CAN CSA-ISO IEC 13335-1-2005 Information technology - Security techniques - Management of information and communications technology security - Part 1 Concepts and models for inform.pdf

Uploaded by: bonesoil321  Document ID: 590322  Upload date: 2018-12-15  Format: PDF  Pages: 40  Size: 488.44KB

Reference number ISO/IEC 13335-1:2004(E)
© ISO/IEC 2004

Technologies de l'information - Techniques de sécurité - Gestion de la sécurité des technologies de l'information et des communications - Partie 1: Concepts et modèles pour la gestion de la sécurité des technologies de l'information et des communications

Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management

National Standard of Canada
CAN/CSA-ISO/IEC 13335-1:05
(ISO/IEC 13335-1:2004)

International Standard ISO/IEC 13335-1:2004 (first edition, 2004-11-15) has been adopted without modification (IDT) as CSA Standard CAN/CSA-ISO/IEC 13335-1:05, which has been approved as a National Standard of Canada by the Standards Council of Canada.

ISBN 1-55397-922-2
October 2005

The Canadian Standards Association (CSA), under whose auspices this National Standard has been produced, was chartered in 1919 and accredited by the Standards Council of Canada to the National Standards system in 1973. It is a not-for-profit, nonstatutory, voluntary membership association engaged in standards development and certification activities. CSA standards reflect a national consensus of producers and users including manufacturers, consumers, retailers, unions and professional organizations, and governmental agencies. The standards are used widely by industry and commerce and often adopted by municipal, provincial, and federal governments in their regulations, particularly in the fields of health, safety, building and construction, and the environment. Individuals, companies, and associations across Canada indicate their support for CSA's standards development by volunteering their time and skills to CSA Committee work and supporting the Association's objectives through sustaining memberships. The more than 7000 committee volunteers and the 2000 sustaining memberships together form CSA's total membership from which its Directors are chosen. Sustaining memberships represent a major source of income for CSA's standards development activities. The Association offers certification and testing services in support of and as an extension to its standards development activities. To ensure the integrity of its certification process, the Association regularly and continually audits and inspects products that bear the CSA Mark. In addition to its head office and laboratory complex in Toronto, CSA has regional branch offices in major centres across Canada and inspection and testing agencies in eight countries. Since 1919, the Association has developed the necessary expertise to meet its corporate mission: CSA is an independent service organization whose mission is to provide an open and effective forum for activities facilitating the exchange of goods and services through the use of standards, certification and related services to meet national and international needs.

For further information on CSA services, write to
Canadian Standards Association
5060 Spectrum Way, Suite 100
Mississauga, Ontario, L4W 5N6
Canada

The Standards Council of Canada is the coordinating body of the National Standards system, a federation of independent, autonomous organizations working towards the further development and improvement of voluntary standardization in the national interest. The principal objects of the Council are to foster and promote voluntary standardization as a means of advancing the national economy, benefiting the health, safety, and welfare of the public, assisting and protecting the consumer, facilitating domestic and international trade, and furthering international cooperation in the field of standards. A National Standard of Canada is a standard which has been approved by the Standards Council of Canada and one which reflects a reasonable agreement among the views of a number of capable individuals whose collective interests provide to the greatest practicable extent a balance of representation of producers, users, consumers, and others with relevant interests, as may be appropriate to the subject in hand. It normally is a standard which is capable of making a significant and timely contribution to the national interest. Approval of a standard as a National Standard of Canada indicates that a standard conforms to the criteria and procedures established by the Standards Council of Canada. Approval does not refer to the technical content of the standard; this remains the continuing responsibility of the accredited standards development organization. Those who have a need to apply standards are encouraged to use National Standards of Canada whenever practicable. These standards are subject to periodic review; therefore, users are cautioned to obtain the latest edition from the organization preparing the standard.

The responsibility for approving National Standards of Canada rests with the
Standards Council of Canada
270 Albert Street, Suite 200
Ottawa, Ontario, K1P 6N7
Canada

Although the intended primary application of this Standard is stated in its Scope, it is important to note that it remains the responsibility of the users to judge its suitability for their particular purpose.

® Registered trade-mark of Canadian Standards Association

This standard is currently available in English only. CSA will publish the French version as soon as it is produced by the drafting organization.

CAN/CSA-ISO/IEC 13335-1:05
Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management

October 2005 © Canadian Standards Association CSA/1

CSA Preface

Standards development within the Information Technology sector is harmonized with international standards development. Through the CSA Technical Committee on Information Technology (TCIT), Canadians serve as the Canadian Advisory Committee (CAC) on ISO/IEC Joint Technical Committee 1 on Information Technology (ISO/IEC JTC1) for the Standards Council of Canada (SCC), the ISO member body for Canada and sponsor of the Canadian National Committee of the IEC. Also, as a member of the International Telecommunication Union (ITU), Canada participates in the International Telegraph and Telephone Consultative Committee (ITU-T).

This Standard replaces CAN/CSA-ISO/IEC TR 13335-1-01 (adoption of ISO/IEC TR 13335-1:1996). At the time of publication, ISO/IEC 13335-1:2004 is available from ISO and IEC in English only. CSA will publish the French version when it becomes available from ISO and IEC.

This International Standard was reviewed by the CSA TCIT under the jurisdiction of the Strategic Steering Committee on Information Technology and deemed acceptable for use in Canada. (A committee membership list is available on request from the CSA Project Manager.) From time to time, ISO/IEC may publish addenda, corrigenda, etc. The CSA TCIT will review these documents for approval and publication. For a listing, refer to the CSA Information Products catalogue or CSA Info Update or contact a CSA Sales representative. This Standard has been formally approved, without modification, by the Technical Committee and has been approved as a National Standard of Canada by the Standards Council of Canada.

© 2005 All rights reserved. No part of this publication may be reproduced in any form whatsoever without the prior permission of the publisher. ISO/IEC material is reprinted with permission. Where the words "this International Standard" appear in the text, they should be interpreted as "this National Standard of Canada".

Inquiries regarding this National Standard of Canada should be addressed to
Canadian Standards Association
5060 Spectrum Way, Suite 100, Mississauga, Ontario, Canada L4W 5N6
1-800-463-6727 / 416-747-4044
www.csa.ca

INTERNATIONAL STANDARD ISO/IEC 13335-1
First edition 2004-11-15

Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management

ISO/IEC 13335-1:2004(E)

PDF disclaimer

This PDF file may contain embedded typefaces.

In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area.

Adobe is a trademark of Adobe Systems Incorporated.

Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

© ISO/IEC 2004 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case postale 56
CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org

Contents

TABLE OF CONTENTS ..... iii
FOREWORD ..... iv
INTRODUCTION ..... v
1 SCOPE ..... 1
2 DEFINITIONS ..... 1
3 SECURITY CONCEPTS AND RELATIONSHIPS ..... 5
3.1 SECURITY PRINCIPLES ..... 5
3.2 ASSETS ..... 5
3.3 THREATS ..... 6
3.4 VULNERABILITIES ..... 8
3.5 IMPACT ..... 8
3.6 RISK ..... 9
3.7 SAFEGUARDS ..... 9
3.8 CONSTRAINTS ..... 10
3.9 SECURITY ELEMENT RELATIONSHIPS ..... 11
4 OBJECTIVES, STRATEGIES AND POLICIES ..... 13
4.1 ICT SECURITY OBJECTIVES AND STRATEGY ..... 14
4.2 POLICY HIERARCHY ..... 16
4.3 CORPORATE ICT SECURITY POLICY ELEMENTS ..... 18
5 ORGANIZATIONAL ASPECTS OF ICT SECURITY ..... 20
5.1 ROLES AND RESPONSIBILITIES ..... 20
5.1.1 Organizational roles, accountabilities and responsibilities ..... 20
5.1.2 ICT security forum ..... 23
5.1.3 Corporate ICT security officer ..... 23
5.1.4 ICT users ..... 24
5.2 ORGANIZATIONAL PRINCIPLES ..... 25
5.2.1 Commitment ..... 25
5.2.2 Consistent approach ..... 25
5.2.3 Integrating ICT security ..... 26
6 ICT SECURITY MANAGEMENT FUNCTIONS ..... 27
6.1 OVERVIEW ..... 27
6.2 CULTURAL AND ENVIRONMENTAL CONDITIONS ..... 27
6.3 RISK MANAGEMENT ..... 28

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the representative organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 13335-1 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This first edition of ISO/IEC 13335-1 cancels and replaces ISO/IEC TR 13335-1:1996 and ISO/IEC TR 13335-2:1997, which have been technically revised.

ISO/IEC 13335 consists of the following parts, under the general title Information technology - Security techniques - Management of information and communications technology security:
- Part 1: Concepts and models for information and communications technology security management

The following part is under preparation:
- Part 2: Techniques for information and communications technology security risk management

ISO/IEC 13335-2, when published, will cancel and replace ISO/IEC TR 13335-3:1998 and ISO/IEC TR 13335-4:2000. ISO/IEC TR 13335-5:2001 is currently under revision. In the course of the revision process it will be merged with ISO/IEC 18028-1. When it is published, ISO/IEC 18028-1 will consequently cancel and replace ISO/IEC TR 13335-5:2001.

Introduction

Government and commercial organizations rely heavily on the use of information to conduct their business activities. Compromise of confidentiality, integrity, availability, non-repudiation, accountability, authenticity and reliability of an organization's assets can have an adverse impact. Consequently, there is a critical need to protect information and to manage the security of ICT systems within organizations. This requirement to protect information is particularly important in today's environment because many organizations are internally and externally connected by networks of ICT systems not necessarily controlled by their organizations. As well, legislation in many countries requires that management take appropriate action to mitigate risk related to the business and the use of ICT systems. Such legislation may cover not only privacy/data protection but also healthcare and financial markets, among others.

Part 1 provides a high-level management overview. This material is suitable for managers and those who have responsibility for ICT security, for an organization's overall security program or an organization's ICT systems. Part 1 focuses its attention on concepts and models for managing the planning, implementation and operations of ICT security. This Part contains:
- definitions applicable to all parts of this International Standard (Clause 2);
- descriptions o
