Information Security Operating Procedures
January 07

Responsible: Jussi Rautpalo
Name: XXX Information Security Operating Procedures 2.4
Date: January 18, 2007
Type: Standard

XXX Information Security Operating Procedures

CONTENTS: This document describes mandatory information security operating procedures for Information Management (IM), Risk Management, HR, line managers and the Security organization in XXX SE.

TABLE OF CONTENTS

1. PURPOSE .... 4
2. SCOPE AND CONTENT .... 5
3. TERMS AND DEFINITIONS .... 6
4. SECURITY POLICY AND DOCUMENTATION .... 7
5. SECURITY ORGANIZATION AND RESPONSIBILITIES .... 7
5.1 Information Security organization .... 7
6. SECURITY OF OUTSOURCING AND THIRD PARTY ACCESS .... 10
6.1 Management of external services relating to data systems .... 10
7. ASSETS CLASSIFICATION AND CONTROL .... 11
8. SECURITY GUIDELINES FOR INFORMATION SYSTEM USERS .... 11
9. PERSONNEL SECURITY .... 11
9.1 Confidentiality agreement and background checks .... 11
9.2 Personnel training .... 12
9.3 Reporting information security incidents and weaknesses .... 12
9.4 Disciplinary procedure .... 12
9.5 The end of the employment .... 13
9.6 Control of personnel information .... 13
10. PHYSICAL AND ENVIRONMENTAL SECURITY .... 13
10.1 Physical entry controls to the buildings .... 13
10.2 Secure areas .... 14
11. IT SERVICE AND NETWORK MANAGEMENT .... 17
11.1 Instructions and obligations relating to information system management .... 17
11.2 Virus protection .... 18
11.3 Data backup and recovery .... 19
11.4 Network security management .... 19
11.5 External connections .... 21
11.6 Disposal of media .... 23
11.7 E-mail and Internet use .... 24
11.8 Segregation of duties .... 24
11.9 Electronic business security .... 25
11.10 Software and tools licensing .... 25
11.11 Un-authorized Network Usage .... 26
11.12 General instructions for using Bluetooth .... 26
12. ACCESS CONTROL .... 26
12.1 Business requirements for access control .... 26
12.2 Administration of user rights .... 27
12.3 Granting user rights .... 27
12.4 Withdrawing user rights .... 27
12.5 Privileged users .... 28
12.6 Review of user rights .... 28
12.7 Giving guidance to the users and procedures when the password is forgotten .... 28
13. APPLICATION CONTROL AND SYSTEMS DEVELOPMENT .... 29
13.1 Logging of events .... 29
13.2 Analysis and specification of security requirements in systems .... 29
13.3 Development, test and production environment protection .... 29
13.4 Control of software in use .... 30
13.5 Information encryption in new systems .... 30
14. RISK MANAGEMENT .... 30
14.1 Assets .... 30
14.2 Asset values (and potential impacts) .... 31
14.3 Threats .... 31
14.4 Vulnerabilities .... 31
14.5 Security risk .... 31
14.6 Security requirements, controls and implementation plan .... 32
15. IT SERVICE CONTINUITY MANAGEMENT .... 32
15.1 IT Service Continuity Management process .... 32
16. COMPLIANCE .... 36
16.1 Compliance with legal requirements .... 36
16.2 Compliance with standards .... 37
16.3 System audit considerations .... 37
17. REFERENCES .... 37
APPENDIX 1: Additional security requirements for Product Development Services and New Product Introduction Services (formerly regulated by Extended ISOP) .... 38
APPENDIX 2: CLIENT SPECIFIC REQUIREMENTS .... 39
An example for Ericsson specific procedures .... 39

1. PURPOSE

This Information Security Operating Procedure document gives detailed operating principles and guidelines for information security in XXX SE. The intended audience for this document is Information Management, the security organization and all managers (including Risk Management and Human Resources) in XXX.

What is information security?

Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities.

Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by electronic means, shown on film, or spoken in conversation. Whatever form information takes, and whatever means are used to share or store it, it should always be appropriately protected.

Information security is characterized here as the preservation of:

a) Confidentiality: ensuring that information is accessible only to those authorized to have access.
b) Integrity: safeguarding the accuracy and completeness of information and processing methods.
c) Availability: ensuring that authorized users have access to information and associated assets when required.
d) Non-repudiability: ensuring that no one can credibly claim that information was forged.

Information security is achieved by implementing a suitable set of controls, which may be, for example, policies, practices, procedures, organizational structures and software functions. This document describes the mandatory security controls implemented in XXX.

In XXX the most important information security objectives are the availability and integrity of information. The focus of security control development is therefore always in these a