CAN CSA-ISO IEC 27010-2013 Information technology - Security techniques - Information security management for inter-sector and inter-organizational communications.pdf

1、Information technology Security techniques Information security management for inter-sector and inter-organizational communicationsCAN/CSA-ISO/IEC 27010:13(ISO/IEC 27010:2012, IDT)National Standard of CanadaNOT FOR RESALE. / PUBLICATION NON DESTINE LA REVENTE.Legal Notice for StandardsCanadian Stand

2、ards Association (operating as “CSA Group”) develops standards through a consensus standards development process approved by the Standards Council of Canada. This process brings together volunteers representing varied viewpoints and interests to achieve consensus and develop a standard. Although CSA

3、 Group administers the process and establishes rules to promote fairness in achieving consensus, it does not independently test, evaluate, or verify the content of standards.Disclaimer and exclusion of liabilityThis document is provided without any representations, warranties, or conditions of any k

4、ind, express or implied, including, without limitation, implied warranties or conditions concerning this documents fitness for a particular purpose or use, its merchantability, or its non-infringement of any third partys intellectual property rights. CSA Group does not warrant the accuracy, complete

5、ness, or currency of any of the information published in this document. CSA Group makes no representations or warranties regarding this documents compliance with any applicable statute, rule, or regulation. IN NO EVENT SHALL CSA GROUP, ITS VOLUNTEERS, MEMBERS, SUBSIDIARIES, OR AFFILIATED COMPANIES,

6、OR THEIR EMPLOYEES, DIRECTORS, OR OFFICERS, BE LIABLE FOR ANY DIRECT, INDIRECT, OR INCIDENTAL DAMAGES, INJURY, LOSS, COSTS, OR EXPENSES, HOWSOEVER CAUSED, INCLUDING BUT NOT LIMITED TO SPECIAL OR CONSEQUENTIAL DAMAGES, LOST REVENUE, BUSINESS INTERRUPTION, LOST OR DAMAGED DATA, OR ANY OTHER COMMERCIAL

7、 OR ECONOMIC LOSS, WHETHER BASED IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR ANY OTHER THEORY OF LIABILITY, ARISING OUT OF OR RESULTING FROM ACCESS TO OR POSSESSION OR USE OF THIS DOCUMENT, EVEN IF CSA GROUP HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, INJURY, LOSS, COSTS, OR EXPENSES.In pu

8、blishing and making this document available, CSA Group is not undertaking to render professional or other services for or on behalf of any person or entity or to perform any duty owed by any person or entity to another person or entity. The information in this document is directed to those who have

9、the appropriate degree of experience to use and apply its contents, and CSA Group accepts no responsibility whatsoever arising in any way from any and all use of or reliance on the information contained in this document. CSA Group is a private not-for-profit company that publishes voluntary standard

10、s and related documents. CSA Group has no power, nor does it undertake, to enforce compliance with the contents of the standards or other documents it publishes. Intellectual property rights and ownershipAs between CSA Group and the users of this document (whether it be in printed or electronic form

11、), CSA Group is the owner, or the authorized licensee, of all works contained herein that are protected by copyright, all trade-marks (except as otherwise noted to the contrary), and all inventions and trade secrets that may be contained in this document, whether or not such inventions and trade sec

12、rets are protected by patents and applications for patents. Without limitation, the unauthorized use, modification, copying, or disclosure of this document may violate laws that protect CSA Groups and/or others intellectual property and may give rise to a right in CSA Group and/or others to seek leg

13、al redress for such use, modification, copying, or disclosure. To the extent permitted by licence or by law, CSA Group reserves all intellectual property rights in this document.Patent rightsAttention is drawn to the possibility that some of the elements of this standard may be the subject of patent

14、 rights. CSA Group shall not be held responsible for identifying any or all such patent rights. Users of this standard are expressly advised that determination of the validity of any such patent rights is entirely their own responsibility.Authorized use of this documentThis document is being provide

15、d by CSA Group for informational and non-commercial use only. The user of this document is authorized to do only the following:If this document is in electronic form:sLOADTHISDOCUMENTONTOACOMPUTERFORTHESOLEPURPOSEOFREVIEWINGITsSEARCHANDBROWSETHISDOCUMENTANDsPRINTTHISDOCUMENTIFITISIN0$ this remains t

16、he continuing responsibility of the SDO. An NSC reflects a consensus of a number of capable individuals whose collective interests provide, to the greatest practicable extent, a balance of representation of general interests, producers, regulators, users (including consumers), and others with releva

17、nt interests, as may be appropriate to the subject in hand. It normally is a standard which is capable of making a significant and timely contribution to the national interest.Those who have a need to apply standards areencouraged to use NSCs. These standards are subjectto periodic review. Users of

18、NSCs are cautionedto obtain the latest edition from the SDO which publishes the standard.The responsibility for approving standards as National Standards of Canada rests with theStandards Council of Canada270 Albert Street, Suite 200Ottawa, Ontario, K1P 6N7CanadaAlthough the intended primary applica

19、tion of this Standard is stated in its Scope, it is importantto note that it remains the responsibility of the users to judge its suitability for their particular purpose.Registered trade-mark of Canadian Standards AssociationCette norme est offerte en anglais seulement pour le moment. Le Groupe CSA

20、 publiera la versionen franais ds quelle sera produite par lorganisme rdacteur.TMA trade-mark of the Canadian Standards Association, operating as “CSA Group”National Standard of CanadaPublished in January 2013 by CSA GroupA not-for-profit private sector organization5060 Spectrum Way, Suite 100, Miss

21、issauga, Ontario, Canada L4W 5N61-800-463-6727 416-747-4044Visit our Online Store at shop.csa.caApproved byStandards Council of CanadaCAN/CSA-ISO/IEC 27010:13Information technology Security techniques Information security management for inter-sector and inter-organizational communicationsPrepared by

22、 InternationalOrganizationforStandardization/ International Electrotechnical CommissionReviewed byCAN/CSA-ISO/IEC 27010:13Information technology Security techniques Information security management for inter-sectorand inter-organizational communicationsCSA/4 2013 CSA Group January 2013CAN/CSA-ISO/IEC

23、 27010:13Information technology Security techniques Information security management for inter-sector and inter-organizational communicationsCSA PrefaceStandards development within the Information Technology sector is harmonized with international standards development. Through the CSA Technical Comm

24、ittee on Information Technology (TCIT), Canadians serve as the Canadian Advisory Committee (CAC) on ISO/IEC Joint Technical Committee 1 on Information Technology (ISO/IEC JTC1) for the Standards Council of Canada (SCC), the ISO member body for Canada and sponsor of the Canadian National Committee of

25、 the IEC. Also, as a member of the International Telecommunication Union (ITU), Canada participates in the International Telegraph and Telephone Consultative Committee (ITU-T).At the time of publication, ISO/IEC 27010:2012 is available from ISO and IEC in English only. CSA Group will publish the Fre

26、nch version when it becomes available from ISO and IEC.This International Standard was reviewed by the TCIT under the jurisdiction of the Strategic Steering Committee on Information Technology and deemed acceptable for use in Canada. From time to time, ISO/IEC may publish addenda, corrigenda, etc. T

27、he TCIT will review these documents for approval and publication. For a listing, refer to the Current Standards Activities page at standardsactivities.csa.ca. This Standard has been formally approved, without modification, by the Technical Committee and has been approved as a National Standard of Ca

28、nada by the Standards Council of Canada. 2013 CSA GroupAll rights reserved. No part of this publication may be reproduced in any form whatsoever without the prior permission of thepublisher. ISO/IEC material is reprinted with permission. Where the words “this International Standard” appear in the te

29、xt, they should be interpreted as “this National Standard of Canada”.Inquiries regarding this National Standard of Canada should be addressed toCSA Group5060 Spectrum Way, Suite 100, Mississauga, Ontario, Canada L4W 5N61-800-463-6727 416-747-4000http:/csa.caTo purchase standards and related publicat

30、ions, visit our Online Store at shop.csa.ca or call toll-free 1-800-463-6727 or 416-747-4044.This Standard is subject to periodic review, and suggestions for its improvement will be referred to the appropriate committee. To submit a proposal for change, please send the following information to inqui

31、riescsagroup.org and include “Proposal for change” in the subject line:(a) Standard designation (number);(b) relevant clause, table, and/or figure number;(c) wording of the proposed change; and(d) rationale for the change.Reference numberISO/IEC 27010:2012(E)ISO/IEC 2012INTERNATIONAL STANDARD ISO/IE

32、C27010First edition2012-04-01Information technology Security techniques Information security management for inter-sector and inter-organizational communications Technologies de linformation Techniques de scurit Gestion de la scurit de linformation des communications intersectorielles et interorganis

33、ationnelles ISO/IEC 27010:2012(E) COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2012 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in wr

34、iting from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org ii ISO/IEC 2012 All rights reservedCAN/CSA-ISO/IEC 27010:13ISO/I

35、EC 27010:2012(E) ISO/IEC 2012 All rights reserved iiiContents Page Foreword vi Introduction . vii 1 Scope 1 2 Normative references 1 3 Terms and definitions . 1 4 Concepts and justification . 2 4.1 Introduction 2 4.2 Information sharing communities . 2 4.3 Community management 2 4.4 Supporting entit

36、ies 2 4.5 Inter-sector communication . 2 4.6 Conformity . 3 4.7 Communications model 4 5 Security policy . 5 5.1 Information security policy 5 5.1.1 Information security policy document 5 5.1.2 Review of the information security policy 5 6 Organization of information security 5 6.1 Internal organiza

37、tion . 5 6.2 External parties 5 6.2.1 Identification of risks related to external parties . 5 6.2.2 Addressing security when dealing with customers 5 6.2.3 Addressing security in third party agreements . 5 7 Asset management 6 7.1 Responsibility for assets 6 7.1.1 Inventory of assets 6 7.1.2 Ownersh

38、ip of assets . 6 7.1.3 Acceptable use of assets 6 7.2 Information classification . 6 7.2.1 Classification guidelines 6 7.2.2 Information labelling and handling 6 7.3 Information exchanges protection 7 7.3.1 Information dissemination . 7 7.3.2 Information disclaimers 7 7.3.3 Information credibility .

39、 8 7.3.4 Information sensitivity reduction . 8 7.3.5 Anonymous source protection 8 7.3.6 Anonymous recipient protection . 9 7.3.7 Onwards release authority . 9 8 Human resources security . 9 8.1 Prior to employment 9 8.1.1 Roles and responsibilities 9 8.1.2 Screening . 9 8.1.3 Terms and conditions o

40、f employment 9 8.2 During employment . 10 8.3 Termination or change of employment . 10 9 Physical and environmental security 10 CAN/CSA-ISO/IEC 27010:13ISO/IEC 27010:2012(E) iv ISO/IEC 2012 All rights reserved10 Communications and operations management .10 10.1 Operational procedures and responsibil

41、ities .10 10.2 Third party service delivery management .10 10.3 System planning and acceptance 10 10.4 Protection against malicious and mobile code 10 10.4.1 Controls against malicious code .10 10.4.2 Controls against mobile code 10 10.5 Back-up .10 10.6 Network security management .11 10.7 Media ha

42、ndling .11 10.8 Exchange of information .11 10.8.1 Information exchange policies and procedures .11 10.8.2 Exchange agreements .11 10.8.3 Physical media in transit .11 10.8.4 Electronic messaging 11 10.8.5 Business information systems .11 10.9 Electronic commerce services .11 10.10 Monitoring 11 10.

43、10.1 Audit logging 11 10.10.2 Monitoring system use 12 10.10.3 Protection of log information .12 10.10.4 Administrator and operator logs 12 10.10.5 Fault logging 12 10.10.6 Clock synchronisation 12 11 Access control .12 12 Information systems acquisition, development and maintenance .12 12.1 Securit

44、y requirements of information systems 12 12.2 Correct processing in applications 12 12.3 Cryptographic controls .12 12.3.1 Policy on the use of cryptographic controls 12 12.3.2 Key management .12 12.4 Security of system files .13 12.5 Security in development and support processes 13 12.6 Technical v

45、ulnerability management .13 13 Information security incident management 13 13.1 Reporting information security events and weaknesses 13 13.1.1 Reporting information security events 13 13.1.2 Reporting security weaknesses .13 13.1.3 Early warning system 13 13.2 Management of information security inci

46、dents and improvements .14 13.2.1 Responsibilities and procedures .14 13.2.2 Learning from information security incidents 14 13.2.3 Collection of evidence .14 14 Business continuity management .14 14.1 Information security aspects of business continuity management .14 14.1.1 Including information se

47、curity in the business continuity management process .14 14.1.2 Business continuity and risk assessment 14 14.1.3 Developing and implementing continuity plans including information security 14 14.1.4 Business continuity planning framework .15 14.1.5 Testing, maintaining and re-assessing business con

48、tinuity plans 15 15 Compliance .15 15.1 Compliance with legal requirements .15 15.1.1 Identification of applicable legislation 15 15.1.2 Intellectual property rights (IPR) 15 15.1.3 Protection of organizational records .15 15.1.4 Data protection and privacy of personal information 15 15.1.5 Preventi

49、on of misuse of information processing facilities .15 CAN/CSA-ISO/IEC 27010:13ISO/IEC 27010:2012(E) ISO/IEC 2012 All rights reserved v15.1.6 Regulation of cryptographic controls . 15 15.1.7 Liability to the information sharing community . 15 15.2 Compliance with security policies and standards, and technical compliance . 16 15.3 Information sys