1、 International Telecommunication Union ITU-T X.1051TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (02/2008) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Telecommunication security Information technology Security techniques Information security management guidelines for telecommu
2、nications organizations based on ISO/IEC 27002 ITU-T Recommendation X.1051 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS Services and facilities X.1X.19 Interfaces X.20X.49 Transmission, signalling and switching X.50X.89 Network aspects X.
3、90X.149 Maintenance X.150X.179 Administrative arrangements X.180X.199 OPEN SYSTEMS INTERCONNECTION Model and notation X.200X.209 Service definitions X.210X.219 Connection-mode protocol specifications X.220X.229 Connectionless-mode protocol specifications X.230X.239 PICS proformas X.240X.259 Protocol
4、 Identification X.260X.269 Security Protocols X.270X.279 Layer Managed Objects X.280X.289 Conformance testing X.290X.299 INTERWORKING BETWEEN NETWORKS General X.300X.349 Satellite data transmission systems X.350X.369 IP-based networks X.370X.379 Available X.380X.399 MESSAGE HANDLING SYSTEMS X.400X.4
5、99DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS Networking X.600X.629 Efficiency X.630X.639 Quality of service X.640X.649 Naming, Addressing and Registration X.650X.679 Abstract Syntax Notation One (ASN.1) X.680X.699 OSI MANAGEMENT Systems Management framework and architecture X.700X.709 Ma
6、nagement Communication Service and Protocol X.710X.719 Structure of Management Information X.720X.729 Management functions and ODMA functions X.730X.799 SECURITY X.800X.849 OSI APPLICATIONS Commitment, Concurrency and Recovery X.850X.859 Transaction processing X.860X.879 Remote operations X.880X.889
7、 Generic applications of ASN.1 X.890X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 TELECOMMUNICATION SECURITY X.1000 For further details, please refer to the list of ITU-T Recommendations. ITU-T Rec. X.1051 (02/2008) i INTERNATIONAL STANDARD ISO/IEC 27011 ITU-T RECOMMENDATION X.1051 Information techno
8、logy Security techniques Information security management guidelines for telecommunications organizations based on ISO/IEC 27002 Summary ITU-T Rec. X.1051 | ISO/IEC 27011: a) establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security ma
9、nagement in telecommunications organizations based on ISO/IEC 27002; b) provides an implementation baseline of information security management within telecommunications organizations to ensure the confidentiality, integrity and availability of telecommunications facilities and services. As a result
10、of implementing this Recommendation | International Standard, telecommunications organizations, both within and between jurisdictions, will: a) be able to assure the confidentiality, integrity and availability of the global telecommunications facilities and services; b) have adopted secure collabora
11、tive processes and controls ensuring the lowering of risks in the delivery of telecommunications services; c) be able to redeployed resources to more productive activities; d) have adopted a consistent holistic approach to information security; e) be able to improve personnel awareness and morale, a
12、nd increase public trust. Objective The objectives of this Recommendation | International Standard are to provide practical guidance specially suited for telecommunications organizations on: a) commonly-accepted goals of information security management specifically suited for telecommunications orga
13、nizations; b) information security management practices to assist in the building of confidence for telecommunications activities. Source ITU-T Recommendation X.1051 was approved on 13 February 2008 by ITU-T Study Group 17 (2005-2008) under the ITU-T Recommendation A.8 procedure. An identical text i
14、s also published as ISO/IEC 27011. ii ITU-T Rec. X.1051 (02/2008) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector
15、(ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every fo
16、ur years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, th
17、e necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary.
18、However, the Recommendation may contain certain mandatory provisions (to ensure e.g. interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negati
19、ve equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use
20、 of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation,
21、 ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www
22、.itu.int/ITU-T/ipr/. ITU 2008 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. ITU-T Rec. X.1051 (02/2008) iii CONTENTS Page 1 Scope . 1 2 Normative references 1 3 Definitions and abbreviations 1 3.1 Definitions
23、. 1 3.2 Abbreviations. 2 4 Overview 3 4.1 Structure of this guideline. 3 4.2 Information security management systems in telecommunications business 3 5 Security policy. 5 6 Organization of information security 5 6.1 Internal organization 5 6.2 External parties. 7 7 Asset management 10 7.1 Responsibi
24、lity for assets . 10 7.2 Information classification . 12 8 Human resources security. 13 8.1 Prior to employment 13 8.2 During employment. 15 8.3 Termination or change of employment 15 9 Physical and environmental security. 15 9.1 Secure areas. 15 9.2 Equipment security 17 10 Communications and opera
25、tions management 19 10.1 Operational procedures and responsibilities 19 10.2 Third party service delivery management. 21 10.3 System planning and acceptance 21 10.4 Protection against malicious and mobile code . 22 10.5 Back-up 22 10.6 Network security management. 22 10.7 Media handling. 23 10.8 Exc
26、hange of information 23 10.9 Electronic commerce services 23 10.10 Monitoring. 23 11 Access control . 25 11.1 Business requirement for access control. 25 11.2 User access management 26 11.3 User responsibilities 26 11.4 Network access control 26 11.5 Operating system access control. 26 11.6 Applicat
27、ion and information access control 26 11.7 Mobile computing and teleworking. 26 12 Information systems acquisition, development and maintenance 26 12.1 Security requirements of information systems. 26 12.2 Correct processing in applications 26 12.3 Cryptographic controls. 26 12.4 Security of system
28、files 26 12.5 Security in development and support processes . 27 12.6 Technical vulnerability management. 27 13 Information security incident management 28 13.1 Reporting information security events and weaknesses . 28 13.2 Management of information security incidents and improvements 29 iv ITU-T Re
29、c. X.1051 (02/2008) Page 14 Business continuity management . 31 14.1 Information security aspects of business continuity management 31 15 Compliance . 33 Annex A Telecommunications extended control set 34 A.9 Physical and environmental security . 34 A.10 Communications and operations management. 37
30、A.11 Access control 39 A.15 Compliance 39 Annex B Additional implementation guidance 42 B.1 Network security measures against cyber attacks. 42 B.2 Network security measures for network congestion 42 Bibliography . 44 ITU-T Rec. X.1051 (02/2008) v Introduction This Recommendation | International Sta
31、ndard provides interpretation guidelines for the implementation and management of information security management in telecommunications organizations based on ISO/IEC 27002 (Code of practice for information security management). In addition to the application of security objectives and controls desc
32、ribed in ISO/IEC 27002, telecommunications organizations have to take into account the following security features: 1) Confidentiality Information related to telecommunications organizations should be protected from unauthorized disclosure. This implies non-disclosure of communications in terms of t
33、he existence, the content, the source, the destination and the date and time of communicated information. It is critical that telecommunications organizations ensure that the non-disclosure of communications being handled by them is not breached. Persons engaged by the telecommunications organizatio
34、n should maintain the confidentiality of any information regarding others that may have come to be known during their work duties. NOTE The term “secrecy of communications“ is used in some countries in the context of “non-disclosure of communications“. 2) Integrity The installation and use of teleco
35、mmunications facilities should be controlled, ensuring the authenticity, accuracy and completeness of information transmitted, relayed or received by wire, radio or any other methods. 3) Availability Only authorized access should be provided when necessary to telecommunications information, faciliti
36、es and the medium used for the provision of communication services whether it might be provided by wire, radio or any other methods. As an extension of the availability, telecommunications organizations should give priority to essential communications in case of emergency, and comply with regulatory
37、 requirements. Information security management in telecommunications organizations is required regardless of the method, e.g., wired, wireless or broadband technologies. If information security management is not implemented properly, the extent of telecommunications risks regarding confidentiality,
38、integrity and availability may be increased. Telecommunications organizations are designated to provide telecommunications services by intermediating communications of others through facilities for the use of others communications. Therefore, it should be taken into account that information processi
39、ng facilities within a telecommunication organization are accessed and utilized by not only its own employees and contractors, but also various users outside of the organization. In order to provide telecommunications services, telecommunications organizations need to interconnect and/or share their
40、 telecommunications services and facilities, and/or use the telecommunications services and facilities of other telecommunications organizations. Therefore, the management of information security in telecommunications organizations is mutually dependent and may include any and all areas of network i
41、nfrastructure, services applications and other facilities. Regardless of operational scales, service areas or service types, telecommunications organizations should implement appropriate controls to ensure confidentiality, integrity, availability and any other security property of telecommunications
42、. Audience This Recommendation | International Standard provides telecommunications organizations, and those responsible for information security; together with security vendors, auditors, telecommunications terminal vendors and application content providers, with a common set of general security co
43、ntrol objectives based on ISO/IEC 27002, telecommunications sector specific controls, and information security management guidelines allowing for the selection and implementation of such controls. ISO/IEC 27011:2008 (E) ITU-T Rec. X.1051 (02/2008) 1 INTERNATIONAL STANDARD ITU-T RECOMMENDATION Inform
44、ation technology Security techniques Information security management guidelines for telecommunications organizations based on ISO/IEC 27002 1 Scope The scope of this Recommendation | International Standard is to define guidelines supporting the implementation of information security management in te
45、lecommunications organizations. The adoption of this Recommendation | International Standard will allow telecommunications organizations to meet baseline information security management requirements of confidentiality, integrity, availability and any other relevant security property. 2 Normative ref
46、erences The following Recommendations and International Standards contain provisions which, through reference in this text, constitute provisions of this Recommendation | International Standard. At the time of publication, the editions indicated were valid. All Recommendations and Standards are subj
47、ect to revision, and parties to agreements based on this Recommendation | International Standard are encouraged to investigate the possibility of applying the most recent edition of the Recommendations and Standards listed below. Members of IEC and ISO maintain registers of currently valid Internati
48、onal Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid ITU-T Recommendations. ISO/IEC 27001:2005, Information technology Security techniques Information security management systems Requirements. ISO/IEC 27002:2005, Information technology Security
49、techniques Code of practice for information security management. 3 Definitions and abbreviations 3.1 Definitions For the purposes of this Recommendation | International Standard, the definitions given in ISO/IEC 27002 apply. Additionally, the following definitions apply: 3.1.1 collocation: Installation of telecommunications facilities on the premises of other telecommunications carriers. 3.1.2 communication centre: Building where facilities for providing telecommunications business are sited. 3.1.3 essential communication
