BS ISO IEC 27032-2012 Information technology Security techniques Guidelines for cybersecurity《信息技术 安全技术 网络安全指南》.pdf

1、raising standards worldwide NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW BSI Standards Publication BS ISO/IEC 27032:2012 Information technology Security techniques Guidelines for cybersecurityBS ISO/IEC 27032:2012 BRITISH STANDARD National foreword This British Standard is

2、the UK implementation of ISO/IEC 27032:2012. The UK participation in its preparation was entrusted to Technical Committee IST/33, IT - Security techniques. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include

3、all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2012. Published by BSI Standards Limited 2012 ISBN 978 0 580 59489 2 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligations. This Brit

4、ish Standard was published under the authority of the Standards Policy and Strategy Committee on 31 July 2012. Amendments issued since publication Date Text affectedBS ISO/IEC 27032:2012 Information technology Security techniques Guidelines for cybersecurity Technologies de linformation Techniques d

5、e scurit Lignes directrices pour la cyberscurit INTERNATIONAL STANDARD ISO/IEC 27032 First edition 2012-07-15 Reference number ISO/IEC 27032:2012(E) ISO/IEC 2012 BS ISO/IEC 27032:2012ISO/IEC 27032:2012(E) ii ISO/IEC 2012 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2012 All rights reserv

6、ed. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requeste

7、r. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in SwitzerlandBS ISO/IEC 27032:2012ISO/IEC 27032:2012(E) ISO/IEC 2012 All rights reserved iii Contents Page Foreword . v Introduction .vi 1 Scope 1

8、 2 Applicability 1 2.1 Audience 1 2.2 Limitations . 1 3 Normative references . 2 4 T erms and definitions . 2 5 Abbreviated terms . 8 6 Overview 9 6.1 Introduction . 9 6.2 The nature of the Cyberspace 10 6.3 The nature of Cybersecurity .10 6.4 General model 11 6.5 Approach .13 7 Stakeholders in the

9、Cyberspace .14 7.1 Overview 14 7.2 Consumers 14 7.3 Providers .14 8 Assets in the Cyberspace .15 8.1 Overview 15 8.2 Personal assets .15 8.3 Organizational assets .15 9 Threats against the security of the Cyberspace .16 9.1 Threats .16 9.2 Threat agents 17 9.3 Vulnerabilities .17 9.4 Attack mechanis

10、ms 18 10 Roles of stakeholders in Cybersecurity 20 10.1 Overview 20 10.2 Roles of consumers 20 10.3 Roles of providers .21 11 Guidelines for stakeholders .22 11.1 Overview 22 11.2 Risk assessment and treatment 22 11.3 Guidelines for consumers .23 11.4 Guidelines for organizations and service provide

11、rs .25 12 Cybersecurity controls 28 12.1 Overview 28 12.2 Application level controls .28 12.3 Server protection .29 12.4 End-user controls 29 12.5 Controls against social engineering attacks .30 12.6 Cybersecurity readiness .33 12.7 Other controls 33 13 Framework of information sharing and coordinat

12、ion33 13.1 General .33 13.2 Policies .34 13.3 Methods and processes 35BS ISO/IEC 27032:2012ISO/IEC 27032:2012(E) iv ISO/IEC 2012 All rights reserved 13.4 People and organizations .36 13.5 Technical 37 13.6 Implementation guidance 38 Annex A (informative) Cybersecurity readiness .40 Annex B (informat

13、ive) Additional resources .44 Annex C (informative) Examples of related documents .47 Bibliography .50BS ISO/IEC 27032:2012ISO/IEC 27032:2012(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for w

14、orldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborat

15、e in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are

16、drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an I

17、nternational Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent right

18、s. ISO/IEC 27032 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. ISO/IEC 2012 All rights reserved vBS ISO/IEC 27032:2012ISO/IEC 27032:2012(E) Introduction The Cyberspace is a complex environment resulting from the interacti

19、on of people, software and services on the Internet, supported by worldwide distributed physical information and communications technology (ICT) devices and connected networks. However there are security issues that are not covered by current information security, Internet security, network security

20、 and ICT security best practices as there are gaps between these domains, as well as a lack of communication between organizations and providers in the Cyberspace. This is because the devices and connected networks that have supported the Cyberspace have multiple owners, each with their own business

21、, operational and regulatory concerns. The different focus placed by each organization and provider in the Cyberspace on relevant security domains where little or no input is taken from another organization or provider has resulted in a fragmented state of security for the Cyberspace. As such, the f

22、irst area of focus of this International Standard is to address Cyberspace security or Cybersecurity issues which concentrate on bridging the gaps between the different security domains in the Cyberspace. In particular this International Standard provides technical guidance for addressing common Cyb

23、ersecurity risks, including: social engineering attacks; hacking; the proliferation of malicious software (“malware”); spyware; and other potentially unwanted software. The technical guidance provides controls for addressing these risks, including controls for: preparing for attacks by, for example,

24、 malware, individual miscreants, or criminal organizations on the Internet; detecting and monitoring attacks; and responding to attacks. The second area of focus of this International Standard is collaboration, as there is a need for efficient and effective information sharing, coordination and inci

25、dent handling amongst stakeholders in the Cyberspace. This collaboration must be in a secure and reliable manner that also protects the privacy of the individuals concerned. Many of these stakeholders can reside in different geographical locations and time zones, and are likely to be governed by dif

26、ferent regulatory requirements. Stakeholders include: consumers, which can be various types of organizations or individuals; and providers, which include service providers. Thus, this International Standard also provides a framework for information sharing, coordination, and incident handling. The f

27、ramework includes key elements of considerations for establishing trust, necessary processes for collaboration and information exchange and sharing, as well as technical requirements for systems integration and interoperability between different stakeholders. Given the scope of this International St

28、andard, the controls provided are necessarily at a high level. Detailed technical specification standards and guidelines applicable to each area are referenced within this International Standard for further guidance. vi ISO/IEC 2012 All rights reservedBS ISO/IEC 27032:2012Information technology Secu

29、rity techniques Guidelines for cybersecurity 1 Scope This International Standard provides guidance for improving the state of Cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains, in particular: information security, network security, internet

30、 security, and critical information infrastructure protection (CIIP). It covers the baseline security practices for stakeholders in the Cyberspace. This International Standard provides: an overview of Cybersecurity, an explanation of the relationship between Cybersecurity and other types of security

31、, a definition of stakeholders and a description of their roles in Cybersecurity, guidance for addressing common Cybersecurity issues, and a framework to enable stakeholders to collaborate on resolving Cybersecurity issues. 2 Applicability 2.1 Audience This International Standard is applicable to pr

32、oviders of services in the Cyberspace. The audience, however, includes the consumers that use these services. Where organizations provide services in the Cyberspace to people for use at home or other organizations, they may need to prepare guidance based on this International Standard that contains

33、additional explanations or examples sufficient to allow the reader to understand and act on it. 2.2 Limitations This International Standard does not address: Cybersafety, Cybercrime, CIIP, Internet safety, and Internet related crime. It is recognized that relationships exist between the domains ment

34、ioned and Cybersecurity. It is, however, beyond the scope of this International Standard to address these relationships, and the sharing of controls between these domains. It is important to note that the concept of Cybercrime, although mentioned, is not addressed. This International Standard does n

35、ot provide guidance on law-related aspects of the Cyberspace, or the regulation of Cybersecurity. INTERNATIONAL STANDARD ISO/IEC 27032:2012(E) ISO/IEC 2012 All rights reserved 1BS ISO/IEC 27032:2012ISO/IEC 27032:2012(E) The guidance in this International Standard is limited to the realization of the

36、 Cyberspace on the Internet, including the endpoints. However, the extension of the Cyberspace to other spatial representations through communication media and platforms are not addressed, nor the physical security aspects of them. EXAMPLE 1 Protection of the infrastructure elements, such as communi

37、cations bearers, which underpin the Cyberspace are not addressed. EXAMPLE 2 The physical security of mobile telephones that connect to the Cyberspace for content download and/or manipulation is not addressed. EXAMPLE 3 Text messaging and voice chat functions provided for mobile telephones are not ad

38、dressed. 3 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 27000, In

39、formation technology Security techniques Information security management systems Overview and vocabulary 4 T erms and definitio ns For the purposes of this document, the terms and definitions given in ISO/IEC 27000, and the following apply. 4.1 adware application which pushes advertising to users an

40、d/or gathers user online behaviour NOTE The application may or may not be installed with the users knowledge or consent or forced onto the user via licensing terms for other software. 4.2 application IT solution, including application software, application data and procedures, designed to help an or

41、ganizations users perform particular tasks or handle particular types of IT problems by automating a business process or function ISO/IEC 27034-1:2011 4.3 application service provider operator who provides a hosted software solution that provides application services which includes web based or clie

42、nt-server delivery models EXAMPLE Online game operators, office application providers and online storage providers. 4.4 application services software with functionality delivered on-demand to subscribers through an online model which includes web based or client-server applications 4.5 application s

43、oftware software designed to help users perform particular tasks or handle particular types of problems, as distinct from software that controls the computer itself ISO/IEC 18019 2 ISO/IEC 2012 All rights reservedBS ISO/IEC 27032:2012ISO/IEC 27032:2012(E) 4.6 asset anything that has value to an indi

44、vidual, an organization or a government NOTE Adapted from ISO/IEC 27000 to make provision for individuals and the separation of governments from organizations (4.37). 4.7 avatar representation of a person participating in the Cyberspace NOTE 1 An avatar can also be referred to as the persons alter e

45、go. NOTE 2 An avatar can also be seen as an “object” representing the embodiment of the user. 4.8 attack attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset ISO/IEC 27000:2009 4.9 attack potential perceived potential for success of an

46、 attack, should an attack be launched, expressed in terms of an attackers expertise, resources and motivation ISO/IEC 15408-1:2005 4.10 attack vector path or means by which an attacker can gain access to a computer or network server in order to deliver a malicious outcome 4.11 blended attack attack

47、that seeks to maximize the severity of damage and speed of contagion by combining multiple attacking methods 4.12 bot robot automated software program used to carry out specific tasks NOTE 1 The word is often used to describe programs, usually run on a server, that automate tasks such as forwarding

48、or sorting e-mail. NOTE 2 A bot is also described as a program that operates as an agent for a user or another program or simulates a human activity. On the Internet, the most ubiquitous bots are the programs, also called spiders or crawlers, which access websites and gather their content for search

49、 engine indexes. 4.13 botnet remote control software, specifically a collection of malicious bots, that run autonomously or automatically on compromised computers 4.14 cookiecapability or ticket in an access control system 4.15 cookiedata exchanged by ISAKMP to prevent certain Denial-of-Service attacks during the establishment of a security association ISO/IEC 2012 All rights reserved 3