ITU-T X 1631-2015 Information technology - Security techniques - Code of practice for information security controls based on ISO IEC 27002 for cloud services (Study Group 17)《信息技术 .pdf

1、 I n t e r n a t i o n a l T e l e c o m m u n i c a t i o n U n i o n ITU-T X.1631 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (07/2015) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Cloud computing security Cloud computing security design Information technology Security tech

2、niques Code of practice for information security controls based on ISO/IEC 27002 for cloud services Recommendation ITU-T X.1631 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BET

3、WEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.

4、1000X.1029 Network security X.1030X.1049 Security management X.1050X.1069 Telebiometrics X.1080X.1099 SECURE APPLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-pee

5、r security X.1160X.1169 Networked ID security X.1170X.1179 IPTV security X.1180X.1199 CYBERSPACE SECURITY Cybersecurity X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security

6、 X.1310X.1339 PKI related Recommendations X.1340X.1349 CYBERSECURITY INFORMATION EXCHANGE Overview of cybersecurity X.1500X.1519 Vulnerability/state exchange X.1520X.1539 Event/incident/heuristics exchange X.1540X.1549 Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569

7、 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 CLOUD COMPUTING SECURITY Overview of cloud computing security X.1600X.1601 Cloud computing security design X.1602X.1639 Cloud computing security best practices and guidelines X.1640X.1659 Cloud computing security implementation

8、 X.1660X.1679 Other cloud computing security X.1680X.1699 For further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T X.1631 (07/2015) i INTERNATIONAL STANDARD ISO/IEC 27017 RECOMMENDATION ITU-T X.1631 Information technology Security techniques Code of practice for information

9、 security controls based on ISO/IEC 27002 for cloud services Summary Recommendation ITU-T X.1631 | ISO/IEC 27017 provides guidelines for information security controls applicable to the provision and use of cloud services by providing: additional implementation guidance for relevant controls specifie

10、d in ISO/IEC 27002; additional controls with implementation guidance that specifically relate to cloud services. This Recommendation | International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers. History Edition Recommendation App

11、roval Study Group Unique ID* 1.0 ITU-T X.1631 2015-07-14 17 11.1002/1000/12490 _ * To access the Recommendation, type the URL http:/handle.itu.int/ in the address field of your web browser, followed by the Recommendations unique ID. For example, http:/handle.itu.int/11.1002/1000/11830-en. ii Rec. IT

12、U-T X.1631 (07/2015) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is

13、 responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by

14、 the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a colla

15、borative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certa

16、in mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirem

17、ents. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTSITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. I

18、TU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual

19、 property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2015 All rights res

20、erved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T X.1631 (07/2015) iii CONTENTS Page 1 Scope 1 2 Normative references 1 2.1 Identical Recommendations | International Standards 1 2.2 Additional References . 1 3 Defin

21、itions and abbreviations . 1 3.1 Terms defined elsewhere . 1 3.2 Abbreviations 2 4 Cloud sector-specific concepts . 2 4.1 Overview . 2 4.2 Supplier relationships in cloud services 2 4.3 Relationships between cloud service customers and cloud service providers . 3 4.4 Managing information security ri

22、sks in cloud services . 3 4.5 Structure of this standard . 3 5 Information security policies 4 5.1 Management direction for information security 4 6 Organization of information security 5 6.1 Internal organization . 5 6.2 Mobile devices and teleworking 6 7 Human resource security 6 7.1 Prior to empl

23、oyment 6 7.2 During employment 6 7.3 Termination and change of employment . 7 8 Asset management 7 8.1 Responsibility for assets 7 8.2 Information classification 8 8.3 Media handling 8 9 Access control 8 9.1 Business requirements of access control . 8 9.2 User access management . 9 9.3 User responsi

24、bilities 10 9.4 System and application access control 10 10 Cryptography 11 10.1 Cryptographic controls 11 11 Physical and environmental security 12 11.1 Secure areas . 12 11.2 Equipment . 12 12 Operations security . 13 12.1 Operational procedures and responsibilities 13 12.2 Protection from malware

25、 . 14 12.3 Backup 14 12.4 Logging and monitoring 15 12.5 Control of operational software . 16 12.6 Technical vulnerability management 16 12.7 Information systems audit considerations . 17 13 Communications security . 17 13.1 Network security management 17 13.2 Information transfer. 17 14 System acqu

26、isition, development and maintenance . 18 14.1 Security requirements of information systems 18 14.2 Security in development and support processes 18 iv Rec. ITU-T X.1631 (07/2015) Page 14.3 Test data 19 15 Supplier relationships . 19 15.1 Information security in supplier relationships . 19 15.2 Supp

27、lier service delivery management 20 16 Information security incident management 20 16.1 Management of information security incidents and improvements. 20 17 Information security aspects of business continuity management 22 17.1 Information security continuity . 22 17.2 Redundancies 22 18 Compliance

28、. 22 18.1 Compliance with legal and contractual requirements 22 18.2 Information security reviews . 23 Annex A Cloud service extended control set 25 Annex B References on information security risk related to cloud computing 29 Bibliography 30 Rec. ITU-T X.1631 (07/2015) v Introduction The guidelines

29、 contained within this Recommendation | International Standard are in addition to and complement the guidelines given in ISO/IEC 27002. Specifically, this Recommendation | International Standard provides guidelines supporting the implementation of information security controls for cloud service cust

30、omers and cloud service providers. Some guidelines are for cloud service customers who implement the controls, and others are for cloud service providers to support the implementation of those controls. The selection of appropriate information security controls and the application of the implementat

31、ion guidance provided, will depend on a risk assessment and any legal, contractual, regulatory or other cloud-sector specific information security requirements. ISO/IEC 27017:2015 (E) Rec. ITU-T X.1631 (07/2015) 1 INTERNATIONAL STANDARD ITU-T RECOMMENDATION Information technology Security techniques

32、 Code of practice for information security controls based on ISO/IEC 27002 for cloud services 1 Scope This Recommendation | International Standard gives guidelines for information security controls applicable to the provision and use of cloud services by providing: additional implementation guidance

33、 for relevant controls specified in ISO/IEC 27002; additional controls with implementation guidance that specifically relate to cloud services. This Recommendation | International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers. 2 N

34、ormative references The following Recommendations and International Standards contain provisions which, through reference in this text, constitute provisions of this Recommendation | International Standard. At the time of publication, the editions indicated were valid. All Recommendations and Standa

35、rds are subject to revision, and parties to agreements based on this Recommendation | International Standard are encouraged to investigate the possibility of applying the most recent edition of the Recommendations and Standards listed below. Members of IEC and ISO maintain registers of currently val

36、id International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid ITU-T Recommendations. 2.1 Identical Recommendations | International Standards Recommendation ITU-T Y.3500 (in force) | ISO/IEC 17788: (in force), Information technology Cloud comp

37、uting Overview and vocabulary. Recommendation ITU-T Y.3502 (in force) | ISO/IEC 17789: (in force), Information technology Cloud computing Reference architecture. 2.2 Additional References ISO/IEC 27000: (in force), Information technology Security techniques Information security management systems Ov

38、erview and vocabulary. ISO/IEC 27002:2013, Information technology Security techniques Code of practice for information security controls. 3 Definitions and abbreviations 3.1 Terms defined elsewhere For the purposes of this Recommendation | International Standard, the terms and definitions given in I

39、SO/IEC 27000, Rec. ITU-T Y.3500 | ISO/IEC 17788, Rec. ITU-T Y.3502 | ISO/IEC 17789 and the following definitions apply: 3.1.1 The following term is defined in ISO 19440: capability: Quality of being able to perform a given activity. 3.1.2 The following terms are defined in ISO/IEC 27040: data breach

40、: Compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored, or otherwise processed. secure multi-tenancy: Type of multi-tenancy that employs security controls to explicitly guard against

41、 data breaches and provides validation of these controls for proper governance. NOTE 1 Secure multi-tenancy exists when the risk profile of an individual tenant is no greater than it would be in a dedicated, single-tenant environment. NOTE 2 In very secure environments, even the identity of the tena

42、nts is kept secret. ISO/IEC 27017:2015 (E) 2 Rec. ITU-T X.1631 (07/2015) 3.1.3 The following term is defined in ISO/IEC 17203: virtual machine: The complete environment that supports the execution of guest software. NOTE A virtual machine is a full encapsulation of the virtual hardware, virtual disk

43、s, and the metadata associated with it. Virtual machines allow multiplexing of the underlying physical machine through a software layer called a hypervisor. 3.2 Abbreviations For the purposes of this Recommendation | International Standard, the following abbreviations apply: IaaS Infrastructure as a

44、 Service PaaS Platform as a Service PII Personally Identifiable Information SaaS Software as a Service SLA Service Level Agreement VM Virtual Machine 4 Cloud sector-specific concepts 4.1 Overview The use of cloud computing has changed how organizations should assess and mitigate information security

45、 risks because of the significant changes in how computing resources are technically designed, operated and governed. This Recommendation | International Standard provides additional cloud-specific implementation guidance based on ISO/IEC 27002 and provides additional controls to address cloud-speci

46、fic information security threats and risks considerations. Users of this Recommendation | International Standard should refer to clauses 5 to 18 in ISO/IEC 27002 for controls, implementation guidance and other information. Because of the general applicability of ISO/IEC 27002, many of the controls,

47、implementation guidance and other information apply to both the general and cloud computing contexts of an organization. For example, “6.1.2 Segregation of duties“ of ISO/IEC 27002 provides a control that can be applied whether the organization is acting as a cloud service provider or not. Additiona

48、lly, a cloud service customer can derive requirements for segregation of duties in the cloud environment from the same control, e.g., segregating the cloud service customers cloud service administrators and cloud service users. As an extension to ISO/IEC 27002, this Recommendation | International St

49、andard further provides cloud service specific controls, implementation guidance and other information (see clause 4.5) that are intended to mitigate the risks that accompany the technical and operational features of cloud services (see Annex B). The cloud service customers and the cloud service providers can refer to ISO/IEC 27002 and this Recommendation | International Standard to select controls with the implementation gui