1、INTERNATIONA1.STANDARDISO/IEC27035-2editionSecond2023-02Informationtechno1.ogy一Informationsecurityincidentmanagement一fM*inestop1.anandprepareforincidentresponseTechno1.ogiesdeinformation-GestiondesincidentsdeSecUri整deinformationPartie2:1.ignesdirectricesPOUrPIanifieretpreparerUnereponseauxincidentsR
2、eferencenumberISO/IEC27035-2:2023(E)ISO/IEC2023COPYRIGHTPROTECTEDDOCUMENTISO/1EC2023IUirhM*hedbdi1.iUedotherwiseupdhi.o啪InPSd1.Mc;GeatrOn1.fifiU81.andonnet8CH-1214Vernier,GenevaPhone:M1.22749O1.11觥ftte:丽丽BQrgPub1.ishedinSwitzer1.andISO/IEC2023-A1.1.rightsreservedISO/IEC2023-A1.1.rightsreservedISO(th
3、eInternationa1.OrganizationforStandardization)andIEC(theInternationa1.E1.ectrotechnica1.membersofISOtheparticipateintheforwor1.dwideInternationa1.Nationa1.bodiesarecommitteesestab1.ishedbytherespectiveorganizationtodea1.withparticu1.arfie1.dsoftechnica1.activity.ISOandIECmitteesco1.1.aborateinfie1.d
4、sofmutua1.interest.Otherinternationa1.work.Theproceduresusedtodeve1.opthisdocumentandthoseintendedforitsfurthermaintenanceareforthetypesofdocument1.Inbenoted,thedifferentwascriteriaMC3damswiUJwdi1.oria1.“theISO/IECDirectives,Part2(seewww.iso.org/directivesorwww.iec.ch/members-experts/refdocs).Ofpate
5、ntrights.totheIECsha1.1.notbehe1.dthee1.ementsthisdocumentorbethepatentrights.Detai1.sofanypatentrightsidentifiedduringthedeve1.opmento3*d3um4mUw41.4MMntheIntroductionand/orontheISO1.istofPagntd*Em。晔3ved(seewww.iso.org/patents)ortheIECAnytradenameusedinthisdocumentisinformationgivenfortheconvenience
6、ofusersanddoesnotconstituteanendorsementForanre1.atedofthevo1.untarynatureofwe1.1.themeaningofISOISO*stermstoth。WokiTVadoQrganizatio科(WTO)princip1.esin出。Tzhnka1.BanfeuT11(TBT)seewww.iso.org/iso/forcword.htni1.IntheIEC,seewsv.iec.chundcrstanding-s1.andards.Thisdocument27,preparedbyTechnica1.Committee
7、privacyTC1,Thissecondeditioncance1.sandrep1.acesthefirstedition(ISO/IEC27035-2:2016),whichhasbeenThemainchangesareasfo1.1.ows: newro1.esinc1.udingincidentmanagementteamandincidentcoordinatorandtheirresponsibi1.itieshavebeenadded; contentonarecommendedprocessfororganizationshasbeenaddedin6.7; C.3hasb
8、eenrep1.acedbyasing1.eparagraph;A1.istofa1.1.partsintheISO/IEC27035seriescanbefoundontheISOandIECwebsites.AnyAOrIiStingofthirbodiescanbefoundatusersnationa1.www.iec.ch/nationa1.-committees.IntroductionThisdocumentfocusesoninformationsecurityincidentmanagementwhichisidentifiedinISO/IEC27000asoneofthe
9、critica1.successfactorsfortheinformationseritymanagementsystem.Therecanbea1.argegapbetweenanorganizationp1.anforanincidentandanorganizationpreparednessforanincident.Therefore,thisdocumentaddressesthedeve1.opmentofprocedurestoiHFI三怖蛉楞ihi三AOfb螂预酬艇ta4网iciesre0Rss侬州布i闱由麻ationm油瞰&nt,aswe1.1.astheprocessf
10、orestab1.ishingtheincidentresponseteamandimprovingitsperformanceovertimebyadopting1.essons1.earnedandbyeva1.uation.Informationtechno1.ogyInformationsecurityincidentmanagement一Guide1.inestop1.anandprepareforincidentresponse1Scopeinformationresponse.Theguide1.inesmanagementphasesHiode1.andpresentedISO
11、/IEC27035-1:2023,5.2andThemajorpointswithinthep1.anandprepare*phaseinc1.ude:Organizationa1.securityandpo1.iciesrinc1.udingandnetwork1.eve1.s;riskmanagement,updatedatboth IncidentManagementTeam(IMT)estab1.ishment; technica1.andOthersupport(inc1.udingorganizationa1.andoperationa1.support);ThewIcarn1.e
12、ssonsphaseinc1.udes: Identifyingandmakingnecessaryimprovements;regard1.essofgivensizethisdocumentorganizationsandintendedtheapp1.icab1.etoa1.1.organizations,Normativeservicesreferencesconstitutesrequirementsaredocument.Fordatedinreferences,on1.ySomeeditiona1.1.citedapp1.ies.contentISO/IECOverview1.n
13、formationvocabu1.arySecuritytechniques-informationsecuritymanagementb) IMTsandIRTsofexterna1.organizations;c) managedserviceproviders(inc1.udingte1.ecommunicationserviceproviders).ISPs,vendorsandsupp1.iers;d) 1.awenforcementorganizations;c)emergencyauthorities;0CERTsi)andCSIRTs,whereappropriate;g) a
14、ppropriategovernmentorganizations,ordataprotectionagency;h) 1.ega1.personne1.;i) pub1.icre1.ationsofficia1.sand/ormembersofthemedia;j) businesspartners;k) customers;i)genera1.pub1.ic;m)regu1.ators.9Definingtechnica1.andothersupport9.1 Genera1.NOTE1C1.ause9,initsentirety,1.inkstoISO/IEC27035-1:2023,5
15、211.叭小沁博Cmhat赚n*w由Ujre1.*惘注地即世觥或级呼咏QM9b由e-AHinterna1.andexterna1.partiesforsupportandreportingshou1.dbedefinedandcommunicationchanne1.sandworkf1.owagreedupon.Theseactivitiesinc1.udethefo1.1.owing:1.ii!RStof1.frfonsorgfiW,1.setsw*v9f1.erjup-to-dateassetregisterandinformationdocumentedandpromu1.gated
16、communicationsprocessesinc1.udingmediacommunications tFftPevents/icidentsvu1.nerafeft1.3exchanget0啕田奥碗8F乳arei瑟船;Se感irft1.)F1.WaISFformatiofiecr*tyoperatingenvironment,a1.1.owingforrisk-basedandproactiveremediation; resources/too1.sforinformationSecurity/digita1.evidenceco1.1.ectionandana1.ysis; adeq
17、uatecrisismanagementdocumentationandarrangements(forguidanceonbusinesscontinuitymanagementseeISO/IEC27031JSO22301andISO22313);convenience矍蹄腺嘘麒OfandM1.剧螭SWU怒雕毓隰麻盟孤,.榴M加松渊版Iuctforthe&ISO/IEC2023-A1.1.rightsreservedISO/IEC2023-A1.1.rightsreserveda)quickacquisitionOfinformationsecurityevent/incident/vu1
18、nerabi1.ityreports;of(inc1.udingpaperandotherbackups)withbyrequireddetai1.s(e.g.thusposition,e-mai1.,te1.ephone,groupe-mai1.),andtheappropriatemeanstotransmitinformationtoindividua1.sinasecurefashionwhereappropriate;takingnon-internet,Withberisksforandthatavai1.ab1.ewhi1.ethesystem,serviceand/ornet
19、workisunderattack(thiscanrequirepre-p1.anneda1.ternativecommunicationsmechanismsbeinginp1.ace);system,theand/orofa1.1.anda1.1.aboutthebothstoredandanysupportinginformatione) usingcryptographicintegritycontro1.tohe1.pindeterminingwhetherandwhatpartsofthesystem,f) faci1.itatingthearchivingandsecuringo
20、fco1.1.ectedinformation(forexamp1.e,byapp1.yingdigita1.signaturesto1.ogsandotherevidencebeforestoringinappropriateoff-1.inestorage,a1.soseeg) enab1.ingthepreparationofprintouts(e.g.of1.ogs),inc1.udingthoseshowingtheprogressofanincident,andthereso1.utionprocessandchainofcustody;therecoveryprocedurest
21、hatare1.inewiththeservicecrisisnetworkto1)backuptesting;3)origina1.mediawithsystemandapp1.icationsoftware;5)dean,re1.iab1.eandup-to-datesystemandapp1.icationpatches;7)copiesofhardcopyrecords.basisforcreatingcreateaUsingsuchimageimageorigina1.mediaisanduseitasthedeantheimagehasa1.readybeenpatched,har
22、dened,tested,etc.Anpossib1.ernotechnica1.system,servicenetworkmaynotforcorrect1.y,anasassecurityincidentshou1.dre1.yintheiroperationsontheorganizationmainstreamsystems,servicesand/ornetworks,proportionatetotheassessedrisks.A1.1.technica1.meansshou1.dbecarefu1.1.yse1.ected,correct1.yimp1.ementedandin
23、dependent(inc1.udingtestingofthebackupsmade).Ifitispossib1.e,theNOTE2incidentsandmeansdescribedInandtosubc1.ausedonotnot1.1.ytechnica1.meansusedtodeec11echn1.ca1.meansaredescribedinISO/IEC27039.C)Wereanyproceduresortoo1.sidentifiedthatwou1.dhavebeenofassistanceintheresponseprocess?e)reportingcommuni
24、cationprocess?incidenttoa1.1.re1.evantpartiesCfTcc1.ivethroughoutthedetection,ana1.ysis.identifiedforimprovementincorporatedinformationsecurityincidentdocumentation,p1.anchangesrcviewcdnorganizationshou1.d1.ookbeyondasing1.einformationsecurityincidentorvu1.nerabi1.ityandcheck29forpracticefo1.1.owing
25、forwhichtheycanhe1.pidentifytoconductchanges.Ita1.sotesting,particu1.ar1.yvu1.nerabi1.ityassessment.Thus,anorganizationshou1.dana1.ysethedataintheinformationsecurityincidentregisteronaregu1.arbasisinordertodothefo1.1.owing:identifyareasofconcern;Re1.evantinformationacquiredthroughoutthecourseofaninf
26、ormationsecurityincidentshou1.dbechanne1.1.edintothetrend/patternana1.ysis(simi1.artothewayreportedinformationsecuritysecurityincidentsprovidesawarningfurthertheear1.yincidentsofcanarise,basedonpreviousexperienceanddocumentedknow1.edge.IRTsandSecurityshou1.da1.sobeused.Summaryana1.ysesofinformations
27、ecurityincidentsandvu1.nerabi1.itiesshou1.dbeproducedfortab1.ingateachtheoftheOrganizationrSinformationpo1.icy.Formoreforumand/orotherforumhand1.ing,seeISO/IEC30111.ASapartofpost-incidentreso1.ution,theincidentcoordinatorshou1.dreviewa1.1.thathashappenedtoSuchandthusaimstothedeterminewhichofthethere
28、sponsetoanincidentsecurityp1.anworkedsuccessfu1.1.yandidentifyifanyi11provemcntsarerequired.Animportantaspectofpostresponsep1.an.Iftofeedisandsevere,anbacktheshou1.densurethatameetingofa1.1.there1.evantpartiesisschedu1.edshort1.yafteritsreso1.utionwhi1.einformationissti1.1.freshinpeop!c,sminds.Facto
29、rstoconsiderinsuchameetinginc1.udethefo1.1.owing.Didtheb)Arethereanyproceduresormethodsthatwou1.dhaveaidedinthedetectionoftheincident?d)Werethereanyproceduresthatwou1.dhaveaidedinrecoveringinformationandsystemsfo1.1.owinganincidentidentified?WastheandresponseoftheTheresu1.tsofthemeetingshou1.dbedocu
30、mented.Theorganizationshou1.densurethattheareasandjustifiedchangestheupdateofthep1.anmanagementThearetotheISO/IEC2023-A1.1.rightsreservedrequircdupdate1.aterinformationFo1.1.owinganinformationproccdurcsincident,ifre1.evant,anorganizationorganization.theseinformationsecuritypo1.icyandprocedura1.updat
31、esarepropagatedthroughouttheinformationSecuritysoftwareconfigurations.procedures,personne1.securityContro1.simp1.ementingmoreincidentmanagement1.earnedIssituationcanarisenonstandardapp1.icationofareinformationreportingandsignifyreportingprocesses.Aofpotentia1.organizationthisinsuffiCientcantrainingh
32、igh1.ightdeficienciesin12.6 Identifyingandmakingimprovementstoinformationsecurityriskassessmentandmanagementreviewresu1.tsimpactassessmentandmanagementreviewsecurityVU1.nerabiIity),neCeSSaryaSSeSSmCntCOnSiderinfOrmat1.OnthreatsSeCUritya1.ignupdatedinfo11nationassessedIike1.ihoodassessmentconsequence
33、managemenbXsfo1.1.ow-uptothecomp1.etion12.7 Otherimprovementsmanagement,butcangivenaswithStream1.iningoperationimprovementsorganizationnomeansimprovements.vendors;providingfixes/PaICheScan1.eadtorefiningcriteriaforse1.ectingsoftwareorhardwaredep1.oymentcorrectedrequiredprovisionOfenhancements.1.eve1
34、s,enhancededucationandtrainingandtime1.yincidenttysociety,bytheinstabi1.ity(informative)Thisannexprovidesexamp1.eapproachestothecategorization,eva1.uationandprioritizationofaTheseconsistentmanner,sotheandbenefitsaretoa)promotingtheexchangeandsharingoftheinformationoninformationsecurityincidents;C)i
35、mprovingtheefficiencyandeffectivenessofinformationsecurityincidenthand1.ingandmanagement;e)identifyingtheseverity1.eve1.sofinformationsecurityincidentsusingconsistentcriteria.TheseCxamp1.esecurityevents,totheydoeva1.uationandsecuritycana1.soRe1.atedworkcanbefoundin:g)RFC6545Rea1.-timeintern-networkd
36、efence(RID);i) Mitre,sstructuredthreatinformationeXpression(STIX);j) Mitresexchangebytechnica1.orPhySiCRmeans.cancausedbyapproachaccidenta1.actionsofhumanbeings,byconsideringthreatsascategorizationfactors(forthreatsre4SO1.EC27005:2022,.2.5.1)A1.istofcategoriesofinformationsecurityincidentsisshowninT
37、ab1.eC.1.CategoryDescriptionExamp1.esotcausedISO/IEC2023-A1.1.rightsreservedTabIeC1.(continued)CategoryDescriptionExamp1.esPhysica1.The1.ossOfinformationsecuriFire,water,e1.ectrostatic,abominab1.eenrironment(suchaspo1.1.utiothebasicsystemsandservicesincidentOnnwMruynonsunavaiiaoiiiiyTab1.eC.1.(conti
38、nued)CategoryDescriptionMa1.wareThe1.ossOFinformationse-site.ransomware,etc.Examp1.esComputervims,networkworm,Trojanhorse,botnet,b1.endedat-domrjjpUaBke?ources.restoieawccetettbcIthmi1.deviceAiserinexchangeforTabIeC1.(continued)CategoryDescriptionExamp1.esTechnica1.The1.ossofinformationse-Ninformati
39、on?tworkscanning,exp1.oitationofvu1.nerabi1.ity,exp1.oitationofk11E112uctefa3f.1iMiiHQ1.fantK&弭H七山m”址rctetsaanfrnnemnibn11g1111&南XknhdoixrrScftwtniOTidwrri蜘51nbiJx115rjr5c如nW1.oginattemptstrytoguess,crackorbrteforcepasswords.、:.、.:一:II:力二一.,de1.iberate1.yoraccidenta1.1.y.父珈KAI叩e*i1.mkfe阿中济ft5ini印gmf
40、nj11kd*naBu,小Ii故mBreachofcopyrightiscausedbyse1.1.ingorinsta1.1.ingcopiesofincidentO(AbMtffc33frightsnakt5tHd*hts同1t5bewrEfcrtkrtcymsd0wMreferercFccpngDenia1.ofactionsiswhenapersondenieswhathe/shehasdone.Mis-Operat1.onscarryoutoperationsincorrect1.yorunintentiona1.1.y.H1.i*thntktr*d1)-K1rfccqacI.rIV
41、tATab1.eC.1.(continued)CategoryDescriptionExamp1.esCompromiseofTinformationincidenthe1.ossofinformationsecuri,1-1.上.-d4-4Interception,spying,eavesdropping,disc1.osure,masquerade,socia1.withdata,dataerror,dataf1.owana1.ysis,positiondetection,etc.repients.1.nterceptioncapturesdatabeforeitisab1.etoreac
42、htheintendedEiHesSpyingisdtoaaxhersKret1.yoqnizabixiro&ctandreportmformatx。为维001顺网1SjSMerfWGd陪XaTP上血nk叫attOtherNGbQVMd已I1heinentsC.3Eva1.uationandprioritizationOfinformationsecurityincidentsIncidenteva1.uationa1.1.owstodeterminetheimpactsandconsequencestotheorganizationduetotheUtajdmi1.jaiahtfwe1.sp
43、hbricjitoirthespondinfortniHtccaMsiisaicaqpadisJwuIdbecoherentwiththeinformationBib1.iography1KDnBnent27fiiH)iifrtif1.ifenentstechno1.ogySecuritytechniquesInformationsecurity2ISO22301,Securityandresi1.ienceBusinesscontinuitymanagementsystemsRequirements3也H星族以ri夕andresi1.ienceBusinesscontinuitymanage
44、mentsystemsGuidanceonthe4的股iGontechno1.ogySecuritytechniquesCodeOfpracticefor5 V5P),1.C,2(ft)52022,Informationtechno1.ogySecuritytechniquesInformationsecurityrisk6 快加MWU血吸Hg锦脑三呢掇?)的呦阳山9配/阿枫恤你幽江Informationsecurity7 时印物诃慎J%tf制前钳跖淤砌MfH盼E版群哥晒侧附UeSGuide1.inesforinformationand8 ft97YEC12FO9u,!fffrmationte
45、chno1.ogySecuritytechniquesNetworksecurityPart1:9 领摩G叙物附沏)rfWM(加姓期砌心亚州僦”K醐师业-Networksecurity-Part2:10 越珈Ec”的叩呼酮涮配齐诙胸蟒R/”傍懊泳的做心腌制丽趣fciW-Part3:11 七州身即(三u”网况用用wt三冰迎梦丘喙。他心树f1.。级AWetwoMsecurity-Part4:12 你用快哂也佻锄树出场*挖0阴飒嗷口海t畿曲阳一Se1.ection,dep1.oymentand13 1SOIEC27040,Informationtechno1.ogySecuritytechniquesStoragesecurity14 SOIEC30111,Informationtechno1.ogySecuritytechniquesVu1.nerabi1.ityhand1.ingprocesses5
