ImageVerifierCode 换一换
格式:PDF , 页数:15 ,大小:94.16KB ,
资源ID:739337      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-739337.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(ETSI TS 102 640-3-2011 Electronic Signatures and Infrastructures (ESI) Registered Electronic Mail (REM) Part 3 Information Security Policy Requirements for REM Management Domains (.pdf)为本站会员(孙刚)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

ETSI TS 102 640-3-2011 Electronic Signatures and Infrastructures (ESI) Registered Electronic Mail (REM) Part 3 Information Security Policy Requirements for REM Management Domains (.pdf

1、 ETSI TS 102 640-3 V2.1.2 (2011-09) Electronic Signatures and Infrastructures (ESI); Registered Electronic Mail (REM); Part 3: Information Security Policy Requirements for REM Management Domains Technical Specification ETSI ETSI TS 102 640-3 V2.1.2 (2011-09)2Reference RTS/ESI-000071-3 Keywords e-com

2、merce, electronic signature, email, security, trust services ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Imp

3、ortant notice Individual copies of the present document can be downloaded from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is t

4、he Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Inf

5、ormation on the current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No

6、part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2011. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI register

7、ed for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TS 102 640-3 V2.1.2 (2011-09)3Contents Intellectual

8、 Property Rights 4g3Foreword . 4g3Introduction 4g31 Scope 5g32 References 5g32.1 Normative references . 5g32.2 Informative references 6g33 Definitions and abbreviations . 6g33.1 Definitions 6g33.2 Abbreviations . 7g34 Information security management systems in REM-MDs . 7g34.1 Goal/ISMS introduction

9、 . 7g34.1.1 Information Security Policy vs. REM Policy 7g34.2 Information asset to be protected . 8g34.3 Establishment of information security management 8g34.3.1 How to establish security requirements 8g34.3.2 Assessing security risks 8g34.3.3 Selecting controls 8g34.3.4 Critical success factors 8g

10、35 Application of ISO/IEC 27002 Controls and Objectives . 9g35.1 Security Policy . 9g35.2 Organization of information security . 9g35.3 Asset management 9g35.4 Human resources security 9g35.5 Physical and environmental security 9g35.6 Communications and operations management . 9g35.7 Access control

11、9g35.8 Security requirements of information systems . 10g35.9 Information security incident management 10g35.10 Business continuity management . 10g35.11 Compliance. 10g36 Further Requirements . 10g36.1 REM Practice Statement 10g36.2 REM Interconnection Statement 11g36.3 REM Sender/REM Recipient Aut

12、hentication . 11g36.4 Electronic Signatures 12g36.4.1 Class of Electronic Signature 12g36.4.2 Public Key Certificates . 12g36.4.3 Protection of Private Signing Key 12g36.5 Maintenance of REM-MD Evidence and REM-MD Envelopes over storage period . 13g36.6 Records Retention and Destruction 13g3Annex A

13、(informative): Bibliography . 14g3History 15g3ETSI ETSI TS 102 640-3 V2.1.2 (2011-09)4Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETS

14、I members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/ipr

15、.etsi.org). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to

16、 the present document. Foreword This Technical Specification (TS) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). The present document is part 3 of a multi-part deliverable. Full details of the entire series can be found in part 1 i.1. Introduction Busi

17、ness and administrative relationships among companies, public administrations and private citizens, are the more and more implemented electronically. Trust is becoming essential for their success and continued development of electronic services. It is therefore important that any entity using electr

18、onic services have suitable security controls and mechanisms in place to protect their transactions and to ensure trust and confidence with their partners. Electronic mail is a major tool for electronic business and administration. Additional security services are necessary for e-mail to be trusted.

19、 At the time of writing the present document, in some European Union Member States (Italy, Belgium, etc.) regulation(s) and application(s) are being developed, if not already in place on mails transmitted by electronic means providing origin authentication and proof of delivery. A range of Registere

20、d E-Mail (“REM“) services is already established and their number is set to grow significantly over the next few years. Without the definition of common standards there will be no consistency in the services provided, making it difficult for users to compare them. Under these circumstances, users mi

21、ght be prevented from easily changing to alternative providers, damaging free competition. Lack of standardization might also affect interoperability between REM based systems implemented based on different models. The present document is to ensure a consistent form of service across Europe, especia

22、lly with regard to the form of evidence provided, in order to maximize interoperability even between e-mail domains governed by different policy rules. In order to move towards the general recognition and readability of evidence provided by registered e-mail services, it is necessary to specify tech

23、nical formats, as well as procedures and practices for handling REM, and the ways the electronic signatures are applied to it. In this respect, the electronic signature is an important security component to protect the information and to provide trust in electronic business. It is to be noted that a

24、 simple “electronic signature“ would be insufficient to provide the required trust to an information exchange. Therefore the present document assumes the usage of at least an Advanced Electronic Signature, with the meaning of article 2(2) of EU Directive 1999/93/EC 4 issued with a Secure Signature C

25、reation Device, with the meaning of article 2(6) of the same Directive. The summarised scope of each part and sub-part can be found in part 1 i.1 of this multi-part deliverable. ETSI ETSI TS 102 640-3 V2.1.2 (2011-09)51 Scope The present document specifies requirements on the security of a Registere

26、d E-Mail Management Domain (REM-MD). These requirements are based on the REM-MD operating an Information Security Management System as specified in ISO/IEC 27001 1. Requirements relating to the handling of messages (e.g. message transfer or storage) which do not impact on the REM related evidence ar

27、e outside the scope of the present document. The present document uses the concepts and models defined in TS 102 640-1 i.1. The present document considers the policy requirements applicable to the REM-MD as a whole. It is the responsibility of the management authority for that domain to ensure the r

28、equirements of that domain are met including any requirements which impact on external services. 2 References References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-s

29、pecific references, the latest version of the reference document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were v

30、alid at the time of publication, ETSI cannot guarantee their long term validity. 2.1 Normative references The following referenced documents are necessary for the application of the present document. 1 ISO/IEC 27001:2005: “Information technology - Security techniques - Information security managemen

31、t systems - Requirements“. 2 ISO/IEC 27002:2005: “Information technology - Security techniques - Code of practice for information security management“. 3 ISO/IEC 27005:2011: “Information technology - Security techniques - Information security risk management“. 4 Directive 1999/93/EC of the European

32、Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. 5 ETSI TS 102 042: “Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates“. 6 ETSI TS 101 456: “Electronic Signatures and

33、 Infrastructures (ESI); Policy requirements for certification authorities issuing qualified certificates“. 7 CEN Workshop Agreement (CWA) 14169: “Secure signature-creation devices “EAL 4+“. NOTE: CWA 14169 was drafted based on Common Criteria 2.1 which has since been superseded. It is specified in t

34、he Common criteria site (http:/moncriteriaportal.org/thecc.html): “omissis the 2.* series, is to be used until March 2008, and maintenance based in this version during further 18 months, i.e. until September 2009“. 8 ISO/IEC 15408 (Parts 1 to 3): “Information technology - Security techniques - Evalu

35、ation criteria for IT security“. ETSI ETSI TS 102 640-3 V2.1.2 (2011-09)69 CEN CWA 14167 (Parts 2 and 4): “Cryptographic module for CSP signing operations with/without backup - Protection profile - CMCSOB PP/CMCSO PP“. 10 FIPS PUB 140-2 (2001): “Security Requirements for Cryptographic Modules“. 2.2

36、Informative references The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 ETSI TS 102 640-1: “Electronic Signatures and Infrastructures (ESI); Registered Electronic Mail (REM); Part 1

37、: Architecture“. i.2 ETSI TS 102 640-2: “Electronic Signatures and Infrastructures (ESI); Registered Electronic Mail (REM); Part 2: Data requirements, Formats and Signatures for REM“. i.3 ETSI TS 102 640-4: “Electronic Signatures and Infrastructures (ESI); Registered Electronic Mail (REM); Part 4: R

38、EM-MD Conformance Profiles“. i.4 ETSI TS 102 640-5: “Electronic Signatures and Infrastructures (ESI); Registered Electronic Mail (REM); Part 5: REM-MD Interoperability Profiles“. i.5 ETSI TS 102 640-6-3: “Electronic Signatures and Infrastructures (ESI); Registered Electronic Mail (REM); Part 6: Inte

39、roperability Profiles; Sub-part 3: REM-MD SOAP Binding Profile“. i.6 ETSI TS 102 640-6-2: “Electronic Signatures and Infrastructures (ESI); Registered Electronic Mail (REM); Part 6: Interoperability Profiles; Sub-part 2: REM-MD BUSDOX Interoperability Profile“. i.7 ETSI TS 102 640-6-1: “Electronic S

40、ignatures and Infrastructures (ESI); Registered Electronic Mail (REM); Part 6: Interoperability Profiles; Sub-part 1: REM-MD UPU PReM Interoperability Profile“. 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the terms and definitions given in TS 102 640-1 i

41、.1 and the following apply: information security management system: part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security NOTE: See ISO/IEC 27001 1, clause 3.7. may, need not: indicate a

42、course of action permissible within the limits of the present document shall, shall not: indicate requirements strictly to be followed in order to conform to the present document and from which no deviation is permitted should, should not: indicate that among several possibilities one is recommended

43、 as particularly suitable, without mentioning or excluding others, or that a certain course of action is preferred but not necessarily required, or that (in the negative form) a certain possibility or course of action is deprecated but not prohibited ETSI ETSI TS 102 640-3 V2.1.2 (2011-09)73.2 Abbre

44、viations For the purposes of the present document, the following abbreviations apply: AdES Advanced Electronic Signature CA Certification Authority ISMS Information Security Management System QES Qualified Electronic Signature REM Registered E-Mail REM-MD REM Management Domain S b) in the context of

45、 clause 15.1.3 records shall be destroyed as specified in clause 6.6; c) in the context of clause 15.2 any REM Policy applicable to the REM-MD shall be applied. 6 Further Requirements The following controls shall be applied within the context of the ISO/IEC 27002 2 requirements as specified above. 6

46、.1 REM Practice Statement The REM Practice Statement is a statement of the practices employed in providing REM services meeting the policy requirements specified in the present document. The REM Practice statement shall include as applicable, at least: a) Specification of the country/ies under whose

47、 legal system the REM-MD operates and other applicable legal requirements (where applicable). b) Reference to REM Policy or other legal or policy requirements to which the REM-MD conforms. c) Details of any certification of conformance, government accreditation or other form of external audit agains

48、t the requirements specified in the present document. d) The Style(s) of Operation the REM-MD implements. e) Specification on the hashing algorithm (e.g. “SHA-1“, “SHA256“) currently used in the M00 REM-MD Component consistently with TS 102 640-2 i.2, clause 5.2.2.4.1 “M00 - REM-MD Message/REM Dispa

49、tch details“. It may specify also the previously adopted hashing algorithms, also indicating the time period they have been in force. f) Information on how the requirements specified in the present document are implemented, including at least: i) a statement of applicability of the ISO/IEC 27002 2 controls taking into account the particular requirements specified in the present document; ETSI ETSI TS 102 640-3 V2.1.2 (2011-09)11ii) whether Advanced signatures are supported by Qualified Certificates in accordan

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1