BS7799Part1.docx

BS7799Part1.docx

《BS7799Part1.docx》由会员分享，可在线阅读，更多相关《BS7799Part1.docx（124页珍藏版）》请在冰豆网上搜索。

BS7799Part1

InformationSecurity

Management

BS7799-1:

1999

Part1:

Codeofpracticeforinformation

securitymanagement

Foreword

ThispartofBS7799hasbeenpreparedunderthesupervisionoftheBSI/DISCcommitteeBDD/2,Informationsecuritymanagement.ItsupersedesBS7799:

1995,whichiswithdrawn.

BS7799isissuedintwoparts:

∙Part1:

Codeofpracticeforinformationsecuritymanagement;

∙Part2:

Specificationforinformationsecuritymanagementsystems.

BS7799-1wasfirstissuedin1995toprovideacomprehensivesetofcontrolscomprisingbestpracticesininformationsecurity.Itisintendedtoserveasasinglereferencepointforidentifyingtherangeofcontrolsneededformostsituationswhereinformationsystemsareusedinindustryandcommerce,andtobeusedbylarge,mediumandsmallorganizations.

Thetermorganizationisusedthroughoutthisstandardtomeanbothprofitandnon-profitmakingorganizationssuchaspublicsectororganizations.

The1999revisiontakesintoaccountrecentdevelopmentsintheapplicationofinformationprocessingtechnology,particularlyintheareaofnetworksandcommunications.Italsogivesgreateremphasistobusinessinvolvementinandresponsibilityforinformationsecurity.

Notallofthecontrolsdescribedinthisdocumentwillberelevanttoeverysituation.Itcannottakeaccountoflocalsystem,environmentalortechnologicalconstraints.Itmaynotbeinaformthatsuitseverypotentialuserinanorganization.Consequentlythedocumentmayneedtobesupplementedbyfurtherguidance.Itcanbeusedasabasisfromwhich,forexample,acorporatepolicyoraninter-companytradingagreementcanbedeveloped.

Asacodeofpractice,thisBritishStandardtakestheformofguidanceandrecommendations.Itshouldnotbequotedasifitwereaspecification,andparticularcareshouldbetakentoensurethatclaimsofcompliancearenotmisleading.

Ithasbeenassumedinthedraftingofthisstandardthattheexecutionofitsprovisionsisentrustedtoappropriatelyqualifiedandexperiencedpeople.AnnexAisinformativeandcontainsatableshowingtherelationshipbetweenthesectionsofthe1995editionandtheclausesofthe1999edition.ABritishStandarddoesnotpurporttoincludeallthenecessaryprovisionsofacontract.UsersofBritishStandardsareresponsiblefortheircorrectapplication.

CompliancewithaBritishStandarddoesnotofitselfconferimmunityfromlegalobligations.

Whatisinformationsecurity?

Informationisanassetwhich,likeotherimportantbusinessassets,hasvaluetoanorganizationandconsequentlyneedstobesuitablyprotected.Informationsecurityprotectsinformationfromawiderangeofthreatsinordertoensurebusinesscontinuity,minimizebusinessdamageandmaximizereturnoninvestmentsandbusinessopportunities.Informationcanexistinmanyforms.Itcanbeprintedorwrittenonpaper,storedelectronically,transmittedbypostorusingelectronicmeans,shownonfilms,orspokeninconversation.Whateverformtheinformationtakes,ormeansbywhichitissharedorstored,itshouldalwaysbeappropriatelyprotected.

Informationsecurityischaracterizedhereasthepreservationof:

a）Confidentiality:

ensuringthatinformationisaccessibleonlytothoseauthorizedtohaveaccess;

b）Integrity:

safeguardingtheaccuracyandcompletenessofinformationandprocessingmethods;

c）Availability:

ensuringthatauthorizedusershaveaccesstoinformationandassociatedassetswhenrequired.

Informationsecurityisachievedbyimplementingasuitablesetofcontrols,whichcouldbepolicies,practices,procedures,organizationalstructuresandsoftwarefunctions.Thesecontrolsneedtobeestablishedtoensurethatthespecificsecurityobjectivesoftheorganizationaremet.

Whyinformationsecurityisneeded

Informationandthesupportingprocesses,systemsandnetworksareimportantbusinessassets.Confidentiality,integrityandavailabilityofinformationmaybeessentialtomaintaincompetitiveedge,cash-flow,profitability,legalcomplianceandcommercialimage.

Increasingly,organizationsandtheirinformationsystemsandnetworksarefacedwithsecuritythreatsfromawiderangeofsources,includingcomputer-assistedfraud,espionage,sabotage,vandalism,fireorflood.Sourcesofdamagesuchascomputerviruses,computerhackinganddenialofserviceattackshavebecomemorecommon,moreambitiousandincreasinglysophisticated.Dependenceoninformationsystemsandservicesmeansorganizationsaremorevulnerabletosecuritythreats.Theinterconnectingofpublicandprivatenetworksandsharingofinformationresourcesincreasesthedifficultyofachievingaccesscontrol.Thetrendtodistributedcomputinghasweakenedtheeffectivenessofcentral,specialistcontrol.Manyinformationsystemshavenotbeendesignedtobesecure.Thesecuritythatcanbeachievedthroughtechnicalmeansislimited,andshouldbesupportedbyappropriatemanagementandprocedures.Identifyingwhichcontrolsshouldbeinplacerequirescarefulplanningandattentiontodetail.

Informationsecuritymanagementneeds,asaminimum,participationbyallemployeesintheorganization.Itmayalsorequireparticipationfromsuppliers,customersorshareholders.Specialistadvicefromoutsideorganizationsmayalsobeneeded.

Informationsecuritycontrolsareconsiderablycheaperandmoreeffectiveifincorporatedattherequirementsspecificationanddesignstage.

Howtoestablishsecurityrequirements

Itisessentialthatanorganizationidentifiesitssecurityrequirements.Therearethreemainsources.Thefirstsourceisderivedfromassessingriskstotheorganization.Throughriskassessmentthreatstoassetsareidentified,vulnerabilitytoandlikelihoodofoccurrenceisevaluatedandpotentialimpactisestimated.

Thesecondsourceisthelegal,statutory,regulatoryandcontractualrequirementsthatanorganization,itstradingpartners,contractorsandserviceprovidershavetosatisfy.

Thethirdsourceistheparticularsetofprinciples,objectivesandrequirementsforinformationprocessingthatanorganizationhasdevelopedtosupportitsoperations.

Assessingsecurityrisks

Securityrequirementsareidentifiedbyamethodicalassessmentofsecurityrisks.Expenditureoncontrolsneedstobebalancedagainstthebusinessharmlikelytoresultfromsecurityfailures.Riskassessmenttechniquescanbeappliedtothewholeorganization,oronlypartsofit,aswellastoindividualinformationsystems,specificsystemcomponentsorserviceswherethisispracticable,realisticandhelpful.

Riskassessmentissystematicconsiderationof:

a）Thebusinessharmlikelytoresultfromasecurityfailure,takingintoaccountthepotentialconsequencesofalossofconfidentiality,integrityoravailabilityoftheinformationandotherassets;

b）Therealisticlikelihoodofsuchafailureoccurringinthelightofprevailingthreatsandvulnerabilities,andthecontrolscurrentlyimplemented.

Theresultsofthisassessmentwillhelpguideanddeterminetheappropriatemanagementactionandprioritiesformanaginginformationsecurityrisks,andforimplementingcontrolsselectedtoprotectagainsttheserisks.Theprocessofassessingrisksandselectingcontrolsmayneedtobeperformedanumberoftimestocoverdifferentpartsoftheorganizationorindividualinformationsystems.

Itisimportanttocarryoutperiodicreviewsofsecurityrisksandimplementedcontrolsto:

a）Takeaccountofchangestobusinessrequirementsandpriorities;

b）Considernewthreatsandvulnerabilities;

c）Confirmthatcontrolsremaineffectiveandappropriate.

Reviewsshouldbeperformedatdifferentlevelsofdepthdependingontheresultsofpreviousassessmentsandthechanginglevelsofriskthatmanagementispreparedtoaccept.Riskassessmentsareoftencarriedoutfirstatahighlevel,asameansofprioritizingresourcesinareasofhighrisk,andthenatamoredetailedlevel,toaddressspecificrisks.

Selectingcontrols

Oncesecurityrequirementshavebeenidentified,controlsshouldbeselectedandimplementedtoensurerisksarereducedtoanacceptablelevel.Controlscanbeselectedfromthisdocumentorfromothercontrolsets,ornewcontrolscanbedesignedtomeetspecificneedsasappropriate.Therearemanydifferentwaysofmanagingrisksandthisdocumentprovidesexamplesofcommonapproaches.However,itisnecessarytorecognizethatsomeofthecontrolsarenotapplicabletoeveryinformationsystemorenvironment,andmightnotbepracticableforallorganizations.Asanexample,8.1.4describeshowdutiesmaybesegregatedtopreventfraudanderror.Itmaynotbepossibleforsmallerorganizationstosegregatealldutiesandotherwaysofachievingthesamecontrolobjectivemaybenecessary.

Controlsshouldbeselectedbasedonthecostofimplementationinrelationtotherisksbeingreducedandthepotentiallossesifasecuritybreachoccurs.Non-monetaryfactorssuchaslossofreputationshouldalsobetakenintoaccount.Someofthecontrolsinthisdocumentcanbeconsideredasguidingprinciplesforinformationsecuritymanagementandapplicableformostorganizations.TheyareexplainedinmoredetailbelowundertheheadingªInformationsecuritystartingpointº.

Informationsecuritystartingpoint

Anumberofcontrolscanbeconsideredasguidingprinciplesprovidingagoodstartingpointforimplementinginformationsecurity.Theyareeitherbasedonessentiallegislativerequirementsorconsideredtobecommonbestpracticeforinformationsecurity.

Controlsconsideredtobeessentialtoanorganizationfromalegislativepointofviewinclude:

a）intellectualpropertyrights（see12.1.2）;

b）safeguardingoforganizationalr