SANS 27011-2009 Information technology - Security techniques - Information security management guidelines for telecommunications organizations based on ISO IEC 27002《信息技术 远程通信用信息安全.pdf

1、 Collection of SANS standards in electronic format (PDF) 1. Copyright This standard is available to staff members of companies that have subscribed to the complete collection of SANS standards in accordance with a formal copyright agreement. This document may reside on a CENTRAL FILE SERVER or INTRA

2、NET SYSTEM only. Unless specific permission has been granted, this document MAY NOT be sent or given to staff members from other companies or organizations. Doing so would constitute a VIOLATION of SABS copyright rules. 2. Indemnity The South African Bureau of Standards accepts no liability for any

3、damage whatsoever than may result from the use of this material or the information contain therein, irrespective of the cause and quantum thereof. ISBN 978-0-626-22546-9 SANS 27011:2009Edition 1 ISO/IEC 27011:2008Edition 1 SOUTH AFRICAN NATIONAL STANDARDInformation technology Information security ma

4、nagement guidelines for telecommunications This national standard is the identical implementation of ISO/IEC 27011:2008 and is adopted with the permission of the International Organization for Standardization and the International Electrotechnical Commission. Published by SABS Standards Division 1 D

5、r Lategan Road Groenkloof Private Bag X191 Pretoria 0001Tel: +27 12 428 7911 Fax: +27 12 344 1568 www.sabs.co.za SABS SANS 27011:2009 Edition 1 ISO/IEC FDIS 27011:2008 Edition 1 Table of changes Change No. Date Scope National foreword This South African standard was approved by National Committee SA

6、BS SC 71F, Information technology Information security, in accordance with procedures of the SABS Standards Division, in compliance with annex 3 of the WTO/TBT agreement. This SANS document was published in May 2009. Please see the administrative notes on page ii-1 RECIPIENTS OF THIS DRAFT ARE INVIT

7、ED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORT-ING DOCUMENTATION. IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO-LOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCAS

8、ION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STAN-DARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS. Reference numberISO/IEC FDIS 27011:2008(E)ISO/IEC 2008FINAL DRAFT ISO/IEC JTC 1 Secretariat: ANSI Voting begins on: 2008-03-29 Voting terminates on: 2008-05-29 INTER

9、NATIONAL STANDARD ISO/IECFDIS27011Information technology Information security management guidelines for telecommunications Technologies de linformation Lignes directrices relatives la gestion de la scurit de linformation pour les tlcommunications SANS 27011:2009This s tandard may only be used and pr

10、inted by approved subscription and freemailing clients of the SABS .ISO/IEC FDIS 27011:2008(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded a

11、re licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Detai

12、ls of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem re

13、lating to it is found, please inform the Central Secretariat at the address given below. Copyright notice This ISO document is a Draft International Standard and is copyright-protected by ISO. Except as permitted under the applicable laws of the users country, neither this ISO draft nor any extract

14、from it may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, photocopying, recording or otherwise, without prior written permission being secured. Requests for permission to reproduce should be addressed to either ISO at the address below or ISOs me

15、mber body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Reproduction may be subject to royalty payments or a licensing agreement. Violators may be prosecuted. ii ISO/IEC 200

16、8 All rights reservedSANS 27011:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO/IEC FDIS 27011:2008(E) ISO/IEC 2008 All rights reserved ii-1In accordance with the provisions of Council Resolution 21/1986, this document is circulated i

17、n the English language only. SANS 27011:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO/IEC FDIS 27011:2008(E) ii-2 ISO/IEC 2008 All rights reservedSANS 27011:2009This s tandard may only be used and printed by approved subscription an

18、d freemailing clients of the SABS .ISO/IEC FDIS 27011:2008(E) ISO/IEC 2008 All rights reserved iiiCONTENTS Summary.4 Objective .4 Introduction4 Audience5 1. Scope6 2. Normative references.6 3. Definitions.6 4. Overview .7 4.1 Structure of this guideline 7 4.2 Information security management systems

19、in Telecommunications business 8 5 Security Policy.11 6 Organization of information security11 6.1 Internal organization 11 6.2 External parties 13 7 Asset management 17 7.1 Responsibility for assets 17 7.2 Information classification 18 8 Human resources security19 8.1 Prior to employment 19 8.2 Dur

20、ing employment. 22 8.3 Termination or change of employment . 22 9 Physical and environmental security 22 9.1 Secure areas. 22 9.2 Equipment security24 10 Communications and operations management.26 10.1 Operational procedures and responsibilities 26 10.2 Third party service delivery management . 29

21、10.3 System planning and acceptance . 29 SANS 27011:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO/IEC FDIS 27011:2008(E) iv ISO/IEC 2008 All rights reserved10.4 Protection against malicious and mobile code. 29 10.5 Back-up 30 10.6 N

22、etwork security management 30 10.7 Media handling 31 10.8 Exchange of information . 31 10.9 Electric Commerce Service . 31 10.10 Monitoring. 31 11 Access control32 11.1 Business requirement for access control . 32 11.2 User access management. 34 11.3 User responsibilities 34 11.4 Network access cont

23、rol 34 11.5 Operating system access control 34 11.6 Application and information access control 34 11.7 Mobile computing and teleworking. 34 12 Information systems acquisition, development and maintenance34 12.1 Security requirements of information systems 34 12.2 Correct processing in applications.

24、34 12.3 Cryptographic controls 34 12.4 Security of system files 34 12.5 Security in development and support processes 35 12.6 Technical Vulnerability Management . 35 13 Information security incident management .36 13.1 Reporting information security events and weaknesses 36 13.2 Management of inform

25、ation security incidents and improvements. 37 SANS 27011:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO/IEC FDIS 27011:2008(E) ISO/IEC 2008 All rights reserved v14 Business continuity management40 14.1 Information security aspects of

26、 business continuity management. 40 15 Compliance 42 Annex A: Telecommunications Extended Control Set.43 Annex B: Additional Implementation Guidance 54 Bibliography .56 SANS 27011:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO/IEC FD

27、IS 27011:2008(E) vi ISO/IEC 2008 All rights reserved(Blank Page) SANS 27011:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO/IEC FDIS 27011:2008(E) ISO/IEC 2008 All rights reserved viiForeword ISO (the International Organization for St

28、andardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organi

29、zation to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technolog

30、y, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards ad

31、opted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject

32、of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 27011 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques in collaboration with ITU-T. The identical text is publ

33、ished as ITU-T Rec. X.1051. SANS 27011:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO/IEC FDIS 27011:2008(E) viii ISO/IEC 2008 All rights reservedINTERNATIONAL STANDARD ITU-T RECOMMENDATION Recommendation X.1051 | ISO/IEC 27011 Infor

34、mation Security Management Guidelines for telecommunications organizations based on ISO/IEC 27002 Summary This Recommendation | International Standard: (a) establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in teleco

35、mmunications organizations based on ISO/IEC 27002; (b) provides an implementation baseline of Information Security Management within telecommunications organizations to ensure the confidentiality, integrity and availability of telecommunications facilities and services. As a result of implementing t

36、his International Standard, telecommunications organizations, both within and between jurisdictions, will: (a) be able to assure the confidentiality, integrity and availability of the global telecommunications facilities and services; (b) have adopted secure collaborative processes and controls ensu

37、ring the lowering of risks in the delivery of telecommunications services; (c) be able to redeployed resources to more productive activities; (d) have adopted a consistent holistic approach to information security; (e) be able to improve personal awareness and moral, and increase public trust. Objec

38、tive The objectives of this Recommendation | International Standard are to provide practical guidance specially suited for telecommunications organizations on: (a) commonly-accepted goals of information security management specifically suited for telecommunications organizations; (b) information sec

39、urity management practices to assist in the building of confidence for telecommunications activities. Introduction This Recommendation | International Standard provides interpretation guidelines for the implementation and management of Information Security Management in telecommunications organizati

40、ons based on ISO/IEC 27002 (Code of practice for information security management). In addition to the application of security objectives and controls described in ISO/IEC 27002, telecommunications organizations have to take into account the following security features: 1. Confidentiality Information

41、 related to telecommunications organizations should be protected from unauthorized disclosure. This implies non-disclosure of communications in terms of the existence, the content, the source, the destination and the date and time of communicated information. It is critical that telecommunications o

42、rganizations ensure that the non-disclosure of communications being handled by them is not breached. Persons engaged by the telecommunications organization should SANS 27011:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO/IEC FDIS 270

43、11:2008(E) ISO/IEC 2008 All rights reserved ixmaintain the confidentiality of any information regarding others that may have come to be known during their work duties. Note: The term “secrecy of communications“ is used in some countries in the context of “non-disclosure of communications“. 2. Integr

44、ity The installation and use of telecommunications facilities should be controlled, ensuring the authenticity, accuracy and completeness of information transmitted, relayed or received by wire, radio or any other method. 3. Availability Only authorized access should be provided when necessary to tel

45、ecommunications information, facilities and the medium used for the provision of communication services whether it might be provided by wire, radio or any other methods. As an extension of the availability, telecommunications organizations should give priority to essential communications in case of

46、emergency, and comply with regulatory requirements. Information security management in telecommunications organizations is required regardless of the method e.g. wired, wireless or broadband technologies. If information security management is not implemented properly the extent of telecommunications

47、 risks regarding confidentiality, integrity and availability, may be increased. Telecommunications organizations are designated to provide telecommunications services by intermediating communications of others through facilities for the use of others communications. Therefore, it should be taken int

48、o account that information processing facilities within a telecommunication organization are accessed and utilized by not only its own employees and contractors, but also various users outside of the organization. In order to provide telecommunications services, telecommunications organizations need

49、 to interconnect and/or share their telecommunications services and facilities, and/or use the telecommunications services and facilities of other telecommunications organizations. Therefore the management of information security in telecommunications organizations is mutually dependent and may include any and all areas of network infrastructure, services applications and other facilities. Regardless of operational scales, service areas or service types, telecommunications organizations must implement appropriate controls to e