ImageVerifierCode 换一换
格式:PDF , 页数:48 ,大小:1.17MB ,
资源ID:588454      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-588454.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(BS ISO IEC 27036-3-2013 Information technology Security techniques Information security for supplier relationships Guidelines for information and communication technology supply ch.pdf)为本站会员(eveningprove235)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

BS ISO IEC 27036-3-2013 Information technology Security techniques Information security for supplier relationships Guidelines for information and communication technology supply ch.pdf

1、BSI Standards PublicationBS ISO/IEC 27036-3:2013Information technology Security techniques Information security forsupplier relationshipsPart 3: Guidelines for information andcommunication technology supply chainsecurityBS ISO/IEC 27036-3:2013 BRITISH STANDARDNational forewordThis British Standard i

2、s the UK implementation of ISO/IEC27036-3:2013.The UK participation in its preparation was entrusted to TechnicalCommittee IST/33, IT - Security techniques.A list of organizations represented on this committee can beobtained on request to its secretary.This publication does not purport to include al

3、l the necessaryprovisions of a contract. Users are responsible for its correctapplication. The British Standards Institution 2013. Published by BSI StandardsLimited 2013ISBN 978 0 580 76090 7ICS 35.040Compliance with a British Standard cannot confer immunity fromlegal obligations.This British Standa

4、rd was published under the authority of theStandards Policy and Strategy Committee on 30 November 2013.Amendments issued since publicationDate Text affectedBS ISO/IEC 27036-3:2013Information technology Security techniques Information security for supplier relationships Part 3: Guidelines for informa

5、tion and communication technology supply chain securityTechnologies de linformation Techniques de scurit Scurit dinformation pour la relation avec le fournisseur Partie 3: Lignes directrices pour la scurit de la chane de fourniture des technologies de la communication et de linformation ISO/IEC 2013

6、INTERNATIONAL STANDARDISO/IEC27036-3First edition2013-11-15Reference numberISO/IEC 27036-3:2013(E)BS ISO/IEC 27036-3:2013ISO/IEC 27036-3:2013(E)ii ISO/IEC 2013 All rights reservedCOPYRIGHT PROTECTED DOCUMENT ISO/IEC 2013All rights reserved. Unless otherwise specified, no part of this publication may

7、 be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the

8、requester.ISO copyright officeCase postale 56 CH-1211 Geneva 20Tel. + 41 22 749 01 11Fax + 41 22 749 09 47E-mail copyrightiso.orgWeb www.iso.orgPublished in SwitzerlandBS ISO/IEC 27036-3:2013ISO/IEC 27036-3:2013(E) ISO/IEC 2013 All rights reserved iiiContents PageForeword ivIntroduction v1 Scope . 1

9、2 Normative references 13 Terms and definitions . 14 Structure of this standard . 25 Key concepts . 25.1 Business case for ICT supply chain security 25.2 ICT supply chain risks and associated threats . 35.3 Acquirer and supplier relationship types 35.4 Organizational capability . 45.5 System lifecyc

10、le processes 45.6 ISMS processes in relation to system lifecycle processes 55.7 ISMS information security controls in relation to ICT supply chain security . 55.8 Essential ICT supply chain security practices 56 ICT supply chain security in Lifecycle Processes 76.1 Agreement Processes 76.2 Organizat

11、ional Project-Enabling Processes 106.3 Project Processes . 136.4 Technical Processes . 15Annex A (informative) Summary of Supply and Acquisition Processes from ISO/IEC 15288 and ISO/IEC 12207 24Annex B (informative) Clause 6 mapping to ISO/IEC 27002 .35Bibliography .37BS ISO/IEC 27036-3:2013ISO/IEC

12、27036-3:2013(E)ForewordISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards

13、through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC,

14、also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.The main task of the joint technical committee is to pr

15、epare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.Attention is drawn to the possibility

16、that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.ISO/IEC 27036-3 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security tec

17、hniques.ISO/IEC 27036 consists of the following parts, under the general title Information technology Security techniques Information security for supplier relationships: Part 1: Overview and concepts Part 2: Requirements Part 3: Guidelines for information and communication technology supply chain s

18、ecurityThe following part is under preparation: Part 4: Guidelines for security of cloud services.iv ISO/IEC 2013 All rights reservedBS ISO/IEC 27036-3:2013ISO/IEC 27036-3:2013(E)IntroductionInformation and Communication Technology (ICT) products and services are developed, integrated, and delivered

19、 globally through deep and physically dispersed supply chains. ICT products are assembled from many components provided by many suppliers. ICT services throughout the entire supplier relationship are also delivered through multiple tiers of outsourcing and supply chaining. Acquirers do not have visi

20、bility into the practices of hardware, software, and service providers beyond first or possibly second link of the supply chain. With the substantial increase in the number of organizations and people who “touch” an ICT product or service, the visibility into the practices by which these products an

21、d services are put together has decreased dramatically. This lack of visibility, transparency, and traceability into the ICT supply chain poses risks to acquiring organizations.This standard provides guidance to ICT product and service acquirers and suppliers to reduce or manage information security

22、 risk. This standard identifies the business case for ICT supply chain security, specific risks and relationship types as well as how to develop an organizational capability to manage information security aspects and incorporate a lifecycle approach to manage risks supported by specific controls and

23、 practices. Its application is expected to result in: Increased ICT supply chain visibility and traceability to enhance information security capability; Increased understanding by the acquirers of where their products or services are coming from, and of the practices used to develop, integrate, or o

24、perate these products or services, to enhance the implementation of information security requirements; In case of an information security compromise, the availability of information about what may have been compromised and who the involved actors may be.This international standard is intended to be

25、used by all types of organizations that acquire or supply ICT products and services in the ICT supply chain. The guidance is primarily focused on the initial link of the first acquirer and supplier, but the principle steps should be applied throughout the chain, starting when the first supplier chan

26、ges its role to being an acquirer and so on. This change of roles and applying the same steps for each new acquirer-supplier link in the chain is the essential intention of the standard. By following this international standard, information security implications can be communicated among organizatio

27、ns in the chain. This helps identifying information security risks and their causes and may enhance the transparency throughout the chain. Information security concerns related to supplier relationships cover a broad range of scenarios. Organizations desiring to improve trust within their ICT supply

28、 chain should define their trust boundaries, evaluate the risk associated with their supply chain activities, and then define and implement appropriate risk identification and mitigation techniques to reduce the risk of vulnerabilities being introduced through their ICT supply chain.ISO/IEC 27001 an

29、d ISO/IEC 27002 framework and controls provide a useful starting point for identifying appropriate requirements for acquirers and suppliers. ISO/IEC 27036 provides further detail regarding specific requirements to be used in establishing and monitoring supplier relationships. ISO/IEC 2013 All rights

30、 reserved vBS ISO/IEC 27036-3:2013BS ISO/IEC 27036-3:2013Information technology Security techniques Information security for supplier relationships Part 3: Guidelines for information and communication technology supply chain security1 ScopeThis part of ISO/IEC 27036 provides product and service acqu

31、irers and suppliers in ICT supply chain with guidance on:a) gaining visibility into and managing the information security risks caused by physically dispersed and multi-layered ICT supply chains;b) responding to risks stemming from the global ICT supply chain to ICT products and services that can ha

32、ve an information security impact on the organizations using these products and services. These risks can be related to organizational as well as technical aspects (e.g. insertion of malicious code or presence of the counterfeit information technology (IT) products);c) integrating information securi

33、ty processes and practices into the system and software lifecycle processes, described in ISO/IEC 15288 and ISO/IEC 12207, while supporting information security controls, described in ISO/IEC 27002.This part of ISO/IEC 27036 does not include business continuity management/resiliency issues involved

34、with the ICT supply chain. ISO/IEC 27031 addresses business continuity.2 Normative referencesThe following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated referenc

35、es, the latest edition of the referenced document (including any amendments) applies.ISO/IEC 27000, Information technology Security techniques Information security management systems Overview and vocabularyISO/IEC 27036-1, Information technology Security techniques Information security for supplier

36、relationships Part 1: Overview and conceptsISO/IEC 27036-2, Information technology Security techniques Information security for supplier relationships Part 2: Requirements3 Terms and definitionsFor the purposes of this document, the terms and definitions given in ISO/IEC 27000, ISO/IEC 27036-1 and t

37、he following apply.3.1reliabilityproperty of a system and its parts to perform its mission accurately and without failure or significant degradationINTERNATIONAL STANDARD ISO/IEC 27036-3:2013(E) ISO/IEC 2013 All rights reserved 1BS ISO/IEC 27036-3:2013ISO/IEC 27036-3:2013(E)3.2system elementmember o

38、f a set of elements that constitutes a systemNote 1 to entry: A system element is a discrete part of a system that can be implemented to fulfil specified requirements. A system element can be hardware, software, data, humans, processes (e.g. processes for providing required functionality to users),

39、procedures (e.g. operator instructions), facilities, materials, and naturally occurring entities (e.g. water, organisms, minerals), or any combination.SOURCE: ISO/IEC 15288:2008, definition 4.323.3transparencyproperty of a system or process to imply openness and accountability3.4traceabilityproperty

40、 that allows the tracking of the activity of an identity, process, or an element throughout the supply chain3.5validationconfirmation, through the provision of objective evidence, that the requirements for a specific intended use or application have been fulfilledNote 1 to entry: Validation is the s

41、et of activities ensuring and gaining confidence that a system is able to accomplish its intended use, goals and objectives (i.e. meet stakeholder requirements) in the intended operational environment.SOURCE: ISO/IEC 15288:2008, definition 4.373.6verificationconfirmation, through the provision of ob

42、jective evidence, that specified requirements have been fulfilledNote 1 to entry: Verification is a set of activities that compares a system or system element against the required characteristics. This may include, but is not limited to, specified requirements, design description and the system itse

43、lf.SOURCE: ISO/IEC 15288:2008, definition 4.384 Structure of this standardThis standard is structured to be harmonized with ISO/IEC 15288 and ISO/IEC 12207. Clause 6 mirrors lifecycle processes provided in those two standards. This standard is also harmonized with ISO/IEC 27002 and references releva

44、nt information security controls within the lifecycle processes with the mapping provided in Annex B.The documents named in this standard are generic and do not need to be elaborate or separate documents. Organizations should use existing documents to integrate ICT supply chain security.5 Key concep

45、ts5.1 Business case for ICT supply chain securityOrganizations acquire ICT products and services from numerous suppliers who may in turn acquire components from other suppliers. The information security risks associated with these dispersed and multi-layered ICT supply chains can be managed through

46、the application of risk management practices and trusted relationships, thereby increasing visibility, traceability and transparency in the ICT supply chain.For example, increased visibility into the ICT supply chain is obtained by defining adequate information security and quality requirements, and

47、 ongoing monitoring of suppliers and their products and services 2 ISO/IEC 2013 All rights reservedBS ISO/IEC 27036-3:2013ISO/IEC 27036-3:2013(E)once a supplier relationship is in operation. Identifying and tracking individuals accountable for quality and security for critical elements provides grea

48、ter traceability. Establishing contractual requirements and expectations, as well as reviewing processes and practices provides much needed transparency.Acquirers should establish an understanding within their organizations regarding the ICT supply chain risks and their possible impacts on businesse

49、s. Specifically, acquirers management should be aware that practices of suppliers throughout the supply chain can have impacts on whether resulting products and services can be trusted to protect acquirers business, information, and information systems.5.2 ICT supply chain risks and associated threatsIn a supply chain, information security management of an individual organization (acquirer or supplier) is not sufficient to maintain information security of the ICT products or services throughout their su

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1