ImageVerifierCode 换一换
格式:PDF , 页数:62 ,大小:2MB ,
资源ID:396683      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-396683.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(BS ISO IEC 27032-2012 Information technology Security techniques Guidelines for cybersecurity《信息技术 安全技术 网络安全指南》.pdf)为本站会员(lawfemale396)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

BS ISO IEC 27032-2012 Information technology Security techniques Guidelines for cybersecurity《信息技术 安全技术 网络安全指南》.pdf

1、raising standards worldwide NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW BSI Standards Publication BS ISO/IEC 27032:2012 Information technology Security techniques Guidelines for cybersecurityBS ISO/IEC 27032:2012 BRITISH STANDARD National foreword This British Standard is

2、the UK implementation of ISO/IEC 27032:2012. The UK participation in its preparation was entrusted to Technical Committee IST/33, IT - Security techniques. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include

3、all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2012. Published by BSI Standards Limited 2012 ISBN 978 0 580 59489 2 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligations. This Brit

4、ish Standard was published under the authority of the Standards Policy and Strategy Committee on 31 July 2012. Amendments issued since publication Date Text affectedBS ISO/IEC 27032:2012 Information technology Security techniques Guidelines for cybersecurity Technologies de linformation Techniques d

5、e scurit Lignes directrices pour la cyberscurit INTERNATIONAL STANDARD ISO/IEC 27032 First edition 2012-07-15 Reference number ISO/IEC 27032:2012(E) ISO/IEC 2012 BS ISO/IEC 27032:2012ISO/IEC 27032:2012(E) ii ISO/IEC 2012 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2012 All rights reserv

6、ed. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requeste

7、r. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in SwitzerlandBS ISO/IEC 27032:2012ISO/IEC 27032:2012(E) ISO/IEC 2012 All rights reserved iii Contents Page Foreword . v Introduction .vi 1 Scope 1

8、 2 Applicability 1 2.1 Audience 1 2.2 Limitations . 1 3 Normative references . 2 4 T erms and definitions . 2 5 Abbreviated terms . 8 6 Overview 9 6.1 Introduction . 9 6.2 The nature of the Cyberspace 10 6.3 The nature of Cybersecurity .10 6.4 General model 11 6.5 Approach .13 7 Stakeholders in the

9、Cyberspace .14 7.1 Overview 14 7.2 Consumers 14 7.3 Providers .14 8 Assets in the Cyberspace .15 8.1 Overview 15 8.2 Personal assets .15 8.3 Organizational assets .15 9 Threats against the security of the Cyberspace .16 9.1 Threats .16 9.2 Threat agents 17 9.3 Vulnerabilities .17 9.4 Attack mechanis

10、ms 18 10 Roles of stakeholders in Cybersecurity 20 10.1 Overview 20 10.2 Roles of consumers 20 10.3 Roles of providers .21 11 Guidelines for stakeholders .22 11.1 Overview 22 11.2 Risk assessment and treatment 22 11.3 Guidelines for consumers .23 11.4 Guidelines for organizations and service provide

11、rs .25 12 Cybersecurity controls 28 12.1 Overview 28 12.2 Application level controls .28 12.3 Server protection .29 12.4 End-user controls 29 12.5 Controls against social engineering attacks .30 12.6 Cybersecurity readiness .33 12.7 Other controls 33 13 Framework of information sharing and coordinat

12、ion33 13.1 General .33 13.2 Policies .34 13.3 Methods and processes 35BS ISO/IEC 27032:2012ISO/IEC 27032:2012(E) iv ISO/IEC 2012 All rights reserved 13.4 People and organizations .36 13.5 Technical 37 13.6 Implementation guidance 38 Annex A (informative) Cybersecurity readiness .40 Annex B (informat

13、ive) Additional resources .44 Annex C (informative) Examples of related documents .47 Bibliography .50BS ISO/IEC 27032:2012ISO/IEC 27032:2012(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for w

14、orldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborat

15、e in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are

16、drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an I

17、nternational Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent right

18、s. ISO/IEC 27032 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. ISO/IEC 2012 All rights reserved vBS ISO/IEC 27032:2012ISO/IEC 27032:2012(E) Introduction The Cyberspace is a complex environment resulting from the interacti

19、on of people, software and services on the Internet, supported by worldwide distributed physical information and communications technology (ICT) devices and connected networks. However there are security issues that are not covered by current information security, Internet security, network security

20、 and ICT security best practices as there are gaps between these domains, as well as a lack of communication between organizations and providers in the Cyberspace. This is because the devices and connected networks that have supported the Cyberspace have multiple owners, each with their own business

21、, operational and regulatory concerns. The different focus placed by each organization and provider in the Cyberspace on relevant security domains where little or no input is taken from another organization or provider has resulted in a fragmented state of security for the Cyberspace. As such, the f

22、irst area of focus of this International Standard is to address Cyberspace security or Cybersecurity issues which concentrate on bridging the gaps between the different security domains in the Cyberspace. In particular this International Standard provides technical guidance for addressing common Cyb

23、ersecurity risks, including: social engineering attacks; hacking; the proliferation of malicious software (“malware”); spyware; and other potentially unwanted software. The technical guidance provides controls for addressing these risks, including controls for: preparing for attacks by, for example,

24、 malware, individual miscreants, or criminal organizations on the Internet; detecting and monitoring attacks; and responding to attacks. The second area of focus of this International Standard is collaboration, as there is a need for efficient and effective information sharing, coordination and inci

25、dent handling amongst stakeholders in the Cyberspace. This collaboration must be in a secure and reliable manner that also protects the privacy of the individuals concerned. Many of these stakeholders can reside in different geographical locations and time zones, and are likely to be governed by dif

26、ferent regulatory requirements. Stakeholders include: consumers, which can be various types of organizations or individuals; and providers, which include service providers. Thus, this International Standard also provides a framework for information sharing, coordination, and incident handling. The f

27、ramework includes key elements of considerations for establishing trust, necessary processes for collaboration and information exchange and sharing, as well as technical requirements for systems integration and interoperability between different stakeholders. Given the scope of this International St

28、andard, the controls provided are necessarily at a high level. Detailed technical specification standards and guidelines applicable to each area are referenced within this International Standard for further guidance. vi ISO/IEC 2012 All rights reservedBS ISO/IEC 27032:2012Information technology Secu

29、rity techniques Guidelines for cybersecurity 1 Scope This International Standard provides guidance for improving the state of Cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains, in particular: information security, network security, internet

30、 security, and critical information infrastructure protection (CIIP). It covers the baseline security practices for stakeholders in the Cyberspace. This International Standard provides: an overview of Cybersecurity, an explanation of the relationship between Cybersecurity and other types of security

31、, a definition of stakeholders and a description of their roles in Cybersecurity, guidance for addressing common Cybersecurity issues, and a framework to enable stakeholders to collaborate on resolving Cybersecurity issues. 2 Applicability 2.1 Audience This International Standard is applicable to pr

32、oviders of services in the Cyberspace. The audience, however, includes the consumers that use these services. Where organizations provide services in the Cyberspace to people for use at home or other organizations, they may need to prepare guidance based on this International Standard that contains

33、additional explanations or examples sufficient to allow the reader to understand and act on it. 2.2 Limitations This International Standard does not address: Cybersafety, Cybercrime, CIIP, Internet safety, and Internet related crime. It is recognized that relationships exist between the domains ment

34、ioned and Cybersecurity. It is, however, beyond the scope of this International Standard to address these relationships, and the sharing of controls between these domains. It is important to note that the concept of Cybercrime, although mentioned, is not addressed. This International Standard does n

35、ot provide guidance on law-related aspects of the Cyberspace, or the regulation of Cybersecurity. INTERNATIONAL STANDARD ISO/IEC 27032:2012(E) ISO/IEC 2012 All rights reserved 1BS ISO/IEC 27032:2012ISO/IEC 27032:2012(E) The guidance in this International Standard is limited to the realization of the

36、 Cyberspace on the Internet, including the endpoints. However, the extension of the Cyberspace to other spatial representations through communication media and platforms are not addressed, nor the physical security aspects of them. EXAMPLE 1 Protection of the infrastructure elements, such as communi

37、cations bearers, which underpin the Cyberspace are not addressed. EXAMPLE 2 The physical security of mobile telephones that connect to the Cyberspace for content download and/or manipulation is not addressed. EXAMPLE 3 Text messaging and voice chat functions provided for mobile telephones are not ad

38、dressed. 3 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 27000, In

39、formation technology Security techniques Information security management systems Overview and vocabulary 4 T erms and definitio ns For the purposes of this document, the terms and definitions given in ISO/IEC 27000, and the following apply. 4.1 adware application which pushes advertising to users an

40、d/or gathers user online behaviour NOTE The application may or may not be installed with the users knowledge or consent or forced onto the user via licensing terms for other software. 4.2 application IT solution, including application software, application data and procedures, designed to help an or

41、ganizations users perform particular tasks or handle particular types of IT problems by automating a business process or function ISO/IEC 27034-1:2011 4.3 application service provider operator who provides a hosted software solution that provides application services which includes web based or clie

42、nt-server delivery models EXAMPLE Online game operators, office application providers and online storage providers. 4.4 application services software with functionality delivered on-demand to subscribers through an online model which includes web based or client-server applications 4.5 application s

43、oftware software designed to help users perform particular tasks or handle particular types of problems, as distinct from software that controls the computer itself ISO/IEC 18019 2 ISO/IEC 2012 All rights reservedBS ISO/IEC 27032:2012ISO/IEC 27032:2012(E) 4.6 asset anything that has value to an indi

44、vidual, an organization or a government NOTE Adapted from ISO/IEC 27000 to make provision for individuals and the separation of governments from organizations (4.37). 4.7 avatar representation of a person participating in the Cyberspace NOTE 1 An avatar can also be referred to as the persons alter e

45、go. NOTE 2 An avatar can also be seen as an “object” representing the embodiment of the user. 4.8 attack attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset ISO/IEC 27000:2009 4.9 attack potential perceived potential for success of an

46、 attack, should an attack be launched, expressed in terms of an attackers expertise, resources and motivation ISO/IEC 15408-1:2005 4.10 attack vector path or means by which an attacker can gain access to a computer or network server in order to deliver a malicious outcome 4.11 blended attack attack

47、that seeks to maximize the severity of damage and speed of contagion by combining multiple attacking methods 4.12 bot robot automated software program used to carry out specific tasks NOTE 1 The word is often used to describe programs, usually run on a server, that automate tasks such as forwarding

48、or sorting e-mail. NOTE 2 A bot is also described as a program that operates as an agent for a user or another program or simulates a human activity. On the Internet, the most ubiquitous bots are the programs, also called spiders or crawlers, which access websites and gather their content for search

49、 engine indexes. 4.13 botnet remote control software, specifically a collection of malicious bots, that run autonomously or automatically on compromised computers 4.14 cookiecapability or ticket in an access control system 4.15 cookiedata exchanged by ISAKMP to prevent certain Denial-of-Service attacks during the establishment of a security association ISO/IEC 2012 All rights reserved 3

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1