The 133 security controls of ISO 27001 (the control numbering of ISO/IEC 27001:2005 Annex A), downloaded from the Internet and shared here for everyone's study and reference. Compared with the Multi-Level Protection Scheme (等级保护) that the state is currently promoting, the MLPS evaluation items for technical and management controls are more practically operable.
1 5.1.1 Information security policy document
2 5.1.2 Review of the information security policy
3 6.1.1 Management commitment to information security
4 6.1.2 Information security co-ordination
5 6.1.3 Allocation of information security responsibilities
6 6.1.4 Authorization process for information processing facilities
7 6.1.5 Confidentiality agreements
8 6.1.6 Contact with authorities
9 6.1.7 Contact with special interest groups
10 6.1.8 Independent review of information security
11 6.2.1 Identification of risks related to external parties
12 6.2.2 Addressing security when dealing with customers
13 6.2.3 Addressing security in third party agreements
14 7.1.1 Inventory of assets
15 7.1.2 Ownership of assets
16 7.1.3 Acceptable use of assets
17 7.2.1 Classification guidelines
18 7.2.2 Information labeling and handling
19 8.1.1 Roles and responsibilities
20 8.1.2 Screening
21 8.1.3 Terms and conditions of employment
22 8.2.1 Management responsibilities
23 8.2.2 Information security awareness, education, and training
24 8.2.3 Disciplinary process
25 8.3.1 Termination responsibilities
26 8.3.2 Return of assets
27 8.3.3 Removal of access rights
28 9.1.1 Physical security perimeter
29 9.1.2 Physical entry controls
30 9.1.3 Securing offices, rooms, and facilities
31 9.1.4 Protecting against external and environmental threats
32 9.1.5 Working in secure areas
33 9.1.6 Public access, delivery, and loading areas
34 9.2.1 Equipment siting and protection
35 9.2.2 Supporting utilities
36 9.2.3 Cabling security
37 9.2.4 Equipment maintenance
38 9.2.5 Security of equipment off-premises
39 9.2.6 Secure disposal or re-use of equipment
40 9.2.7 Removal of property
41 10.1.1 Documented operating procedures
42 10.1.2 Change management
43 10.1.3 Segregation of duties
44 10.1.4 Separation of development, test, and operational facilities
45 10.2.1 Service delivery
46 10.2.2 Monitoring and review of third party services
47 10.2.3 Managing changes to third party services
48 10.3.1 Capacity management
49 10.3.2 System acceptance
50 10.4.1 Controls against malicious code
51 10.4.2 Controls against mobile code
52 10.5.1 Information back-up
53 10.6.1 Network controls
54 10.6.2 Security of network services
55 10.7.1 Management of removable media
56 10.7.2 Disposal of media
57 10.7.3 Information handling procedures
58 10.7.4 Security of system documentation
59 10.8.1 Information exchange policies and procedures
60 10.8.2 Exchange agreements
61 10.8.3 Physical media in transit
62 10.8.4 Electronic messaging
63 10.8.5 Business information systems
64 10.9.1 Electronic commerce
65 10.9.2 On-Line Transactions
66 10.9.3 Publicly available information
67 10.10.1 Audit logging
68 10.10.2 Monitoring system use
69 10.10.3 Protection of log information
70 10.10.4 Administrator and operator logs
71 10.10.5 Fault logging
72 10.10.6 Clock synchronization
73 11.1.1 Access control policy
74 11.2.1 User registration
75 11.2.2 Privilege management
76 11.2.3 User password management
77 11.2.4 Review of user access rights
78 11.3.1 Password use
79 11.3.2 Unattended user equipment
80 11.3.3 Clear desk and clear screen policy
81 11.4.1 Policy on use of network services
82 11.4.2 User authentication for external connections
83 11.4.3 Equipment identification in networks
84 11.4.4 Remote diagnostic and configuration port protection
85 11.4.5 Segregation in networks
86 11.4.6 Network connection control
87 11.4.7 Network routing control
88 11.5.1 Secure log-on procedures
89 11.5.2 User identification and authentication
90 11.5.3 Password management system
91 11.5.4 Use of system utilities
92 11.5.5 Session time-out
93 11.5.6 Limitation of connection time
94 11.6.1 Information access restriction
95 11.6.2 Sensitive system isolation
96 11.7.1 Mobile computing and communications
97 11.7.2 Teleworking
98 12.1.1 Security requirements analysis and specification
99 12.2.1 Input data validation
100 12.2.2 Control of internal processing
101 12.2.3 Message integrity
102 12.2.4 Output data validation
103 12.3.1 Policy on the use of cryptographic controls
104 12.3.2 Key management
105 12.4.1 Control of operational software
106 12.4.2 Protection of system test data
107 12.4.3 Access control to program source code
108 12.5.1 Change control procedures
109 12.5.2 Technical review of applications after operating system changes
110 12.5.3 Restrictions on changes to software packages
111 12.5.4 Information leakage
112 12.5.5 Outsourced software development
113 12.6.1 Control of technical vulnerabilities
114 13.1.1 Reporting information security events
115 13.1.2 Reporting security weaknesses
116 13.2.1 Responsibilities and procedures
117 13.2.2 Learning from information security incidents
118 13.2.3 Collection of evidence
119 14.1.1 Including information security in the business continuity management process
120 14.1.2 Business continuity and risk assessment
121 14.1.3 Developing and implementing continuity plans including informa