ImageVerifierCode 换一换
格式:PDF , 页数:116 ,大小:2.84MB ,
资源ID:581944      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-581944.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(BS EN ISO 27799-2016 Health informatics Information security management in health using ISO IEC 27002《健康信息学 使用ISO IEC 27002的健康信息安全管理》.pdf)为本站会员(visitstep340)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

BS EN ISO 27799-2016 Health informatics Information security management in health using ISO IEC 27002《健康信息学 使用ISO IEC 27002的健康信息安全管理》.pdf

1、BS EN ISO 27799:2016Health informatics Information securitymanagement in health usingISO/IEC 27002 (ISO 27799:2016)BSI Standards PublicationWB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06BS EN ISO 27799:2016 BRITISH STANDARDNational forewordThis British Standard is the UK implementation of

2、EN ISO27799:2016. It supersedes BS EN ISO 27799:2008 which iswithdrawn.The UK participation in its preparation was entrusted to TechnicalCommittee IST/35, Health informatics.A list of organizations represented on this committee can beobtained on request to its secretary.This publication does not pur

3、port to include all the necessaryprovisions of a contract. Users are responsible for its correctapplication. The British Standards Institution 2016.Published by BSI Standards Limited 2016ISBN 978 0 580 87253 2ICS 35.240.80Compliance with a British Standard cannot confer immunity fromlegal obligation

4、s.This British Standard was published under the authority of theStandards Policy and Strategy Committee on 31 August 2016.Amendments/corrigenda issued since publicationDate T e x t a f f e c t e dEUROPEAN STANDARD NORME EUROPENNE EUROPISCHE NORM EN ISO 27799 August 2016 ICS 35.240.80 Supersedes EN I

5、SO 27799:2008English Version Health informatics - Information security management in health using ISO/IEC 27002 (ISO 27799:2016) Informatique de sant - Management de la scurit de linformation relative la sant en utilisant lISO/IEC 27002 (ISO 27799:2016) Medizinische Informatik - Informationsmanageme

6、nt im Gesundheitswesen bei Verwendung der ISO/IEC 27002 (ISO 27799:2016) This European Standard was approved by CEN on 18 June 2016. CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national sta

7、ndard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member. This European Standard exists in three official versions (English, French, German). A version in

8、any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions. CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Re

9、public, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EUROPE

10、AN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2016 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. EN ISO 27799:2016 EBS

11、 EN ISO 27799:2016EN ISO 27799:2016 (E) 3 European foreword This document (EN ISO 27799:2016) has been prepared by Technical Committee ISO/TC 215 “Health informatics” in collaboration with Technical Committee CEN/TC 251 “Health informatics” the secretariat of which is held by NEN. This European Stan

12、dard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by February 2017, and conflicting national standards shall be withdrawn at the latest by February 2017. Attention is drawn to the possibility that some of the elements o

13、f this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all such patent rights. This document supersedes EN ISO 27799:2008. According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following co

14、untries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,

15、Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. Endorsement notice The text of ISO 27799:2016 has been approved by CEN as EN ISO 27799:2016 without any modification. BS EN ISO 27799:2016ISO 27799:2016(E)Foreword viiIntroduction viii1 Scope .

16、12 Normative references 23 Terms and definitions . 24 Structure of this International Standard . 35 Information security policies 45.1 Management direction for information security . 45.1.1 Policies for information security 45.1.2 Review of the policies for information security 56 Organization of in

17、formation security . 66.1 Internal organization . 66.1.1 Information security roles and responsibilities . 66.1.2 Segregation of duties 76.1.3 Contact with authorities 76.1.4 Contact with special interest groups 76.1.5 Information security in project management . 86.2 Mobile devices and teleworking

18、86.2.1 Mobile device policy . 86.2.2 Teleworking 97 Human resource security 97.1 Prior to employment 97.1.1 Screening 97.1.2 Terms and conditions of employment 107.2 During employment . 117.2.1 Management responsibilities . 117.2.2 Information security awareness, education and training .117.2.3 Disc

19、iplinary process .117.3 Termination and change of employment 127.3.1 Termination or change of employment responsibilities 128 Asset management 128.1 Responsibility for assets 128.1.1 Inventory of assets 128.1.2 Ownership of assets .138.1.3 Acceptable use of assets . 138.1.4 Return of assets .138.2 I

20、nformation classification . 148.2.1 Classification of information 148.2.2 Labelling of information . 158.2.3 Handling of assets 158.3 Media handling 168.3.1 Management of removable media 168.3.2 Disposal of media .168.3.3 Physical media transfer . 179 Access control .179.1 Business requirements of a

21、ccess control 179.1.1 Access control policy .179.1.2 Access to networks and network services 189.2 User access management 189.2.1 User registration and de-registration .189.2.2 User access provisioning 19 ISO 2016 All rights reserved iiiContents PageBS EN ISO 27799:2016ISO 27799:2016(E)9.2.3 Managem

22、ent of privileged access rights 199.2.4 Management of secret authentication information of users .209.2.5 Review of user access rights . 209.2.6 Removal or adjustment of access rights .219.3 User responsibilities . 219.3.1 Use of secret authentication information 219.4 System and application access

23、control 229.4.1 Information access restriction 229.4.2 Secure log-on procedures . 229.4.3 Password management system 229.4.4 Use of privileged utility programs .239.4.5 Access control to program source code 2310 Cryptography .2310.1 Cryptographic controls . 2310.1.1 Policy on the use of cryptographi

24、c controls 2310.1.2 Key management 2411 Physical and environmental security .2411.1 Secure areas 2411.1.1 Physical security perimeter . 2411.1.2 Physical entry controls 2511.1.3 Securing offices, rooms and facilities 2511.1.4 Protecting against external and environmental threats .2511.1.5 Working in

25、 secure areas . 2511.1.6 Delivery and loading areas . 2511.2 Equipment 2611.2.1 Equipment siting and protection 2611.2.2 Supporting utilities .2611.2.3 Cabling security .2711.2.4 Equipment maintenance 2711.2.5 Removal of assets .2711.2.6 Security of equipment and assets off-premises .2711.2.7 Secure

26、 disposal or reuse of equipment .2811.2.8 Unattended user equipment . 2811.2.9 Clear desk and clear screen policy 2812 Operations security 2912.1 Operational procedures and responsibilities 2912.1.1 Documented operating procedures 2912.1.2 Change management .2912.1.3 Capacity management 3012.1.4 Sep

27、aration of development, testing and operational environments 3012.2 Protection from malware 3012.2.1 Controls against malware 3012.3 Backup . 3112.3.1 Information backup 3112.4 Logging and monitoring . 3112.4.1 Event logging 3112.4.2 Protection of log information . 3212.4.3 Administrator and operato

28、r logs 3312.4.4 Clock synchronisation 3412.5 Control of operational software 3412.5.1 Installation of software on operational systems .3412.6 Technical vulnerability management . 3412.6.1 Management of technical vulnerabilities.3412.6.2 Restrictions on software installation 3512.7 Information system

29、s audit considerations 3512.7.1 Information systems audit controls . 35iv ISO 2016 All rights reservedBS EN ISO 27799:2016ISO 27799:2016(E)13 Communications security 3513.1 Network security management . 3513.1.1 Network controls 3513.1.2 Security of network services 3613.1.3 Segregation in networks

30、3613.2 Information transfer . 3613.2.1 Information transfer policies and procedures 3613.2.2 Agreements on information transfer 3713.2.3 Electronic messaging 3713.2.4 Confidentiality or non-disclosure agreements .3814 System acquisition, development and maintenance 3814.1 Security requirements of in

31、formation systems . 3814.1.1 Information security requirements analysis and specification 3814.1.2 Securing application services on public networks 4014.1.3 Protecting application services transactions .4014.2 Security in development and support processes .4014.2.1 Secure development policy 4014.2.2

32、 System change control procedures . 4114.2.3 Technical review of applications after operating platform changes 4114.2.4 Restrictions on changes to software packages .4114.2.5 Secure system engineering principles4214.2.6 Secure development environment 4214.2.7 Outsourced development 4214.2.8 System s

33、ecurity testing .4214.2.9 System acceptance testing 4314.3 Test data . 4314.3.1 Protection of test data 4315 Supplier relationships .4315.1 Information security in supplier relationships 4315.1.1 Information security policy for supplier relationships .4315.1.2 Addressing security within supplier agr

34、eements 4415.1.3 Information and communication technology supply chain .4415.2 Supplier service delivery management 4415.2.1 Monitoring and review of supplier services .4515.2.2 Managing changes to supplier services .4516 Information security incident management 4516.1 Management of information secu

35、rity incidents and improvements .4516.1.1 Responsibilities and procedures . 4516.1.2 Reporting information security events .4516.1.3 Reporting information security weaknesses 4616.1.4 Assessment of and decision on information security events .4716.1.5 Response to information security incidents .4716

36、.1.6 Learning from information security incidents 4716.1.7 Collection of evidence .4717 Information security aspects of business continuity management .4817.1 Information security continuity 4817.1.1 Planning information security continuity .4817.1.2 Implementing information security continuity .491

37、7.1.3 Verify, review and evaluate information security continuity .4917.2 Redundancies 4917.2.1 Availability of information processing facilities 4918 Compliance 5018.1 Compliance with legal and contractual requirements .5018.1.1 Identification of applicable legislation and contractual requirements

38、5018.1.2 Intellectual property rights . 5018.1.3 Protection of records .50 ISO 2016 All rights reserved vBS EN ISO 27799:2016ISO 27799:2016(E)18.1.4 Privacy and protection of personally identifiable information 5118.1.5 Regulation of cryptographic controls .5218.2 Information security reviews 5218.2

39、.1 Independent review of information security .5218.2.2 Compliance with security policies and standards .5218.2.3 Technical compliance review . 53Annex A (informative) Threats to health information security.54Annex B (informative) Practical action plan for implementing ISO/IEC 27002 in healthcare .5

40、9Annex C (informative) Checklist for conformance to ISO 27799 72Bibliography .98vi ISO 2016 All rights reservedBS EN ISO 27799:2016ISO 27799:2016(E)ForewordISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of

41、 preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental

42、, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.The procedures used to develop this document and those intended for its further maintenance are described in the ISO

43、/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).Attention is drawn to the possibilit

44、y that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of pate

45、nt declarations received (see www.iso.org/patents).Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as inform

46、ation about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary informationThe committee responsible for this document is ISO/TC 215, Health informatics.This second edition cancels and replaces the first edition (ISO 27799:200

47、8), which has been technically revised. ISO 2016 All rights reserved viiBS EN ISO 27799:2016ISO 27799:2016(E)IntroductionThis International Standard provides guidance to healthcare organizations and other custodians of personal health information on how best to protect the confidentiality, integrity

48、 and availability of such information. It is based upon and extends the general guidance provided by ISO/IEC 27002:2013 and addresses the special information security management needs of the health sector and its unique operating environments. While the protection and security of personal informatio

49、n is important to all individuals, corporations, institutions and governments, there are special requirements in the health sector that need to be met to ensure the confidentiality, integrity, auditability and availability of personal health information. This type of information is regarded by many as being among the most confidential of all types of personal information. Protecting this confidentiality is essential if the privacy of subjects of care is to be maintained. The integrity of health information is to be protected to ensure patient safety, and

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1