BS 7799-3:2006
Information security management systems
Part 3: Guidelines for information security risk management
ICS 35.020; 35.040
NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW
BRITISH STANDARD
Licensed Copy: London South Bank University, London South Bank University, Fri Dec 08 12:43:32 GMT+00:00 2006, Uncontrolled Copy, © BSI

Publishing and copyright information
The BSI copyright notice displayed in this document indicates when the document was last issued.
© BSI 17 MARCH 2006
ISBN 0 580 47247 7
The following BSI references relate to the work on this standard:
Committee reference BDD/2
Draft for comment 05/30125021 DC
Publication history
First published March 2006
Amendments issued since publication
Amd. no. | Date | Text affected

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Information security risks in the organizational context
5 Risk assessment
6 Risk treatment and management decision-making
7 Ongoing risk management activities
Annexes
Annex A (informative) Examples of legal and regulatory compliance
Annex B (informative) Information security risks and organizational risks
Annex C (informative) Examples of assets, threats, vulnerabilities and risk assessment methods
Annex D (informative) Risk management tools
Annex E (informative) Relationship between BS ISO/IEC 27001:2005 and BS 7799-3:2006
Bibliography
List of figures
Figure 1 Risk management process model
Figure C.1 Types of assets
List of tables
Table C.1 Vulnerabilities related to human resources security
Table C.2 Vulnerabilities related to physical and environmental security
Table C.3 Vulnerabilities related to communications and operations management
Table C.4 Vulnerabilities related to access control
Table C.5 Vulnerabilities related to systems acquisition, development and maintenance
Table C.6 Matrix with risk values
Table C.7 Matrix ranking incidents by measures of risk
Table E.1 Relationship between BS ISO/IEC 27001:2005 and BS 7799-3:2006
Summary of pages
This document comprises a front cover, an inside front cover, pages i and ii, pages 1 to 50, an inside back cover and a back cover.

Foreword
Publishing information
This British Standard was published by BSI and came into effect on 17 March 2006. It was prepared by Technical Committee BDD/2, Information security management.
Relationship with other publications
This British Standard includes and replaces the existing BS 7799 guidance material provided in the BSI publications PD 3002 and PD 3005. It is harmonized with other ISO/IEC work, in particular BS ISO/IEC 17799:2005 and BS ISO/IEC 27001:2005 (the revised version of BS 7799-2:2002) to ensure consistency of terminology and methods.
Information about this document
This British Standard provides guidance and support for the implementation of BS 7799-2 and is generic enough to be of use to small, medium and large organizations. The guidance and advice given in this British Standard is not exhaustive and an organization might need to augment it with further guidance before it can be used as the basis for a risk management framework for BS ISO/IEC 27001:2005 (the revised version of BS 7799-2:2002). As a guide, this British Standard takes the form of guidance and recommendations. It should not be quoted as if it was a specification and particular care should be taken to ensure that claims of compliance are not misleading.
Contractual and legal considerations
This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. Compliance with a British Standard cannot confer immunity from legal obligations.
0 Introduction
0.1 General
This British Standard has been prepared for those business managers and their staff involved in ISMS (Information Security Management System) risk management activities. It provides guidance and advice to specifically support the implementation of those requirements defined in BS ISO/IEC 27001:2005 that relate to risk management processes and associated activities. Table E.1 illustrates the relationship between the two documents.
0.2 Process approach
This British Standard promotes the adoption of a process approach for assessing risks, treating risks, and ongoing risk monitoring, risk reviews and re-assessments. A process approach encourages its users to emphasize the importance of:
a) understanding business information security requirements and the need to establish policy and objectives for information security;
b) selecting, implementing and operating controls in the context of managing an organization's overall business risks;
c) monitoring and reviewing the performance and effectiveness of the Information Security Management System (ISMS) to manage the business risks;
d) continual improvement based on objective risk measurement.
See Figure 1.
Figure 1 Risk management process model
[Figure: a process model of four linked stages: "Assess and evaluate the risks" (Clause 5, Risk assessment); "Select, implement and operate controls to treat the risks" (Clause 6, Risk treatment and management decision making); "Monitor and review the risks" (Clause 7, Ongoing risk management activities); "Maintain and improve the risk controls" (Clause 7, Ongoing risk management activities).]
This risk management process focuses on providing the business with an understanding of risks to allow effective decision-making to control risks. The risk management process is an ongoing activity that aims to continuously improve its efficiency and effectiveness.
The risk management process should be applied to the whole ISMS (as specified in BS ISO/IEC 27001:2005), and new information systems should be integrated into the ISMS in the planning and design stage to ensure that any information security risks are appropriately managed. This document describes the elements and important aspects of this risk management process.
The information security risks need to be considered in their business context, and the interrelationships with other business functions, such as human resources, research and development, production and operations, administration, IT, finance, and customers need to be identified, to achieve a holistic and complete picture of these risks. This consideration includes taking account of the organizational risks, and applying the concepts and ideas of corporate governance. This, together with the organization's business, effectiveness, and the legal and regulatory environment all serve as drivers and motivators for a successful risk management process. These ideas are described in more detail in Clause 4.
An important part of the risk management process is the assessment of information security risks, which is necessary to understand the business information security requirements, and the risks to the organization's business assets. As also described in BS ISO/IEC 27001:2005, the risk assessment includes the following actions and activities, which are described in more detail in Clause 5.
- Identification of assets.
- Identification of legal and business requirements that are relevant for the identified assets.
- Valuation of the identified assets, taking account of the identified legal and business requirements and the impacts of a loss of confidentiality, integrity and availability.
- Identification of significant threats and vulnerabilities for the identified assets.
- Assessment of the likelihood of the threats and vulnerabilities to occur.
- Calculation of risk.
- Evaluation of the risks against a predefined risk scale.
The next step in the risk management process is to identify the appropriate risk treatment action for each of the risks that have been identified in the risk assessment. Risks can be managed through a combination of prevention and detection controls, avoidance tactics, insurance and/or simple acceptance. Once a risk has been assessed a business decision needs to be made on what, if any, action to take. In all cases, the decision should be based on a business case which justifies the decision and which can be accepted or challenged by key stakeholders. The different risk treatment options and factors that influence this decision are described in Clause 6.
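The assessment steps listed above (asset identification, legal and business requirements, CIA-based valuation, threats and vulnerabilities, likelihood, risk calculation, evaluation against a predefined scale) and the Clause 6 treatment options, worked through in code. This is an added example, not text or tooling from the standard: the 1 to 4 impact and likelihood scales, the product formula, the risk bands, the default treatment rule and the sample asset register are all constructed assumptions (the standard's own matrices are in Annex C, which is not reproduced on this page).

```python
from dataclasses import dataclass
# Constructed scales (not the standard's): impact and likelihood each run 1 (negligible) to 4 (severe).
# Predefined risk criteria: inclusive bands of risk value and the level each band is evaluated as.
RISK_SCALE = ((1, 4, "low"), (5, 8, "medium"), (9, 16, "high"))
@dataclass(frozen=True)
class Asset:
    name: str
    c: int  # impact of a loss of confidentiality
    i: int  # impact of a loss of integrity
    a: int  # impact of a loss of availability
    requirements: tuple = ()  # legal and business requirements relevant to the asset

@dataclass(frozen=True)
class Scenario:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int  # assessed likelihood that the threat exploits the vulnerability

def risk_value(s):
    """Asset valuation (worst of the C, I, A impacts) multiplied by likelihood; formula is assumed."""
    return max(s.asset.c, s.asset.i, s.asset.a) * s.likelihood

def evaluate(value):
    """Evaluation of the calculated risk against the predefined risk scale."""
    for lo, hi, level in RISK_SCALE:
        if lo <= value <= hi:
            return level
    raise ValueError(f"risk value {value} is outside the predefined scale")

def treatment_option(level):
    """Clause 6 options; a constructed default rule, the real decision rests on a business case."""
    return {"low": "accept the risk", "medium": "select prevention/detection controls",
            "high": "select controls or avoid/insure; needs stakeholder sign-off"}[level]

def assess(scenarios):
    rows = []  # one row per threat/vulnerability scenario, ranked highest risk first
    for s in scenarios:
        value = risk_value(s)
        level = evaluate(value)
        rows.append({"asset": s.asset.name, "threat": s.threat, "risk_value": value,
                     "level": level, "treatment": treatment_option(level)})
    return sorted(rows, key=lambda r: r["risk_value"], reverse=True)

# Constructed sample register for the demonstration.
CUSTOMER_DB = Asset("customer database", c=4, i=3, a=2, requirements=("data protection law",))
WEB_SITE = Asset("public web site", c=1, i=3, a=3)
SCENARIOS = [Scenario(CUSTOMER_DB, "unauthorised disclosure", "unpatched database server", 3),
             Scenario(WEB_SITE, "web page defacement", "weak administrator password", 2),
             Scenario(WEB_SITE, "power failure", "no uninterruptible power supply", 1)]
```

Calling `assess(SCENARIOS)` ranks the register so that the business case for each treatment decision can be argued from the evaluated level rather than from the raw number.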
Once the risk treatment decisions have been made and the controls selected following these decisions have been implemented, the ongoing risk management activities should start. These activities include the process of monitoring the risks and the performance of the ISMS to ensure that the implemented controls work as intended. Another activity is the risk review and re-assessment, which is necessary to adapt the risk assessment to the changes that might occur over time in the business environment. Risk reporting and communication is necessary to ensure that business decisions are taken in the context of an organization-wide understanding of risks. The co-ordination of the different risk related processes should ensure that the organization can operate in an efficient and effective way. Continual improvement is an essential part of the ongoing risk management activities to increase the effectiveness of the implemented controls towards achieving the goals that have been set for the ISMS. The ongoing risk management activities are described in Clause 7.
The successful implementation of the risk management process requires that roles and responsibilities are clearly defined and discharged within the organization. Roles and responsibilities that are involved in the risk management process are included in the document, as relevant.
1 Scope
This British Standard gives guidance to support the requirements given in BS ISO/IEC 27001:2005 regarding all aspects of an ISMS risk management cycle. This cycle includes assessing and evaluating the risks, implementing controls to treat the risks, monitoring and reviewing the risks, and maintaining and improving the system of risk controls. The focus of this standard is effective information security through an ongoing programme of risk management activities. This focus is targeted at information security in the context of an organization's business risks. The guidance set out in this British Standard is intended to be applicable to all organizations, regardless of their type, size and nature of business. It is intended for those business managers and their staff involved in ISMS (Information Security Management System) risk management activities.

2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
BS ISO/IEC 27001:2005 (BS 7799-2:2005), Information technology - Security techniques - Information security management systems - Requirements

3 Terms and definitions
For the purposes of this British Standard, the following terms and definitions apply.
3.1 information security event
an information security event is an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant
[BS ISO/IEC TR 18044:2004]
3.2 information security incident
an information security incident is indicated by a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security
[BS ISO/IEC TR 18044:2004]
3.3 residual risk
risk remaining after risk treatment
[ISO Guide 73:2002]
3.4 risk
combination of the probability of an event and its consequence
[ISO Guide 73:2002]
3.5 risk acceptance
decision to accept a risk
[ISO Guide 73:2002]
NOTE 1 The verb "to accept" is chosen to convey the idea that acceptance has its basic dictionary meaning.
NOTE 2 Risk acceptance depends on risk criteria.
3.6 risk analysis
systematic use of information to identify sources and to estimate the risk
[ISO Guide 73:2002]
NOTE 1 Risk analysis provides a basis for risk evaluation, risk treatment, and risk acceptance.
NOTE 2 Information can include historical data, theoretical analysis, informed opinions, and the concerns of stakeholders.
3.7 risk assessment
overall process of risk analysis and risk evaluation
[ISO Guide 73:2002]
3.8 risk avoidance
decision not to become involved in, or action to withdraw from, a risk situation
[ISO Guide 73:2002]
NOTE The decision may be taken based on the result of risk evaluation.
3.9 risk communication
exchange or sharing of information about risk between the decision-maker and other stakeholders
[ISO Guide 73:2002]
NOTE The information can relate to the existence, nature, form, probability, severity, acceptability, treatment or other aspects of risk.
3.10 risk control
actions implementing risk management decisions
[ISO Guide 73:2002]
NOTE Risk control may involve monitoring, re-evaluation, and compliance with decisions.
3.11 risk criteria
terms of reference by which the significance of risk is assessed
[ISO Guide 73:2002]
NOTE Risk criteria can include associated cost and benefits, legal and statutory requirements, socio-economic and environmental aspects, the concerns of stakeholders, priorities and other inputs to the assessment.
3.12 risk evaluation
process of comparing the estimated risk against given risk criteria to determine the significance of risk
[ISO Guide 73:2002]
3.13 risk management
co-ordinated activities to direct and control an organization with regard to risk
[ISO Guide 73:2002]
NOTE Risk management generally includes risk assessment, risk treatment, risk acceptance and risk communication.