BRITISH STANDARD BS 7799-1:1999
ICS 35.020; 35.040
NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW

Information security management
Part 1: Code of practice for information security management

Licensed Copy: London South Bank University, London South Bank University, Fri Dec 08 12:43:06 GMT+00:00 2006, Uncontrolled Copy, (c) BSI

This British Standard, having been prepared under the direction of the DISC Board, was published under the authority of the Standards Committee and comes into effect on 15 May 1999.
(c) BSI 05-1999
First published as BS 7799 in February 1995.
Published as BS 7799-1 in February 1998.
The following BSI references relate to the work on this standard: Committee reference BDD/2; Draft for comment DPC 98/682025 DC.
ISBN 0 580 28271 1

Amendments issued since publication
Amd. No.    Date    Text affected

Committees responsible for this British Standard
The preparation of this British Standard was entrusted to BSI/DISC Committee BDD/2, Information security management, upon which the following bodies were represented:
Association of British Insurers
British Computer Society
British Telecommunications plc
The Business Continuity Institute
Department of Trade and Industry (Information Security Policy Group)
Det Norske Veritas Quality Assurance
HMG Protective Security Authority
HSBC
Indicii Salus
Institute of Chartered Accountants in England and Wales
Institute of Internal Auditors
KPMG plc
L3 Network Security
Lloyds TSB
Logica UK
Marks and Spencer plc
Nationwide Building Society
PCSL
Racal Network Services
RKP Associates
Shell International Petroleum Co Ltd
Unilever plc
Whitbread plc
XiSEC Consultants Ltd/AEXIS Consultants

Contents
Committees responsible (inside front cover)
Foreword
Introduction
1 Scope
2 Terms and definitions
3 Security policy
3.1 Information security policy
4 Security organization
4.1 Information security infrastructure
4.2 Security of third party access
4.3 Outsourcing
5 Asset classification and control
5.1 Accountability for assets
5.2 Information classification
6 Personnel security
6.1 Security in job definition and resourcing
6.2 User training
6.3 Responding to security incidents and malfunctions
7 Physical and environmental security
7.1 Secure areas
7.2 Equipment security
7.3 General controls
8 Communications and operations management
8.1 Operational procedures and responsibilities
8.2 System planning and acceptance
8.3 Protection against malicious software
8.4 Housekeeping
8.5 Network management
8.6 Media handling and security
8.7 Exchanges of information and software
9 Access control
9.1 Business requirement for access control
9.2 User access management
9.3 User responsibilities
9.4 Network access control
9.5 Operating system access control
9.6 Application access control
9.7 Monitoring system access and use
9.8 Mobile computing and teleworking
10 Systems development and maintenance
10.1 Security requirements of systems
10.2 Security in application systems
10.3 Cryptographic controls
10.4 Security of system files
10.5 Security in development and support processes
11 Business continuity management
11.1 Aspects of business continuity management
12 Compliance
12.1 Compliance with legal requirements
12.2 Reviews of security policy and technical compliance
12.3 System audit considerations
Annex A (informative) Changes to internal numbering
Index

Foreword
This part of BS 7799 has been prepared under the supervision of the BSI/DISC committee BDD/2, Information security management. It supersedes BS 7799:1995, which is withdrawn.

BS 7799 is issued in two parts:
Part 1: Code of practice for information security management;
Part 2: Specification for information security management systems.

BS 7799-1 was first issued in 1995 to provide a comprehensive set of controls comprising best practices in information security. It is intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce, and to be used by large, medium and small organizations. The term "organization" is used throughout this standard to mean both profit and non-profit making organizations, such as public sector organizations.

The 1999 revision takes into account recent developments in the application of information processing technology, particularly in the area of networks and communications. It also gives greater emphasis to business involvement in and responsibility for information security.

Not all of the controls described in this document will be relevant to every situation. It cannot take account of local system, environmental or technological constraints. It may not be in a form that suits every potential user in an organization. Consequently the document may need to be supplemented by further guidance. It can be used as a basis from which, for example, a corporate policy or an inter-company trading agreement can be developed.

As a code of practice, this British Standard takes the form of guidance and recommendations. It should not be quoted as if it were a specification, and particular care should be taken to ensure that claims of compliance are not misleading.

It has been assumed in the drafting of this standard that the execution of its provisions is entrusted to appropriately qualified and experienced people.

Annex A is informative and contains a table showing the relationship between the sections of the 1995 edition and the clauses of the 1999 edition.

A British Standard does not purport to include all the necessary provisions of a contract. Users of British Standards are responsible for their correct application.

Compliance with a British Standard does not of itself confer immunity from legal obligations.

Summary of pages
This document comprises a front cover, an inside front cover, pages i to iv, pages 1 to 44, an inside back cover and a back cover.

Introduction

What is information security?
Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities.

Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected.

Information security is characterized here as the preservation of:
a) confidentiality: ensuring that information is accessible only to those authorized to have access;
b) integrity: safeguarding the accuracy and completeness of information and processing methods;
c) availability: ensuring that authorized users have access to information and associated assets when required.

Information security is achieved by implementing a suitable set of controls, which could be policies, practices, procedures, organizational structures and software functions. These controls need to be established to ensure that the specific security objectives of the organization are met.

Why information security is needed
Information and the supporting processes, systems and networks are important business assets. Confidentiality, integrity and availability of information may be essential to maintain competitive edge, cash-flow, profitability, legal compliance and commercial image.

Increasingly, organizations and their information systems and networks are faced with security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire or flood. Sources of damage such as computer viruses, computer hacking and denial of service attacks have become more common, more ambitious and increasingly sophisticated.

Dependence on information systems and services means organizations are more vulnerable to security threats. The interconnecting of public and private networks and sharing of information resources increases the difficulty of achieving access control. The trend to distributed computing has weakened the effectiveness of central, specialist control.

Many information systems have not been designed to be secure. The security that can be achieved through technical means is limited, and should be supported by appropriate management and procedures. Identifying which controls should be in place requires careful planning and attention to detail. Information security management needs, as a minimum, participation by all employees in the organization. It may also require participation from suppliers, customers or shareholders. Specialist advice from outside organizations may also be needed.

Information security controls are considerably cheaper and more effective if incorporated at the requirements specification and design stage.

How to establish security requirements
It is essential that an organization identifies its security requirements. There are three main sources.

The first source is derived from assessing risks to the organization. Through risk assessment, threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is estimated.

The second source is the legal, statutory, regulatory and contractual requirements that an organization, its trading partners, contractors and service providers have to satisfy.

The third source is the particular set of principles, objectives and requirements for information processing that an organization has developed to support its operations.

Assessing security risks
Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the business harm likely to result from security failures. Risk assessment techniques can be applied to the whole organization, or only parts of it, as well as to individual information systems, specific system components or services where this is practicable, realistic and helpful.

Risk assessment is systematic consideration of:
a) the business harm likely to result from a security failure, taking into account the potential consequences of a loss of confidentiality, integrity or availability of the information and other assets;
b) the realistic likelihood of such a failure occurring in the light of prevailing threats and vulnerabilities, and the controls currently implemented.

The results of this assessment will help guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against these risks. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems.

It is important to carry out periodic reviews of security risks and implemented controls to:
a) take account of changes to business requirements and priorities;
b) consider new threats and vulnerabilities;
c) confirm that controls remain effective and appropriate.

Reviews should be performed at different levels of depth depending on the results of previous assessments and the changing levels of risk that management is prepared to accept. Risk assessments are often carried out first at a high level, as a means of prioritizing resources in areas of high risk, and then at a more detailed level, to address specific risks.

Selecting controls
Once security requirements have been identified, controls should be selected and implemented to ensure risks are reduced to an acceptable level. Controls can be selected from this document or from other control sets, or new controls can be designed to meet specific needs as appropriate. There are many different ways of managing risks and this document provides examples of common approaches. However, it is necessary to recognize that some of the controls are not applicable to every information system or environment, and might not be practicable for all organizations. As an example, 8.1.4 describes how duties may be segregated to prevent fraud and error. It may not be possible for smaller organizations to segregate all duties, and other ways of achieving the same control objective may be necessary.

Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Non-monetary factors such as loss of reputation should also be taken into account.

Some of the controls in this document can be considered as guiding principles for information security management and applicable for most organizations. They are explained in more detail below under the heading "Information security starting point".

Information security starting point
A number of controls can be considered as guiding principles providing a good starting point for implementing information security. They are either based on essential legislative requirements or considered to be common best practice for information security.

Controls considered to be essential to an organization from a legislative point of view include:
a) intellectual property rights (see 12.1.2);
b) safeguarding of organizational records (see 12.1.3);
c) data protection and privacy of personal information (see 12.1.4).

Controls considered to be common best practice for information security include:
a) information security policy document (see 3.1.1);
b) allocation of information security responsibilities (see 4.1.3);
c) information security