Information Security Control Procedures (Information Security Operating Procedures, January 07), Word document (.docx)
XXX Information Security Operating Procedures
CONTENTS:
This document describes mandatory information security operating procedures for Information Management (IM), Risk Management, HR, line managers and the Security organization in XXX SE.
TABLE OF CONTENTS
1. PURPOSE
2. SCOPE AND CONTENT
3. TERMS AND DEFINITIONS
4. SECURITY POLICY AND DOCUMENTATION
5. SECURITY ORGANIZATION AND RESPONSIBILITIES
5.1 Information Security organization
6. SECURITY OF OUTSOURCING AND THIRD PARTY ACCESS
6.1 Management of external services relating to data systems
7. ASSETS CLASSIFICATION AND CONTROL
8. SECURITY GUIDELINES FOR INFORMATION SYSTEM USERS
9. PERSONNEL SECURITY
9.1 Confidentiality agreement and background checks
9.2 Personnel training
9.3 Reporting information security incidents and weaknesses
9.4 Disciplinary procedure
9.5 The end of the employment
9.6 Control of personnel information
10. PHYSICAL AND ENVIRONMENTAL SECURITY
10.1 Physical entry controls to the buildings
10.2 Secure areas
11. IT SERVICE AND NETWORK MANAGEMENT
11.1 Instructions and obligations relating to information system management
11.2 Virus protection
11.3 Data backup and recovery
11.4 Network security management
11.5 External connections
11.6 Disposal of media
11.7 E-mail and Internet use
11.8 Segregation of duties
11.9 Electronic business security
11.10 Software and tools licensing
11.11 Un-authorized Network Usage
11.12 General instructions for using Bluetooth
12. ACCESS CONTROL
12.1 Business requirements for access control
12.2 Administration of user rights
12.3 Granting user rights
12.4 Withdrawing user rights
12.5 Privileged users
12.6 Review of user rights
12.7 Giving guidance to the users and procedures when the password is forgotten
13. APPLICATION CONTROL AND SYSTEMS DEVELOPMENT
13.1 Logging of events
13.2 Analysis and specification of security requirement in systems
13.3 Development, test and production environment protection
13.4 Control of software in use
13.5 Information encryption in new systems
14. RISK MANAGEMENT
14.1 Assets
14.2 Asset values (and potential impacts)
14.3 Threats
14.4 Vulnerabilities
14.5 Security risk
14.6 Security requirements, controls and implementation plan
15. IT SERVICE CONTINUITY MANAGEMENT
15.1 IT Service Continuity Management process
16. COMPLIANCE
16.1 Compliance with legal requirements
16.2 Compliance with standards
16.3 System audit considerations
17. REFERENCES
APPENDIX 1:
Additional security requirements for Product Development Services and New Product Introduction Services (formerly regulated by Extended ISOP)
APPENDIX 2:
CLIENT SPECIFIC REQUIREMENTS
An example for Ericsson specific procedures
1. PURPOSE
This Information Security Operating Procedure document gives detailed operating principles and guidelines for information security in XXX SE. The intended audience for this document is Information Management, the security organization and all managers (including Risk Management and Human Resources) in XXX.
What is information security?
Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities. Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversations. Whatever form information takes, or means by which it is shared or stored, it should always be appropriately protected. Information security is characterized here as the preservation of:
a) Confidentiality: ensuring that information is accessible only to those authorized to have access.
b) Integrity: safeguarding the accuracy and completeness of information and processing methods.
c) Availability: ensuring that authorized users have access to information and associated assets when required.
d) Non-repudiability: obstacles to credible claims of information forging.
Information security is achieved by implementing a suitable set of controls, which could be e.g. policies, practices, procedures, organizational structures and software functions. This document describes the mandatory security controls implemented in XXX.
In XXX the most important information security objectives are availability and integrity of information. The focus of security control development is therefore always in these a