
Table of Contents

12 Operations security
12.1 Operational procedures and responsibilities
12.1.1 Documented operating procedures
9. Communications and operations management
9.1. Operational procedures and responsibilities
9.1.1. Documented operating procedures
12.1.2 Change management
9.1.2. Change management
12.1.3 Capacity management
9.3.1. Capacity management
12.1.4 Separation of development, testing and operational environments
9.1.4. Separation of development, test and operational facilities
12.2 Protection from malware
12.2.1 Controls against malware
9.4. Protection against malicious and mobile code
9.4.1. Controls against malicious code
12.3 Backup
12.3.1 Information backup
9.5. Backup
9.5.1. Information backup
12.4 Logging and monitoring
12.4.1 Event logging
9.10. Monitoring
9.10.1. Audit logging
12.4.2 Protection of log information
9.10.3. Protection of log information
12.4.3 Administrator and operator logs
9.10.4. Operator and administrator logs
12.4.4 Clock synchronisation
9.10.6. Clock synchronisation
12.5 Control of operational software
12.5.1 Installation of software on operational systems
11.4.1. Control of operational software
12.6 Technical vulnerability management
12.6.1 Management of technical vulnerabilities
11.6.1. Control of technical vulnerabilities
12.6.2 Restrictions on software installation
12.7 Information systems audit considerations
12.7.1 Information systems audit controls
13 Communications security
13.1 Network security management
13.1.1 Network controls
13.1.2 Security of network services
13.1.3 Segregation in networks
10.4.5. Segregation in networks
13.2 Information transfer
13.2.1 Information transfer policies and procedures
9.8. Exchange of information
9.8.1. Information exchange policies and procedures
13.2.2 Agreements on information transfer
13.2.3 Electronic messaging
9.8.4. Electronic messaging

12 Operations security
12.1 Operational procedures and responsibilities
Objective: To ensure correct and secure operations of information processing facilities.

12.1.1 Documented operating procedures
Control
Operating procedures should be documented and made available to all users who need them.
Implementation guidance
Documented procedures should be prepared for operational activities associated with information processing and communication facilities, such as computer start-up and close-down procedures, backup, equipment maintenance, media handling, computer room and mail handling management and safety.
The operating procedures should specify the operational instructions, including:
a) the installation and configuration of systems;
b) processing and handling of information both automated and manual;
c) backup (see 12.3);
d) scheduling requirements, including interdependencies with other systems, earliest job start and latest job completion times;
e) instructions for handling errors or other exceptional conditions, which might arise during job execution, including restrictions on the use of system utilities (see 9.4.4);
f) support and escalation contacts including external support contacts in the event of unexpected operational or technical difficulties;
g) special output and media handling instructions, such as the use of special stationery or the management of confidential output including procedures for secure disposal of output from failed jobs (see 8.3 and 11.2.7);
h) system restart and recovery procedures for use in the event of system failure;
i) the management of audit-trail and system log information (see 12.4);
j) monitoring procedures.
Operating procedures and the documented procedures for system activities should be treated as formal documents and changes authorized by management. Where technically feasible, information systems should be managed consistently, using the same procedures, tools and utilities.

9. Communications and operations management

9.1. Operational procedures and responsibilities
Objective: To ensure the correct and secure operation of information processing facilities.
Responsibilities and procedures for the management and operation of all information processing facilities should be established. This includes the development of appropriate operating procedures.
Where appropriate, segregation of duties should be implemented to reduce the risk of negligent or deliberate system misuse.

9.1.1. Documented operating procedures
Control
Operating procedures should be documented, maintained, and made available to all users who need them.
Implementation guidance
Documented procedures should be prepared for system activities associated with information processing and communication facilities, such as computer start-up and shut-down procedures, backup, equipment maintenance, media handling, computer room and mail handling management, and safety.

The operating procedures should give detailed instructions for carrying out each job, including:
a) processing and handling of information;
b) backup (see 9.5.1);
c) scheduling requirements, including interdependencies with other systems, earliest job start and latest job completion times;
d) instructions for handling errors or other exceptional conditions that might arise during job execution, including restrictions on the use of system utilities (see 10.5.4);
e) support contacts in the event of unexpected operational or technical difficulties;
f) special output and media handling instructions, such as the use of special stationery or the management of confidential output, including procedures for the secure disposal of output from failed jobs (see 9.7.2 and 9.7.3);
g) system restart and recovery procedures for use in the event of system failure;
h) the management of audit-trail and system log information (see 9.10).
Operating procedures and the documented procedures for system activities should be treated as formal documents, with changes authorized by management. Where technically feasible, information systems should be managed consistently, using the same procedures, tools and utilities.

12.1.2 Change management
Control
Changes to the organization, business processes, information processing facilities and systems that affect information security should be controlled.
Implementation guidance
In particular, the following items should be considered:
a) identification and recording of significant changes;
b) planning and testing of changes;
c) assessment of the potential impacts, including information security impacts, of such changes;
d) formal approval procedure for proposed changes;
e) verification that information security requirements have been met;
f) communication of change details to all relevant persons;
g) fall-back procedures, including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events;
h) provision of an emergency change process to enable quick and controlled implementation of changes needed to resolve an incident (see 16.1).
Formal management responsibilities and procedures should be in place to ensure satisfactory control of all changes. When changes are made, an audit log containing all relevant information should be retained.
Other information
Inadequate control of changes to information processing facilities and systems is a common cause of system or security failures. Changes to the operational environment, especially when transferring a system from development to operational stage, can impact on the reliability of applications (see 14.2.2).

9.1.2. Change management
Control
Changes to information processing facilities and systems should be controlled.
Implementation guidance
Changes to application software and operational systems should be strictly controlled.
In particular, the following items should be considered:
a) identification and recording of significant changes;
b) planning and testing of changes;
c) assessment of the potential impacts, including security impacts, of such changes;
d) formal approval procedure for proposed changes;
e) communication of change details to all relevant persons;
f) fall-back procedures, including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events.
Formal management responsibilities and procedures should be in place to ensure satisfactory control of all changes to equipment, software or procedures. When changes are made, an audit log containing all relevant information should be retained.
Other information
Inadequate control of changes to information processing facilities is a common cause of system and information security failures. Changes to the operational environment, especially when transferring a system from the development to the operational stage, can affect the reliability of applications (see also 11.5.1).
Changes to operating systems should only be implemented when there is a valid business reason, such as an increase in the risk to the system. Upgrading systems to the latest version of an operating system or application is often not in the business interest and can introduce more risks and instability than the current version. Upgrading software versions can also give rise to additional training requirements, licensing costs, costs for support, maintenance and administration, and in particular new hardware during the version migration.

12.1.3 Capacity management
Control
The use of resources should be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.
Implementation guidance
Capacity requirements should be identified, taking into account the business criticality of the concerned system. System tuning and monitoring should be applied to ensure and, where necessary, improve the availability and efficiency of systems. Detective controls should be put in place to indicate problems in due time. Projections of future capacity requirements should take account of new business and system requirements and current and projected trends in the organization's information processing capabilities.
Particular attention needs to be paid to any resources with long procurement lead times or high costs; therefore managers should monitor the utilization of key system resources. They should identify trends in usage, particularly in relation to business applications or information systems management tools.
Managers should use this information to identify and avoid potential bottlenecks and dependence on key personnel that might present a threat to system security or services, and plan appropriate action.
Providing sufficient capacity can be achieved by increasing capacity or by reducing demand. Examples of managing capacity demand include:
a) deletion of obsolete data (disk space);
b) decommissioning of applications, systems, databases or environments;
c) optimising batch processes and schedules;
d) optimising application logic or database queries;
e) denying or restricting bandwidth for resource-hungry services if these are not business critical (e.g. video streaming).
A documented capacity management plan should be considered for mission critical systems.
Other information
This control also addresses the capacity of the human resources, as well as offices and facilities.

9.3.1. Capacity management
Control
The use of resources should be monitored and tuned, and projections made of future capacity requirements, to ensure the required system performance.
Implementation guidance
Capacity requirements should be identified for each new and upcoming activity. System tuning and monitoring should be applied to ensure and, where necessary, improve the availability and efficiency of systems; detective controls should be put in place to indicate problems in due time. Plans for meeting future capacity requirements should take account of new business and system requirements and of current and projected trends in the organization's information processing capabilities.
Particular attention should be paid to high-cost resources; managers should monitor the utilization of key system resources. They should identify trends in usage, particularly in relation to business applications or management information system tools.

Managers should use this information to identify and avoid potential bottlenecks and dependence on key personnel, since these might present a threat to system security or services, and plan appropriate action.

12.1.4 Separation of development, testing and operational environments
Control
Development, testing, and operational environments should be separated to reduce the risks of unauthorized access or changes to the operational environment.
Implementation guidance
The level of separation between operational, testing, and development environments that is necessary to prevent operational problems should be identified and implemented.
The following items should be considered:
a) rules for the transfer of software from development to operational status should be defined and documented;
b) development and operational software should run on different systems or computer processors and in different domains or directories;
c) changes to operational systems and applications should be tested in a testing or staging environment prior to being applied to operational systems;
d) other than in exceptional circumstances, testing should not be done on operational systems;
e) compilers, editors and other development tools or system utilities should not be accessible from operational systems when not required;
f) users should use different user profiles for operational and testing systems, and menus should display appropriate identification messages to reduce the risk of error;
g) sensitive data should not be copied into the testing system environment unless equivalent controls are provided for the testing system (see 14.3).
Other information
Development and testing activities can cause serious problems, e.g. unwanted modification of files or system environment or system failure. There is a need to maintain a known and stable environment in which to perform meaningful testing and to prevent inappropriate developer access to the operational environment.
Where development and testing personnel have access to the operational system and its information, they may be able to introduce unauthorized and untested code or alter operational data. On some systems this capability could be misused to commit fraud or introduce untested or malicious code, which can cause serious operational problems.
Development and testing personnel also pose a threat to the confidentiality of operational information.
Development and testing activities may cause unintended changes to software or information if they share the same computing environment. Separating development, testing and operational environments is therefore desirable to reduce the risk of accidental change or unauthorized access to operational software and business data (see 14.3 for the protection of test data).

9.1.4. Separation of development, test and operational facilities
Control
Development, test and operational facilities should be separated to reduce the risks of unauthorized access or changes to the operational system.
Implementation guidance
The level of separation between operational, test and development environments that is necessary to prevent operational problems should be identified, and appropriate controls implemented.
The following items should be considered:
a) rules for the transfer of software from development to operational status should be defined and documented;
b) development and operational software should run on different systems or computer processors, and in different domains or directories;
c) compilers, editors and other system utilities should not be accessible from operational systems when not required;
d) the test system environment should emulate the operational environment as closely as possible;
e) users should use different user profiles for test and operational systems, and menus should display appropriate identification messages to reduce the risk of error;
f) sensitive data should not be copied into the test system environment (see 11.4.2).
Other information
Development and test activities can cause serious problems, e.g. unwanted modification of files or the system environment, or system failure. In this case, there is a need to maintain a stable environment in which to perform meaningful testing and to prevent inappropriate access.
Where development and test personnel have access to the operational system and its information, they may be able to introduce unauthorized and untested code or alter operational data. On some systems this capability could be misused to commit fraud, or to introduce untested or malicious code, causing serious operational problems.
Development and test personnel also pose a threat to the confidentiality of operational information. Development and test activities may cause unintended changes to software or information if they share the same computing environment. Separating development, test and operational facilities is therefore desirable to reduce the risk of accidental change or unauthorized access to operational software and business data (see also 11.4.2 on the protection of test data).

12.2 Protection from malware
Objective: To ensure that information and information processing facilities are protected against malware.

12.2.1 Controls against malware
Control
Detection, prevention and recovery controls to protect against malware should be implemented, combined with appropriate user awareness.
Implementation guidance
Protection against malware should be based on malware detection and repair software, information security awareness and appropriate system access and change management controls. The following guidance should be considered:
a) establishing a formal policy prohibiting the use of unauthorized software (see 12.6.2 and 14.2);
b) implementing controls that prevent or detect the use of unauthorized software (e.g. application whitelisting);
c) implementing controls that prevent or detect the use of known or suspected malicious websites (e.g. blacklisting);
d) establishing a formal policy to protect against risks associated with obtaining files and software either from or via external networks or on any other medium, indicating what protective measures should be taken;
e) reducing vulnerabilities that could be exploited by malware, e.g. through technical vulnerability management (see 12.6);
f) conducting regular reviews of the software and data content of systems supporting critical business processes; the presence of any unapproved files or unauthorized amendments should be formally investigated;
g) installation and regular update of malware detection and repair software to scan computers and media as a precautionary control, or on a routine basis; the scan carried out should include:
1) scan any files received over networks or via any form of storage medium, for malware before use;
2) scan electronic mail attachments and downloads for malware before use; this scan should be carried out at different places, e.g. at electronic mail servers, desktop computers and when entering the network of the organization;
3) scan web pages for malware;
h) defining procedures and responsibilities to deal with malware protection on systems, training in their use, reporting and recovering from malware attacks;
i) preparing appropriate business continuity plans for recovering from malware attacks, including all necessary data and software backup and recovery arrangements (see 12.3);
j) implementing procedures to regularly collect information, such as subscribing to mailing lists or verifying websites giving information about new malware;
k) implementing procedures to verify information relating to malware, and ensure that warning bulletins are accurate and informative; managers should ensure that qualified sources, e.g. reputable journals, reliable Internet sites or suppliers producing software protecting against malware, are used to differentiate between hoaxes and real malware; all users should be made aware of the problem of hoaxes and what to do on receipt of them;
l) isolating environments where catastrophic impacts may result.
Other information
The use of two or more software products protecting against malware across the information processing environment from different vendors and technology can improve the effectiveness of malware protection.
Care should be taken to protect against the introduction of malware during maintenance and emergency procedures, which may bypass normal malware protection controls.
Under certain conditions, malware protection might cause disturbance within operations.
Use of malware detection and repair software alone as a malware control is not usually adequate and commonly needs to be accompanied by operating procedures that prevent introduction of malware.

9.4. Protection against malicious and mobile code
Objective: To protect the integrity of software and information.
Precautions are required to prevent and detect the introduction of malicious code and unauthorized mobile code.
Software and information processing facilities are vulnerable to the introduction of malicious code, such as computer viruses, network worms, Trojan horses and logic bombs.
Users should be made aware of the dangers of malicious code. Where appropriate, managers should introduce controls to prevent, detect and remove malicious code and to control mobile code.

9.4.1. Controls against malicious code
Control
Detection, prevention and recovery controls to protect against malicious code, and appropriate user awareness procedures, should be implemented.
Implementation guidance
Protection against malicious code should be based on malicious code detection and repair software, information security awareness, and appropriate system access and change management controls. The following guidance should be considered:
a) establishing a formal policy prohibiting the use of unauthorized software (see 14.1.2);
b) establishing a formal policy to protect against risks associated with obtaining files and software either from or via external networks, or on any other medium, indicating what protective measures should be taken;
c) conducting regular reviews of the software and data content of systems supporting critical business processes; the presence of any unapproved files or unauthorized amendments should be formally investigated;

d) installation and regular update of malicious code detection and repair software to scan computers and media as a precautionary control; the checks carried out should include:
1) checking any files on electronic or optical media, and files received over networks, for malicious code before use;
2) checking electronic mail attachments and downloads for malicious code before use; this check should be carried out at different places, e.g. at electronic mail servers, desktop computers and when entering the network of the organization;
3) checking web pages for malicious code;
e) defining management procedures and responsibilities to deal with malicious code protection on systems, training in their use, reporting and recovering from malicious code attacks (see 12.1 and 12.2);
f) preparing business continuity plans for recovering from malicious code attacks, including all necessary data and software backup and recovery arrangements (see Clause 13);
g) implementing procedures to regularly collect information, such as subscribing to mailing lists and/or checking web sites giving information about new malicious code;
h) implementing procedures to verify information relating to malicious code, and ensure that warning bulletins are accurate and informative; managers should ensure that qualified sources, e.g. reputable journals, reliable Internet sites or trusted suppliers of software protecting against malicious code, are used to differentiate between hoaxes and real malicious code; all users should be made aware of the problem of hoaxes and what to do on receipt of them.
Other information
Using two or more software products protecting against malicious code from different vendors across the information processing environment can improve the effectiveness of malicious code protection.
Software to protect against malicious code can be installed to provide automatic updates of definition files and scanning engines to ensure that the protection is up to date. In addition, this software can be installed on every desktop to carry out automatic checks.
Care should be taken to protect against the introduction of malicious code during maintenance and emergency procedures, since these may be missed by ordinary malicious code controls.

9.4.2. Controls against mobile code
Control
Where the use of mobile code is authorized, the configuration should ensure that the authorized mobile code operates according to a clearly defined security policy. Unauthorized mobile code should be prevented from executing.
Implementation guidance
The following actions should be considered to protect against mobile code performing unauthorized actions:
a) executing mobile code in a logically isolated environment;
b) restricting the use of mobile code;
c) restricting the receipt of mobile code;

d) activating technical measures available on a specific system to manage mobile code;
e) controlling the resources available for mobile code access;
f) cryptographic controls to authenticate mobile code.
Other information
Mobile code is software code which transfers from one computer to another and then executes automatically to perform a specific function with little or no user interaction. Mobile code is associated with a number of middleware services.
In addition to ensuring that mobile code does not contain malicious code, control of mobile code is essential to avoid unauthorized use or disruption of system, network or application resources, and other breaches of information security.

12.3 Backup
Objective: To protect against loss of data.

12.3.1 Information backup
Control
Backup copies of information, software and system images should be taken and tested regularly in accordance with an agreed backup policy.
Implementation guidance
A backup policy should be established to define the organization's requirements for backup of information, software and systems.
The backup policy should define the retention and protection requirements.
Adequate backup facilities should be provided to ensure that all essential information and software can be recovered following a disaster or media failure.
When designing a backup plan, the following items should be taken into consideration:
a) accurate and complete records of the backup copies and documented restoration procedures should be produced;
b) the extent (e.g. full or differential backup) and frequency of backups should reflect the business requirements of the organization, the security requirements of the information involved and the criticality of the information to the continued operation of the organization;
c) the backups should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site;
d) backup information should be given an appropriate level of physical and environmental protection (see Clause 11) consistent with the standards applied at the main site;
e) backup media should be regularly tested to ensure that they can be relied upon for emergency use when necessary; this should be combined with a test of the restoration procedures and checked against the restoration time required. Testing the ability to restore backed-up data should be performed onto dedicated test media, not by overwriting the original media in case the backup or restoration process fails and causes irreparable data damage or loss;
f) in situations where confidentiality is of importance, backups should be protected by means of encryption.
Operational procedures should monitor the execution of backups and address failures of scheduled backups to ensure completeness of backups according to the backup policy.
Backup arrangements for individual systems and services should be regularly tested to ensure that they meet the requirements of business continuity plans. In the case of critical systems and services, backup arrangements should cover all systems information, applications and data necessary to recover the complete system in the event of a disaster.
The retention period for essential business information should be determined, taking into account any requirement for archive copies to be permanently retained.
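The backup record of item a) and the restore test of item e), as an added example that is not part of the standard's text: a full backup is recorded with per-file SHA-256 digests, then restored onto dedicated scratch media and verified against the record and a required restoration time, so the originals are never overwritten. The tar.gz format, the record layout, the RTO value and the sample files are assumptions of this example.

```python
"""Backup record and restore test on dedicated test media (ISO 27002 12.3.1 a, b, e).
Added example, not from the standard: archive layout, record format, RTO and
sample files are assumptions made here.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(source: Path, archive: Path) -> dict:
    """Write a full backup of `source` plus the record describing it (item a).

    The record lists every file with its SHA-256 and the digest of the archive
    itself, so a later restore can be verified file by file.
    """
    files = sorted(p for p in source.rglob("*") if p.is_file())
    with tarfile.open(archive, "w:gz") as tar:
        for p in files:
            tar.add(p, arcname=p.relative_to(source).as_posix())
    record = {
        "taken_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "extent": "full",
        "archive": archive.name,
        "archive_sha256": sha256_file(archive),
        "files": {p.relative_to(source).as_posix(): sha256_file(p) for p in files},
    }
    archive.with_name(archive.name + ".json").write_text(json.dumps(record, indent=2))
    return record


def restore_test(archive: Path, record: dict, rto_seconds: float) -> dict:
    """Restore onto dedicated scratch media and verify against the record (item e).

    The originals are never written to. The result says whether the medium was
    readable, whether every recorded file came back intact, and whether the
    restore finished within the required restoration time.
    """
    result = {"archive_ok": False, "files_ok": False, "missing": [],
              "mismatched": [], "elapsed": 0.0, "within_rto": False}
    result["archive_ok"] = sha256_file(archive) == record["archive_sha256"]
    if not result["archive_ok"]:
        return result  # damaged medium: stop before extracting anything
    start = time.monotonic()
    with tempfile.TemporaryDirectory(prefix="restore-test-") as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            for m in tar.getmembers():  # refuse entries that could escape `dest`
                if m.name.startswith("/") or ".." in m.name.split("/") or not m.isfile():
                    raise ValueError(f"unsafe archive entry: {m.name}")
            try:
                tar.extractall(dest, filter="data")
            except TypeError:  # Python versions without the filter argument
                tar.extractall(dest)
        for rel, digest in record["files"].items():
            p = dest / rel
            if not p.is_file():
                result["missing"].append(rel)
            elif sha256_file(p) != digest:
                result["mismatched"].append(rel)
    result["elapsed"] = time.monotonic() - start
    result["files_ok"] = not result["missing"] and not result["mismatched"]
    result["within_rto"] = result["elapsed"] <= rto_seconds
    return result


def demo(rto_seconds: float = 30.0) -> dict:
    """One backup/restore-test cycle on a constructed sample tree (not real data)."""
    with tempfile.TemporaryDirectory(prefix="backup-demo-") as tmp:
        base = Path(tmp)
        source = base / "live"
        (source / "db").mkdir(parents=True)
        (source / "db" / "ledger.csv").write_text("id,amount\n1,10\n2,25\n")
        (source / "config.ini").write_text("[app]\nmode=prod\n")
        archive = base / "media" / "full-backup.tar.gz"
        archive.parent.mkdir()
        record = take_backup(source, archive)
        good = restore_test(archive, record, rto_seconds)
        # Simulate a failed medium: a copy of the archive with its tail zeroed.
        damaged = archive.with_name("damaged.tar.gz")
        data = bytearray(archive.read_bytes())
        data[-16:] = b"\x00" * 16
        damaged.write_bytes(bytes(data))
        bad = restore_test(damaged, record, rto_seconds)
        live_intact = (source / "db" / "ledger.csv").read_text() == "id,amount\n1,10\n2,25\n"
    return {"record": record, "good": good, "bad": bad, "live_intact": live_intact}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```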

9.5. Backup
Objective: To maintain the integrity and availability of information and information processing facilities.
Routine procedures should be established to implement the agreed backup policy and strategy (see 13.1) for taking backup copies of data and restoring them in a timely manner.

9.5.1. Information backup
Control
Backup copies of information and software should be taken and tested regularly in accordance with the agreed backup policy.
Implementation guidance
Adequate backup facilities should be provided to ensure that all essential information and software can be recovered following a disaster or media failure.
The following items for information backup should be considered:
a) the necessary level of backup information should be defined;
b) accurate and complete records of the backup copies and documented restoration procedures should be produced;
c) the extent (e.g. full or differential backup) and frequency of backups should reflect the business requirements of the organization, the security requirements of the information involved, and the criticality of the information to the business continuity of the organization;
d) the backups should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site;

e) backup information should be given an appropriate level of physical and environmental protection (see Clause 8) consistent with the standards applied at the main site; the controls applied to media at the main site should also be applied at the backup site;
f) backup media should be regularly tested to ensure that they can be relied upon for emergency use;
g) restoration procedures should be regularly reviewed and tested to ensure that they are effective and that they can be completed within the time allotted in the operational and recovery procedures;
h) in situations where confidentiality is of importance, backups should be protected by means of encryption.
Backup procedures for individual systems should be regularly tested to ensure that they meet the requirements of the business continuity plans (see Clause 13). For critical systems, all system information, applications and data necessary to recover the complete system in the event of a disaster should be backed up.
The retention period for essential business information, and any requirement for archive copies to be retained long-term, should also be determined (see 14.1.3).
Other information
Backups can be automated to ease the backup and restore process. Such automated solutions should be sufficiently tested prior to implementation and at regular intervals.

12.4 Logging and monitoring


Objective: To record events and generate evidence.

12.4.1 Event logging


Control
Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed.
Implementation guidance
Event logs should include, when relevant:
a) user IDs;
b) system activities;
c) dates, times and details of key events, e.g. log-on and log-off;
d) device identity or location if possible and system identifier;
e) records of successful and rejected system access attempts;
f) records of successful and rejected data and other resource access attempts;
g) changes to system configuration;
h) use of privileges;
i) use of system utilities and applications;
j) files accessed and the kind of access;
k) network addresses and protocols;
l) alarms raised by the access control system;
m) activation and de-activation of protection systems, such as anti-virus systems
and intrusion
detection systems;
n) records of transactions executed by users in applications.

Event logging sets the foundation for automated monitoring systems which are capable of generating consolidated reports and alerts on system security.
Other information
Event logs can contain sensitive data and personally identifiable information. Appropriate privacy protection measures should be taken (see 18.1.4).
Where possible, system administrators should not have permission to erase or deactivate logs of their own activities (see 12.4.3).
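Event logs are only useful if someone, or something, reviews them. The following is an added example, not text or code from the standard, of the kind of automated review the paragraphs above anticipate: it parses a handful of constructed log lines carrying the fields listed in a) to n) (user ID, timestamp, device, source address, outcome, event type; the key=value layout and the event names are assumptions for this example) and flags bursts of rejected logons from one source, a successful logon that follows such a burst, use of privileges and configuration changes, and de-activation of a protection system.

```python
"""Added example (not from ISO/IEC 27002): a small review pass over event logs
of the kind 12.4.1 describes. The log lines and their layout are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the key=value field layout is an assumption.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z host=app01 user=alice src=10.0.0.5 event=logon outcome=success
2024-03-01T08:00:05Z host=app01 user=bob src=198.51.100.7 event=logon outcome=rejected
2024-03-01T08:00:06Z host=app01 user=bob src=198.51.100.7 event=logon outcome=rejected
2024-03-01T08:00:07Z host=app01 user=root src=198.51.100.7 event=logon outcome=rejected
2024-03-01T08:00:08Z host=app01 user=admin src=198.51.100.7 event=logon outcome=rejected
2024-03-01T08:00:09Z host=app01 user=bob src=198.51.100.7 event=logon outcome=rejected
2024-03-01T08:00:10Z host=app01 user=bob src=198.51.100.7 event=logon outcome=success
2024-03-01T08:15:00Z host=app01 user=carol src=10.0.0.9 event=priv_use cmd=sudo outcome=success
2024-03-01T08:20:00Z host=app01 user=carol src=10.0.0.9 event=config_change outcome=success
2024-03-01T09:00:00Z host=app01 user=dave src=10.0.0.11 event=av_disabled outcome=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    rec = {"ts": ts}
    rec.update(re.findall(r"(\w+)=(\S+)", m.group("kv")))
    return rec


def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def review(records, threshold=5, window=timedelta(seconds=60)):
    """Return a list of findings for a reviewer, in log order."""
    findings = []
    rejects = defaultdict(list)   # src -> recent (ts, user) rejected logons
    burst_sources = set()
    for r in records:
        ev, out, src = r.get("event"), r.get("outcome"), r.get("src", "?")
        if ev == "logon" and out == "rejected":
            recent = [(t, u) for t, u in rejects[src] if r["ts"] - t <= window]
            recent.append((r["ts"], r.get("user", "?")))
            rejects[src] = recent
            if len(recent) >= threshold and src not in burst_sources:
                burst_sources.add(src)       # report each burst once
                findings.append({"rule": "rejected-logon-burst", "src": src,
                                 "count": len(recent),
                                 "users": sorted({u for _, u in recent})})
        elif ev == "logon" and out == "success" and src in burst_sources:
            # item e): a success right after many rejections deserves a look
            findings.append({"rule": "success-after-burst", "src": src, "user": r.get("user")})
        elif ev in ("av_disabled", "ids_disabled"):
            # item m): protection system de-activated
            findings.append({"rule": "protection-deactivated", "user": r.get("user"), "event": ev})
        elif ev in ("priv_use", "config_change"):
            # items g) and h): privileged activity and configuration changes
            findings.append({"rule": "privileged-activity", "user": r.get("user"), "event": ev})
    return findings


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG)):
        print(f)
```

The window and threshold are deliberately parameters: the right values depend on the system, and a reviewer tuning them is part of the "regularly reviewed" in the control.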

9.10. Monitoring
Objective: To detect unauthorized information processing activities.
Systems should be monitored and information security events should be recorded. Operator logs and fault logging should be used to ensure that information system problems are identified.
An organization should comply with all relevant legal requirements applicable to its monitoring and logging activities.
System monitoring should also be used to check the effectiveness of the controls adopted and to verify conformity to an access policy model.

9.10.1. Audit logging

Control
Audit logs recording user activities, exceptions and information security events should be produced and kept for an agreed period to assist in future investigations and access control monitoring.
Implementation guidance
Audit logs should include:
a) user IDs;
b) dates, times and details of key events, e.g. log-on and log-off;
c) terminal identity or location if possible;
d) records of successful and rejected system access attempts;
e) records of successful and rejected data and other resource access attempts;
f) changes to system configuration;
g) use of privileges;
h) use of system utilities and applications;
i) files accessed and the kind of access;
j) network addresses and protocols;
k) alarms raised by the access control system;
l) activation and de-activation of protection systems, such as anti-virus systems and intrusion detection systems.
Other information
Audit logs may contain confidential personal data. Appropriate privacy protection measures should be taken (see 14.1.4). Where possible, system administrators should not have permission to erase or de-activate logs of their own activities (see 9.1.3).

12.4.2 Protection of log information


Control
Logging facilities and log information should be protected against tampering and unauthorized access.
Implementation guidance
Controls should aim to protect against unauthorized changes to log information and operational problems with the logging facility including:
a) alterations to the message types that are recorded;
b) log files being edited or deleted;
c) storage capacity of the log file media being exceeded, resulting in either the failure to record events or over-writing of past recorded events.
Some audit logs may be required to be archived as part of the record retention policy or because of requirements to collect and retain evidence (see 16.1.7).
Other information
System logs often contain a large volume of information, much of which is extraneous to information security monitoring. To help identify significant events for information security monitoring purposes, the copying of appropriate message types automatically to a second log, or the use of suitable system utilities or audit tools to perform file interrogation and rationalization should be considered.
System logs need to be protected, because if the data can be modified or data in them deleted, their existence may create a false sense of security. Real-time copying of logs to a system outside the control of a system administrator or operator can be used to safeguard logs.
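One way to make the real-time copy mentioned above tamper-evident, as an added example that is not part of the standard: each entry carries an HMAC over the previous entry's tag, its sequence number and its message, keyed with a secret that lives on the collector rather than on the logging host (the key, the sample messages and the 32-byte initial tag are assumptions for the example). The collector also keeps the tag of the last entry it received, which is what lets it detect entries removed from the tail, something a bare hash chain cannot do.

```python
"""Added example (not from ISO/IEC 27002): an HMAC-chained, append-only log whose
verification detects edited, deleted, reordered and truncated entries.
Key and messages are constructed for the example."""
import hmac
import hashlib

INITIAL_TAG = b"\x00" * 32   # assumed starting tag for an empty chain


def _tag(key, prev_tag, seq, message):
    """HMAC-SHA256 over previous tag || sequence number || message."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(prev_tag)
    mac.update(seq.to_bytes(8, "big"))
    mac.update(message.encode("utf-8"))
    return mac.digest()


class ChainedLog:
    """Append-only log; each entry's tag commits to everything before it."""

    def __init__(self, key):
        self.key = key
        self.entries = []            # dicts: seq, message, tag (hex)
        self.last_tag = INITIAL_TAG  # the collector records this after each receipt

    def append(self, message):
        seq = len(self.entries)
        tag = _tag(self.key, self.last_tag, seq, message)
        self.entries.append({"seq": seq, "message": message, "tag": tag.hex()})
        self.last_tag = tag
        return tag.hex()


def verify(key, entries, expected_last_tag_hex):
    """Return (ok, reason). Run by the collector, which holds the key and the
    last tag it accepted, so a host administrator cannot re-sign a rewritten log."""
    prev = INITIAL_TAG
    for i, e in enumerate(entries):
        if e["seq"] != i:
            return False, f"sequence gap at index {i} (entry seq {e['seq']})"
        tag = _tag(key, prev, e["seq"], e["message"])
        if not hmac.compare_digest(tag.hex(), e["tag"]):
            return False, f"chain broken at seq {i}"
        prev = tag
    if not hmac.compare_digest(prev.hex(), expected_last_tag_hex):
        return False, "tail mismatch: entries missing after last verified entry"
    return True, "ok"


if __name__ == "__main__":
    key = b"collector-secret-key"   # assumed; held by the collector, not the logged host
    log = ChainedLog(key)
    for msg in ("logon alice", "sudo carol", "config change", "logoff alice"):
        log.append(msg)
    tampered = [dict(e) for e in log.entries]
    tampered[1]["message"] = "nothing happened"
    print(verify(key, log.entries, log.last_tag.hex()))   # (True, 'ok')
    print(verify(key, tampered, log.last_tag.hex()))      # chain broken at seq 1
```

The chain protects integrity, not availability: item c) above (media capacity exceeded) still needs monitoring of free space on the collector, and the key must not be readable by the administrators whose actions the log records.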

9.10.3. Protection of log information

Control
Logging facilities and log information should be protected against tampering and unauthorized access.
Implementation guidance
Controls should aim to protect against unauthorized changes and operational problems with the logging facility, including:
a) alterations to the message types that are recorded;
b) log files being edited or deleted;
c) storage capacity of the log file media being exceeded, resulting in either the failure to record events or over-writing of past recorded events.
Some audit logs may be required to be archived as part of the record retention policy or because of requirements to collect and retain evidence (see 12.2.3).
Other information
System logs often contain a large volume of information, much of which is extraneous to security monitoring. To help identify significant events for security monitoring purposes, the copying of appropriate message types automatically to a second log, and/or the use of suitable system utilities or audit tools to perform file interrogation and rationalization should be considered.
System logs need to be protected, because if the data can be modified or data in them deleted, their existence may create a false sense of security.

12.4.3 Administrator and operator logs


Control
System administrator and system operator activities should be logged and the logs protected and regularly reviewed.
Implementation guidance
Privileged user account holders may be able to manipulate the logs on information processing facilities under their direct control, therefore it is necessary to protect and review the logs to maintain accountability for the privileged users.
Other information
An intrusion detection system managed outside of the control of system and network administrators can be used to monitor system and network administration activities for compliance.

9.10.4. Administrator and operator logs

Control
System administrator and system operator activities should be logged.
Implementation guidance
Logs should include:
a) the time at which an event (success or failure) occurred;
b) information about the event (e.g. files handled) or failure (e.g. the error that occurred and the corrective action taken);
c) which account and which administrator or operator was involved;
d) which processes were involved.
System administrator and operator logs should be reviewed on a regular basis.
Other information
An intrusion detection system managed outside of the control of system and network administrators can be used, in addition to the supervision of administrators and operators, to monitor system and network administration activities for compliance.

12.4.4 Clock synchronisation


Control
The clocks of all relevant information processing systems within an organization or security domain should be synchronised to a single reference time source.
Implementation guidance
External and internal requirements for time representation, synchronisation and accuracy should be documented. Such requirements can be legal, regulatory, contractual requirements, standards compliance or requirements for internal monitoring. A standard reference time for use within the organization should be defined.
The organization's approach to obtaining a reference time from external source(s) and how to synchronise internal clocks reliably should be documented and implemented.
Other information
The correct setting of computer clocks is important to ensure the accuracy of audit logs, which may be required for investigations or as evidence in legal or disciplinary cases. Inaccurate audit logs may hinder such investigations and damage the credibility of such evidence. A clock linked to a radio time broadcast from a national atomic clock can be used as the master clock for logging systems. A network time protocol can be used to keep all of the servers in synchronisation with the master clock.
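As an added example (not from the standard) of the network time protocol exchange the paragraph refers to: the four timestamps of one NTP request/response, as defined in RFC 5905, give the client's offset from the server and the round-trip delay, and a simple procedure can then decide which hosts have drifted beyond the agreed tolerance and which samples are too noisy to trust. The host names, timestamps, tolerance and delay limit below are constructed for the example; web01 is set up to run 0.5 s behind the reference over a 20 ms round trip.

```python
"""Added example (not from ISO/IEC 27002): NTP offset and delay from one
exchange (RFC 5905 formulas) and a drift check against an agreed tolerance.
All timestamps are constructed."""


def ntp_offset_and_delay(t1, t2, t3, t4):
    """t1: client transmit, t2: server receive, t3: server transmit,
    t4: client receive, all in seconds on the respective local clocks.
    Returns (offset, delay): offset > 0 means the client clock is behind."""
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


# Constructed samples: per host, a list of (t1, t2, t3, t4) exchanges.
# web01 is 0.500 s behind the reference; db01 is in step; app02 has one
# sample over a congested path plus a clean one; bastion only has a bad one.
SAMPLES = {
    "web01": [(1000.000, 1000.510, 1000.511, 1000.021)],
    "db01": [(2000.000, 2000.010, 2000.011, 2000.021)],
    "app02": [(3000.000, 3000.410, 3000.411, 3000.800),
              (3000.900, 3000.912, 3000.913, 3000.925)],
    "bastion": [(4000.000, 4000.410, 4000.411, 4000.800)],
}


def best_sample(exchanges):
    """RFC 5905's clock filter in miniature: keep the sample with the lowest delay,
    because its offset estimate has the smallest error bound."""
    return min((ntp_offset_and_delay(*e) for e in exchanges), key=lambda od: od[1])


def check_sync(samples, tolerance=0.1, max_delay=0.5):
    """Return {host: (offset, delay, status)} with status 'ok', 'drifted'
    (beyond the agreed tolerance) or 'unreliable' (no usable sample)."""
    report = {}
    for host, exchanges in samples.items():
        offset, delay = best_sample(exchanges)
        if delay > max_delay:
            status = "unreliable"
        elif abs(offset) > tolerance:
            status = "drifted"
        else:
            status = "ok"
        report[host] = (offset, delay, status)
    return report


def to_reference_time(local_ts, offset):
    """Normalize a local log timestamp to reference time so that events from
    hosts with different clock errors can be ordered correctly in an investigation."""
    return local_ts + offset


if __name__ == "__main__":
    for host, (offset, delay, status) in check_sync(SAMPLES).items():
        print(f"{host}: offset={offset:+.3f}s delay={delay:.3f}s {status}")
```

Two practical points follow from the code: a host whose only samples have high delay should be reported as unknown rather than silently accepted, and log timestamps from a drifted host can be corrected after the fact only if the offset at the time was recorded, which is one reason to log the drift checks themselves.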

9.10.6. Clock synchronization

Control
The clocks of all relevant information processing systems within an organization or security domain should be synchronized with an agreed accurate time source.
Implementation guidance
Where a computer or communications device has the capability to operate a real-time clock, this clock should be set to an agreed standard, e.g. Coordinated Universal Time (UTC) or local standard time. As some clocks are known to drift with time, there should be a procedure that checks for and corrects any significant variation.
The correct interpretation of the date/time format is important to ensure that the timestamp reflects the real date/time. Local specifics (e.g. daylight saving time) should be taken into account.
Other information
The correct setting of computer clocks is important to ensure the accuracy of audit logs, which may be required for investigations or as evidence in legal or disciplinary cases. Inaccurate audit logs may hinder such investigations and damage the credibility of such evidence. A clock linked to a radio time broadcast from a national atomic clock can be used as the master clock for logging systems. A network time protocol can be used to keep all of the servers in synchronization with the master clock.

12.5 Control of operational software


Objective: To ensure the integrity of operational systems.

12.5.1 Installation of software on operational systems


Control
Procedures should be implemented to control the installation of software on operational systems.
Implementation guidance
The following guidelines should be considered to control changes of software on operational systems:
a) the updating of the operational software, applications and program libraries should only be performed by trained administrators upon appropriate management authorization (see 9.4.5);
b) operational systems should only hold approved executable code and not development code or compilers;
c) applications and operating system software should only be implemented after extensive and successful testing; the tests should cover usability, security, effects on other systems and user-friendliness and should be carried out on separate systems (see 12.1.4); it should be ensured that all corresponding program source libraries have been updated;
d) a configuration control system should be used to keep control of all implemented software as well as the system documentation;
e) a rollback strategy should be in place before changes are implemented;
f) an audit log should be maintained of all updates to operational program libraries;
g) previous versions of application software should be retained as a contingency measure;
h) old versions of software should be archived, together with all required information and parameters, procedures, configuration details and supporting software for as long as the data are retained in archive.
Vendor supplied software used in operational systems should be maintained at a level supported by the supplier. Over time, software vendors will cease to support older versions of software. The organization should consider the risks of relying on unsupported software.
Any decision to upgrade to a new release should take into account the business requirements for the change and the security of the release, e.g. the introduction of new information security functionality or the number and severity of information security problems affecting this version. Software patches should be applied when they can help to remove or reduce information security weaknesses (see 12.6).
Physical or logical access should only be given to suppliers for support purposes when necessary and with management approval. The supplier's activities should be monitored (see 15.2.1).
Computer software may rely on externally supplied software and modules, which should be monitored and controlled to avoid unauthorized changes, which could introduce security weaknesses.

11.4.1. Control of operational software

Control
There should be procedures in place to control the installation of software on operational systems.
Implementation guidance
To minimize the risk of corruption to operational systems, the following guidelines should be considered to control changes:
a) the updating of the operational software, applications and program libraries should only be performed by trained administrators upon appropriate management authorization (see 11.4.3);
b) operational systems should only hold approved executable code, and not development code or compilers;
c) applications and operating system software should only be implemented after extensive and successful testing; the tests should include tests on usability, security, effects on other systems and user-friendliness, and should be carried out on separate systems (see 9.1.4); it should be ensured that all corresponding program source libraries have been updated;
d) a configuration control system should be used to keep control of all implemented software as well as the system documentation;
e) a rollback strategy should be in place before changes are implemented;
f) an audit log should be maintained of all updates to operational program libraries;
g) previous versions of application software should be retained as a contingency measure;
h) old versions of software should be archived, together with all required information and parameters, procedures, configuration details and supporting software, for as long as the data are retained in archive.
Vendor supplied software used in operational systems should be maintained at a level supported by the supplier. Over time, software vendors will cease to support older versions of software. The organization should consider the risks of relying on unsupported software.
Any decision to upgrade to a new release should take into account the business requirements for the change and the security of the release, i.e. the introduction of new security functionality or the number and severity of security problems affecting this version. Software patches should be applied when they can help to remove or reduce security weaknesses (see 11.6.1).
Physical or logical access should only be given to suppliers for support purposes when necessary, and with management approval. The supplier's activities should be monitored.
Computer software may rely on externally supplied software and modules, which should be monitored and controlled to avoid unauthorized changes, which could introduce security weaknesses.
Other information
Operating systems should only be upgraded when there is a requirement to do so, for example if the current version of the operating system no longer supports the business requirements. Upgrades should not take place just because a new version of the operating system is available. New versions of operating systems may be less secure, less stable and less well understood than the current systems.

12.6 Technical vulnerability management


Objective: To prevent exploitation of technical vulnerabilities.

12.6.1 Management of technical vulnerabilities


Control
Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.
Implementation guidance
A current and complete inventory of assets (see Clause 8) is a prerequisite for effective technical vulnerability management. Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems) and the person(s) within the organization responsible for the software.
Appropriate and timely action should be taken in response to the identification of potential technical vulnerabilities. The following guidance should be followed to establish an effective management process for technical vulnerabilities:
a) the organization should define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking and any coordination responsibilities required;
b) information resources that will be used to identify relevant technical vulnerabilities and to maintain awareness about them should be identified for software and other technology (based on the asset inventory list, see 8.1.1); these information resources should be updated based on changes in the inventory or when other new or useful resources are found;
c) a timeline should be defined to react to notifications of potentially relevant technical vulnerabilities;
d) once a potential technical vulnerability has been identified, the organization should identify the associated risks and the actions to be taken; such action could involve patching of vulnerable systems or applying other controls;
e) depending on how urgently a technical vulnerability needs to be addressed, the action taken should be carried out according to the controls related to change management (see 12.1.2) or by following information security incident response procedures (see 16.1.5);
f) if a patch is available from a legitimate source, the risks associated with installing the patch should be assessed (the risks posed by the vulnerability should be compared with the risk of installing the patch);
g) patches should be tested and evaluated before they are installed to ensure they are effective and do not result in side effects that cannot be tolerated; if no patch is available, other controls should be considered, such as:
1) turning off services or capabilities related to the vulnerability;
2) adapting or adding access controls, e.g. firewalls, at network borders (see 13.1);
3) increased monitoring to detect actual attacks;
4) raising awareness of the vulnerability;
h) an audit log should be kept for all procedures undertaken;
i) the technical vulnerability management process should be regularly monitored and evaluated in order to ensure its effectiveness and efficiency;
j) systems at high risk should be addressed first;
k) an effective technical vulnerability management process should be aligned with incident management activities, to communicate data on vulnerabilities to the incident response function and provide technical procedures to be carried out should an incident occur;
l) define a procedure to address the situation where a vulnerability has been identified but there is no suitable countermeasure. In this situation, the organization should evaluate risks relating to the known vulnerability and define appropriate detective and corrective actions.
Other information
Technical vulnerability management can be viewed as a sub-function of change management and as such can take advantage of the change management processes and procedures (see 12.1.2 and 14.2.2).
Vendors are often under significant pressure to release patches as soon as possible. Therefore, there is a possibility that a patch does not address the problem adequately and has negative side effects. Also, in some cases, uninstalling a patch cannot be easily achieved once the patch has been applied.
If adequate testing of the patches is not possible, e.g. because of costs or lack of resources, a delay in patching can be considered to evaluate the associated risks, based on the experience reported by other users. The use of ISO/IEC 27031[14] can be beneficial.
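The guidance above describes a process; the following added example (not from the standard) shows the core of that process as code: match a constructed asset inventory carrying the fields 12.6.1 asks for (vendor, version, deployment state, owner) against a constructed advisory feed, assess each hit, order high-risk systems first (item j), set a due date from a defined reaction timeline (item c), route patchable findings through change management (item e) and fall back to the compensating controls of item g when no patch exists. The advisory identifiers, the version-ordering rule, the severity scale and the reaction timelines are assumptions for this example, not values from the standard.

```python
"""Added example (not from ISO/IEC 27002): matching an asset inventory against
vulnerability advisories and planning the response. All data is constructed."""
from datetime import date, timedelta

# Constructed inventory with the fields 12.6.1 requires.
INVENTORY = [
    {"host": "web01", "software": "nginx", "vendor": "F5", "version": "1.24.0",
     "internet_facing": True, "owner": "web-team"},
    {"host": "app02", "software": "openjdk", "vendor": "Eclipse Adoptium", "version": "17.0.9",
     "internet_facing": False, "owner": "app-team"},
    {"host": "db01", "software": "postgresql", "vendor": "PostgreSQL Global Development Group",
     "version": "15.3", "internet_facing": False, "owner": "dba-team"},
    {"host": "web03", "software": "nginx", "vendor": "F5", "version": "1.25.3",
     "internet_facing": True, "owner": "web-team"},
]

# Constructed advisory feed; identifiers and fixed versions are hypothetical.
ADVISORIES = [
    {"id": "ADV-2024-001", "software": "nginx", "fixed_in": "1.25.1",
     "severity": "high", "patch_available": True},
    {"id": "ADV-2024-002", "software": "postgresql", "fixed_in": "15.5",
     "severity": "medium", "patch_available": True},
    {"id": "ADV-2024-003", "software": "openjdk", "fixed_in": None,
     "severity": "critical", "patch_available": False},   # no fix yet: item g) applies
]

# Assumed reaction timeline (item c): days allowed before the action is complete.
REACTION_DAYS = {"critical": 2, "high": 7, "medium": 30, "low": 90}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_version(v):
    """Dotted numeric versions compare as tuples of integers (an assumption;
    real vendors' schemes can be irregular and need a vendor-specific parser)."""
    return tuple(int(p) for p in v.split("."))


def is_affected(asset, adv):
    if asset["software"] != adv["software"]:
        return False
    if adv["fixed_in"] is None:          # nothing fixes it yet: every version is affected
        return True
    return parse_version(asset["version"]) < parse_version(adv["fixed_in"])


def risk_score(asset, adv):
    """Severity weighted, with internet exposure as a tie-breaker (item j)."""
    return SEVERITY_RANK[adv["severity"]] * 2 + (1 if asset["internet_facing"] else 0)


def plan_actions(inventory, advisories, today):
    """Return one action per (asset, advisory) hit, highest risk first."""
    actions = []
    for asset in inventory:
        for adv in advisories:
            if not is_affected(asset, adv):
                continue
            if adv["patch_available"]:
                action = (f"test and apply patch (upgrade to {adv['fixed_in']}) "
                          "through change management")
            else:
                action = ("no patch: restrict access at the network border, increase "
                          "monitoring, consider disabling the affected capability")
            actions.append({
                "host": asset["host"], "owner": asset["owner"], "advisory": adv["id"],
                "severity": adv["severity"], "score": risk_score(asset, adv),
                "due": today + timedelta(days=REACTION_DAYS[adv["severity"]]),
                "action": action,
            })
    actions.sort(key=lambda a: (-a["score"], a["due"]))
    return actions


def example_plan(today=date(2024, 3, 1)):
    return plan_actions(INVENTORY, ADVISORIES, today)


if __name__ == "__main__":
    for a in example_plan():
        print(a["due"], a["host"], a["advisory"], a["severity"], a["action"])
```

Everything the plan produces should itself be logged (item h): the audit trail of which advisory was matched to which asset, when, and what was decided is what lets the process be evaluated later (item i).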
11.6. Technical vulnerability management

Objective: To reduce risks resulting from exploitation of published technical vulnerabilities.
Technical vulnerability management should be implemented in an effective, systematic and repeatable way, with measurements taken to confirm its effectiveness. These considerations should include operating systems and any other applications in use.

11.6.1. Control of technical vulnerabilities

Control
Timely information about technical vulnerabilities of information systems being used should be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.
Implementation guidance
A current and complete inventory of assets (see 6.1) is a prerequisite for effective technical vulnerability management. Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems), and the person(s) within the organization responsible for the software.
Appropriate, timely action should be taken in response to the identification of potential technical vulnerabilities. The following guidance should be followed to establish an effective management process for technical vulnerabilities:
a) the organization should define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking and any coordination responsibilities required;
b) information resources that will be used to identify relevant technical vulnerabilities and to maintain awareness about them should be identified for software and other technology (based on the asset inventory list, see 6.1.1); these information resources should be updated based on changes in the inventory, or when other new or useful resources are found;
c) a timeline should be defined to react to notifications of potentially relevant technical vulnerabilities;
d) once a potential technical vulnerability has been identified, the organization should identify the associated risks and the actions to be taken; such action could involve patching of vulnerable systems and/or applying other controls;
e) depending on how urgently a technical vulnerability needs to be addressed, the action taken should be carried out according to the controls related to change management (see 11.5.1) or by following information security incident response procedures (see 12.2);
f) if a patch is available, the risks associated with installing the patch should be assessed (the risks posed by the vulnerability should be compared with the risk of installing the patch);
g) patches should be tested and evaluated before they are installed to ensure they are effective and do not result in side effects that cannot be tolerated; if no patch is available, other controls should be considered, such as:
1) turning off services or capabilities related to the vulnerability;
2) adapting or adding access controls, e.g. firewalls, at network borders (see 10.4.5);
3) increased monitoring to detect or prevent actual attacks;
4) raising awareness of the vulnerability;
h) an audit log should be kept for all procedures undertaken;
i) the technical vulnerability management process should be regularly monitored and evaluated in order to ensure its effectiveness and efficiency;
j) systems at high risk should be addressed first.

Other information
The correct functioning of an organization's technical vulnerability management process is critical to many organizations and should therefore be regularly monitored. An accurate asset inventory is essential to ensure that potentially relevant technical vulnerabilities are identified.
Technical vulnerability management can be viewed as a sub-function of change management and as such can take advantage of the change management processes and procedures (see 9.1.2 and 11.5.1).
Vendors are often under significant pressure to release patches as soon as possible. Therefore, there is a possibility that a patch does not address the problem adequately and has negative side effects. Also, in some cases, uninstalling a patch cannot be easily achieved once the patch has been applied.
If adequate testing of the patches is not possible, e.g. because of costs or lack of resources, a delay in patching can be considered to evaluate the associated risks, based on the experience reported by other users.

12.6.2 Restrictions on software installation


Control
Rules governing the installation of software by users should be established and implemented.
Implementation guidance
The organization should define and enforce strict policy on which types of software users may install.
The principle of least privilege should be applied. If granted certain privileges, users may have the ability to install software. The organization should identify what types of software installations are permitted (e.g. updates and security patches to existing software) and what types of installations are prohibited (e.g. software that is only for personal use and software whose pedigree with regard to being potentially malicious is unknown or suspect). These privileges should be granted having regard to the roles of the users concerned.
Other information
Uncontrolled installation of software on computing devices can lead to introducing vulnerabilities and then to information leakage, loss

12.7 Information systems audit considerations


Objective: To minimise the impact of audit activities on operational systems.

12.7.1 Information systems audit controls


Control
Audit requirements and activities involving verification of operational systems should be carefully planned and agreed to minimize disruptions to business processes.
Implementation guidance
The following guidelines should be observed:
a) audit requirements for access to systems and data should be agreed with appropriate management;
b) the scope of technical audit tests should be agreed and controlled;
c) audit tests should be limited to read-only access to software and data;
d) access other than read-only should only be allowed for isolated copies of system files, which should be erased when the audit is completed, or given appropriate protection if there is an obligation to keep such files under audit documentation requirements;
e) requirements for special or additional processing should be identified and agreed;
f) audit tests that could affect system availability should be run outside business hours;
g) all access should be monitored and logged to produce a reference trail.
14.3. Information systems audit considerations

Objective: To maximize the effectiveness of, and to minimize interference to and from, the information systems audit process.
There should be controls to safeguard operational systems and audit tools during information systems audits.
Protection is also required to safeguard the integrity and prevent misuse of audit tools.
14.3.1. Information systems audit controls
Control
Audit requirements and activities involving checks on operational systems should be carefully planned and agreed to minimize the risk of disruptions to business processes.

Implementation guidance
The following guidelines should be observed:
a) audit requirements should be agreed with appropriate management;
b) the scope of the checks should be agreed and controlled;
c) the checks should be limited to read-only access to software and data;
d) access other than read-only should only be allowed for isolated copies of system files, which should be erased when the audit is completed, or given appropriate protection if there is an obligation to keep such files under audit documentation requirements;
e) resources for performing the checks should be explicitly identified and made available;
f) requirements for special or additional processing should be identified and agreed;
g) all access should be monitored and logged to produce a reference trail; the use of timestamped reference trails should be considered for critical data or systems;
h) all procedures, requirements and responsibilities should be documented;
i) the person(s) carrying out the audit should be independent of the activities audited.
14.3.2. Protection of information systems audit tools
Control
Access to information systems audit tools should be protected to prevent any possible misuse or compromise.
Implementation guidance
Information systems audit tools, e.g. software or data files, should be separated from development and operational systems and not held in tape libraries or user areas, unless given an appropriate level of additional protection.
Other information
If third parties are involved in an audit, there might be a risk of misuse of audit tools by these third parties, and of access to information by the third party organization. Controls such as 5.2.1 (to assess risks) and 8.1.2 (to restrict physical access) can be considered to address this risk, and any consequences, such as immediately changing passwords disclosed to the auditors.

13 Communications security
13.1 Network security management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.

13.1.1 Network controls


Control
Networks should be managed and controlled to protect information in systems and applications.
Implementation guidance
Controls should be implemented to ensure the security of information in networks and the protection of connected services from unauthorized access. In particular, the following items should be considered:
a) responsibilities and procedures for the management of networking equipment should be established;
b) operational responsibility for networks should be separated from computer operations where appropriate (see 6.1.2);
c) special controls should be established to safeguard the confidentiality and integrity of data passing over public networks or over wireless networks and to protect the connected systems and applications (see Clause 10 and 13.2); special controls may also be required to maintain the availability of the network services and computers connected;
d) appropriate logging and monitoring should be applied to enable recording and detection of actions that may affect, or are relevant to, information security;
e) management activities should be closely coordinated both to optimize the service to the organization and to ensure that controls are consistently applied across the information processing infrastructure;
f) systems on the network should be authenticated;
g) systems' connection to the network should be restricted.
Other information
Additional information on network security can be found in ISO/IEC 27033. [15][16][17][18][19]

13.1 Network security management

Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.
The secure management of networks, which may span organizational boundaries, requires careful consideration of data flow, legal implications, monitoring and protection.
Additional controls may also be required to protect sensitive information passing over public networks.
13.1.1 Network controls
Control
Networks should be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.
Implementation guidance
Network managers should implement controls to ensure the security of information in networks, and the protection of connected services from unauthorized access. In particular, the following items should be considered:
a) operational responsibility for networks should be separated from computer operations where appropriate (see 9.1.3);
b) responsibilities and procedures for the management of remote equipment, including equipment in user areas, should be established;
c) special controls should be established to safeguard the confidentiality and integrity of data passing over public networks or over wireless networks, and to protect the connected systems and applications (see 10.4 and 11.3); special controls may also be required to maintain the availability of the network services and computers connected;
d) appropriate logging and monitoring should be applied to enable recording of security relevant actions;
e) management activities should be closely coordinated both to optimize the service to the organization and to ensure that controls are consistently applied across the information processing infrastructure.
Other information
Additional information on network security can be found in ISO/IEC 18028, Information technology - Security techniques - IT network security.

13.1.2 Security of network services


Control
Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced.
Implementation guidance
The ability of the network service provider to manage agreed services in a secure way should be determined and regularly monitored, and the right to audit should be agreed.
The security arrangements necessary for particular services, such as security features, service levels and management requirements, should be identified. The organization should ensure that network service providers implement these measures.
Other information
Network services include the provision of connections, private network services and value-added networks and managed network security solutions such as firewalls and intrusion detection systems. These services can range from simple unmanaged bandwidth to complex value-added offerings.
Security features of network services could be:
a) technology applied for security of network services, such as authentication, encryption and network connection controls;
b) technical parameters required for secured connection with the network services in accordance with the security and network connection rules;
c) procedures for the network service usage to restrict access to network services or applications, where necessary.

13.1.2 Security of network services

Control
Security features, service levels and management requirements of all network services should be identified and included in any network services agreement, whether these services are provided in-house or outsourced.
Implementation guidance
The ability of the network service provider to manage agreed services in a secure way should be determined and regularly monitored, and the right to audit should be agreed.
The security arrangements necessary for particular services, such as security features, service levels and management requirements, should be identified. The organization should ensure that network service providers implement these measures.
Other information
Network services include the provision of connections, private network services, and value-added networks and managed network security solutions such as firewalls and intrusion detection systems. These services can range from simple unmanaged bandwidth to complex value-added offerings.
Security features of network services could be:
a) technology applied for security of network services, such as authentication, encryption and network connection controls;
b) technical parameters required for secured connection with the network services in accordance with the security and network connection rules;
c) procedures for the network service usage to restrict access to network services or applications, where necessary.

--------------------------------- own translation
Control
Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced.
Implementation guidance
The ability of the network service providers to manage the agreed services in a secure way should be determined and regularly monitored, and the right to audit should be agreed.
The security measures necessary for particular services, such as security features, service levels and management requirements, should be identified. Organizations should ensure that network service providers implement these measures.
Other information
Network services include the provision of connections, private network services and value added networks and managed network security solutions such as firewalls and intrusion detection systems.
These services can range from simple unmanaged bandwidth to complex value added services.
Security features of network services could be:
a) technology applied for the security of network services, such as authentication, encryption and network connection controls;
b) technical parameters required for secure connection with the network services in accordance with the security and network connection rules;
c) procedures for the use of network services to restrict access to network services or applications, where necessary.

13.1.3 Segregation in networks

Control
Groups of information services, users and information systems should be segregated on networks.
Implementation guidance
One method of managing the security of large networks is to divide them into separate network domains. The domains can be chosen based on trust levels (e.g. public access domain, desktop domain, server domain), along organizational units (e.g. human resources, finance, marketing) or some combination (e.g. server domain connecting to multiple organizational units). The segregation can be done using either physically different networks or by using different logical networks (e.g. virtual private networking).
The perimeter of each domain should be well defined. Access between network domains is allowed, but should be controlled at the perimeter using a gateway (e.g. firewall, filtering router). The criteria for segregation of networks into domains, and the access allowed through the gateways, should be based on an assessment of the security requirements of each domain. The assessment should be in accordance with the access control policy (see 9.1.1), access requirements, value and classification of information processed and also take account of the relative cost and performance impact of incorporating suitable gateway technology.
Wireless networks require special treatment due to the poorly defined network perimeter. For sensitive environments, consideration should be made to treat all wireless access as external connections and to segregate this access from internal networks until the access has passed through a gateway in accordance with network controls policy (see 13.1.1) before granting access to internal systems.
The authentication, encryption and user level network access control technologies of modern, standards based wireless networks may be sufficient for direct connection to the organization's internal network when properly implemented.
Other information
Networks often extend beyond organizational boundaries, as business partnerships are formed that require the interconnection or sharing of information processing and networking facilities. Such extensions can increase the risk of unauthorized access to the organization's information systems that use the network, some of which require protection from other network users because of their sensitivity or criticality.
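To make the gateway policy described above concrete, the following added example (not part of the standard) audits a constructed flow log against domains chosen by trust level, treats wireless addresses as external until they reach the gateway, and checks that the domain perimeters do not overlap; all domain names, addresses, ports and flow records are constructed.

```python
"""Audit network flows against a segregation policy (added example for 13.1.3;
domain names, address ranges, ports and sample flow records are constructed)."""
import ipaddress

# Network domains chosen by trust level, each with a well-defined perimeter.
DOMAINS = {
    "public":   ipaddress.ip_network("203.0.113.0/24"),  # public access (DMZ)
    "desktop":  ipaddress.ip_network("10.10.0.0/16"),
    "server":   ipaddress.ip_network("10.20.0.0/16"),
    "wireless": ipaddress.ip_network("10.30.0.0/16"),    # treated as external
}

# Wireless access is external: clients may reach only the VPN gateway and get
# to internal systems after passing through it (constructed address/port).
WIRELESS_GATEWAY = (ipaddress.ip_address("10.20.0.1"), 443)

# Gateway policy: destination ports allowed from one domain to another.
# None means any port; a pair that is absent is denied at the perimeter.
ALLOWED = {
    ("desktop", "desktop"): None,
    ("server", "server"): None,
    ("desktop", "server"): {443, 445, 3389},
    ("public", "server"): {443},
}

def domain_of(ip):
    """Map an address to its domain, or 'unknown' if outside every perimeter."""
    for name, net in DOMAINS.items():
        if ip in net:
            return name
    return "unknown"

def overlapping_domains():
    """Perimeters must be well defined: report any two domains that overlap."""
    names = list(DOMAINS)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if DOMAINS[a].overlaps(DOMAINS[b])]

def is_allowed(src, dst, port):
    """Decide whether a src -> dst:port flow is permitted by the policy."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_dom, dst_dom = domain_of(src_ip), domain_of(dst_ip)
    if src_dom == "wireless":
        return (dst_ip, port) == WIRELESS_GATEWAY  # nothing else is reachable
    if (src_dom, dst_dom) not in ALLOWED:
        return False
    ports = ALLOWED[(src_dom, dst_dom)]
    return ports is None or port in ports

def audit(flow_log):
    """Return 'src(domain) -> dst(domain):port' for each flow that violates
    segregation; each input line is a constructed 'src dst dport' record."""
    violations = []
    for line in flow_log.strip().splitlines():
        src, dst, port = line.split()
        if not is_allowed(src, dst, int(port)):
            src_dom = domain_of(ipaddress.ip_address(src))
            dst_dom = domain_of(ipaddress.ip_address(dst))
            violations.append(f"{src}({src_dom}) -> {dst}({dst_dom}):{port}")
    return violations

# Constructed sample flows: an allowed and a blocked desktop->server port, a
# wireless client reaching the gateway and one bypassing it, public->desktop.
SAMPLE_FLOWS = """
10.10.5.7 10.20.1.10 443
10.10.5.7 10.20.1.10 22
10.30.4.4 10.20.0.1 443
10.30.4.4 10.20.1.10 443
203.0.113.9 10.10.5.7 445
10.20.1.10 10.20.1.11 5432
"""
```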

10.4.5. Segregation in networks

Control
Groups of users, information services and information systems should be segregated on networks.
Implementation guidance
One method of controlling the security of large networks is to divide them into separate logical network domains, e.g. an organization's internal network domains and external network domains, each protected by a defined security perimeter. A graduated set of controls can be applied in different logical network domains to further segregate the network security environments, e.g. publicly accessible systems, internal networks and critical assets. The domains should be defined based on a risk assessment and the different security requirements within each of the domains.
Such a network perimeter can be implemented by installing a secure gateway between the two interconnected networks to control access and information flow between the two domains; this gateway should be configured to filter traffic between these domains (see 10.4.6 and 10.4.7) and to block unauthorized access in accordance with the organization's access control policy (see 10.1). A firewall is an example of a secure gateway. Another method of segregating logical domains is to restrict network access by using virtual private networks for user groups within the organization.
Networks can also be segregated using the functionality of network devices, e.g. IP switching. Separate domains can then be implemented by controlling the network data flows using routing/switching capabilities, such as access control lists.
Criteria for segregation of networks should be based on the access control policy and access requirements (see 9.1), and should also take account of the relative cost and performance impact of incorporating suitable network routing or gateway technology (see 10.4.6 and 10.4.7).
In addition, segregation of networks should be based on the value and classification of information stored or processed in the network, levels of trust, or lines of business, in order to reduce the overall impact of segregating services.

Consideration should be given to the segregation of wireless networks from internal and private networks. Where the network perimeters of a wireless network cannot be determined, a risk assessment should be carried out to identify controls (e.g. strong authentication, cryptographic methods and frequency selection) to maintain network segregation.
Other information
Networks are increasingly being extended beyond organizational boundaries, as business partnerships are formed that may require the interconnection or sharing of networking and information processing facilities. Such extensions can increase the risk of unauthorized access to the information systems that use the network, some of which may require protection from other network users because of their criticality or sensitivity.

13.2 Information transfer

Objective: To maintain the security of information transferred within an organization and with any external entity.

13.2.1 Information transfer policies and procedures

Control
Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities.
Implementation guidance
The procedures and controls to be followed when using communication facilities for information transfer should consider the following items:
a) procedures designed to protect transferred information from interception, copying, modification, mis-routing and destruction;
b) procedures for the detection of and protection against malware that may be transmitted through the use of electronic communications (see 12.2.1);
c) procedures for protecting communicated sensitive electronic information that is in the form of an attachment;
d) policy or guidelines outlining acceptable use of communication facilities (see 8.1.3);
e) personnel, external party and any other users' responsibilities not to compromise the organization, e.g. through defamation, harassment, impersonation, forwarding of chain letters, unauthorized purchasing, etc.;
f) use of cryptographic techniques e.g. to protect the confidentiality, integrity and authenticity of information (see Clause 10);
g) retention and disposal guidelines for all business correspondence, including messages, in accordance with relevant national and local legislation and regulations;
h) controls and restrictions associated with using communication facilities, e.g. automatic forwarding of electronic mail to external mail addresses;
i) advising personnel to take appropriate precautions not to reveal confidential information;
j) not leaving messages containing confidential information on answering machines since these may be replayed by unauthorized persons, stored on communal systems or stored incorrectly as a result of misdialling;
k) advising personnel about the problems of using facsimile machines or services, namely:
1) unauthorized access to built-in message stores to retrieve messages;
2) deliberate or accidental programming of machines to send messages to specific numbers;
3) sending documents and messages to the wrong number either by misdialling or using the wrong stored number.
In addition, personnel should be reminded that they should not have confidential conversations in public places or over insecure communication channels, open offices and meeting places.
Information transfer services should comply with any relevant legal requirements (see 18.1).
Other information
Information transfer may occur through the use of a number of different types of communication facilities, including electronic mail, voice, facsimile and video.
Software transfer may occur through a number of different mediums, including downloading from the Internet and acquisition from vendors selling off-the-shelf products.
The business, legal and security implications associated with electronic data interchange, electronic commerce and electronic communications and the requirements for controls should be considered.
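As an added example for item h) above (not from the standard), this script reviews a constructed export of mailbox rules and flags every rule that automatically forwards mail to an address outside the organization's own domains; the owned-domain list, the record format, the action names and the sample rules are all assumptions rather than any mail platform's real export.

```python
"""Flag mailbox rules that auto-forward mail outside the organization (added
example for item h) of 13.2.1; the owned-domain list, the rule record format
and the sample rules are constructed, not any mail platform's export)."""
import re

# Domains the organization owns (constructed); forwarding to these is internal.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}

# Rule actions that send a copy of the message elsewhere (constructed names).
FORWARDING_ACTIONS = {"forward", "forwardasattachment", "redirect"}

# Extracts the domain part of the first e-mail address in a string, so that
# display names such as 'Bob Lee <bob@corp.example.com>' are handled.
ADDRESS_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def is_internal(address):
    """True if the address is in an owned domain or a subdomain of one.

    A lookalike such as example.com.example.net ends with '.example.net',
    not '.example.com', so it is correctly treated as external.
    """
    match = ADDRESS_RE.search(address)
    if not match:
        return False
    domain = match.group(1).lower()
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def parse_rules(export):
    """Parse constructed 'mailbox | action | target, target' records."""
    rules = []
    for line in export.strip().splitlines():
        mailbox, action, targets = (f.strip() for f in line.split("|", 2))
        targets = [t.strip() for t in targets.split(",") if t.strip()]
        rules.append((mailbox, action.lower(), targets))
    return rules


def external_forwards(export):
    """Return (mailbox, target) pairs for every forwarding rule whose target
    lies outside the organization; other rule actions are ignored."""
    findings = []
    for mailbox, action, targets in parse_rules(export):
        if action not in FORWARDING_ACTIONS:
            continue
        findings.extend((mailbox, t) for t in targets if not is_internal(t))
    return findings


# Constructed sample export: an internal forward, a redirect to a personal
# address, a non-forwarding rule, a mixed target list and a lookalike domain.
SAMPLE_RULES = """
alice@example.com | forward | Bob Lee <bob@corp.example.com>
alice@example.com | redirect | alice.personal@example.net
carol@example.com | movetofolder | Archive
dave@example.com | ForwardAsAttachment | team@example.com, ext@example.org
erin@example.com | forward | alerts@example.com.example.net
"""
```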

9.8. Exchange of information

Objective: To maintain the security of information and software exchanged within an organization and with any external entity.
Exchanges of information and software between organizations should be based on a formal exchange policy, carried out in line with exchange agreements, and should comply with any relevant legislation.
Procedures and standards should be established to protect information and physical media containing information in transit.

9.8.1. Information exchange policies and procedures

Control
Formal policies, procedures and controls should be in place to protect the exchange of information through communication systems.
Implementation guidance
The procedures and controls to be followed when using electronic communication facilities for information exchange should consider the following items:

a) procedures designed to protect exchanged information from interception, copying, modification, mis-routing and destruction;
b) procedures for the detection of and protection against malicious code that may be spread through the use of electronic communications (see 9.4.1);
c) procedures for protecting exchanged sensitive electronic information that is in the form of an attachment;
d) policy or guidelines outlining the use of electronic communication facilities (see 6.1.3);
e) procedures for the use of wireless communications, taking into account the particular risks involved;
f) the responsibilities of employees, contractors and any other users not to compromise the organization, e.g. through defamation, harassment, impersonation, forwarding of chain letters, unauthorized purchasing, etc.;
g) cryptographic techniques may be used to protect the confidentiality, integrity and authenticity of information (see 11.3);
h) guidelines for the retention and disposal of business correspondence, including messages, in accordance with relevant internal and national regulations and rules;
i) not leaving sensitive or critical information on printing facilities, e.g. copiers, printers and scanners, as these may be accessed by unauthorized persons;
j) controls and restrictions associated with the forwarding of communication facilities, e.g. automatic forwarding of electronic mail to external mail addresses;
k) reminding personnel to take appropriate precautions, e.g. not to reveal sensitive information, so as to avoid being overheard or intercepted when making a phone call by:
1) people in their vicinity, particularly when using mobile phones;
2) wiretapping, and other forms of eavesdropping through physical access to the phone handset or the phone line, or using scanning receivers;
3) people at the recipient's end;
l) not leaving messages containing sensitive information on answering machines since these may be replayed by unauthorized persons, stored on communal systems or stored incorrectly as a result of misdialling;
m) reminding personnel about the problems of using facsimile machines, namely:
1) unauthorized access to built-in message stores to retrieve messages;
2) deliberate or accidental programming of machines to send messages to specific numbers;
3) sending documents and messages to the wrong number either by misdialling or using the wrong stored number;
n) reminding personnel not to register personal data, such as the e-mail address or other personal information, in any software, to avoid collection for unauthorized use;
o) reminding personnel that modern facsimile machines and photocopiers have internal memory and may store the contents of pages in case of a transmission or paper fault; these pages will be printed again once the fault is cleared.

In addition, personnel should be reminded that they should not have confidential conversations in public places or in open offices and meeting places without sound-proof walls.
Information exchange facilities should comply with any relevant legal requirements (see Clause 14).
Other information
Information exchange may occur through the use of a number of different types of communication facilities, including electronic mail, voice, facsimile and video.
Software exchange may occur through a number of different mediums, including downloading from the Internet and downloads provided by vendors of off-the-shelf products on request.
The security, legal and business implications associated with electronic data interchange, electronic commerce and electronic communications, and the requirements for controls, should be considered.
Information could be compromised due to lack of awareness, policy or procedures on the use of information exchange facilities, e.g. being overheard on a mobile phone in a public place, misdirection of an electronic mail message, answering machines being overheard, unauthorized access to dial-in voice-mail systems or accidentally sending facsimiles to the wrong facsimile equipment.
Business operations could be disrupted and information could be compromised if communication facilities fail, are overloaded or interrupted (see 9.3 and Clause 13). Information could be compromised if accessed by unauthorized users (see Clause 10).

13.2.2 Agreements on information transfer

Control
Agreements should address the secure transfer of business information between the organization and external parties.
Implementation guidance
Information transfer agreements should incorporate the following:
a) management responsibilities for controlling and notifying transmission, dispatch and receipt;
b) procedures to ensure traceability and non-repudiation;
c) minimum technical standards for packaging and transmission;
d) escrow agreements;
e) courier identification standards;
f) responsibilities and liabilities in the event of information security incidents, such as loss of data;
g) use of an agreed labelling system for sensitive or critical information, ensuring that the meaning of the labels is immediately understood and that the information is appropriately protected (see 8.2);
h) technical standards for recording and reading information and software;
i) any special controls that are required to protect sensitive items, such as cryptography (see Clause 10);
j) maintaining a chain of custody for information while in transit;
k) acceptable levels of access control.
Policies, procedures and standards should be established and maintained to protect information and physical media in transit (see 8.3.3), and should be referenced in such transfer agreements.
The information security content of any agreement should reflect the sensitivity of the business information involved.
Other information
Agreements may be electronic or manual, and may take the form of formal contracts. For confidential information, the specific mechanisms used for the transfer of such information should be consistent for all organizations and types of agreements.

9.8.2. Exchange agreements

Control
Agreements should be established for the exchange of information and software between the organization and external parties.
Implementation guidance
Exchange agreements should consider the following security conditions:
a) management responsibilities for controlling and notifying the transmission, dispatch and receipt of transferred information;
b) procedures for notifying the sender of transmission, dispatch and receipt;
c) procedures to ensure traceability and non-repudiation;
d) minimum technical standards for packaging and transmission;
e) escrow agreements;
f) courier identification standards;
g) responsibilities and liabilities in the event of information security incidents, such as loss of data;
h) use of an agreed labelling system for sensitive or critical information, ensuring that the meaning of the labels is immediately understood and that the information is appropriately protected;
i) ownership and responsibilities for data protection, copyright, software licence compliance and similar considerations (see 14.1.2 and 14.1.4);
j) technical standards for recording and reading information and software;
k) any special controls that may be required to protect sensitive items, such as cryptographic keys (see 11.3).
Policies, procedures and standards should be established and maintained to protect information and physical media in transit (see also 9.8.3), and should be referenced in such exchange agreements.
The security content of any agreement should reflect the sensitivity of the business information involved.
Other information
Agreements may be electronic or manual, and may take the form of formal contracts or conditions of employment. For sensitive information, the specific mechanisms used for the exchange of such information should be consistent for all organizations and types of agreements.

13.2.3 Electronic messaging

Control
Information involved in electronic messaging should be appropriately protected.
Implementation guidance
Information security considerations for electronic messaging should include the following:
a) protecting messages from unauthorized access, modification or denial of service commensurate with the classification scheme adopted by the organization;
b) ensuring correct addressing and transportation of the message;
c) reliability and availability of the service;
d) legal considerations, for example requirements for electronic signatures;
e) obtaining approval prior to using external public services such as instant messaging, social networking or file sharing;
f) stronger levels of authentication controlling access from publicly accessible networks.
Other information
There are many types of electronic messaging such as email, electronic data interchange and social networking which play a role in business communications.

9.8.4. Electronic messaging

Control
Information involved in electronic messaging should be appropriately protected.
Implementation guidance
Security considerations for electronic messaging should include the following:
a) protecting messages from unauthorized access, modification or denial of service;
b) ensuring correct addressing and transportation of the message;
c) general reliability and availability of the service;
d) legal considerations, for example requirements for electronic signatures;
e) obtaining approval prior to using external public services such as instant messaging or file sharing;
f) access from readily accessible public networks should be controlled with stronger levels of authentication.
Other information
Electronic messaging such as email, electronic data interchange (EDI) and instant messaging plays an increasingly important role in business communications. Electronic messaging carries more risks than paper-based communications.

13.2.4 Confidentiality or non-disclosure agreements

Control
Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information should be identified, regularly reviewed and documented.
Implementation guidance
Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable to external parties or employees of the organization. Elements should be selected or added in consideration of the type of the other party and its permissible access or handling of confidential information. To identify requirements for confidentiality or non-disclosure agreements, the following elements should be considered:
a) a definition of the information to be protected (e.g. confidential information);
b) expected duration of an agreement, including cases where confidentiality might need to be maintained indefinitely;
c) required actions when an agreement is terminated;
d) responsibilities and actions of signatories to avoid unauthorized information disclosure;
e) ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information;
f) the permitted use of confidential information and rights of the signatory to use information;
g) the right to audit and monitor activities that involve confidential information;
h) process for notification and reporting of unauthorized disclosure or confidential information leakage;
i) terms for information to be returned or destroyed at agreement cessation;
j) expected actions to be taken in case of a breach of the agreement.
Based on an organization's information security requirements, other elements may be needed in a confidentiality or non-disclosure agreement.
Confidentiality and non-disclosure agreements should comply with all applicable laws and regulations for the jurisdiction to which they apply (see 18.1).
Requirements for confidentiality and non-disclosure agreements should be reviewed periodically and when changes occur that influence these requirements.
Other information
Confidentiality and non-disclosure agreements protect organizational information and inform signatories of their responsibility to protect, use and disclose information in a responsible and authorized manner.
There may be a need for an organization to use different forms of confidentiality or non-disclosure agreements in different circumstances.

13.2.4 Confidentiality or non-disclosure agreements

Control
Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information should be clearly identified and regularly reviewed.
Implementation guidance
Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. To identify requirements for confidentiality or non-disclosure agreements, the following elements should be considered:
a) a definition of the information to be protected (e.g. confidential information);
b) expected duration of an agreement, including cases where confidentiality might need to be maintained indefinitely;
c) required actions when an agreement is terminated;
d) responsibilities and actions of signatories to avoid unauthorized information disclosure;
e) ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information;
f) the permitted use of confidential information and the rights of the signatory to use information;
g) the right to audit and monitor activities that involve confidential information;
h) process for notification and reporting of unauthorized disclosure or confidential information leakage;
i) terms for information to be returned or destroyed at agreement cessation;
j) expected actions to be taken in case of a breach of the agreement.
Based on the organization's information security requirements, other elements may be added to a non-disclosure or confidentiality agreement.
Confidentiality and non-disclosure agreements should comply with all applicable laws and regulations (see also 14.1.1).
Requirements for confidentiality and non-disclosure agreements should be reviewed periodically and when changes occur that influence these requirements.
Other information
Confidentiality or non-disclosure agreements protect organizational information and inform signatories of their responsibility to protect, use and disclose information in a responsible and authorized manner.
An organization may also need to use different forms of confidentiality or non-disclosure agreements in different circumstances.
