BS 7799 Part 1
Information Security Management
BS 7799-1:1999
Part 1: Code of practice for information security management
Foreword
This part of BS 7799 has been prepared under the supervision of the BSI/DISC committee BDD/2, Information security management. It supersedes BS 7799:1995, which is withdrawn.
BS 7799 is issued in two parts:
∙ Part 1: Code of practice for information security management;
∙ Part 2: Specification for information security management systems.
BS 7799-1 was first issued in 1995 to provide a comprehensive set of controls comprising best practices in information security. It is intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce, and to be used by large, medium and small organizations.
The term organization is used throughout this standard to mean both profit and non-profit making organizations such as public sector organizations.
The 1999 revision takes into account recent developments in the application of information processing technology, particularly in the area of networks and communications. It also gives greater emphasis to business involvement in and responsibility for information security.
Not all of the controls described in this document will be relevant to every situation. It cannot take account of local system, environmental or technological constraints. It may not be in a form that suits every potential user in an organization. Consequently the document may need to be supplemented by further guidance. It can be used as a basis from which, for example, a corporate policy or an inter-company trading agreement can be developed.
As a code of practice, this British Standard takes the form of guidance and recommendations. It should not be quoted as if it were a specification, and particular care should be taken to ensure that claims of compliance are not misleading.
It has been assumed in the drafting of this standard that the execution of its provisions is entrusted to appropriately qualified and experienced people. Annex A is informative and contains a table showing the relationship between the sections of the 1995 edition and the clauses of the 1999 edition. A British Standard does not purport to include all the necessary provisions of a contract. Users of British Standards are responsible for their correct application.
Compliance with a British Standard does not of itself confer immunity from legal obligations.
What is information security?
Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities. Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected.
Information security is characterized here as the preservation of:
a) Confidentiality: ensuring that information is accessible only to those authorized to have access;
b) Integrity: safeguarding the accuracy and completeness of information and processing methods;
c) Availability: ensuring that authorized users have access to information and associated assets when required.
Information security is achieved by implementing a suitable set of controls, which could be policies, practices, procedures, organizational structures and software functions. These controls need to be established to ensure that the specific security objectives of the organization are met.
Why information security is needed
Information and the supporting processes, systems and networks are important business assets. Confidentiality, integrity and availability of information may be essential to maintain competitive edge, cash-flow, profitability, legal compliance and commercial image.
Increasingly, organizations and their information systems and networks are faced with security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire or flood. Sources of damage such as computer viruses, computer hacking and denial of service attacks have become more common, more ambitious and increasingly sophisticated. Dependence on information systems and services means organizations are more vulnerable to security threats. The interconnecting of public and private networks and sharing of information resources increases the difficulty of achieving access control. The trend to distributed computing has weakened the effectiveness of central, specialist control. Many information systems have not been designed to be secure. The security that can be achieved through technical means is limited, and should be supported by appropriate management and procedures. Identifying which controls should be in place requires careful planning and attention to detail.
Information security management needs, as a minimum, participation by all employees in the organization. It may also require participation from suppliers, customers or shareholders. Specialist advice from outside organizations may also be needed.
Information security controls are considerably cheaper and more effective if incorporated at the requirements specification and design stage.
How to establish security requirements
It is essential that an organization identifies its security requirements. There are three main sources. The first source is derived from assessing risks to the organization. Through risk assessment threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is estimated.
The second source is the legal, statutory, regulatory and contractual requirements that an organization, its trading partners, contractors and service providers have to satisfy.
The third source is the particular set of principles, objectives and requirements for information processing that an organization has developed to support its operations.
Assessing security risks
Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the business harm likely to result from security failures. Risk assessment techniques can be applied to the whole organization, or only parts of it, as well as to individual information systems, specific system components or services where this is practicable, realistic and helpful.
Risk assessment is systematic consideration of:
a) The business harm likely to result from a security failure, taking into account the potential consequences of a loss of confidentiality, integrity or availability of the information and other assets;
b) The realistic likelihood of such a failure occurring in the light of prevailing threats and vulnerabilities, and the controls currently implemented.
The results of this assessment will help guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against these risks. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems.
It is important to carry out periodic reviews of security risks and implemented controls to:
a) Take account of changes to business requirements and priorities;
b) Consider new threats and vulnerabilities;
c) Confirm that controls remain effective and appropriate.
Reviews should be performed at different levels of depth depending on the results of previous assessments and the changing levels of risk that management is prepared to accept. Risk assessments are often carried out first at a high level, as a means of prioritizing resources in areas of high risk, and then at a more detailed level, to address specific risks.
Selecting controls
Once security requirements have been identified, controls should be selected and implemented to ensure risks are reduced to an acceptable level. Controls can be selected from this document or from other control sets, or new controls can be designed to meet specific needs as appropriate. There are many different ways of managing risks and this document provides examples of common approaches. However, it is necessary to recognize that some of the controls are not applicable to every information system or environment, and might not be practicable for all organizations. As an example, 8.1.4 describes how duties may be segregated to prevent fraud and error. It may not be possible for smaller organizations to segregate all duties and other ways of achieving the same control objective may be necessary.
Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Non-monetary factors such as loss of reputation should also be taken into account. Some of the controls in this document can be considered as guiding principles for information security management and applicable for most organizations. They are explained in more detail below under the heading "Information security starting point".
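The risk assessment described under "Assessing security risks" (harm and likelihood considered together, with the controls already in place) and the cost-based selection described under "Selecting controls" can be made concrete in a small risk register. The following Python is an added worked example and is not part of BS 7799; the standard prescribes no scoring method. The 1 to 5 harm and likelihood scales, the rule that a control is bought when it gives the most reduction of unacceptable risk per unit of cost, the sample register, the control catalogue and the budget are all constructed assumptions for this illustration.

```python
"""Risk register with greedy, cost-based control selection.

Added example in the spirit of BS 7799-1 'Assessing security risks' and
'Selecting controls'. Scales, catalogue and sample data are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    harm: int        # business harm if C, I or A is lost: 1 negligible .. 5 severe (assumed scale)
    likelihood: int  # realistic likelihood given threats, vulnerabilities and current controls: 1..5

    @property
    def level(self) -> int:
        # Risk level is the product of harm and likelihood (1..25 on the assumed scales).
        return self.harm * self.likelihood


@dataclass(frozen=True)
class Control:
    name: str
    cost: float                  # implementation cost in constructed currency units
    likelihood_reduction: int    # points of likelihood the control removes (assumption)
    harm_reduction: int = 0      # points of harm the control removes (assumption)
    applicable_to: Tuple[str, ...] = ()  # threats this control actually addresses


def apply_control(risk: Risk, control: Control) -> Risk:
    """Residual risk once the control is in place; a score never drops below 1."""
    if risk.threat not in control.applicable_to:
        return risk
    return Risk(risk.asset, risk.threat,
                max(1, risk.harm - control.harm_reduction),
                max(1, risk.likelihood - control.likelihood_reduction))


def prioritize(register: List[Risk]) -> List[Risk]:
    """High-level pass: order the register so attention goes to the highest risk first."""
    return sorted(register, key=lambda r: (-r.level, r.asset, r.threat))


def unacceptable(register: List[Risk], acceptable_level: int) -> List[Risk]:
    """Risks still above the level management is prepared to accept."""
    return [r for r in register if r.level > acceptable_level]


def select_controls(register: List[Risk], catalogue: List[Control],
                    acceptable_level: int, budget: float):
    """Repeatedly choose the affordable control that removes the most *unacceptable*
    risk per unit of cost, until every risk is acceptable, the budget is spent, or
    no remaining control helps. Returns (chosen names, residual register, spend)."""
    residual = list(register)
    chosen: List[str] = []
    remaining = list(catalogue)
    spend = 0.0
    while unacceptable(residual, acceptable_level) and remaining:
        best, best_score = None, 0.0
        for c in remaining:
            if spend + c.cost > budget:
                continue
            # Only reduction of risks that are currently unacceptable counts; spending on
            # a risk that is already tolerable would not move the organization closer to goal.
            reduction = sum(r.level - apply_control(r, c).level
                            for r in unacceptable(residual, acceptable_level))
            score = reduction / c.cost
            if score > best_score:
                best, best_score = c, score
        if best is None:
            break  # nothing affordable still reduces an unacceptable risk
        residual = [apply_control(r, best) for r in residual]
        chosen.append(best.name)
        spend += best.cost
        remaining.remove(best)
    return chosen, residual, spend


# Constructed sample register and catalogue (not from the standard).
SAMPLE_REGISTER = [
    Risk("customer database", "unauthorized disclosure", harm=5, likelihood=4),
    Risk("payment system", "fraud by single operator", harm=4, likelihood=3),
    Risk("file server", "fire", harm=4, likelihood=1),
    Risk("public web server", "denial of service", harm=2, likelihood=4),
]
SAMPLE_CATALOGUE = [
    Control("access control and logging", 20.0, 2, applicable_to=("unauthorized disclosure",)),
    Control("segregation of duties", 5.0, 2, applicable_to=("fraud by single operator",)),
    Control("off-site backups", 10.0, 0, harm_reduction=3, applicable_to=("fire",)),
    Control("upstream traffic filtering", 15.0, 2, applicable_to=("denial of service",)),
]

if __name__ == "__main__":
    picks, after, cost = select_controls(SAMPLE_REGISTER, SAMPLE_CATALOGUE, 6, 40.0)
    print("selected:", picks, "spend:", cost)
    for r in after:
        print(f"{r.asset:20} {r.threat:26} residual level {r.level}")
    print("still unacceptable:", [r.asset for r in unacceptable(after, 6)])
```

With the constructed data, the cheap segregation-of-duties control is bought first because it removes the most unacceptable risk per unit of cost, and the run ends with the customer database still above the acceptable level: the budget cannot bring it down further, so that residual risk has to be explicitly accepted by management or treated in a later, more detailed assessment, which is the iteration the text describes. Non-monetary factors such as reputation are not modelled here and would need to be folded into the harm score by the assessor.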
Information security starting point
A number of controls can be considered as guiding principles providing a good starting point for implementing information security. They are either based on essential legislative requirements or considered to be common best practice for information security.
Controls considered to be essential to an organization from a legislative point of view include:
a) intellectual property rights (see 12.1.2);
b) safeguarding of organizational r