ImageVerifierCode 换一换
格式:PDF , 页数:32 ,大小:3.99MB ,
资源ID:396698      下载积分:5000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-396698.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(BS ISO IEC 27036-4-2016 Information technology Security techniques Information security for supplier relationships Guidelines for security of cloud services《信息技术 安全技术 供应商关.pdf)为本站会员(confusegate185)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

BS ISO IEC 27036-4-2016 Information technology Security techniques Information security for supplier relationships Guidelines for security of cloud services《信息技术 安全技术 供应商关.pdf

1、BS ISO/IEC 27036-4:2016 Information technology Security techniques Information security for supplier relationships Part 4: Guidelines for security of cloud services BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06BS ISO/IEC 27036-4:2016 BRITISH STANDARD National for

2、eword This British Standard is the UK implementation of ISO/IEC 27036-4:2016. The UK participation in its preparation was entrusted to Technical Committee IST/33/4, Security Controls and Services. A list of organizations represented on this committee can be obtained on request to its secretary. This

3、 publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2016. Published by BSI Standards Limited 2016 ISBN 978 0 580 81383 2 ICS 35.040 Compliance with a British Standard cannot confer i

4、mmunity from legal obligations. This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 October 2016. Amendments/corrigenda issued since publication Date T e x t a f f e c t e dBS ISO/IEC 27036-4:2016 Information technology Security techniques Inf

5、ormation security for supplier relationships Part 4: Guidelines for security of cloud services Technologies de linformation Techniques de scurit Scurit dinformation pour la relation avec le fournisseur Partie 4: Lignes directrices pour la scurit des services du nuage INTERNATIONAL STANDARD ISO/IEC 2

6、7036-4 Reference number ISO/IEC 27036-4:2016(E) First edition 2016-10-01 ISO/IEC 2016 BS ISO/IEC 27036-4:2016ii ISO/IEC 2016 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2016, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be rep

7、roduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the request

8、er. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 27036-4:2016(E)BS ISO/IEC 27036-4:2016ISO/IEC 27036-4:2016(E)Foreword iv Introduction v 1 Scope . 1 2 Normative references 1 3 T er

9、ms and definitions . 1 4 Structure of this document 2 5 Key cloud concepts and security threats and risks 2 5.1 Characteristics of cloud computing . 2 5.2 Cloud service threats and associated risks to the cloud service customer . 3 5.3 Cloud service threats and associated risks for public cloud depl

10、oyment model . 4 5.4 Cloud service threats and associated risks for hybrid cloud deployment model 5 5.5 Cloud service threats and associated risks for private cloud deployment model 5 6 Information security controls in cloud service acquisition lifecycle .6 6.1 Agreement processes 6 6.1.1 Acquisitio

11、n process . 6 6.1.2 Supply process . 7 6.2 Organizational project-enabling processes 8 6.3 Project processes 8 6.3.1 Project planning process . 8 6.3.2 Project assessment and control process . 8 6.3.3 Decision management process 8 6.3.4 Risk management process . 8 6.3.5 Configuration management proc

12、ess . 8 6.3.6 Information management process . 9 6.3.7 Measurement process . 9 6.4 Technical processes 9 6.4.1 Stakeholder requirements definition process 9 6.4.2 Requirements analysis process . 9 6.4.3 Architectural design process . 9 6.4.4 Implementation process . 9 6.4.5 Integration process .10 6

13、.4.6 Verification process 10 6.4.7 Transition process .10 6.4.8 Validation process 10 6.4.9 Operation process 10 6.4.10 Maintenance process .10 6.4.11 Disposal process 11 7 Information security controls in cloud service providers .11 7.1 Overview .11 7.1.1 Control sets related to cloud service deplo

14、yment model 11 7.1.2 Setting information security controls at a cloud service provider 11 7.2 Public cloud deployment model12 7.2.1 Infrastructure capabilities type .12 7.2.2 Platform capabilities type .13 7.2.3 Application capabilities type 13 7.3 Hybrid cloud deployment model 14 7.4 Private cloud

15、deployment model .14 Annex A (informative) Information security standards for cloud providers 15 Annex B (informative) Mapping to ISO/IEC 27017 controls .19 Bibliography .21 ISO/IEC 2016 All rights reserved iii Contents PageBS ISO/IEC 27036-4:2016ISO/IEC 27036-4:2016(E) Foreword ISO (the Internation

16、al Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by

17、 the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of

18、 information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the

19、different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and

20、IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this do

21、cument is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions related to conformit y assessment, as well as information about ISOs adherence to the World Trade Organization (WTO) principles in

22、the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html. The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. A list of all parts in the ISO/IEC 27036 series can be found on the ISO websit

23、e.iv ISO/IEC 2016 All rights reservedBS ISO/IEC 27036-4:2016ISO/IEC 27036-4:2016(E) Introduction This document provides guidance on information security to cloud service customers and cloud service providers. Its application should result in increased understanding and definition of information secu

24、rity in cloud services, increased understanding by the customers of the risks associated with cloud services to enhance the specification of information security requirements, and increased ability of cloud service providers to provide assurance to customers that they have identified risks in their

25、service(s) and associated supply chains and have taken measures to manage those risks. This document is intended to be used by all types of organizations that acquire or supply cloud services. The document is intended primarily for risk owners in cloud service customers, who finally accept the use o

26、f the cloud service, and the individual accountable for the cloud service provided by the cloud service provider. The guidance is primarily focused on the initial link of the first cloud service customer and cloud service provider, but the principal steps should be applied throughout the supply chai

27、n, starting when the first cloud service provider changes its role to being a cloud service customer and so on. The manner in which this change of roles is repeated and the manner in which the same steps are repeated for each new cloud service customer-cloud service provider link in the chain are ce

28、ntral to this document. By following the guidance contained within this document, it should be possible to have a seamless linkage of information security priorities visible across the supply chain. Information security concerns related to supplier relationships cover a broad range of scenarios. Org

29、anizations that wish to improve trust within their cloud service provision should define their trust boundaries, evaluate the risk associated with their supply chain activities, and then define and implement appropriate risk identification and mitigation techniques to reduce the risk of vulnerabilit

30、ies being introduced through their cloud service provision supply chain. ISO/IEC 27001 and ISO/IEC 27002 framework and controls provide a useful starting point for identifying appropriate requirements for customers and providers. ISO/IEC 27017 and ISO/IEC 27018 provide guidance on how a cloud servic

31、e customer and cloud service provider can implement, manage and operate information security for a cloud service. ISO/IEC 27036 (all parts) provides further detail regarding specific requirements to be used in establishing and monitoring information security in supplier relationships. This document

32、is based upon the premise that a cloud service customer has applied general information security according to an information security management system (ISMS) (ISO/IEC 27001). As a result, much of the content is focused on the cloud service provider and depends on the capabilities type, service cate

33、gory and deployment model of the actual cloud service. Typically, cloud services are purchased “as is”; a cloud service customer has no ability to specify or request changes to the cloud service being purchased. However, in certain cases, the customer has the ability to specify the service and the d

34、etail of that service, including the information security arrangements required of the supplier. ISO/IEC 27036 is written to cover both of these eventualities. This document is written to cover the first of these eventualities and refers to ISO/IEC 27036-1, ISO/IEC 27036-2 and ISO/IEC 27036-3 for th

35、e cases when security arrangements can be specified. For a cloud service customer, this means that when reading this document, it should be noted that it is only addressing what are cloud service-specific security processes and controls. It is assumed all other general information security processes

36、 and controls necessary for the cloud service customer organization are in place to handle information security in the cloud service to be or being used. The general information security processes and controls are found in other ISO/IEC standards and in particular ISO/IEC 27036-1, ISO/IEC 27036-2, I

37、SO/IEC 27036-3, ISO/IEC 27017 and ISO/IEC 27018. ISO/IEC 2016 All rights reserved vBS ISO/IEC 27036-4:2016BS ISO/IEC 27036-4:2016Information technology Security techniques Information security for supplier relationships Part 4: Guidelines for security of cloud services 1 Scope This document provides

38、 cloud service customers and cloud service providers with guidance on a) gaining visibility into the information security risks associated with the use of cloud services and managing those risks effectively, and b) responding to risks specific to the acquisition or provision of cloud services that c

39、an have an information security impact on organizations using these services. This document does not include business continuity management/resiliency issues involved with the cloud service. ISO/IEC 27031 addresses business continuity. This document does not provide guidance on how a cloud service p

40、rovider should implement, manage and operate information security. Guidance on those can be found in ISO/IEC 27002 and ISO/IEC 27017. The scope of this document is to define guidelines supporting the implementation of information security management for the use of cloud services. 2 Normative referen

41、ces The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) ap

42、plies. ISO/IEC 17788 | ITU-T Rec. Y.3500, Information technology Cloud computing Overview and vocabulary ISO/IEC 27017 | ITU-T Rec. X.1631, Information technology Security techniques Code of practice for information security controls based on ISO/IEC 27002 for cloud services ISO/IEC 27036-1, Informa

43、tion technology Security techniques Information security in supplier relationships Part 1: Overview and concepts ISO/IEC 27036-2, Information technology Security techniques Information security in supplier relationships Part 2: Requirements ISO/IEC 27036-3, Information technology Security techniques

44、 Information security in supplier relationships Part 3: Guidelines for information and communication technology supply chain security 3 T erms a nd definiti ons For the purposes of this document, the terms and definitions given in ISO/IEC 27036-1, ISO/IEC 27036- 2, ISO/IEC 27036-3 and ISO/IEC 17788

45、| ITU-T Rec. Y.3500 apply. ISO and IEC maintain terminological databases for use in standardization at the following addresses: IEC Electropedia: available at http:/ /www.electropedia.org/ INTERNATIONAL ST ANDARD ISO/IEC 27036-4:2016(E) ISO/IEC 2016 All rights reserved 1BS ISO/IEC 27036-4:2016ISO/IE

46、C 27036-4:2016(E) ISO Online browsing platform: available at http:/ /www.iso.org/obp 4 Structure of this document This document should be used in combination with the other parts within ISO/IEC 27036. It is necessary to follow ISO/IEC 27036-1, ISO/IEC 27036-2 and ISO/IEC 27036-3 to implement the gui

47、delines. This document should be used as additional guidelines for information security specifically addressing cloud services; security controls for cloud services are found in ISO/IEC 27017 and ISO/IEC 27018. Mapping of security controls can be found in Annex A. This document is structured to be h

48、armonized with ISO/IEC/IEEE 15288 and ISO/IEC 12207. Clause 6 mirrors lifecycle processes provided in those two standards. This document is also harmonized with ISO/IEC 27017 and provides a mapping of ISO/IEC 27017 information security controls to the lifecycle processes in Annex B. NOTE 1 Clause 6

49、is particularly applicable to public cloud deployment models. NOTE 2 In each table presented in Clause 6, a blank column is inserted between the columns of “cloud service customer” and “cloud service provider”. This blank column indicates that the guidance given for cloud service customer and cloud service provider are separate and not related. The documents named in this document are generic and do not need to be elaborated or be separate documents. Organizati

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1