 1: Code of practice for information security management;
Part 2: Specification for information security management systems.
BS 7799-1 was first issued in 1995 to provide a comprehensive set of controls comprising best practices in information security. It is intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce, and to be used by large, medium and small organizations.
The term organization is used throughout this standard to mean both profit and non-profit making organizations such as public sector organizations.
The 1999 revision takes into account recent developments in the application of information processing technology, particularly in the area of networks and communications. It also gives greater emphasis to business involvement in and responsibility for information security.
Not all of the controls described in this document will be relevant to every situation. It cannot take account of local system, environmental or technological constraints. It may not be in a form that suits every potential user in an organization. Consequently the document may need to be supplemented by further guidance. It can be used as a basis from which, for example, a corporate policy or an inter-company trading agreement can be developed.
As a code of practice, this British Standard takes the form of guidance and recommendations. It should not be quoted as if it were a specification, and particular care should be taken to ensure that claims of compliance are not misleading.
It has been assumed in the drafting of this standard that the execution of its provisions is entrusted to appropriately qualified and experienced people.
Annex A is informative and contains a table showing the relationship between the sections of the 1995 edition and the clauses of the 1999 edition.
A British Standard does not purport to include all the necessary provisions of a contract. Users of British Standards are responsible for their correct application.
Compliance with a British Standard does not of itself confer immunity from legal obligations.
What is information security
Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities.
Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected.
Information security is characterized here as the preservation of:
Confidentiality: ensuring that information is accessible only to those authorized to have access;
Integrity: safeguarding the accuracy and completeness of information and processing methods;
Availability: ensuring that authorized users have access to information and associated assets when required.
Information security is achieved by implementing a suitable set of controls, which could be policies, practices, procedures, organizational structures and software functions. These controls need to be established to ensure that the specific security objectives of the organization are met.
Why information security is needed
Information and the supporting processes, systems and networks are important business assets. Confidentiality, integrity and availability of information may be essential to maintain competitive edge, cash-flow, profitability, legal compliance and commercial image.
Increasingly, organizations and their information systems and networks are faced with security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire or flood. Sources of damage such as computer viruses, computer hacking and denial of service attacks have become more common, more ambitious and increasingly sophisticated.
Dependence on information systems and services means organizations are more vulnerable to security threats. The interconnecting of public and private networks and sharing of information resources increases the difficulty of achieving access control.
The trend to distributed computing has weakened the effectiveness of central, specialist control.
Many information systems have not been designed to be secure. The security that can be achieved through technical means is limited, and should be supported by appropriate management and procedures. Identifying which controls should be in place requires careful planning and attention to detail.
Information security management needs, as a minimum, participation by all employees in the organization. It may also require participation from suppliers, customers or shareholders. Specialist advice from outside organizations may also be needed.
Information security controls are considerably cheaper and more effective if incorporated at the requirements specification and design stage.
How to establish security requirements
It is essential that an organization identifies its security requirements. There are three main sources.
The first source is derived from assessing risks to the organization. Through risk assessment threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is estimated.
The second source is the legal, statutory, regulatory and contractual requirements that an organization, its trading partners, contractors and service providers have to satisfy.
The third source is the particular set of principles, objectives and requirements for information processing that an organization has developed to support its operations.
Assessing security risks
Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the business harm likely to result from security failures. Risk assessment techniques can be applied to the whole organization, or only parts of it, as well as to individual information systems, specific system components or services where this is practicable, realistic and helpful.
Risk assessment is systematic consideration of:
The business harm likely to result from a security failure, taking into account the potential consequences of a loss of confidentiality, integrity or availability of the information and other assets;
The realistic likelihood of such a failure occurring in the light of prevailing threats and vulnerabilities, and the controls currently implemented.
The results of this assessment will help guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against these risks. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems.
It is important to carry out periodic reviews of security risks and implemented controls to:
Take account of changes to business requirements and priorities;
Consider new threats and vulnerabilities;
Confirm that controls remain effective and appropriate.
Reviews should be performed at different levels of depth depending on the results of previous assessments and the changing levels of risk t
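The harm-times-likelihood assessment described above, worked through as a small Python risk register that also shows a periodic review re-scoring the same threats once further controls are in place. This is an added example, not part of BS 7799: the three-point scale, the one-level-per-control likelihood reduction, and the assets, threats and control names are all constructed for illustration.

```python
from dataclasses import dataclass

# Three-point qualitative scale for both harm and likelihood. Constructed for
# this example; BS 7799 prescribes no particular scale or scoring method.
LEVEL = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Asset:
    name: str
    harm: dict  # business harm if "C", "I" or "A" of this asset is lost

@dataclass
class Threat:
    name: str
    asset: Asset
    affects: str            # which of "C", "I", "A" the threat compromises
    likelihood: str         # realistic likelihood with no controls in place
    mitigations: frozenset  # controls that each lower likelihood by one level

def residual_risk(threat: Threat, controls: set) -> int:
    """Harm x likelihood; likelihood drops one level (floor 'low') per implemented control."""
    harm = LEVEL[threat.asset.harm[threat.affects]]
    likelihood = max(1, LEVEL[threat.likelihood] - len(threat.mitigations & controls))
    return harm * likelihood

def assess(threats: list, controls: set) -> list:
    """Risk register as (score, asset, threat) tuples, highest risk first."""
    register = [(residual_risk(t, controls), t.asset.name, t.name) for t in threats]
    return sorted(register, key=lambda r: (-r[0], r[1], r[2]))

def controls_to_consider(threats: list, controls: set, tolerance: int) -> set:
    """Unimplemented controls for risks still above tolerance: the candidates
    whose cost must be weighed against the harm they would avert."""
    return {c for t in threats if residual_risk(t, controls) > tolerance
            for c in t.mitigations - controls}

# Constructed sample scenario: hypothetical assets, threats and control names.
DATABASE = Asset("customer database", {"C": "high", "I": "high", "A": "medium"})
WEBSITE = Asset("public web site", {"C": "low", "I": "medium", "A": "high"})
THREATS = [
    Threat("espionage", DATABASE, "C", "medium", frozenset({"access control", "encryption"})),
    Threat("fraud", DATABASE, "I", "medium", frozenset({"segregation", "audit logging"})),
    Threat("denial of service", WEBSITE, "A", "high", frozenset({"traffic filtering"})),
]

if __name__ == "__main__":
    implemented = {"access control"}
    for score, asset, threat in assess(THREATS, implemented):
        print(f"{score:>2}  {asset:<18} {threat}")
    print("consider:", sorted(controls_to_consider(THREATS, implemented, 4)))
```

Re-running `assess` with the enlarged control set is the periodic review the text calls for: a risk that stays above tolerance with no unimplemented control left to add is one that needs a new control option or a revised tolerance.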