informationsecuritymanagement-1(doc81)-it (edited draft): content summary

... controls in this code of practice may be applicable. Furthermore, additional controls not included in this document may be required. When this happens it may be useful to retain cross-references which will facilitate compliance checking by auditors and business partners.

Table of Contents

1 SCOPE ..... 11

2 TERMS AND DEFINITIONS ..... 12
  Information security ..... 12
  Risk assessment ..... 12
  Risk management ..... 12

3 SECURITY POLICY ..... 13
  Information security policy ..... 13
    Information security policy document ..... 13
    Review and evaluation ..... 13

4 SECURITY ORGANIZATION ..... 14
  Information security infrastructure ..... 14
    Management information security forum ..... 14
    Information security coordination ..... 14
    Allocation of information security responsibilities ..... 15
    Authorization process for information processing facilities ..... 15
    Specialist information security advice ..... 16
    Cooperation between organizations ..... 16
    Independent review of information security ..... 16
  Security of third party access ..... 17
    Identification of risks from third party access ..... 17
    Security requirements in third party contracts ..... 18
  Outsourcing ..... 19
    Security requirements in outsourcing contracts ..... 19

5 ASSET CLASSIFICATION AND CONTROL ..... 21
  Accountability for assets ..... 21
    Inventory of assets ..... 21
  Information classification ..... 21
    Classification guidelines ..... 21
    Information labelling and handling ..... 22

6 PERSONNEL SECURITY ..... 23
  Security in job definition and resourcing ..... 23
    Including security in job responsibilities ..... 23
    Personnel screening and policy ..... 23
    Confidentiality agreements ..... 23
    Terms and conditions of employment ..... 24
  User training ..... 24
    Information security education and training ..... 24
  Responding to security incidents and malfunctions ..... 24
    Reporting security incidents ..... 25
    Reporting security weaknesses ..... 25
    Reporting software malfunctions ..... 25
    Learning from incidents ..... 25
    Disciplinary process ..... 25

7 PHYSICAL AND ENVIRONMENTAL SECURITY ..... 26
  Secure areas ..... 26
    Physical security perimeter ..... 26
    Physical entry controls ..... 26
    Securing offices, rooms and facilities ..... 27
    Working in secure areas ..... 27
    Isolated delivery and loading areas ..... 28
  Equipment security ..... 28
    Equipment siting and protection ..... 28
    Power supplies ..... 29
    Cabling security ..... 29
    Equipment maintenance ..... 29
    Security of equipment off-premises ..... 30
    Secure disposal or reuse of equipment ..... 30
  General controls ..... 30
    Clear desk and clear screen policy ..... 30
    Removal of property ..... 31

8 COMMUNICATIONS AND OPERATIONS MANAGEMENT ..... 32
  Operational procedures and responsibilities ..... 32
    Documented operating procedures ..... 32
    Operational change control ..... 32
    Incident management procedures ..... 33
    Segregation of duties ..... 33
    Separation of development and operational facilities ..... 34
    External facilities management ..... 34
  System planning and acceptance ..... 35
    Capacity planning ..... 35
    System acceptance ..... 35
  Protection against malicious software ..... 36
    Controls against malicious software ..... 36
  Housekeeping ..... 37
    Information backup ..... 37
    Operator logs ..... 37
    Fault logging ..... 37
  Network management ..... 38
    Network controls ..... 38
  Media handling and security ..... 38
    Management of removable computer media ..... 38
    Disposal of media ..... 38
    Information handling procedures ..... 39
    Security of system documentation ..... 39
  Exchanges of information and software ..... 40
    Information and software exchange agreements ..... 40
    Security of media in transit ..... 40
    Electronic commerce security ..... 41
    Security of electronic mail ..... 41
    Security of electronic office systems ..... 42
    Publicly available systems ..... 43
    Other forms of information exchange ..... 43

9 ACCESS CONTROL ..... 45
  Business requirement for access control ..... 45
    Access control policy ..... 45
  User access management ..... 46
    User registration ..... 46
    Privilege management ..... 46
    User password management ..... 47
    Review of user access rights ..... 47
  User responsibilities ..... 48
    Password use ..... 48
    Unattended user equipment ..... 48
  Network access control ..... 49
    Policy on use of network services ..... 49
    Enforced path ..... 49
    User authentication for external connections ..... 50
    Node authentication ..... 50
    Remote diagnostic port protection ..... 50
    Segregation in networks ..... 50
    Network connection control ..... 51
    Network routing control ..... 51
    Security of network services ..... 51
  Operating system access control ..... 52
    Automatic terminal identification ..... 52
    Terminal logon procedures ..... 52
    User identification and authentication ..... 53
    Password management system ..... 53
    Use of system utilities ..... 53
    Duress alarm to safeguard users ..... 54
    Terminal timeout ..... 54
    Limitation of connection time ..... 54
  Application access control ..... 55
    Information access restriction ..... 55
    Sensitive system isolation ..... 55
  Monitoring system access and use ..... 56
    Event logging ..... 56
    Monitoring system use ..... 56
    Clock synchronization ..... 57
  Mobile computing and teleworking ..... 58
    Mobile computing ..... 58
    Teleworking ..... 58

10 SYSTEMS DEVELOPMENT AND MAINTENANCE ..... 60
  Security requirements of systems ..... 60
    Security requirements analysis and specification ..... 60
  Security in application systems ..... 60
    Input data validation ..... 60
    Control of internal processing ..... 61
    Message authentication ..... 61
    Output data validation ..... 62
  Cryptographic controls ..... 62
    Policy on the use of cryptographic controls ..... 62
    Encryption ..... 63
    Digital signatures ..... 63
    Non-repudiation services ..... 63
    Key management ..... 63
  Security of system files ..... 65
    Control of operational software ..... 65
    Protection of system test data ..... 65
    Access control to program source library ..... 65
  Security in development and support processes ..... 66
    Change control procedures ..... 66
    Technical review of operating system changes ..... 67
    Restrictions on changes to software packages ..... 67
    Covert channels and Trojan code ..... 67
    Outsourced software development ..... 68

11 BUSINESS CONTINUITY MANAGEMENT ..... 69
  Aspects of business continuity management ..... 69
    Business continuity management process ..... 69
    Business continuity and impact analysis ..... 69
    Writing and implementing continuity plans ..... 70
    Business continuity planning framework ..... 70
    Testing, maintai