BS7799Part1.docx

Information Security Management
BS 7799-1:1999
Part 1: Code of practice for information security management

Foreword

This part of BS 7799 has been prepared under the supervision of the BSI/DISC committee BDD/2, Information security management. It supersedes BS 7799:1995, which is withdrawn.

BS 7799 is issued in two parts:
Part 1: Code of practice for information security management;
Part 2: Specification for information security management systems.

BS 7799-1 was first issued in 1995 to provide a comprehensive set of controls comprising best practices in information security. It is intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce, and to be used by large, medium and small organizations. The term organization is used throughout this standard to mean both profit and non-profit making organizations such as public sector organizations.

The 1999 revision takes into account recent developments in the application of information processing technology, particularly in the area of networks and communications. It also gives greater emphasis to business involvement in and responsibility for information security.

Not all of the controls described in this document will be relevant to every situation. It cannot take account of local system, environmental or technological constraints. It may not be in a form that suits every potential user in an organization. Consequently the document may need to be supplemented by further guidance. It can be used as a basis from which, for example, a corporate policy or an inter-company trading agreement can be developed.

As a code of practice, this British Standard takes the form of guidance and recommendations. It should not be quoted as if it were a specification, and particular care should be taken to ensure that claims of compliance are not misleading.

It has been assumed in the drafting of this standard that the execution of its provisions is entrusted to appropriately qualified and experienced people.

Annex A is informative and contains a table showing the relationship between the sections of the 1995 edition and the clauses of the 1999 edition.

A British Standard does not purport to include all the necessary provisions of a contract. Users of British Standards are responsible for their correct application.

Compliance with a British Standard does not of itself confer immunity from legal obligations.

What is information security?

Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities.

Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected.

Information security is characterized here as the preservation of:
a) Confidentiality: ensuring that information is accessible only to those authorized to have access;
b) Integrity: safeguarding the accuracy and completeness of information and processing methods;
c) Availability: ensuring that authorized users have access to information and associated assets when required.

Information security is achieved by implementing a suitable set of controls, which could be policies, practices, procedures, organizational structures and software functions. These controls need to be established to ensure that the specific security objectives of the organization are met.

Why information security is needed

Information and the supporting processes, systems and networks are important business assets. Confidentiality, integrity and availability of information may be essential to maintain competitive edge, cash-flow, profitability, legal compliance and commercial image.

Increasingly, organizations and their information systems and networks are faced with security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire or flood. Sources of damage such as computer viruses, computer hacking and denial of service attacks have become more common, more ambitious and increasingly sophisticated.

Dependence on information systems and services means organizations are more vulnerable to security threats. The interconnecting of public and private networks and sharing of information resources increases the difficulty of achieving access control. The trend to distributed computing has weakened the effectiveness of central, specialist control.

Many information systems have not been designed to be secure. The security that can be achieved through technical means is limited, and should be supported by appropriate management and procedures. Identifying which controls should be in place requires careful planning and attention to detail. Information security management needs, as a minimum, participation by all employees in the organization. It may also require participation from suppliers, customers or shareholders. Specialist advice from outside organizations may also be needed.

Information security controls are considerably cheaper and more effective if incorporated at the requirements specification and design stage.

How to establish security requirements

It is essential that an organization identifies its security requirements. There are three main sources.

The first source is derived from assessing risks to the organization. Through risk assessment threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is estimated.

The second source is the legal, statutory, regulatory and contractual requirements that an organization, its trading partners, contractors and service providers have to satisfy.

The third source is the particular set of principles, objectives and requirements for information processing that an organization has developed to support its operations.

Assessing security risks

Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the business harm likely to result from security failures. Risk assessment techniques can be applied to the whole organization, or only parts of it, as well as to individual information systems, specific system components or services where this is practicable, realistic and helpful.

Risk assessment is systematic consideration of:
a) The business harm likely to result from a security failure, taking into account the potential consequences of a loss of confidentiality, integrity or availability of the information and other assets;
b) The realistic likelihood of such a failure occurring in the light of prevailing threats and vulnerabilities, and the controls currently implemented.

The results of this assessment will help guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against these risks. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems.

It is important to carry out periodic reviews of security risks and implemented controls to:
a) Take account of changes to business requirements and priorities;
b) Consider new threats and vulnerabilities;
c) Confirm that controls remain effective and appropriate.

Reviews should be performed at different levels of depth depending on the results of previous assessments and the changing levels of risk that management is prepared to accept. Risk assessments are often carried out first at a high level, as a means of prioritizing resources in areas of high risk, and then at a more detailed level, to address specific risks.

Selecting controls

Once security requirements have been identified, controls should be selected and implemented to ensure risks are reduced to an acceptable level. Controls can be selected from this document or from other control sets, or new controls can be designed to meet specific needs as appropriate. There are many different ways of managing risks and this document provides examples of common approaches. However, it is necessary to recognize that some of the controls are not applicable to every information system or environment, and might not be practicable for all organizations. As an example, 8.1.4 describes how duties may be segregated to prevent fraud and error. It may not be possible for smaller organizations to segregate all duties and other ways of achieving the same control objective may be necessary.

Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Non-monetary factors such as loss of reputation should also be taken into account.

Some of the controls in this document can be considered as guiding principles for information security management and applicable for most organizations. They are explained in more detail below under the heading Information security starting point.

Information security starting point

A number of controls can be considered as guiding principles providing a good starting point for implementing information security. They are either based on essential legislative requirements or considered to be common best practice for information security.

Controls considered to be essential to an organization from a legislative point of view include:
a) intellectual property rights (see 12.1.2);
b) safeguarding of organizational r
