1、 Reference numberISO/IEC TR 27015:2012(E)ISO/IEC 2012TECHNICAL REPORT ISO/IECTR27015First edition2012-12-01Information technology Security techniques Information security management guidelines for financial services Technologies de linformation Techniques de scurit Lignes directrices pour le managem
2、ent de la scurit de linformation pour les services financiers ISO/IEC TR 27015:2012(E) COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2012 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including
3、 photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published i
4、n Switzerland ii ISO/IEC 2012 All rights reservedISO/IEC TR 27015:2012(E) ISO/IEC 2012 All rights reserved iiiContents Page Foreword vi Introduction . vii 1 Scope 1 2 Normative references 1 3 Terms, definitions and abbreviated terms 1 3.1 Terms and definitions . 1 3.2 Abbreviated terms . 1 4 Structu
5、re of this technical report . 1 5 Security Policy . 2 6 Organization of information security 2 6.1 Internal organization . 2 6.1.1 Management commitment to information security 2 6.1.2 Information security co-ordination 2 6.1.3 Allocation of information security responsibilities . 2 6.1.4 Authorizat
6、ion process for information processing facilities 2 6.1.5 Confidentiality agreements 2 6.1.6 Contact with authorities 3 6.1.7 Contact with special interest groups 3 6.1.8 Independent review of information security . 3 6.2 External parties 3 6.2.1 Identification of risks related to external parties .
7、 3 6.2.2 Addressing security when dealing with customers 3 6.2.3 Addressing security in third party agreements . 5 7 Asset management 6 7.1 Responsibility for assets 6 7.1.1 Inventory of assets 6 7.1.2 Ownership of assets . 6 7.1.3 Acceptable use of assets 6 7.2 Information classification . 7 8 Huma
8、n resources security . 7 8.1 Prior to employment 7 8.1.1 Roles and responsibilities 7 8.1.2 Screening . 7 8.1.3 erms and conditions of employment . 7 8.2 During employment . 8 8.2.1 Management responsibilities . 8 8.2.2 Information security awareness, education and training 8 8.3 Termination or chan
9、ge of employment . 8 9 Physical and environmental security 8 9.1 Secure areas 8 9.1.1 Physical security perimeter 8 9.1.2 Physical entry controls . 8 9.1.3 Securing offices, rooms, and facilities 8 9.1.4 Protecting against external and environmental threats 8 9.1.5 Working in secure areas . 8 9.1.6
10、Public access, delivery, and loading areas 9 9.2 Equipment security . 9 ISO/IEC TR 27015:2012(E) iv ISO/IEC 2012 All rights reserved9.2.1 Equipment siting and protection 9 9.2.2 Supporting utilities 9 9.2.3 Cabling security .9 9.2.4 Equipment maintenance .9 9.2.5 Security of equipment off-premises 9
11、 9.2.6 Secure disposal or re-use of equipment .9 10 Communications and operations management .10 10.1 Operational procedures and responsibilities .10 10.1.1 Documented operating procedures .10 10.1.2 Change management 10 10.1.3 1Segregation of duties 10 10.1.4 Separation of development, test, and op
12、erational facilities 10 10.2 Third party service delivery management .10 10.3 System planning and acceptance 10 10.3.1 Capacity management .10 10.3.2 System acceptance .11 10.4 Protection against malicious and mobile code 11 10.4.1 Controls against malicious code .11 10.4.2 Controls against mobile c
13、ode 11 10.5 Back-up .11 10.6 Network security management .11 10.7 Media handling .11 10.7.1 Management of removable media 11 10.7.2 Disposal of media 11 10.7.3 Information handling procedures 11 10.7.4 Security of system documentation 12 10.8 Exchange of information .12 10.9 Electronic commerce serv
14、ices .12 10.9.1 Electronic commerce 12 10.9.2 On-Line Transactions 12 10.9.3 Publicly available information 12 10.9.4 Internet banking services .12 10.10 Monitoring 13 10.10.1 Audit logging 13 10.10.2 Monitoring system use 13 10.10.3 Protection of log information .13 10.10.4 Administrator and operat
15、or logs 13 10.10.5 Fault logging 13 10.10.6 Clock synchronization 13 11 Access control .13 12 Information systems acquisition, development and maintenance .14 12.1 Security requirements of information systems 14 12.1.1 Security requirements analysis and specification .14 12.2 Correct processing in a
16、pplications 14 12.3 Cryptographic controls .15 12.3.1 Policy on the use of cryptographic controls 15 12.3.2 Key management .15 12.4 Security of system files .15 12.4.1 Control of operational software .15 12.4.2 Protection of system test data .15 12.4.3 Access control to program source code .15 12.5
17、Security in development and support processes 16 12.6 Technical Vulnerability Management.16 13 Information security incident management 16 14 Business continuity management .16 14.1 Information security aspects of business continuity management .16 14.1.1 Including information security in the busine
18、ss continuity management process .16 ISO/IEC TR 27015:2012(E) ISO/IEC 2012 All rights reserved v14.1.2 Business continuity and risk assessment 16 14.1.3 Developing and implementing continuity plans including information security 16 14.1.4 Business continuity planning framework . 16 14.1.5 Testing, m
19、aintaining and re-assessing business continuity plans . 17 15 Compliance 17 15.1 Compliance with legal requirements . 17 15.2 Compliance with security policies and standards, and technical compliance . 17 15.2.1 Compliance with security policies and standards . 17 15.2.2 Technical compliance checkin
20、g 17 15.2.3 Compliance monitoring 17 Bibliography 18 ISO/IEC TR 27015:2012(E) vi ISO/IEC 2012 All rights reservedForeword ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards
21、 is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take p
22、art in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of technical committees is to
23、 prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote. In exceptional circumstances, when a te
24、chnical committee has collected data of a different kind from that which is normally published as an International Standard (“state of the art”, for example), it may decide by a simple majority vote of its participating members to publish a Technical Report. A Technical Report is entirely informativ
25、e in nature and does not have to be reviewed until the data it provides are considered to be no longer valid or useful. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all s
26、uch patent rights. ISO/IEC TR 27015 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee 27, IT Security techniques. ISO/IEC TR 27015:2012(E) ISO/IEC 2012 All rights reserved viiIntroduction Continuous developments in information technology have led to an inc
27、reased reliance by organizations providing financial services on their assets processing information. Consequently, management, customers and regulators have heightened expectations regarding an effective information security protection of these assets and of processed information. Whereas ISO/IEC 2
28、7001:2005 and ISO/IEC 27002:2005 address information security management and controls, they do so in a generalised form. Organizations providing financial services have specific information security needs and constraints within their respective organization or while performing financial transactions
29、 with business partners, which require a high level of reliance between involved stakeholders. This technical report is a supplement to ISO/IEC 27000 family of International Standards for use by organizations providing financial services. In particular, the guidance contained in this technical repor
30、t complements and is in addition to information security controls defined in ISO/IEC 27002:2005. The term “financial services” should be understood as services in the management, investment, transfer, or lending of money which could be provided by organizations offering their fiscal expertise rather
31、 than selling physical products (i.e. anyone in the “business of money”). In addition to the implementation of both ISO/IEC 27001:2005 and ISO/IEC 27002:2005, by using this technical report, organizations providing financial services may establish a higher level of trust within their organization, w
32、ith customers and with business partners, in particular, when it can be demonstrated that they have adopted sector-specific guidance for information security management. This technical report reflects the state of art and is not intended for certification purposes. TECHNICAL REPORT ISO/IEC TR 27015:
33、2012(E) ISO/IEC 2012 All rights reserved 1Information technology Security techniques Information security management guidelines for financial services 1 Scope This Technical Report provides information security guidance complementing and in addition to information security controls defined in ISO/IE
34、C 27002:2005 for initiating, implementing, maintaining, and improving information security within organizations providing financial services. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited
35、 applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 27000:2009, Information technology Security techniques Information security management systems Overview and vocabulary 3 Terms, definitions and abbreviated terms 3.1 Terms and
36、definitions For the purposes of this document, the terms and definitions in ISO/IEC 27000:2009 and the following apply. 3.1.1 financial services services in the management, investment, transfer, or lending of money 3.2 Abbreviated terms ATM Automatic Teller Machines COBIT Control Objectives for Info
37、rmation Technology OTP One-Time Password PCI-DSS Payment Card Industry - Data Security Standard POS Point Of Sale SST Self Service Terminal 4 Structure of this technical report Information security guidance complementing and in addition to information security controls from ISO/IEC 27002:2005 is pro
38、vided in clauses 5 to 15 below. ISO/IEC TR 27015:2012(E) 2 ISO/IEC 2012 All rights reserved5 Security Policy No additional guidance for organizations providing financial services. 6 Organization of information security 6.1 Internal organization 6.1.1 Management commitment to information security No
39、additional guidance for organizations providing financial services. 6.1.2 Information security co-ordination No additional guidance for organizations providing financial services. 6.1.3 Allocation of information security responsibilities Control 6.1.3 from ISO/IEC 27002:2005 is augmented as follows:
40、 Implementation guidance An organization providing financial services should consider the following in the definition of information security roles and responsibilities requirements and recommendations stated by laws and regulations, which applied to it, along with industry frameworks. Care should a
41、lso be taken by an organization providing financial services to ensure local implementation of relevant requirements and recommendations stated by international partners in regards to its definition of information security roles and responsibilities. Examples of frameworks which are generally used b
42、y organizations providing financial services and which provide information about allocation of information security roles and responsibilities: a) PCI-DSS 1 with the following sub-clause: 1. PCI 12.5 Assigned information security management responsibilities. b) COBIT 2 with following sub-clauses: 2.
43、 4.0 Define the IT organization and relationships. 3. 4.4 Roles and Responsibilities. 4. 4.6 Responsibility for Logical and Physical Security. Assigned information security roles and responsibilities should be reviewed on a regular basis to ensure conformity with changes in requirements and recommen
44、dations stated by laws, regulations, industry frameworks and partners. 6.1.4 Authorization process for information processing facilities No additional guidance for organizations providing financial services. 6.1.5 Confidentiality agreements No additional guidance for organizations providing financia
45、l services. ISO/IEC TR 27015:2012(E) ISO/IEC 2012 All rights reserved 36.1.6 Contact with authorities No additional guidance for organizations providing financial services. 6.1.7 Contact with special interest groups Control 6.1.7 from ISO/IEC 27002:2005 is augmented as follows: Implementation guidan
46、ce In addition to the guidance provided in ISO/IEC 27002, membership in special interest groups or forums should be considered as a means to: a) confidentially share and exchange information about recent fraudulent and criminal activities. 6.1.8 Independent review of information security No addition
47、al guidance for organizations providing financial services. 6.2 External parties 6.2.1 Identification of risks related to external parties Control 6.2.1 from ISO/IEC 27002:2005 is augmented as follows: Implementation guidance In addition to the guidance provided in ISO/IEC 27002, the following issue
48、 should also be considered by an organization providing financial services when identifying risks related to external party access: a) Legal and regulatory requirements, along with contractual obligations which could be imposed to the external party located in foreign countries and which could resul
49、t in customer and financial information disclosure to third parties (e.g. mother organization, affiliate, or public authority) without prior notification to the organization. This issue could then induce significant security breaches with the unauthorized disclosure of this information. 6.2.2 Addressing security when dealing with customers Control 6.2.2 from ISO/IEC 27002:2005 is augmented as follows: Implementation guidance In addition to the guidance provided in ISO/IEC 27002, the following principles should be considere
