A Study of the Initial Work in Establishing an Information Security Management System


43
A Study on the Implementation of Information Security Management Systems

Abstract
During the 90's, global civilization went through a great change. Quality of life, preservation of our environment, and management of human health and safety all turned gradually toward universal consistency and toward a high level of standardization. Related international standards have influenced economic development as well as operations in corporate organizations. The best examples are compliance with the ISO 9000 series of standards for quality management and the ISO 14000 standards for environmental protection. In the last month of the twentieth century, an international standard for the emerging field of information security management was adopted by ISO, the standardization body. The standard offers guidelines for establishing a reliable and safe environment for information processing and communication. In this article, the authors describe the approach and steps for the systematic implementation of information security management systems under the guidance of this newly adopted standard, ISO 17799.

Key Words: Information Policy, Information Security Management System, Risk Assessment, Risk Management, Standard

44 1. 2001 4 27 1.1 1.1 7 6,000 N.T.$1,300,000,000.- 41 [1] 1999 1998 U.S.$6,500,000.- U.S.$37,600,000.- 478%[6] 1999 12 18 [5] 1.1 1.1 (International Organization for Standardization, ISO) 2000 12 1 (Information technologycode of practice for information security management) ISO/IEC 17799[14] (Information Security Management System, ISMS) 1.1 1. 2001 4 27 1 / 6 2. 7 6,000 N.T.$1,300,000,000.- 41 3. 2 SOGO N.T.$300.-

45 1 N.T.$8,000.-~N.T.$9,000.- 1,200~1,300 N.T.$50,000.-~N.T.$70,000.- 1 N.T.$10,000,000.- 4. 7 ( ) ( ) ( 5. SOGO 6. ISO/IEC 17799 2000(E) (Covert Channels and Trojan Code) 20014 27 5 1.1

46 ISO/IEC 17799 ISMS ISO/IEC 17799 (British Standard Institute, BSi) 1999 BS7799 (Part 1) BS7799 (Part 2) (Specification for information security management systems)[9] (Certification Body)ISMS ISMS ISO/IEC 17799 BS7799 ISO/IEC 17799 1.2 2 3 ISMS 4 1.2 1. 1990 (Organization for Economic Cooperation and Development, OECD) 2. 1992 OECD 1992 11 26 3. 1993 4. 1995 BS7799 (International Organization for Standardization, ISO) ISO DIS 14980 5. 1996 BS7799 (ISO) 1996 2 24 6 6. 1997 6.1 OECD 1997 3 27 6.2 7. 1998 7.1 BS7799 7.2 1995 10 1998 10 25 (Adequacy Standard) 8. 1999 BS7799 ISO 9. 2000 BS7799 2000 12 1 ISO ISO/IEC 17799 10. 2001 (?): ISO 17799 BS7799

47 2. 2.1 2.2 2.1 1996 8 6 AOL 24 1. 1. U.S. $3,000.000.- 2. 2. U.S. $80,000,000.- 1998 4 13 AT&T 6~26 1. U.S. $40,000,000.- 1999 2 3 ~1999 3 3 E*Trade 1999 2 24 Charles ~1999 4 21 Schwab& Co. 2. 5 1. 2. 1999 2 5 22% 4 1. 1. 2. 2. U.S. $70,000,000.- 1999 6 12 ebay 2 1.U.S. $3,000,000.-~U.S. $4,000,000.- 2. 26% 20% 40% 40% ISO/IEC 17799 ( )

48 2.2 1. 1.1 200173 5 / 1.2 200173 3 / 1.3 200173 3 / 2. 2,000 3. 20016304 4. 2 5. SET(Secure Electronic Transaction) 6. ISO/IEC 17799 (Systems Development and Maintenance) (User Registration) 1. 2. 3. 4. 5. BS7799-2 2.1

49 1 2 ISMS ISMS, 3, 4 BS 7799, 5 BS 7799 6 ISMSInformation Security Management System 1. ( ) 2. 3. (Risk Analysis) (Risk Evaluation) (Gap Analysis) (Patch) [4] 4. 5. ISO/IEC 17799 6.

50 7. BS7799 ISO/IEC 17799 BS7799 P-D-C-A (Plan-Do-Control-Action) BS7799 3. ISO/IEC 17799 BS7799 ISO/IEC 17799 BS7799 [12] (Risk Assessment) / 3.1 [13] 3.2 3.3 3.4 3.5 3.6 3.1 (Risk Management)

51 4 4

52 3.1

53 3.1 () 3.2IEC(International Electrotechnical Commission)1508 3.3IEC 1508

54 (Catastrophic) (Critical) (Marginal) (Negligible) 3.4 (Certificate Authority, CA) 3.5 http://www.caida.org/analysis/security/code-red (2001)7 19 250000 (code-red) (worm)[8] 4% ( (Microsoft) 6 18 ) 3.2

55 [7] 3.5 3.1 3.3 BS7799-2 [3,15,17] 1. 2. (Hazard) 3. (Estimation) (Evaluation) 1. (Tolerability) 2. 1. 2. 3. (Assessment) (Management)

56 3.6 3.1 1. 1.1 1.2 1.3 2. 2.1 2.2 2.3 (Guidelines) 3. 3.1 3.2 3.3 [11] 3.2 1. 1.1 (2001)2001 Web 76~90 1.2 (2001) 11 107~116 1.3 (2001) 82001613 2. 21664Web 1.1 82.5% 3. 2000522~20001121 43 50 1.2 18% 24%16%42% 4. 200159~2001510

57 520 1 (Worm) 1.3 562 5. ISO/IEC 17799 2000(E) (Malicious Software) (Scanner) (Patch)

58 3.3BS7799-2 2002 BS7799-2 1999 1. 2. 1. 2. ISO/IEC 15026 3. 2. ISO/IEC 15408 1. 2. ISO/IEC 15026 2. ISO/IEC 15408 3. ISO/IEC 15504 1. 2. ISO/IEC 15026 2. ISO/IEC 15408 3. ISO/IEC 15504 4. NIST FIPS 140-2 1. 2. 3. 3.3 1997 (Federal Deposit Insurance Corporation, FDIC) (Division of Supervision, DOS) [2](Electronic Banking Safety and Soundness Examination Procedures,

59 S&S Exam.) 1. (Level 1) (Information-only) 2. (Level 2) (Electronic Information Transfer) 3. (Level 3) (Fully Transactional Information) 3.6 1. 2. BS7799-2 4.1~4.10 (BS7799-2 3.6) 3-6

60 4. [10,16] (Policy) (Guideline) (Standard) (Procedure) (Control) 1. 2. 3. 4.

61 1. (Guideline) (Guideline) (must) (should) (universal application)( ) 2. (Standard) 3. (Procedure) ( ) 4. (Control) ( )

62 1. 2. 3. 4. 5. 6. 7.

63 8. (Fundamental Conceptual Models) ( ) [1] 2001 4 27 [2] 1999 [3] 2001 [4] 2001 Web 2001 76-90 [5] 1999 12 18

64
[6] (2001 5 21~25 )
[7] 2000 1(1), 29-38
[8] / 31 / 31 2001 8 1 11
[9] BSi, Information Security Management Part 2: Specification for Information Security Management Systems, BS7799-2:1999, BSi.
[10] Cresson, C., Information Security Policies Made Easy, Version 7, Accu-Disk, 1999.
[11] Eckes, G., The Six Sigma Revolution, Wiley, 2000.
[12] Eloff, M.M. and Von Solms, S.H., Information Security Management: An Approach to Combine Process Certification and Product Evaluation, Computers and Security, 19(8), 2000, 698-709.
[13] ISO, Banking and Related Financial Services: Information Security Guidelines, ISO/TR 13569:1997(E), ISO.
[14] ISO, Information Technology: Code of Practice for Information Security Management, ISO/IEC 17799:2000(E), ISO.
[15] NIST (National Institute of Standards and Technology), Security Requirements for Cryptographic Modules, FIPS (Federal Information Processing Standard) PUB (Publication) 140-2, 2001, NIST.
[16] Peltier, T.R., Information Security Policies and Procedures, Auerbach, 1999.
[17] Siponen, M.T., A Paradigmatic Analysis of Conventional Approaches for Developing and Managing Secure IS, IFIP (International Federation for Information Processing)/Sec01, 2001, 437-452.

65