BS ISO IEC 29151-2017 Information technology Security techniques Code of practice for personally identifiable information protection《信息技术 安全技术 个人识别信息保护业务守则》.pdf

1、Information technology Security techniques Code of practice for personally identifiable information protection BS ISO/IEC 29151:2017 BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06Information t echnology Security t echniques Code of pr actice for personally identif

2、iable information pr ot ection Technologies de linformation Techniques de scurit Code de bonne pratique pour la protection des donnes caractre personnel IN T E R NA T I O NA L S TA N DA R D ISO/IE C 29151 R ef erence number ISO/IEC 29151:2017(E) First edition 2017-0 8 ISO/IEC 2017 National foreword

3、This British Standard is the UK implementation of ISO/IEC 29151:2017. The UK participation in its preparation was entrusted to Technical Committee IST/33/5, Identity Management and Privacy Technologies. A list of organizations represented on this committee can be obtained on request to its secretary

4、. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2017 Published by BSI Standards Limited 2017 ISBN 978 0 580 83692 3 ICS 35.030Compliance with a British Standard cannot conf

5、er immunity from legal obligations. This British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 September 2017. Amendments/corrigenda issued since publication Date Text affected BRITISH STANDARD BS ISO/IEC 29151:2017Information t echnology Security t

6、echniques Code of pr actice for personally identifiable information pr ot ection Technologies de linformation Techniques de scurit Code de bonne pratique pour la protection des donnes caractre personnel IN T E R NA T I O NA L S TA N DA R D ISO/IE C 29151 R ef erence number ISO/IEC 29151:2017(E) Firs

7、t edition 2017-0 8 ISO/IEC 2017 BS ISO/IEC 29151:2017 ii ISO/IEC 2017 All rights r eserv ed COPYRIGHT PR OT ECTED DOCUMENT ISO/IEC 2017, Published in S witzer land All rights r eserved. Unless otherwise specified, no part of this publication may be r eproduced or utilized otherwise in any form or by

8、 any means, electronic or mechanical, including phot ocopying, or posting on the internet or an intr anet, without prior written permission. Permission can be r equested from either ISO at the address below or ISOs member body in the country of the r equest er . ISO cop yright office Ch. de Blandonn

9、et 8 CP 401 CH-1214 V ernier, Gene va, S witzer land Tel. +41 22 749 01 11 Fax +41 22 749 09 47 cop yrig htiso.or g www .iso.or g ISO/IEC 29151:2017(E) BS ISO/IEC 29151:2017 ii ISO/IEC 2017 All rights r eserv ed COPYRIGHT PR OT ECTED DOCUMENT ISO/IEC 2017, Published in S witzer land All rights r ese

10、rved. Unless otherwise specified, no part of this publication may be r eproduced or utilized otherwise in any form or by any means, electronic or mechanical, including phot ocopying, or posting on the internet or an intr anet, without prior written permission. Permission can be r equested from eithe

11、r ISO at the address below or ISOs member body in the country of the r equest er . ISO cop yright office Ch. de Blandonnet 8 CP 401 CH-1214 V ernier, Gene va, S witzer land Tel. +41 22 749 01 11 Fax +41 22 749 09 47 cop yrig htiso.or g www .iso.or g ISO/IEC 29151:2017(E) BS ISO/IEC 29151:2017Rec. IT

12、U-T X.1058 (03/2017) iii CONTENTS Page 1 Scope 1 2 Normative references 1 3 Definitions and abbreviated terms 1 3.1 Definitions. 1 3.2 Abbreviated terms . 1 4 Overview 2 4.1 Objective for the protection of PII 2 4.2 Requirement for the protection of PII . 2 4.3 Controls. 2 4.4 Selecting controls 2 4

13、.5 Developing organization specific guidelines. 3 4.6 Life cycle considerations. 3 4.7 Structure of this Specification . 3 5 Information security policies 4 5.1 Management directions for information security 4 6 Organization of information security 4 6.1 Internal organization . 4 6.2 Mobile devices

14、and teleworking 5 7 Human resource security 6 7.1 Prior to employment 6 7.2 During employment 6 7.3 Termination and change of employment. 6 8 Asset management 7 8.1 Responsibility for assets 7 8.2 Information classification 7 8.3 Media handling 8 9 Access control 9 9.1 Business requirement of access

15、 control. 9 9.2 User access management. 9 9.3 User responsibilities 10 9.4 System and application access control 10 10 Cryptography 11 10.1 Cryptographic controls 11 11 Physical and environmental security 11 11.1 Secure areas. 11 11.2 Equipment . 12 12 Operations security. 12 12.1 Operational proced

16、ures and responsibilities 12 12.2 Protection from malware . 13 12.3 Backup 13 12.4 Logging and monitoring 13 12.5 Control of operational software. 14 12.6 Technical vulnerability management 14 12.7 Information systems audit considerations . 14 13 Communications security . 15 13.1 Network security ma

17、nagement 15 13.2 Information transfer. 15 14 System acquisition, development and maintenance . 15 14.1 Security requirements of information systems 15 14.2 Security in development and support processes 16 ISO/IEC 29151:2017(E) BS ISO/IEC 29151:2017Rec. ITU-T X.1058 (03/2017) iii CONTENTS Page 1 Scop

18、e 1 2 Normative references 1 3 Definitions and abbreviated terms 1 3.1 Definitions. 1 3.2 Abbreviated terms . 1 4 Overview 2 4.1 Objective for the protection of PII 2 4.2 Requirement for the protection of PII . 2 4.3 Controls. 2 4.4 Selecting controls 2 4.5 Developing organization specific guideline

19、s. 3 4.6 Life cycle considerations. 3 4.7 Structure of this Specification . 3 5 Information security policies 4 5.1 Management directions for information security 4 6 Organization of information security 4 6.1 Internal organization . 4 6.2 Mobile devices and teleworking 5 7 Human resource security 6

20、 7.1 Prior to employment 6 7.2 During employment 6 7.3 Termination and change of employment. 6 8 Asset management 7 8.1 Responsibility for assets 7 8.2 Information classification 7 8.3 Media handling 8 9 Access control 9 9.1 Business requirement of access control. 9 9.2 User access management. 9 9.3

21、 User responsibilities 10 9.4 System and application access control 10 10 Cryptography 11 10.1 Cryptographic controls 11 11 Physical and environmental security 11 11.1 Secure areas. 11 11.2 Equipment . 12 12 Operations security. 12 12.1 Operational procedures and responsibilities 12 12.2 Protection

22、from malware. 13 12.3 Backup 13 12.4 Logging and monitoring 13 12.5 Control of operational software. 14 12.6 Technical vulnerability management 14 12.7 Information systems audit considerations . 14 13 Communications security . 15 13.1 Network security management 15 13.2 Information transfer. 15 14 S

23、ystem acquisition, development and maintenance . 15 14.1 Security requirements of information systems 15 14.2 Security in development and support processes 16 ISO/IEC 29151:2017(E) iv Rec. ITU-T X.1058 (03/2017) Page 14.3 Test data 16 15 Supplier relationships . 17 15.1 Information security in suppl

24、ier relationships . 17 15.2 Supplier service delivery management 18 16 Information security incident management 18 16.1 Management of information security incidents and improvements. 18 17 Information security aspects of business continuity management 19 17.1 Information security continuity . 19 17.

25、2 Redundancies 19 18 Compliance. 20 18.1 Compliance with legal and contractual requirements 20 18.2 Information security reviews. 21 Annex A Extended control set for PII protection (This annex forms an integral part of this Recommendation | International Standard.) 22 A.1 General 22 A.2 General poli

26、cies for the use and protection of PII . 22 A.3 Consent and choice . 22 A.4 Purpose legitimacy and specification 24 A.5 Collection limitation 26 A.6 Data minimization. 26 A.7 Use, retention and disclosure limitation 27 A.8 Accuracy and quality. 30 A.9 Openness, transparency and notice . 31 A.10 PII

27、principal participation and access 32 A.11 Accountability. 34 A.12 Information security 37 A.13 Privacy compliance . 37 Bibliography 39 ISO/IEC 29151:2017(E) BS ISO/IEC 29151:2017F or e w ord IS O ( t he I n t er n at i onal O r g an i zat i on for S ta n da rd i z a ti o n ) a nd IE C ( the I n t e

28、r n at i onal El e c t ro t ec h n ical C o m mi ssi o n) f o rm th e s p ec i ali zed sy st e m fo r w o rl dw i de s ta n da rdi z a ti o n . N at i on al b o di es th a t a re me mb e r s of IS O or I EC p a rti c i p a te in the d ev elop m en t of I n t er n at i on al S ta n da rds t hr o ug h

29、 t ec h n ic al co mm it t e es e s t ab li s h ed by th e r e sp e ct iv e or g an i zat i on to d eal wi t h p ar t i c u lar fi elds of t e ch n ica l a ct iv it y . IS O a nd I EC t e ch n ical co mm it t e e s c ol lab or ate in fi eld s of m u tual i n te re s t. O th e r i n te rn a ti o n a

30、l or g an i zat i on s, go ve r n m e ntal a nd no n - g ov er n m en tal, in li ai s on w i th IS O a nd I EC, a lso ta ke pa rt in th e wo rk. In th e fi eld of i n fo r m at i o n t e c hn olog y, I SO an d I EC h ave es t ab l i s h ed a jo i nt t e c h nical co m mit t e e , I S O/I E C JTC 1.

31、The pro c e d u re s u s ed to d ev elop t h is d o cu me n t a nd th o se i nt e nd e d for i ts f u rth e r m a i nt e na nce a re de s c ri b e d in the I S O/I E C D ir e ct iv e s, Pa r t 1. In p ar t i c u lar the d i ffer en t a ppro val c ri t e ria n eed ed f or t he d i ffe r en t t yp e s

32、 of d o cu me nt s ho uld be n o te d. This d oc um e n t was dra f te d in a c co r d a nce wi t h th e e di to r i al ru l es of th e IS O / IEC D ir e ct iv e s, Pa r t 2 (s e e w w w . i s o . o rg /d i re c ti v e s ). A tte n ti o n is dra w n to th e p o s sib i l it y th a t so me of th e el

33、e m en ts of this d oc um e n t m ay be th e sub j e ct of pa te nt ri g h ts . ISO a nd IE C s h a ll no t be h eld r e s p o ns i bl e for i d e nt i f yi ng any or all such pa te n t r i gh t s. Det ai l s of a ny p at en t ri g h ts id e n t if ie d d u rin g the d ev elop m en t of the d oc u m

34、 en t will be in t he I n tro du c ti o n a n d /o r on t he ISO l is t of p at en t de c l a ra ti o n s r ec ei v e d (s e e www. i s o . o rg / pa t e n t s ) . Any tra de na me u se d in th is doc um e nt i s i n for m at i on gi ven for the c onve ni e nc e o f us e rs and d o es no t c o n st

35、it ute an e n do rs e m e n t. Fo r an ex p lan at i on on th e v olu n t ar y na t u re of s ta n da rds , the m ean i n g of IS O sp e cif ic te rms a nd ex p r es s i on s r elat ed to c o n f o rm i ty a s se ssm e nt, as well as i n for m at i on ab ou t IS O s ad h er en ce to th e W o rl d T

36、ra de O r g an i zat i o n (WTO ) p r in cip l es in th e Te ch n i ca l B ar r i ers to T ra de ( TB T) s ee th e f ollow i n g U R L: w w w .i s o.or g / i s o/ fo r ew or d . ht m l . T he co mm it t e e r es p on s i b le for th is d oc um e n t is IS O / IEC JTC 1, Information technology, SC 27

37、, IT Security techniques , in c ollab or at i on wi t h IT U - T. The i de n ti cal te x t is p u b l i s h ed as IT U - T R e co mm e nd a t io n X. 10 58. ISO/IEC 29151:2017(E) ISO 20 17 A ll r i g hts r e s e r v e d v BS ISO/IEC 29151:2017F or e w ord IS O ( t he I n t er n at i onal O r g an i

38、zat i on for S ta n da rd i z a ti o n ) a nd IE C ( the I n t er n at i onal El e c t ro t ec h n ical C o m mi ssi o n) f o rm th e s p ec i ali zed sy st e m fo r w o rl dw i de s ta n da rdi z a ti o n . N at i on al b o di es th a t a re me mb e r s of IS O or I EC p a rti c i pa te in the d ev

39、 elop m en t of I n t er n at i on al S ta n da rds t hr oug h t ec h n ic al co mm it t e es e s t ab li s h ed by th e r e sp e ct iv e or g an i zat i on to d eal wi t h p ar t i c u lar fi elds of t e ch n ica l a ct iv it y . IS O a nd I EC t e ch n ical co mm it t e e s c ol lab or ate in fi e

40、ld s of m u tual i n te re s t. O th e r i n te rn a ti o n a l or g an i zat i on s, go ve r n m e ntal a nd no n - g ov er n m en tal, in li ai s on w i th IS O a nd I EC, a lso ta ke pa rt in th e wo rk. In th e fi eld of i n fo r m at i o n t e c hn olog y, I SO an d I EC h ave es t ab l i s h e

41、d a jo i nt t e c h nical co m mit t e e , I S O/I E C JTC 1. The pro c e d u re s u s ed to d ev elop t h is d o cu me n t a nd th o se i nt e nd e d for i ts f u r th e r m a i nt e na nce a re de s c ri b e d in the I S O/I E C D ir e ct iv e s, Pa r t 1. In p ar t i c u lar the d i ffer en t a p

42、pro val c ri t e ria n eed ed f or t he d i ffe r en t t yp e s of d o cu me nt s ho uld be n o te d. This d oc um e n t was dra f te d in a c co r d a nce wi t h th e e di to r i al ru l es of th e IS O / IEC D ir e ct iv e s, Pa r t 2 (s e e w w w . i s o . o rg /d i re c ti v e s ). A tte n ti o

43、n is dra w n to th e p o s sib i l it y th a t so me of th e ele m en ts of this d oc um e n t m ay be th e sub j e ct of pa te nt ri g h ts . ISO a nd IE C s h a ll no t be h eld r e s p o ns i bl e for i d e nt i f yi ng any or all such pa te n t r i gh t s. Det ai l s of a ny p at en t ri g h ts

44、id e n t if ie d d u rin g the d ev elop m en t of the d oc u m en t will be in t he I n tro du c ti o n a n d /o r on t he ISO l is t of p at en t de c l a ra ti o n s r ec ei v e d (s e e www. i s o . o rg / pa t e n t s ) . Any tra de na me u se d in th is doc um e nt i s i n for m at i on gi ven

45、 for the c onve ni e nc e o f us e rs and d o es no t c o n st it ute an e n do rs e m e n t. Fo r an ex p lan at i on on th e v olu n t ar y na t u re of s ta n da r ds , the m ean i n g of IS O sp e cif ic te rms a nd ex p r es s i on s r elat ed to c o n f o rm i ty a s se ssm e nt, as well as i

46、n for m at i on ab ou t IS O s ad h er en ce to th e W o rl d T ra de O r g an i zat i o n (WT O ) p r in cip l es in th e Te ch n i ca l B ar r i ers to T ra de ( TB T) s ee th e f ollow i n g U R L: w w w .i s o.or g / i s o/ fo r ew or d . ht m l . T he co mm it t e e r es p on s i b le for th is

47、 d oc um e n t is IS O / IEC JTC 1, Information technology, SC 27, IT Security techniques , in c ollab or at i on wi t h IT U - T. The i de n ti cal te x t is p u b l i s h ed as IT U - T R e co mm e nd a t io n X. 10 58. ISO/IEC 29151:2017(E) ISO 20 17 A ll r i g hts r e s e r v e d v Rec. ITU-T X.

48、1058 (03/2017) vi Introduction The number of organizations processing personally identifiable information (PII) is increasing, as is the amount of PII that these organizations deal with. At the same time, societal expectations for the protection of PII and the security of data relating to individual

49、s are also increasing. A number of countries are augmenting their laws to address the increased number of high profile data breaches. As the number of PII breaches increases, organizations collecting or processing PII will increasingly need guidance on how they should protect PII in order to reduce the risk of privacy breaches occurring, and to reduce the impact of breaches on the organization and on the individuals concerned. This Specification provides such guidance. This Specification offers guidance for PII controllers