informationsecuritymanagement-2 (edited revision) content summary:
Objective: To ensure that users are aware of information security threats and concerns, and are equipped to support organizational security policy in the course of their normal work.
Information security education and training - All employees of the organization and, where relevant, third party users, shall receive appropriate training and regular updates in organizational policies and procedures.

Responding to security incidents and malfunctions
Objective: To minimize the damage from security incidents and malfunctions, and to monitor and learn from such incidents.
Reporting security incidents - Security incidents shall be reported through appropriate management channels as soon as possible after the incident is discovered.
Reporting security weaknesses - Users of information services shall be required to note and report any observed or suspected security weaknesses in, or threats to, systems or services.
Reporting software malfunctions - Procedures shall be established and followed for reporting software malfunctions.
Learning from incidents - Mechanisms shall be in place to enable the types, volumes and costs of incidents and malfunctions to be quantified and monitored.
Disciplinary process - Violation of organizational security policies and procedures by employees shall be dealt with through a formal disciplinary process.

Physical and environmental security
Secure areas
Objective: To prevent unauthorized access, damage and interference to business premises and information.
Physical security perimeter - Organizations shall use security perimeters to protect areas which contain information processing facilities.
Physical entry controls - Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
Securing offices, rooms and facilities - Secure areas shall be created in order to protect offices, rooms and facilities with special security requirements.
Working in secure areas - Additional controls and guidelines for working in secure areas shall be used to enhance the security provided by the physical controls protecting the secure areas.
Isolated delivery and loading areas - Delivery and loading areas shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

Equipment security
Objective: To prevent loss, damage or compromise of assets and interruption to business activities.
Equipment siting and protection - Equipment shall be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
Power supplies - Equipment shall be protected from power failures and other electrical anomalies.
Cabling security - Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage.
Equipment maintenance - Equipment shall be maintained in accordance with the manufacturer's instructions and/or documented procedures to ensure its continued availability and integrity.
Security of equipment off-premises - Security procedures and controls shall be used to secure equipment used outside an organization's premises.
Secure disposal or reuse of equipment - Information shall be erased from equipment prior to disposal or reuse.

General controls
Objective: To prevent compromise or theft of information and information processing facilities.
Clear desk and clear screen policy - Organizations shall have and implement a clear desk and clear screen policy in order to reduce the risks of unauthorized access to, loss of, and damage to information.
Removal of property - Equipment, information or software belonging to the organization shall not be removed without authorization.

Communications and operations management
Operational procedures and responsibilities
Objective: To ensure the correct and secure operation of information processing facilities.
Documented operating procedures - The operating procedures identified in the security policy specified in shall be documented and maintained.
Operational change control - Changes to information processing facilities and systems shall be controlled.
Incident management procedures - Incident management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to security incidents.
Segregation of duties - Duties and areas of responsibility shall be segregated in order to reduce opportunities for unauthorized modification or misuse of information or services.
Separation of development and operational facilities - Development and testing facilities shall be separated from operational facilities.
External facilities management - Prior to using external facilities management services, the risks shall be identified and appropriate controls agreed with the contractor and incorporated into the contract.

System planning and acceptance
Objective: To minimize the risk of systems failure.
Capacity planning - Capacity demands shall be monitored and projections of future capacity requirements made to ensure that adequate processing power and storage are available.
System acceptance - Acceptance criteria for new information systems, upgrades and new versions shall be established, and suitable tests of the system carried out prior to acceptance.

Protection against malicious software
Objective: To protect the integrity of software and information.
Controls against malicious software - Detection and prevention controls to protect against malicious software, and appropriate user awareness procedures, shall be implemented.

Housekeeping
Objective: To maintain the integrity and availability of information processing and communication services.
Info