ISO 17799 is a detailed information security standard designed for implementation in the commercial sector. It was derived from the British Standard BS7799 and published in 2000. The standard is a comprehensive set of controls considered to be best practices in information security, including policies, practices, procedures, organizational structures and software functions. The ten sections of controls described in the standard are summarized below.

Security Policy
The objectives of this section are to provide management direction and support for information security. A policy document should be published and communicated to all employees, including overall objectives and scope. Specific elements may include compliance with legislative and contractual requirements, access to information resources, security education, monitoring and enforcement.

Security Organisation
The objectives of this section are to develop a management framework for the purpose of implementing information security in a company. Roles and responsibilities are to be assigned. Special emphasis should be placed on information assets accessed by third parties. Outsourcing arrangements should be managed according to risk and corresponding controls.

Asset Classification and Control
All major information assets should be accounted for and have an assigned owner. Information assets include databases and data files, software assets and physical hardware. Information should be classified to indicate need, priorities and degree of protection.

Personnel Security
The objectives of this section are to reduce risks of human error, theft, fraud or misuse of IT facilities. Security should be considered when recruiting new employees, included in contracts and monitored during an individual's employment.

Physical and Environmental Security
The objectives of this section are to prevent unauthorized access, damage and interference to business information, activities and premises. IT facilities should be housed in secure areas and protected by a security perimeter with entry controls.

Computer & Operations Management
The objectives of this section are to ensure the correct and secure operation of information processing facilities. Advance planning and preparation are necessary to ensure adequate capacity and resources. Preventive controls are required to protect against malicious software, including viruses and trojan horses. Network management should include controls to protect data as well as network services from unauthorized access.

Access Control
The objectives of this section are to control access to information, ensure the protection of networked services, detect unauthorized activities and provide security for remote access.

System Development and Maintenance
The objectives of this section are to ensure security is designed into information systems; to prevent loss, modification or misuse of user data in application systems; to protect the confidentiality, authenticity and integrity of information; and to maintain the security of application system software and data.

Business Continuity Planning
The objective of this section is to protect critical business processes from the effects of major failures or disasters. The capability should be developed, maintained and practiced for quick response to interruptions.

Compliance
The objectives of this section are to avoid breaches of any criminal or civil law, and of statutory, regulatory or contractual obligations. Information systems must also comply with organizational security policies and standards.