ImageVerifierCode 换一换
格式:PDF , 页数:40 ,大小:736.50KB ,
资源ID:804734      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-804734.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(ITU-T X 1631-2015 Information technology - Security techniques - Code of practice for information security controls based on ISO IEC 27002 for cloud services (Study Group 17)《信息技术 .pdf)为本站会员(rimleave225)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

ITU-T X 1631-2015 Information technology - Security techniques - Code of practice for information security controls based on ISO IEC 27002 for cloud services (Study Group 17)《信息技术 .pdf

1、 I n t e r n a t i o n a l T e l e c o m m u n i c a t i o n U n i o n ITU-T X.1631 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (07/2015) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Cloud computing security Cloud computing security design Information technology Security tech

2、niques Code of practice for information security controls based on ISO/IEC 27002 for cloud services Recommendation ITU-T X.1631 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BET

3、WEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.

4、1000X.1029 Network security X.1030X.1049 Security management X.1050X.1069 Telebiometrics X.1080X.1099 SECURE APPLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-pee

5、r security X.1160X.1169 Networked ID security X.1170X.1179 IPTV security X.1180X.1199 CYBERSPACE SECURITY Cybersecurity X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security

6、 X.1310X.1339 PKI related Recommendations X.1340X.1349 CYBERSECURITY INFORMATION EXCHANGE Overview of cybersecurity X.1500X.1519 Vulnerability/state exchange X.1520X.1539 Event/incident/heuristics exchange X.1540X.1549 Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569

7、 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 CLOUD COMPUTING SECURITY Overview of cloud computing security X.1600X.1601 Cloud computing security design X.1602X.1639 Cloud computing security best practices and guidelines X.1640X.1659 Cloud computing security implementation

8、 X.1660X.1679 Other cloud computing security X.1680X.1699 For further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T X.1631 (07/2015) i INTERNATIONAL STANDARD ISO/IEC 27017 RECOMMENDATION ITU-T X.1631 Information technology Security techniques Code of practice for information

9、 security controls based on ISO/IEC 27002 for cloud services Summary Recommendation ITU-T X.1631 | ISO/IEC 27017 provides guidelines for information security controls applicable to the provision and use of cloud services by providing: additional implementation guidance for relevant controls specifie

10、d in ISO/IEC 27002; additional controls with implementation guidance that specifically relate to cloud services. This Recommendation | International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers. History Edition Recommendation App

11、roval Study Group Unique ID* 1.0 ITU-T X.1631 2015-07-14 17 11.1002/1000/12490 _ * To access the Recommendation, type the URL http:/handle.itu.int/ in the address field of your web browser, followed by the Recommendations unique ID. For example, http:/handle.itu.int/11.1002/1000/11830-en. ii Rec. IT

12、U-T X.1631 (07/2015) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is

13、 responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by

14、 the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a colla

15、borative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certa

16、in mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirem

17、ents. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTSITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. I

18、TU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual

19、 property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2015 All rights res

20、erved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T X.1631 (07/2015) iii CONTENTS Page 1 Scope 1 2 Normative references 1 2.1 Identical Recommendations | International Standards 1 2.2 Additional References . 1 3 Defin

21、itions and abbreviations . 1 3.1 Terms defined elsewhere . 1 3.2 Abbreviations 2 4 Cloud sector-specific concepts . 2 4.1 Overview . 2 4.2 Supplier relationships in cloud services 2 4.3 Relationships between cloud service customers and cloud service providers . 3 4.4 Managing information security ri

22、sks in cloud services . 3 4.5 Structure of this standard . 3 5 Information security policies 4 5.1 Management direction for information security 4 6 Organization of information security 5 6.1 Internal organization . 5 6.2 Mobile devices and teleworking 6 7 Human resource security 6 7.1 Prior to empl

23、oyment 6 7.2 During employment 6 7.3 Termination and change of employment . 7 8 Asset management 7 8.1 Responsibility for assets 7 8.2 Information classification 8 8.3 Media handling 8 9 Access control 8 9.1 Business requirements of access control . 8 9.2 User access management . 9 9.3 User responsi

24、bilities 10 9.4 System and application access control 10 10 Cryptography 11 10.1 Cryptographic controls 11 11 Physical and environmental security 12 11.1 Secure areas . 12 11.2 Equipment . 12 12 Operations security . 13 12.1 Operational procedures and responsibilities 13 12.2 Protection from malware

25、 . 14 12.3 Backup 14 12.4 Logging and monitoring 15 12.5 Control of operational software . 16 12.6 Technical vulnerability management 16 12.7 Information systems audit considerations . 17 13 Communications security . 17 13.1 Network security management 17 13.2 Information transfer. 17 14 System acqu

26、isition, development and maintenance . 18 14.1 Security requirements of information systems 18 14.2 Security in development and support processes 18 iv Rec. ITU-T X.1631 (07/2015) Page 14.3 Test data 19 15 Supplier relationships . 19 15.1 Information security in supplier relationships . 19 15.2 Supp

27、lier service delivery management 20 16 Information security incident management 20 16.1 Management of information security incidents and improvements. 20 17 Information security aspects of business continuity management 22 17.1 Information security continuity . 22 17.2 Redundancies 22 18 Compliance

28、. 22 18.1 Compliance with legal and contractual requirements 22 18.2 Information security reviews . 23 Annex A Cloud service extended control set 25 Annex B References on information security risk related to cloud computing 29 Bibliography 30 Rec. ITU-T X.1631 (07/2015) v Introduction The guidelines

29、 contained within this Recommendation | International Standard are in addition to and complement the guidelines given in ISO/IEC 27002. Specifically, this Recommendation | International Standard provides guidelines supporting the implementation of information security controls for cloud service cust

30、omers and cloud service providers. Some guidelines are for cloud service customers who implement the controls, and others are for cloud service providers to support the implementation of those controls. The selection of appropriate information security controls and the application of the implementat

31、ion guidance provided, will depend on a risk assessment and any legal, contractual, regulatory or other cloud-sector specific information security requirements. ISO/IEC 27017:2015 (E) Rec. ITU-T X.1631 (07/2015) 1 INTERNATIONAL STANDARD ITU-T RECOMMENDATION Information technology Security techniques

32、 Code of practice for information security controls based on ISO/IEC 27002 for cloud services 1 Scope This Recommendation | International Standard gives guidelines for information security controls applicable to the provision and use of cloud services by providing: additional implementation guidance

33、 for relevant controls specified in ISO/IEC 27002; additional controls with implementation guidance that specifically relate to cloud services. This Recommendation | International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers. 2 N

34、ormative references The following Recommendations and International Standards contain provisions which, through reference in this text, constitute provisions of this Recommendation | International Standard. At the time of publication, the editions indicated were valid. All Recommendations and Standa

35、rds are subject to revision, and parties to agreements based on this Recommendation | International Standard are encouraged to investigate the possibility of applying the most recent edition of the Recommendations and Standards listed below. Members of IEC and ISO maintain registers of currently val

36、id International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid ITU-T Recommendations. 2.1 Identical Recommendations | International Standards Recommendation ITU-T Y.3500 (in force) | ISO/IEC 17788: (in force), Information technology Cloud comp

37、uting Overview and vocabulary. Recommendation ITU-T Y.3502 (in force) | ISO/IEC 17789: (in force), Information technology Cloud computing Reference architecture. 2.2 Additional References ISO/IEC 27000: (in force), Information technology Security techniques Information security management systems Ov

38、erview and vocabulary. ISO/IEC 27002:2013, Information technology Security techniques Code of practice for information security controls. 3 Definitions and abbreviations 3.1 Terms defined elsewhere For the purposes of this Recommendation | International Standard, the terms and definitions given in I

39、SO/IEC 27000, Rec. ITU-T Y.3500 | ISO/IEC 17788, Rec. ITU-T Y.3502 | ISO/IEC 17789 and the following definitions apply: 3.1.1 The following term is defined in ISO 19440: capability: Quality of being able to perform a given activity. 3.1.2 The following terms are defined in ISO/IEC 27040: data breach

40、: Compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored, or otherwise processed. secure multi-tenancy: Type of multi-tenancy that employs security controls to explicitly guard against

41、 data breaches and provides validation of these controls for proper governance. NOTE 1 Secure multi-tenancy exists when the risk profile of an individual tenant is no greater than it would be in a dedicated, single-tenant environment. NOTE 2 In very secure environments, even the identity of the tena

42、nts is kept secret. ISO/IEC 27017:2015 (E) 2 Rec. ITU-T X.1631 (07/2015) 3.1.3 The following term is defined in ISO/IEC 17203: virtual machine: The complete environment that supports the execution of guest software. NOTE A virtual machine is a full encapsulation of the virtual hardware, virtual disk

43、s, and the metadata associated with it. Virtual machines allow multiplexing of the underlying physical machine through a software layer called a hypervisor. 3.2 Abbreviations For the purposes of this Recommendation | International Standard, the following abbreviations apply: IaaS Infrastructure as a

44、 Service PaaS Platform as a Service PII Personally Identifiable Information SaaS Software as a Service SLA Service Level Agreement VM Virtual Machine 4 Cloud sector-specific concepts 4.1 Overview The use of cloud computing has changed how organizations should assess and mitigate information security

45、 risks because of the significant changes in how computing resources are technically designed, operated and governed. This Recommendation | International Standard provides additional cloud-specific implementation guidance based on ISO/IEC 27002 and provides additional controls to address cloud-speci

46、fic information security threats and risks considerations. Users of this Recommendation | International Standard should refer to clauses 5 to 18 in ISO/IEC 27002 for controls, implementation guidance and other information. Because of the general applicability of ISO/IEC 27002, many of the controls,

47、implementation guidance and other information apply to both the general and cloud computing contexts of an organization. For example, “6.1.2 Segregation of duties“ of ISO/IEC 27002 provides a control that can be applied whether the organization is acting as a cloud service provider or not. Additiona

48、lly, a cloud service customer can derive requirements for segregation of duties in the cloud environment from the same control, e.g., segregating the cloud service customers cloud service administrators and cloud service users. As an extension to ISO/IEC 27002, this Recommendation | International St

49、andard further provides cloud service specific controls, implementation guidance and other information (see clause 4.5) that are intended to mitigate the risks that accompany the technical and operational features of cloud services (see Annex B). The cloud service customers and the cloud service providers can refer to ISO/IEC 27002 and this Recommendation | International Standard to select controls with the implementation gui

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1