
Information Security Management-2(doc 22).rar

Content provider: ECOPROF***
File size: 38 KB (compressed)
Document format: DOC
Document language: Chinese / English / Japanese editions
Archive password: m448
Updated: 2016/6/9 (published from Sichuan)


Text description
Information security management
BS7799
Part 2: Specification for information security management systems
1 SCOPE
2 TERMS AND DEFINITIONS
2.1 statement of applicability
3 INFORMATION SECURITY MANAGEMENT SYSTEM REQUIREMENTS
3.1 General
3.2 Establishing a management framework
3.3 Implementation
3.4 Documentation
3.5 Document control
3.6 Records
4 DETAILED CONTROLS
4.1 Security policy
4.1.1 Information security policy
4.2 Security organization
4.2.1 Information security infrastructure
4.2.2 Security of third party access
4.2.3 Outsourcing
4.3 Asset classification and control
4.3.1 Accountability for assets
4.3.2 Information classification
4.4 Personnel security
4.4.1 Security in job definition and resourcing
4.4.2 User training
4.4.3 Responding to security incidents and malfunctions
4.5 Physical and environmental security
4.5.1 Secure areas
4.5.2 Equipment security
4.5.3 General controls
4.6 Communications and operations management
4.6.1 Operational procedures and responsibilities
4.6.2 System planning and acceptance
4.6.3 Protection against malicious software
4.6.4 Housekeeping
4.6.5 Network management
4.6.6 Media handling and security
4.6.7 Exchanges of information and software
4.7 Access control
4.7.1 Business requirement for access control
4.7.2 User access management
4.7.3 User responsibilities
4.7.4 Network access control
4.7.5 Operating system access control
4.7.6 Application access control
4.7.7 Monitoring system access and use
4.7.8 Mobile computing and teleworking
4.8 Systems development and maintenance
4.8.1 Security requirements of systems
4.8.2 Security in application systems
4.8.3 Cryptographic controls
4.8.4 Security of system files
4.8.5 Security in development and support processes
4.9 Business continuity management
4.9.1 Aspects of business continuity management
4.10 Compliance
4.10.1 Compliance with legal requirements
4.10.2 Review of security policy and technical compliance
4.10.3 System audit consideration
1 Scope

This part of BS 7799 specifies requirements for establishing, implementing and documenting information security management systems (ISMSs). It specifies requirements for security controls to be implemented according to the needs of individual organizations.
NOTE Part 1 gives recommendations for best practice in support of the requirements of this specification. The control objectives and controls given in clause 4 of this part of BS 7799 are derived from and aligned with the objectives and controls listed in BS 7799-1:1999.
2 Terms and definitions

For the purposes of this part of BS 7799, the definitions given in BS 7799-1 apply, together with the following.
2.1 statement of applicability

Critique of the objectives and controls applicable to the needs of the organization
3 Information security management system requirements
3.1 General

The organization shall establish and maintain a documented ISMS. This shall address the assets to be protected, the organization’s approach to risk management, the control objectives and controls, and the degree of assurance required.
3.2 Establishing a management framework

The following steps shall be undertaken to identify and document the control objectives and controls (see Figure 1).
a) The information security policy shall be defined.
b) The scope of the information security management system shall be defined. The boundaries shall be defined in terms of the characteristics of the organization, its location, assets and technology.
c) An appropriate risk assessment shall be undertaken. The risk assessment shall identify the threats to assets, vulnerabilities and impacts on the organization and shall determine the degree of risk.
d) The areas of risk to be managed shall be identified based on the organization’s information security policy and the degree of assurance required.
e) Appropriate control objectives and controls shall be selected from clause 4 for implementation by the organization, and the selection shall be justified.
NOTE: Guidance on the selection of control objectives and controls can be found in BS 7799-1. The control objectives and controls listed in clause 4 of this part of BS 7799 are not exhaustive and additional controls may also be selected.
f) A statement of applicability shall be prepared. The selected control objectives and controls, and the reasons for their selection, shall be documented in the statement of applicability. This statement shall also record the exclusion of any controls listed in clause 4.
These steps shall be reviewed at appropriately defined intervals as required.
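The steps above chain three artifacts together: a risk assessment that records threats, vulnerabilities and impacts per asset and determines a degree of risk, a selection of clause 4 controls justified by that assessment, and a statement of applicability that documents both the selected controls and the excluded ones. The following worked example, added here and not part of the BS 7799 text, shows one way to keep those artifacts consistent with each other. The impact and likelihood scales and the product used as the degree of risk are assumptions for illustration; BS 7799 does not prescribe any scoring formula, and the risk register entries are constructed sample data. The control identifiers and titles are taken from the clause 4 headings listed on this page.

```python
from dataclasses import dataclass

# Control objectives: clause 4 headings as listed on this page. Only a
# handful are included to keep the example short.
CONTROLS = {
    "4.5.1": "Secure areas",
    "4.6.3": "Protection against malicious software",
    "4.6.6": "Media handling and security",
    "4.7.2": "User access management",
    "4.8.3": "Cryptographic controls",
    "4.9.1": "Aspects of business continuity management",
}


@dataclass(frozen=True)
class Risk:
    """One row of the risk assessment: a threat to an asset, the vulnerability
    it exploits, the impact on the organization, and the clause 4 controls
    that would treat it."""
    asset: str
    threat: str
    vulnerability: str
    impact: int        # 1 (negligible) .. 5 (severe); assumed scale
    likelihood: int    # 1 (rare) .. 5 (almost certain); assumed scale
    controls: tuple    # clause 4 control identifiers that treat this risk

    def __post_init__(self):
        # Reject malformed rows early so the statement of applicability
        # can only ever cite controls that exist in clause 4.
        for value in (self.impact, self.likelihood):
            if not 1 <= value <= 5:
                raise ValueError(f"impact/likelihood must be 1..5, got {value}")
        unknown = [c for c in self.controls if c not in CONTROLS]
        if unknown:
            raise KeyError(f"controls not in clause 4 list: {unknown}")

    @property
    def degree(self) -> int:
        # Assumed qualitative scoring; BS 7799 does not prescribe a formula.
        return self.impact * self.likelihood


def statement_of_applicability(risks, threshold):
    """Select a control for every risk whose degree reaches the threshold and
    record the justification; every other clause 4 control is listed as
    excluded with a reason, as step f) requires."""
    selected = {}
    for risk in risks:
        if risk.degree < threshold:
            continue
        reason = (f"{risk.asset}: {risk.threat} via {risk.vulnerability} "
                  f"(degree of risk {risk.degree})")
        for control in risk.controls:
            selected.setdefault(control, []).append(reason)
    excluded = {
        control: f"no assessed risk reaches threshold {threshold}"
        for control in CONTROLS if control not in selected
    }
    return {"selected": selected, "excluded": excluded}


def render(soa):
    """Plain-text statement of applicability with justifications."""
    lines = ["Statement of applicability", "Selected controls:"]
    for control, reasons in sorted(soa["selected"].items()):
        lines.append(f"  {control} {CONTROLS[control]}")
        lines.extend(f"    - {r}" for r in reasons)
    lines.append("Excluded controls:")
    for control, reason in sorted(soa["excluded"].items()):
        lines.append(f"  {control} {CONTROLS[control]}: {reason}")
    return "\n".join(lines)


# Constructed sample risk register (illustrative, not real assessment data).
SAMPLE_RISKS = [
    Risk("customer database", "malware infection", "unpatched workstations", 4, 4, ("4.6.3",)),
    Risk("customer database", "unauthorized access", "shared administrator accounts", 5, 3, ("4.7.2",)),
    Risk("backup tapes", "theft in transit", "unencrypted media", 4, 2, ("4.8.3", "4.6.6")),
    Risk("server room", "fire", "no fire suppression", 5, 2, ("4.9.1", "4.5.1")),
]

if __name__ == "__main__":
    print(render(statement_of_applicability(SAMPLE_RISKS, threshold=10)))
```

The threshold stands in for step d), the decision about which areas of risk are to be managed given the policy and the degree of assurance required; lowering it pulls more controls into the selected set and empties the exclusion list, which is exactly the trade-off the statement of applicability is meant to make visible to a reviewer.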