1、BSI Standards Publication BS ISO/IEC 30111:2013 Information technology Security techniques Vulnerability handling processesBS ISO/IEC 30111:2013 BRITISH STANDARD National foreword This British Standard is the UK implementation of ISO/IEC 30111:2013. The UK participation in its preparation was entrus
2、ted to Technical Committee IST/33, IT - Security techniques. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.
3、The British Standards Institution 2013. Published by BSI Standards Limited 2013 ISBN 978 0 580 75882 9 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard was published under the authority of the Standards Policy and Strategy Committee o
4、n 31 October 2013. Amendments issued since publication Date Text affectedBS ISO/IEC 30111:2013 Information technology Security techniques Vulnerability handling processes Technologies de linformation Techniques de scurit Processus de traitement de la vulnrabilit ISO/IEC 2013 INTERNATIONAL STANDARD I
5、SO/IEC 30111 First edition 2013-11-01 Reference number ISO/IEC 30111:2013(E)BS ISO/IEC 30111:2013ISO/IEC 30111:2013(E)ii ISO/IEC 2013 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2013 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utiliz
6、ed otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright
7、 office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in SwitzerlandBS ISO/IEC 30111:2013ISO/IEC 30111:2013(E) ISO/IEC 2013 All rights reserved iii Contents Page Foreword iv Introduction v 1 Scope . 1 2 Normative refe
8、rences 1 3 T erms and definitions . 1 4 Abbreviated terms 2 5 Interface between ISO/IEC 29147 - Vulnerability disclosure and ISO/IEC 30111 - Vulnerability handling processes . 2 6 Policy and Organizational Framework for Vulnerability Handling Processes .3 6.1 General . 3 6.2 Vulnerability Handling P
9、olicy Development . 4 6.3 Development of an Organizational Framework to Support the Vulnerability Handling Process . 4 6.4 Vendor CSIRT or PSIRT 5 6.5 Responsibilities of the Product Business Division . 6 6.6 Responsibilities of the Customer Support Division and Public Relation Division 6 6.7 Legal
10、Consultation . 6 7 Vulnerability handling process . 7 7.1 Introduction to vulnerability handling phases 7 7.2 Vulnerability handling phases . 8 7.3 Monitoring of Vulnerability handling phases 10 7.4 Confidentiality of Vulnerability Information10 8 Supply chain vulnerability handling process 11 Bibli
11、ography .12BS ISO/IEC 30111:2013ISO/IEC 30111:2013(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the
12、 development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-gov
13、ernmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task
14、 of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a v
15、ote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 30111 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information techn
16、ology, Subcommittee SC 27, Security techniques.iv ISO/IEC 2013 All rights reservedBS ISO/IEC 30111:2013ISO/IEC 30111:2013(E) Introduction This International Standard describes processes for vendors to handle reports of potential vulnerabilities in products and online services. The audience for this
17、standard includes consumers, developers, vendors, and evaluators of secure IT products. The following audiences may use this standard: developers and vendors, when responding to reported actual or potential vulnerabilities; evaluators, when assessing the security assurance afforded by vendors and de
18、velopers vulnerability handling processes and the associated products and services; consumers, when selecting product and online service vendors to express best practice assurance requirements to developers, vendors and integrators. This International Standard is related to ISO/IEC 29147. 5It interf
19、aces with elements described in ISO/IEC 29147 at the point of receiving potential vulnerability reports, and at the point of distributing vulnerability resolution information. This International Standard takes into consideration the relevant elements of ISO/IEC 15408-3, 113.5 Flaw remediation (ALC_F
20、LR). ISO/IEC 2013 All rights reserved vBS ISO/IEC 30111:2013BS ISO/IEC 30111:2013Information technology Security techniques Vulnerability handling processes 1 Scope This International Standard gives guidelines for how to process and resolve potential vulnerability information in a product or online
21、service. This International Standard is applicable to vendors involved in handling vulnerabilities. 2 Normative references The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited
22、 applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 27000, Information technology Security techniques Information security management systems Overview and vocabulary 3 T erms a nd definiti ons For the purposes of this document,
23、the terms and definitions given in ISO/IEC 27000 and the following apply. 3.1 coordinator opt ion a l pa r t ic ip a nt t h at c a n a s s i s t vendor s a nd f i nder s i n h a nd l i ng a nd d i sc los i ng v u l ner abi l it y i n for m at ion Note 1 to entry: Acts as trusted liaison between invo
24、lved parties, enabling communication between involved parties (vendors and finders). 3.2 online service service which is implemented by hardware, software or a combination of them, and provided over a communication line or network EXAMPLE Search engines, online backup services, Internet-hosted email
25、, and software as a service are considered to be online services. 3.3 product system or service implemented or refined for sale or to be offered for free Note 1 to entry: In information technology, a distinction is often made between hardware and software products, although the boundary is not alway
26、s clear. EXAMPLE A router can be seen as a hardware product even though a vital component of it is software and/or firmware. 3.4 remediation patch, fix, upgrade, configuration or documentation change to address a vulnerability Note 1 to entry: A change intended to resolve or mitigate a vulnerability
27、. A remediation typically takes the form of a configuration change, binary file replacement, hardware change, or source code patch, etc. Remediations are usually provided by vendors. Vendors use different terms including update, patch, fix, hotfix, and upgrade. INTERNATIONAL ST ANDARD ISO/IEC 30111:
28、2013(E) ISO/IEC 2013 All rights reserved 1BS ISO/IEC 30111:2013ISO/IEC 30111:2013(E) 3.5 service means of delivering value to users by facilitating results users want to achieve without the ownership of specific resources and risks 3.6 system combination of interacting elements organized to achieve
29、one or more stated purposes SOURCE: ISO/IEC 15288:2008, 4.31 3.7 vendor person or organization that developed the product, or service, or is responsible for maintaining it 3.8 vulnerability weakness of software, hardware, or online service that can be exploited SOURCE: ISO/IEC 27000:2009, 2.46, modi
30、fied Note 1 to entry: Examples of weaknesses in a system are software and hardware design flaws, poor administrative processes, lack of awareness and education, and advancements in the state of the art or improvements to current practices. Regardless of cause, an exploitation of such vulnerabilities
31、 may result in real threats to mission-critical information systems. 4 Abbreviated terms CSIRT Computer Security Incident Response Team PSIRT Product Security Incident Response Team 5 Interface between ISO/IEC 29147 - Vulnerability disclosure and ISO/IEC 30111 - Vulnerability handling processes ISO/
32、IEC 29147 5- Vulnerability disclosure and ISO/IEC 30111 - Vulnerability handling processes are related standards, as Figure 1 shows. ISO/IEC 29147 provides a guideline for vendors to include in their normal business processes on receiving information about potential vulnerabilities from people or or
33、ganizations externally and distributing vulnerability resolution information to affected users. ISO/IEC 30111 gives guidelines for how to process and resolve potential vulnerability information reported by individuals or organizations that find a potential vulnerability in a product or online servic
34、e. While ISO/IEC 29147 deals with the interface between vendors and those who find and report potential vulnerabilities, ISO/IEC 30111 deals with the investigation, triage, and resolution of vulnerabilities, regardless if the source of the potential vulnerability was external to the vendor, or from
35、within the vendors own organization, typically security, development, or testing teams.2 ISO/IEC 2013 All rights reservedBS ISO/IEC 30111:2013ISO/IEC 30111:2013(E) Figure 1 A model of the Interface between ISO/IEC 29147 and ISO/IEC 30111 6 Policy and Organizational Framework for Vulnerability Handli
36、ng Processes 6.1 General Vendors should create a vulnerability handling process in accordance with this International Standard in order to prepare for investigating and resolving potential vulnerabilities. The creation of a vulnerability handling process is a task that is performed by a vendor, and
37、should be periodically assessed to facilitate process improvement opportunities and ensure that the process performs as expected. Vendors should document their vulnerability handling procedure in order to ensure that it is repeatable. The documentation should describe the procedures and methods used
38、 to track all reported vulnerabilities. ISO/IEC 2013 All rights reserved 3BS ISO/IEC 30111:2013ISO/IEC 30111:2013(E) See ISO/IEC 27034 3for information on how identification of the root cause of a vulnerability, which is a step in the process of vulnerability handling, can help improve secure softwa
39、re development lifecycles and result in an outcome of more secure product development. The following clause describes the elements that vendors should consider included in their vulnerability handling processes. 6.2 Vulnerability Handling Policy Development A vendor should develop and maintain a vul
40、nerability handling policy to define and clarify its intentions when investigating and remediating vulnerabilities for the development of a vulnerability handling process. The policy should consist of two parts: an internal-only portion and a public portion. The internal-only part of the policy is i
41、ntended for the vendors staff and defines who is responsible in each stage of the vulnerability handling process and how they should handle information on potential vulnerabilities. It should include the following items: a) basic guidance, principles, and responsibilities for handling potential vuln
42、erabilities in products or online services; b) a list of departments and roles responsible for handling potential vulnerabilities; c) safeguards to prevent premature disclosure of information about potential vulnerabilities before they are fixed. The audience for the public part of the vulnerability
43、 handling policy is internal and external stakeholders, including finders who wish to report potential vulnerabilities, and users of the vendors products or online services. It informs the audience of how the vendor is willing to interact with them when a potential vulnerability is found in the vend
44、ors product or online services. Guidance, details and examples of public vulnerability handling policies are described in the sections describing vulnerability disclosure processes in ISO/IEC 29147. 5 6.3 Development of an Organizational Framework to Support the Vulnerability Han- dling Process 6.3.
45、1 General Handling vulnerabilities has several additional aspects than just engineering and technology (for example, customer service and public relations). An organizational framework should be designed, recognized, and supported by the stakeholder divisions of the vendor responsible for each area.
46、 An organization should have a role or capability that is responsible for and has authority to make decisions on vulnerability handling, preferably at a management level. This role or capability must understand the responsibility toward the vendors users, the internal processes, and the organization
47、al framework for vulnerability handling. An organization should have a role or capability that is a point of contact for handling potential vulnerabilities. This point of contact should be identified for each division or department within a vendor that provides products or online services to custome
48、rs. An organization should establish a point of contact for external parties to reach and communicate with about vulnerabilities. The point of contact may be part of a vendor computer security incident response team (vendor CSIRT) or a product security incident response team (PSIRT). Its details are
49、 discussed in 6.4. Since customers and members of the media may contact the vendor with questions or requests for additional information after a vulnerability is disclosed, divisions responsible for customer and public relations should be prepared so that they can respond.4 ISO/IEC 2013 All rights reservedBS ISO/IEC 30111:2013ISO/IEC 30111:2013(E) 6.4 Vendor CSIRT or PSIRT 6.4.1 General A vendor CSIRT or PSIRT is responsible for coordinating vulnerability reports from external finders of vulnerabilit
