1、 International Telecommunication Union ITU-T X.1057TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (05/2011) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Information and network security Security management Asset management guidelines in telecommunication organizations Recommenda
2、tion ITU-T X.1057 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM AS
3、PECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security management X.1050X.1069Telebiometrics X.1080X.1099 SECURE AP
4、PLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179 IPTV security X.1180X.1199 CYBERSPACE SECURITY Cyber
5、security X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 CYBERSECURITY INFORMATION EXCHANGE Overview of cybersecurity X.1500X.1519 Vulnerability/state exc
6、hange X.1520X.1539 Event/incident/heuristics exchange X.1540X.1549 Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 For further details, please refer to the list of ITU-T Recommendations. Rec. IT
7、U-T X.1057 (05/2011) i Recommendation ITU-T X.1057 Asset management guidelines in telecommunication organizations Summary Recommendation ITU-T X.1057 provides guidelines for securely managing various assets, including electronic information, paper, and IT systems in telecommunication organizations.
8、This Recommendation also describes the main activities and methods for implementing asset management on the basis of the PDCA (Plan Do Check Act) process model. History Edition Recommendation Approval Study Group 1.0 ITU-T X.1057 2011-05-29 17 ii Rec. ITU-T X.1057 (05/2011) FOREWORD The Internationa
9、l Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating
10、 and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produc
11、e Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this
12、Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., inte
13、roperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest t
14、hat compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence,
15、 validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be
16、 required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2012 All rights reserved. No part of this publication may be rep
17、roduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T X.1057 (05/2011) iii Table of Contents Page 1 Scope 1 2 References. 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this Recommendation . 2 4 Abbreviations and acronyms 2 5 Conventions 3 6
18、Overview of asset management 3 6.1 Concept of asset management process . 3 6.2 Main activities in the asset management process . 4 7 Asset management process . 5 7.1 Establishment of asset management policy 5 7.2 Survey and identification 5 7.3 Classification and registration 6 7.4 Evaluation of ass
19、et value 6 7.5 Performance of change management 7 8 Telecommunication asset classification . 7 8.1 General and telecommunication specific assets . 7 Appendix I Example of evaluation of an asset value level . 9 Appendix II Example of asset maintenance information 11 Appendix III Example asset registe
20、r . 12 Bibliography. 13 Rec. ITU-T X.1057 (05/2011) 1 Recommendation ITU-T X.1057 Asset management guidelines in telecommunication organizations 1 Scope Telecommunication organizations should have very high goals for operating and managing their various assets, for providing customer services and fo
21、r directly or indirectly supporting their business. It is necessary to protect those assets critical to telecommunication organizations in order to ensure that the operations and services of the telecommunication business are not compromised. This Recommendation provides an overview of processes and
22、 methods that need to be addressed in place to identify, classify, evaluate and maintain the assets that telecommunication organizations own. This Recommendation also suggests some templates as a method for managing assets. 2 References The following ITU-T Recommendations and other references contai
23、n provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the
24、possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Re
25、commendation. ITU-T X.1051 Recommendation ITU-T X.1051 (2008) | ISO/IEC 27011:2008, Information technology Security techniques Information security management guidelines for telecommunications organizations based on ISO/IEC 27002. ISO/IEC 27000 ISO/IEC 27000:2009, Information technology Security tec
26、hniques Information security management systems Overview and vocabulary. 3 Definitions 3.1 Terms defined elsewhere This Recommendation uses the following terms defined elsewhere: 3.1.1 asset ISO/IEC 27000: Anything that has value to the organization. NOTE There are many types of assets, including: a
27、) information (2.18); b) software, such as a computer program; c) physical, such as computer; d) services; e) people, and their qualifications, skills, and experience; and f) intangibles, such as reputation and image. 3.1.2 policy ISO/IEC 27000: Overall intention and direction as formally expressed
28、by management. 3.1.3 telecommunications equipment room ITU-T X.1051: A part of general building such as a room where equipment for providing telecommunications business are sited. 3.1.4 telecommunications facilities ITU-T X.1051: Machines, equipment, wire and cables, physical buildings or other elec
29、trical facilities for the operation of telecommunications. 2 Rec. ITU-T X.1057 (05/2011) 3.1.5 user ITU-T X.1051: Person or organization who utilizes information processing facilities or systems, e.g., employee, contractor or third party user. 3.2 Terms defined in this Recommendation This Recommenda
30、tion defines the following terms: 3.2.1 asset manager: A person or an organization who is designated by an asset owner for secure management and protection of the asset. 3.2.2 asset owner: A person or an organization who has the ownership and a final obligation of asset management such as asset acqu
31、isition, permit of asset use, disposal or discard of asset, etc. 4 Abbreviations and acronyms This Recommendation uses the following abbreviations and acronyms: AMP Asset Management Process AP Access Point AVL Asset Value Level CCTV Closed Circuit Television CMTS Cable Modem Termination System DBMS
32、Database Management System DHCP Dynamic Host Configuration Protocol DNS Domain Name System ESM Enterprise Security Management IDS Intrusion Detection System IPS Intrusion Prevention System ISMS Information Security Management System IT Information Technology NAS Network Access Server NMS Network Man
33、agement System NTP Network Time Protocol OS Operating System PC Personal Computer PDCA Plan Do Check Act RAS Remote Access Server R loss of profit Degree of financial loss; loss of customer Possibility of customer loss; image Damage of an organizations image. 6.1 Concept of asset management process
34、In general, an asset has value if it is actively used for business and services in an organization. Asset management refers, from the viewpoint of information security, to the appropriate handling and protection measures considering the asset value in the scope defined by telecommunication organizat
35、ions. In order to systematically and securely manage the various and large number of assets included in an organization, the assets should be managed according to an asset life cycle, which corresponds to a process of acquisition or generation, change, disposal or destruction of the asset. In an org
36、anization, while a series of management processes is applied on assets, it is required that certain standards and rules be determined. The asset management process and its alignment to the PDCA model is described in Figure 1. 4 Rec. ITU-T X.1057 (05/2011) X.1057(11)_F013.Classificationandregistratio
37、n2.SurveyandidentificationPlan1.Establishmentof assetmanagementpolicyAssetmanagementprocess (AMP)4.Evaluationofasset valueDo5.Performanceof changemanagementCheck/ActFigure 1 Concept of AMP 6.2 Main activities in the asset management process There are five steps in the asset management process. Some
38、important activities in each step are required for performing asset management. The key activities in each step are: a) Establish the policy for asset management: i) define procedures and methods for handling the assets; ii) appoint the asset manager responsible for the management of assets; iii) de
39、fine the classification criteria in consideration of asset type; iv) define the criteria for evaluating the asset value level; v) define the role and responsibility of the asset manager; vi) define the range or scope of the asset to be managed. b) Survey and identify the assets: i) survey all assets
40、 comprehensively in the established scope of asset management; ii) recognize and select the assets to be managed; iii) cooperate with related teams or departments when surveying assets; iv) give a name to the identified asset and create an asset register or inventory. c) Classify and register the as
41、sets: i) draw up an asset list based on the predefined criteria for asset classification; ii) register the basic and additional maintenance information of each asset (see Appendix II); iii) consider the grouping strategy and label for identified assets by using physical or logical means, for effecti
42、ve handling. d) Evaluate the importance level for the asset: i) assess the importance of the asset with respect to the security requirements; ii) grant the value level to each asset in order to apply the appropriate security measures; Rec. ITU-T X.1057 (05/2011) 5 iii) always reassess the value of t
43、he the asset, if its status has changed. e) Perform change management: i) periodically check the status of assets; ii) update the results to an asset register, if the status of any asset has changed; iii) find and report new issues for improving the asset management policy and process. 7 Asset manag
44、ement process 7.1 Establishment of asset management policy For the purpose of systematically and efficiently managing the assets, protection objectives should be defined and a management policy should be established for handling assets and selecting control measures. These activities may be helpful
45、as a baseline to determine practicality and cost efficiency of protective controls. a) A procedure should be established for managing the assets according to their lifecycle, including creation and registration, change, and disposal of the assets. b) An asset manager having the role of asset owner f
46、or security purposes should be assigned. c) Assets should be classified and managed by their types so as to systematically manage the assets. In this case, consistent criteria in consideration of the asset types managed by each telecommunication organization should be prepared, for the purpose of ef
47、fective asset classification. d) The criteria for evaluating the importance of the identified asset should be established and the criteria for assigning a security level to the assets should be established, for the purpose of managing the assets in accordance with the security level of the assets. e
48、) The asset owner is comprehensively responsible for the corresponding assets. The asset owner may appoint and entrust the asset manager to manage them. The appointed asset manager should be able to acquire the responsibility of asset protection and to continuously maintain the asset security. f) Th
49、e asset manager should define the range or scope of the asset to be managed, in relation to the application of asset management policies. When defining the scope of asset management, it is necessary to consider all aspects of the organizations business and the security of the assets. 7.2 Survey and identification There are very many assets, such as IT systems, in telecommunication organizations. In order to effectively protect the assets, it is first necessary to survey and identify o
