ebook img

BS ISO/IEC 27002:2005, BS 7799-1:2005,BS ISO/IEC 17799:2005 Information technology. Security techniques. Code of practice for information security management PDF

130 Pages·2007·1.36 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview BS ISO/IEC 27002:2005, BS 7799-1:2005,BS ISO/IEC 17799:2005 Information technology. Security techniques. Code of practice for information security management

) c ( , 8 BS ISO/IEC BRITISH STANDARD 2 : 27002:2005 2 0 BS 7799-1:2005 9 Incorporating 0 0 corrigendum no. 1 2 / 3 0 Information / 9 1 of technology — s a t Security techniques — c e r r o Code of practice for c n o i information security s r e V management , g n o K g n o H f o y SI tB i s r e v i n U e h T , g n o K g n o H f o y t i s r e v i n U e h ICS 35.040 T : y p o c d e s n (cid:2)(cid:3)(cid:4)(cid:5)(cid:3)(cid:6)(cid:7)(cid:8)(cid:2)(cid:9)(cid:4)(cid:10)(cid:8)(cid:11)(cid:12)(cid:3)(cid:13)(cid:11)(cid:4)(cid:14)(cid:15)(cid:8)(cid:4)(cid:6)(cid:16)(cid:17)(cid:18)(cid:8)(cid:15)(cid:15)(cid:8)(cid:3)(cid:2)(cid:4)(cid:16)(cid:19)(cid:5)(cid:16)(cid:6)(cid:11)(cid:4)(cid:20)(cid:15)(cid:4)(cid:6)(cid:16)(cid:17)(cid:18)(cid:8)(cid:11)(cid:11)(cid:16)(cid:21)(cid:4)(cid:14)(cid:7)(cid:4)(cid:5)(cid:3)(cid:6)(cid:7)(cid:17)(cid:8)(cid:9)(cid:12)(cid:11)(cid:4)(cid:22)(cid:20)(cid:10) e c i L ) c ( , 8 BS ISO/IEC 27002:2005 2 : 2 0 National foreword 9 0 0 2 This British Standard is the UK implementation of ISO/IEC 27002:2005, / 3 incorporating corrigendum July 2007. It supersedes BS ISO/IEC 17799:2000 0 which is withdrawn. / 9 1 The UK participation in its preparation was entrusted to Technical Committee IST/33, Information technology — Security Techniques. f o A list of organizations represented on this committee can be obtained on s a request to its secretary. t This publication does not purport to include all the necessary provisions of a c e contract. Users are responsible for its correct application. r r Compliance with a British Standard cannot confer immunity from o legal obligations. c n o i s r e V , g n o K g n o H f o y SI tB i s r e v i n U e h T , g n o K g n o H f o y t i s This British Standard was Amendments issued since publication r published under the authority e of the Standards Policy and v i Strategy Committee Amd. No. Date Comments n on 16 June 2005 U 17310 31 July 2007 Identifier of standard renumbered from e Corrigendum No. 1 (BS) ISO/IEC 17799 to (BS) ISO/IEC 27002 h © BSI 2007 T : y p o c d ISBN 978 0 580 59729 9 e s n e c i L ) c ( , 8 2 BS ISO/IEC 27002:2005 : 2 0 9 INTERNATIONAL ISO/IEC 0 0 2 STANDARD 27002 / 3 0 / 9 1 f Second edition o 2005-06-15 s a t c e r r o c n o si r e V Information technology — Security , g techniques — Code of practice for n o information security management K g n Technologies de l'information — Techniques de sécurité — Code de o H pratique pour la gestion de sécurité d'information f o y SI tB i s r e v i n U e h T , g n o K g n o H f o y t i s r e v i n U e h T : y p o Reference number c ISO/IEC 27002:2005(E) d e s n e c i L ) c ( , 8 2 : 2 0 9 0 0 2 / 3 0 / 9 1 f o s a t c e r r o c n o i s r e V , g n o K g n o H f o y SI tB i s r e v i n U e h T , g n o K g n o H f o y t i s r e v i n U e h T : y p o c d e s n ii e c i L ) c ( , 8 2 BS ISO/IEC 27002:2005 : 2 0 9 0 0 2 Contents Page 3/ 0 / FOREWORD..................................................................................................................................................... VII 9 1 f 0 INTRODUCTION ..................................................................................................................................... VIII o s 0.1 WHAT IS INFORMATION SECURITY?......................................................................................................VIII a 0.2 WHY INFORMATION SECURITY IS NEEDED? .........................................................................................VIII t 0.3 HOW TO ESTABLISH SECURITY REQUIREMENTS ......................................................................................IX ec 0.4 ASSESSING SECURITY RISKS .................................................................................................................... IX r 0.5 SELECTING CONTROLS............................................................................................................................ IX r o 0.6 INFORMATION SECURITY STARTING POINT.............................................................................................. IX c 0.7 CRITICAL SUCCESS FACTORS ................................................................................................................... X n 0.8 DEVELOPING YOUR OWN GUIDELINES ................................................................................................... XI o si 1 SCOPE.............................................................................................................................................................. 1 r e V 2 TERMS AND DEFINITIONS ........................................................................................................................ 1 , g 3 STRUCTURE OF THIS STANDARD........................................................................................................... 4 n o 3.1 CLAUSES ................................................................................................................................................. 4 K 3.2 MAIN SECURITY CATEGORIES.................................................................................................................. 4 g n 4 RISK ASSESSMENT AND TREATMENT.................................................................................................. 5 o H 4.1 ASSESSING SECURITY RISKS .................................................................................................................... 5 4.2 TREATING SECURITY RISKS...................................................................................................................... 5 f o y SI 5 SECURITY POLICY ..................................................................................................................................... 7 itB 5.1 INFORMATION SECURITY POLICY............................................................................................................ 7 s r 5.1.1 Information security policy document ............................................................................................ 7 e 5.1.2 Review of the information security policy....................................................................................... 8 v i n 6 ORGANIZATION OF INFORMATION SECURITY................................................................................ 9 U 6.1 INTERNAL ORGANIZATION....................................................................................................................... 9 e h 6.1.1 Management commitment to information security......................................................................... 9 T 6.1.2 Information security co-ordination............................................................................................... 10 , 6.1.3 Allocation of information security responsibilities....................................................................... 10 g 6.1.4 Authorization process for information processing facilities......................................................... 11 n o 6.1.5 Confidentiality agreements........................................................................................................... 11 K 6.1.6 Contact with authorities ............................................................................................................... 12 g 6.1.7 Contact with special interest groups ............................................................................................12 n 6.1.8 Independent review of information security ................................................................................. 13 o 6.2 EXTERNAL PARTIES ............................................................................................................................... 14 H 6.2.1 Identification of risks related to external parties.......................................................................... 14 f 6.2.2 Addressing security when dealing with customers ....................................................................... 15 o 6.2.3 Addressing security in third party agreements ............................................................................. 16 y it 7 ASSET MANAGEMENT.............................................................................................................................. 19 s er 7.1 RESPONSIBILITY FOR ASSETS................................................................................................................. 19 v 7.1.1 Inventory of assets ........................................................................................................................ 19 i n 7.1.2 Ownership of assets...................................................................................................................... 20 U 7.1.3 Acceptable use of assets................................................................................................................ 20 e 7.2 INFORMATION CLASSIFICATION............................................................................................................. 21 h 7.2.1 Classification guidelines............................................................................................................... 21 T 7.2.2 Information labeling and handling...............................................................................................21 : y 8 HUMAN RESOURCES SECURITY........................................................................................................... 23 p o 8.1 PRIOR TO EMPLOYMENT ........................................................................................................................ 23 c 8.1.1 Roles and responsibilities............................................................................................................. 23 d e s n iii 3 e c i L ) c ( , 8 2 BS ISO/IEC 27002:2005 : 2 0 9 0 8.1.2 Screening ...................................................................................................................................... 23 0 8.1.3 Terms and conditions of employment ........................................................................................... 24 2 8.2 DURING EMPLOYMENT .......................................................................................................................... 25 3/ 8.2.1 Management responsibilities........................................................................................................ 25 0 8.2.2 Information security awareness, education, and training ............................................................ 26 9/ 8.2.3 Disciplinary process..................................................................................................................... 26 1 8.3 TERMINATION OR CHANGE OF EMPLOYMENT......................................................................................... 27 of 8.3.1 Termination responsibilities ......................................................................................................... 27 8.3.2 Return of assets............................................................................................................................. 27 s a 8.3.3 Removal of access rights .............................................................................................................. 28 ct 9 PHYSICAL AND ENVIRONMENTAL SECURITY ................................................................................ 29 e r 9.1 SECURE AREAS ...................................................................................................................................... 29 r o 9.1.1 Physical security perimeter .......................................................................................................... 29 c 9.1.2 Physical entry controls ................................................................................................................. 30 n 9.1.3 Securing offices, rooms, and facilities.......................................................................................... 30 o 9.1.4 Protecting against external and environmental threats................................................................ 31 i s 9.1.5 Working in secure areas............................................................................................................... 31 r e 9.1.6 Public access, delivery, and loading areas................................................................................... 32 V 9.2 EQUIPMENT SECURITY........................................................................................................................... 32 , 9.2.1 Equipment siting and protection................................................................................................... 32 g n 9.2.2 Supporting utilities ....................................................................................................................... 33 o 9.2.3 Cabling security............................................................................................................................ 34 K 9.2.4 Equipment maintenance................................................................................................................ 34 g 9.2.5 Security of equipment off-premises............................................................................................... 35 n 9.2.6 Secure disposal or re-use of equipment........................................................................................ 35 o H 9.2.7 Removal of property ..................................................................................................................... 36 f 10 COMMUNICATIONS AND OPERATIONS MANAGEMENT.............................................................. 37 o y SI 10.1 OPERATIONAL PROCEDURES AND RESPONSIBILITIES ............................................................................. 37 itB 10.1.1 Documented operating procedures............................................................................................... 37 rs 10.1.2 Change management .................................................................................................................... 37 e 10.1.3 Segregation of duties .................................................................................................................... 38 v i 10.1.4 Separation of development, test, and operational facilities.......................................................... 38 n U 10.2 THIRD PARTY SERVICE DELIVERY MANAGEMENT .................................................................................. 39 10.2.1 Service delivery............................................................................................................................. 39 e 10.2.2 Monitoring and review of third party services.............................................................................. 40 h T 10.2.3 Managing changes to third party services.................................................................................... 40 10.3 SYSTEM PLANNING AND ACCEPTANCE................................................................................................... 41 , g 10.3.1 Capacity management .................................................................................................................. 41 n 10.3.2 System acceptance ........................................................................................................................ 41 o K 10.4 PROTECTION AGAINST MALICIOUS AND MOBILE CODE........................................................................... 42 10.4.1 Controls against malicious code................................................................................................... 42 g n 10.4.2 Controls against mobile code ....................................................................................................... 43 o 10.5 BACK-UP ............................................................................................................................................... 44 H 10.5.1 Information back-up ..................................................................................................................... 44 f 10.6 NETWORK SECURITY MANAGEMENT...................................................................................................... 45 o 10.6.1 Network controls........................................................................................................................... 45 y 10.6.2 Security of network services ......................................................................................................... 46 t si 10.7 MEDIA HANDLING ................................................................................................................................. 46 r 10.7.1 Management of removable media................................................................................................. 46 e v 10.7.2 Disposal of media ......................................................................................................................... 47 ni 10.7.3 Information handling procedures.................................................................................................47 U 10.7.4 Security of system documentation................................................................................................. 48 e 10.8 EXCHANGE OF INFORMATION ................................................................................................................ 48 h 10.8.1 Information exchange policies and procedures............................................................................ 49 T 10.8.2 Exchange agreements................................................................................................................... 50 : 10.8.3 Physical media in transit .............................................................................................................. 51 y p 10.8.4 Electronic messaging.................................................................................................................... 52 o 10.8.5 Business information systems ....................................................................................................... 52 c d e s n iv e c i L ) c ( , 8 2 BS ISO/IEC 27002:2005 : 2 0 9 0 0 10.9 ELECTRONIC COMMERCE SERVICES ....................................................................................................... 53 2 10.9.1 Electronic commerce .................................................................................................................... 53 / 3 10.9.2 On-Line Transactions................................................................................................................... 54 0 10.9.3 Publicly available information ..................................................................................................... 55 / 9 10.10 MONITORING..................................................................................................................................... 55 1 10.10.1 Audit logging ............................................................................................................................ 55 of 10.10.2 Monitoring system use.............................................................................................................. 56 s 10.10.3 Protection of log information ...................................................................................................57 a 10.10.4 Administrator and operator logs .............................................................................................. 58 t 10.10.5 Fault logging ............................................................................................................................ 58 c e 10.10.6 Clock synchronization .............................................................................................................. 58 r r 11 ACCESS CONTROL .................................................................................................................................... 60 o c 11.1 BUSINESS REQUIREMENT FOR ACCESS CONTROL ................................................................................... 60 n 11.1.1 Access control policy.................................................................................................................... 60 o i 11.2 USER ACCESS MANAGEMENT................................................................................................................. 61 s r 11.2.1 User registration........................................................................................................................... 61 e 11.2.2 Privilege management .................................................................................................................. 62 V 11.2.3 User password management......................................................................................................... 62 g, 11.2.4 Review of user access rights......................................................................................................... 63 n 11.3 USER RESPONSIBILITIES......................................................................................................................... 63 o 11.3.1 Password use................................................................................................................................ 64 K 11.3.2 Unattended user equipment .......................................................................................................... 64 g 11.3.3 Clear desk and clear screen policy............................................................................................... 65 on 11.4 NETWORK ACCESS CONTROL................................................................................................................. 65 H 11.4.1 Policy on use of network services................................................................................................. 66 11.4.2 User authentication for external connections............................................................................... 66 f o 11.4.3 Equipment identification in networks ........................................................................................... 67 y SI 11.4.4 Remote diagnostic and configuration port protection .................................................................. 67 itB 11.4.5 Segregation in networks ............................................................................................................... 68 s r 11.4.6 Network connection control.......................................................................................................... 68 e 11.4.7 Network routing control ............................................................................................................... 69 v i 11.5 OPERATING SYSTEM ACCESS CONTROL.................................................................................................. 69 n U 11.5.1 Secure log-on procedures............................................................................................................. 69 11.5.2 User identification and authentication ......................................................................................... 70 e 11.5.3 Password management system......................................................................................................71 h T 11.5.4 Use of system utilities ................................................................................................................... 72 11.5.5 Session time-out............................................................................................................................ 72 , g 11.5.6 Limitation of connection time ....................................................................................................... 72 n o 11.6 APPLICATION AND INFORMATION ACCESS CONTROL ............................................................................. 73 K 11.6.1 Information access restriction ...................................................................................................... 73 11.6.2 Sensitive system isolation ............................................................................................................. 74 g n 11.7 MOBILE COMPUTING AND TELEWORKING.............................................................................................. 74 o 11.7.1 Mobile computing and communications....................................................................................... 74 H 11.7.2 Teleworking .................................................................................................................................. 75 f o 12 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE.................. 77 ty 12.1 SECURITY REQUIREMENTS OF INFORMATION SYSTEMS.......................................................................... 77 si 12.1.1 Security requirements analysis and specification......................................................................... 77 er 12.2 CORRECT PROCESSING IN APPLICATIONS ............................................................................................... 78 v 12.2.1 Input data validation..................................................................................................................... 78 ni 12.2.2 Control of internal processing...................................................................................................... 78 U 12.2.3 Message integrity.......................................................................................................................... 79 e 12.2.4 Output data validation.................................................................................................................. 79 h 12.3 CRYPTOGRAPHIC CONTROLS ................................................................................................................. 80 T 12.3.1 Policy on the use of cryptographic controls ................................................................................. 80 y: 12.3.2 Key management........................................................................................................................... 81 p 12.4 SECURITY OF SYSTEM FILES................................................................................................................... 83 o 12.4.1 Control of operational software ................................................................................................... 83 c 12.4.2 Protection of system test data....................................................................................................... 84 d e s n v e c i L ) c ( , 8 2 BS ISO/IEC 27002:2005 : 2 0 9 0 0 12.4.3 Access control to program source code........................................................................................ 84 /2 12.5 SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES ......................................................................... 85 3 12.5.1 Change control procedures .......................................................................................................... 85 0 / 12.5.2 Technical review of applications after operating system changes................................................ 86 9 12.5.3 Restrictions on changes to software packages.............................................................................. 86 1 12.5.4 Information leakage...................................................................................................................... 87 of 12.5.5 Outsourced software development................................................................................................ 87 s 12.6 TECHNICAL VULNERABILITY MANAGEMENT ........................................................................................ 88 a 12.6.1 Control of technical vulnerabilities .............................................................................................. 88 t c 13 INFORMATION SECURITY INCIDENT MANAGEMENT ................................................................. 90 e rr 13.1 REPORTING INFORMATION SECURITY EVENTS AND WEAKNESSES.......................................................... 90 o 13.1.1 Reporting information security events.......................................................................................... 90 c 13.1.2 Reporting security weaknesses ..................................................................................................... 91 n 13.2 MANAGEMENT OF INFORMATION SECURITY INCIDENTS AND IMPROVEMENTS ....................................... 91 o i 13.2.1 Responsibilities and procedures................................................................................................... 92 s r 13.2.2 Learning from information security incidents .............................................................................. 93 e 13.2.3 Collection of evidence................................................................................................................... 93 V , 14 BUSINESS CONTINUITY MANAGEMENT ............................................................................................ 95 g n 14.1 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT ........................................ 95 o 14.1.1 Including information security in the business continuity management process.......................... 95 K 14.1.2 Business continuity and risk assessment....................................................................................... 96 g 14.1.3 Developing and implementing continuity plans including information security .......................... 96 n o 14.1.4 Business continuity planning framework...................................................................................... 97 H 14.1.5 Testing, maintaining and re-assessing business continuity plans................................................. 98 of 15 COMPLIANCE........................................................................................................................................... 100 y SI 15.1 COMPLIANCE WITH LEGAL REQUIREMENTS ......................................................................................... 100 itB 15.1.1 Identification of applicable legislation....................................................................................... 100 s r 15.1.2 Intellectual property rights (IPR) ............................................................................................... 100 e v 15.1.3 Protection of organizational records.......................................................................................... 101 ni 15.1.4 Data protection and privacy of personal information ................................................................ 102 U 15.1.5 Prevention of misuse of information processing facilities.......................................................... 102 15.1.6 Regulation of cryptographic controls......................................................................................... 103 e h 15.2 COMPLIANCE WITH SECURITY POLICIES AND STANDARDS, AND TECHNICAL COMPLIANCE ................... 103 T 15.2.1 Compliance with security policies and standards....................................................................... 104 , 15.2.2 Technical compliance checking.................................................................................................. 104 g 15.3 INFORMATION SYSTEMS AUDIT CONSIDERATIONS ............................................................................... 105 n o 15.3.1 Information systems audit controls............................................................................................. 105 K 15.3.2 Protection of information systems audit tools ............................................................................ 105 g BIBLIOGRAPHY.............................................................................................................................................. 107 n o H INDEX................................................................................................................................................................ 108 f o y t i s r e v i n U e h T : y p o c d e s n vi e c i L ) c ( , 8 2 BS ISO/IEC 27002:2005 : 2 0 9 0 0 2 / 3 0 / 9 1 Foreword f o s ISO (the International Organization for Standardization) and IEC (the International Electrotechnical a Commission) form the specialized system for worldwide standardization. National bodies that are t c members of ISO or IEC participate in the development of International Standards through technical e r committees established by the respective organization to deal with particular fields of technical r o activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international c organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the n work. In the field of information technology, ISO and IEC have established a joint technical o i committee, ISO/IEC JTC 1. s r e V International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. , g n o The main task of the joint technical committee is to prepare International Standards. Draft K International Standards adopted by the joint technical committee are circulated to national bodies for g voting. Publication as an International Standard requires approval by at least 75 % of the national n bodies casting a vote. o H Attention is drawn to the possibility that some of the elements of this document may be the subject of f o patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. y SI tB si ISO/IEC 27002 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, er Subcommittee SC 27, IT Security techniques. v i n This second edition cancels and replaces the first edition (ISO/IEC 17799:2000), which has been U technically revised. e h A family of Information Security Management System (ISMS) International Standards is being T developed within ISO/IEC JTC 1/SC 27. The family includes International Standards on information , g security management system requirements, risk management, metrics and measurement, and n o implementation guidance. This family will adopt a numbering scheme using the series of numbers K 27000 et seq. g n From 2007, it is proposed to incorporate the new edition of ISO/IEC 17799 into this new numbering o H scheme as ISO/IEC 27002. f o y t i s r e v i n U e h T : y p o c d e s n vii e c i L ) c ( , 8 2 BS ISO/IEC 27002:2005 : 2 0 9 0 0 0 Introduction 2 / 3 0 0.1 What is information security? / 9 1 Information is an asset that, like other important business assets, is essential to an organization’s f business and consequently needs to be suitably protected. This is especially important in the o increasingly interconnected business environment. As a result of this increasing interconnectivity, s a information is now exposed to a growing number and a wider variety of threats and vulnerabilities (see also OECD Guidelines for the Security of Information Systems and Networks). t c e r Information can exist in many forms. It can be printed or written on paper, stored electronically, r o transmitted by post or by using electronic means, shown on films, or spoken in conversation. c Whatever form the information takes, or means by which it is shared or stored, it should always be n o appropriately protected. si er Information security is the protection of information from a wide range of threats in order to ensure V business continuity, minimize business risk, and maximize return on investments and business , opportunities. g n o Information security is achieved by implementing a suitable set of controls, including policies, K processes, procedures, organizational structures and software and hardware functions. These controls g need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure n that the specific security and business objectives of the organization are met. This should be done in o H conjunction with other business management processes. f o y SI 0.2 Why information security is needed? itB Information and the supporting processes, systems, and networks are important business assets. s r Defining, achieving, maintaining, and improving information security may be essential to maintain e v competitive edge, cash flow, profitability, legal compliance, and commercial image. ni U Organizations and their information systems and networks are faced with security threats from a wide e range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire or flood. h Causes of damage such as malicious code, computer hacking, and denial of service attacks have T become more common, more ambitious, and increasingly sophisticated. , g n Information security is important to both public and private sector businesses, and to protect critical o K infrastructures. In both sectors, information security will function as an enabler, e.g. to achieve e- government or e-business, and to avoid or reduce relevant risks. The interconnection of public and g n private networks and the sharing of information resources increase the difficulty of achieving access o control. The trend to distributed computing has also weakened the effectiveness of central, specialist H control. f o y Many information systems have not been designed to be secure. The security that can be achieved t i through technical means is limited, and should be supported by appropriate management and s r procedures. Identifying which controls should be in place requires careful planning and attention to e v detail. Information security management requires, as a minimum, participation by all employees in the i n organization. It may also require participation from shareholders, suppliers, third parties, customers or U other external parties. Specialist advice from outside organizations may also be needed. e h T : y p o c d e s n viii e c i L

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.