
MINISTRY OF INFORMATION AND COMMUNICATIONS

---------

EXPLANATORY NOTE ON THE DRAFT NATIONAL STANDARD

TCVN xxxx:xxxx INFORMATION TECHNOLOGY - SECURITY TECHNIQUES - CODE OF PRACTICE FOR INFORMATION SECURITY MANAGEMENT
Information technology - Security techniques - Code of practice for information security management

HANOI - 9/2010

TABLE OF CONTENTS

1 CURRENT STATE OF INFORMATION SECURITY MANAGEMENT IN VIETNAM ..... 3
1.1 Current state of information security management in Vietnam ..... 3
1.2 State policies and guidelines on information security ..... 3
1.3 Conclusion ..... 4
2 INTRODUCTION TO REFERENCE DOCUMENTS AND NORMATIVE REFERENCES ..... 4
2.1 ISO/IEC 27002 Information technology - Code of practice for information security management ..... 6
2.2 TCVN 7562:2005 ISO/IEC 17799:2000 - Information technology - Code of practice for information security management ..... 8
2.3 Comparison of TCVN 7562:2005 ISO/IEC 17799:2000 and ISO/IEC 27002:2005 ..... 9
3 DRAFT NATIONAL STANDARD ON THE CODE OF PRACTICE FOR INFORMATION SECURITY MANAGEMENT ..... 13
3.1 Reasons for developing the standard ..... 13
3.2 Practical need and applicability ..... 14
3.3 Purpose ..... 14
3.4 Basis for developing the standard ..... 14
3.5 Method of developing the standard ..... 14
3.6 Contents of the draft ..... 14

1 CURRENT STATE OF INFORMATION SECURITY MANAGEMENT IN VIETNAM

1.1 Current state of information security management in Vietnam

- The explosion of the Internet and e-commerce, alongside the great opportunities it creates, brings risks of information insecurity that directly affect the modern economy and society. In the early stage of e-commerce development in Vietnam, information insecurity was assessed as the biggest obstacle.
- The state of information security in Vietnam is still very weak; awareness of the importance of information security among organizations and enterprises remains low, and most pay little attention to this area.
- Knowledge of information security among organizations and enterprises is still limited (many do not understand the motives of computer criminals and cannot quantify the financial damage when they are attacked).
- Information security control currently relies mainly on technical solutions and neglects the human factor. "People" here means not only the IT staff of an organization or enterprise but everyone in every department. All of them must be made aware that information security is very important and plays a decisive role in the success and development of their organization or enterprise.
- Most organizations and enterprises have no information security regulations and no incident response procedures.

1.2 State policies and guidelines on information security

- Decree No. 64/2007/NĐ-CP of 10/4/2007 of the Government on the application of information technology in the operations of state agencies stipulates that state agencies must establish internal regulations ensuring information security; have staff in charge of information security management; and apply, provide guidance on and periodically inspect the implementation of measures ensuring that networked information systems meet information security standards and technical regulations.
- In 2007, the Ministry of Posts and Telematics (now the Ministry of Information and Communications) issued Directive No. 03/2007/CT-BBCVT of 23/02/2007 on strengthening information security on the Internet, requiring agencies, organizations, and telecommunications and Internet enterprises operating on the Internet to develop procedures and regulations ensuring information security for their information systems, with reference to the security management standards TCVN 7562 and ISO 27001, and to ensure the ability to trace and recover information in the event of an incident.
- On 13/1/2010, the Prime Minister signed Decision No. 63/QĐ-TTg approving the National Digital Information Security Development Plan to 2020.

The plan sets four overall objectives to 2020: national critical information systems are protected by highly reliable dedicated security systems; a coordination network for incident response and the security of the national network and information infrastructure is formed with the participation of all economic sectors; Vietnam's IT workforce is trained in information security to a level comparable with the leading ASEAN countries; public awareness of information security is widespread and continually improving; and 100% of system administrators of national critical information systems are trained and awarded national certificates in information security. In 2010, a system of standards and criteria for assessing the information security of information systems is to be promulgated, and from 2015 these standards are to be applied widely across all national critical information systems. A National Information Security Department will be established to manage, coordinate and guide information security activities nationwide. At the same time, Computer Security Incident Response Teams (CSIRTs) will be established at agencies and units and linked into a nationwide network so that information security incidents can be responded to promptly.

1.3 Conclusion

Along with the widespread adoption of the Internet, especially broadband Internet, the number of security breaches in Vietnam is rising, and with it concern about information security in Vietnam. Information security is a chain linking two factors: technology and people. People, however, are the weakest link in the whole process of ensuring information security. Poor awareness, carelessness and lax security are the main causes of the increasingly serious state of information insecurity. Most organizations and enterprises have no information security regulations and no incident response procedures. Policies and a system of standards and technical regulations on information security are therefore needed as a basis for organizations to build their own information security regulations, so that they can protect information against threats, ensure continuity of operations, minimize risk, and maximize return on investment and business opportunities.

2 INTRODUCTION TO REFERENCE DOCUMENTS AND NORMATIVE REFERENCES


Table 1: Standards on information security management systems in the world and in Vietnam

No. | ISO/IEC standard | National standard
1 | ISO/IEC 27000 Information security management systems - Overview and vocabulary | -
2 | ISO/IEC 27001:2005 Information security management systems - Requirements | TCVN ISO/IEC 27001:2009 Information technology - Information security management systems - Requirements
3 | ISO/IEC 27002 Code of practice for information security management | TCVN 7562:2005 ISO/IEC 17799:2000 Information technology - Code of practice for information security management
4 | ISO/IEC 27003 Information security management system implementation guidance | -
5 | ISO/IEC 27004 Information security management measurement | -
6 | ISO/IEC 27005 Information security risk management | -
7 | ISO/IEC 27006 Requirements for bodies providing audit and certification of information security management systems | -
8 | ISO/IEC 27011 Information security management guidelines for telecommunications organizations based on ISO/IEC 27002 | -
9 | ISO 27799 Information security management in health using ISO/IEC 27002 | -

2.1 ISO/IEC 27002 Information technology - Code of practice for information security management

Current version: ISO/IEC 27002:2005

In 2005 the international standard ISO 17799:2000 was officially replaced by ISO/IEC with the international standard ISO/IEC 17799:2005, which in 2007 was renamed ISO/IEC 27002:2005 so that it could be applied together with the other information security management standards of the ISO/IEC 27000 family of information security management system standards.

Objective

This standard establishes general guidelines and principles for initiating, implementing, maintaining and improving information security management in an organization. Its stated objective is to provide general guidance for achieving the commonly accepted goals of information security management. The control objectives and controls of this standard are implemented to meet the requirements identified by the risk assessment process. The standard can serve as a practical guide for developing organizational security standards and effective security management practices, and helps build confidence in inter-organizational activities.

Content

Developments in technology and services, as well as other changes in society, exposed problems that ISO/IEC 17799:2000 did not address. The content of ISO/IEC 27002:2005 has been updated, supplemented and adjusted in a number of respects compared with ISO/IEC 17799:2000 in order to meet practical requirements. ISO/IEC 27002:2005 comprises 134 information security controls divided into 11 groups. Based on analysis of feedback gathered from practical implementation, the structure of this new version differs considerably from the 2000 version. The new content has been updated to clarify the issues of ensuring information security in e-commerce, in services provided by external parties, in personnel management, in the use of wireless networks, and so on.

Structure

Structurally, ISO/IEC 27002:2005 has a number of changes that fit practice better than ISO/IEC 17799. The standard contains 11 security control clauses with a total of 39 main security categories, plus one introductory clause on risk assessment and treatment. Each clause contains a number of main security categories:

- Security policy (1)
- Organization of information security (2)
- Asset management (2)
- Human resources security (3)
- Physical and environmental security (2)
- Communications and operations management (10)
- Access control (7)
- Information systems acquisition, development and maintenance (6)
- Information security incident management (2)
- Business continuity management (1)
- Compliance (3)

In this standard, the order of the clauses does not reflect their importance. Depending on the specific circumstances, every clause may be important, so each organization applying this standard should identify the applicable clauses and their importance and apply them to its specific business processes. The categories in this standard are not listed in order of priority (unless otherwise noted). ISO/IEC 27002 has fully equivalent standards in a number of countries.

Table 2: National standards equivalent to ISO/IEC 27002

Country | Equivalent standard
Australia / New Zealand | AS/NZS ISO/IEC 27002:2006
Brazil | ISO/IEC NBR 17799/2007 - 27002
Czech Republic | ČSN ISO/IEC 27002:2006
Denmark | DS484:2005
Estonia | EVS-ISO/IEC 17799:2003, 2005 version being translated
Japan | JIS Q 27002
Lithuania | LST ISO/IEC 17799:2005
Netherlands | NEN-ISO/IEC 17799:2002 nl, 2005 version being translated
Poland | PN-ISO/IEC 17799:2007
Peru | NTP-ISO/IEC 17799:2007
South Africa | SANS 17799:2005
Spain | UNE 71501
Sweden | SS 627799
Turkey | TS ISO/IEC 27002
United Kingdom | BS ISO/IEC 27002:2005
Uruguay | UNIT/ISO 17799:2005
Russia | ГОСТ Р ИСО/МЭК 17799-2005
China | GB/T 22081-2008

2.2 TCVN 7562:2005 ISO/IEC 17799:2000 - Information technology - Code of practice for information security management

This standard was developed on the basis of the international standard ISO/IEC 17799:2000 and is fully equivalent to it. It is the old version of ISO/IEC 27002. The standard gives recommendations on information security management to those responsible for initiating, implementing or maintaining security in their organization. It is intended to provide a common basis for developing organizational security standards and effective information security management practice, and to build confidence in inter-organizational dealings.

Like ISO/IEC 17799:2000, TCVN 7562:2005 ISO/IEC 17799:2000 sets out 127 controls for ensuring information security, divided into 10 groups:

- Security policy
- Organizational security
- Asset classification and control
- Personnel security
- Physical and environmental security
- Communications and operations management
- Access control
- Systems development and maintenance
- Business continuity management
- Compliance

2.3 Comparison of TCVN 7562:2005 ISO/IEC 17799:2000 and ISO/IEC 27002:2005

This section compares the two standards TCVN 7562:2005 ISO/IEC 17799:2000 (ISO/IEC 17799:2000) and ISO/IEC 27002:2005 to show the improvements of ISO/IEC 27002:2005 over the old version, and at the same time to assess how well TCVN 7562:2005 ISO/IEC 17799:2000 fits and meets practical requirements.

Content: The content of ISO/IEC 27002:2005 has been updated, supplemented and adjusted in a number of respects compared with ISO/IEC 17799:2000. Specifically:
- Terms were added and adjusted:
  o 14 terms were added.
  o The term "risk assessment" in ISO/IEC 27002:2005 is defined as the overall process of risk analysis and risk evaluation, whereas in TCVN 7562 it is the assessment of threats to, impacts on and vulnerabilities of information and information processing facilities, and the likelihood of their occurrence.
  o The term "risk management" in ISO/IEC 27002:2005 is defined as coordinated activities to direct and control an organization with regard to risk, with the note that risk management typically includes risk assessment, risk treatment, risk acceptance and risk communication.
- Two clauses were added: on risk assessment and treatment, and on information security incident management.

The content of the clauses already present in ISO/IEC 17799:2000 was also supplemented and adjusted as appropriate when carried into ISO/IEC 27002:2005. For example, clause 10, Communications and operations management, gained content on the exchange of information when working with external organizations and on electronic commerce services.

In addition, TCVN 7562:2005 ISO/IEC 17799:2000 contains some inaccurate translations. The terms "an ninh" and "an ninh thông tin" used in TCVN 7562:2005 ISO/IEC 17799:2000 should be translated as "an toàn" and "an toàn thông tin", consistent with the definition of information security as the preservation of the confidentiality, integrity and availability of information. Clause 6 of TCVN 7562:2005 ISO/IEC 17799:2000 is titled "an ninh cá nhân" (personal security), derived from the phrase "personnel security". In this standard, "personnel security" means ensuring information security with respect to human resources.

Table 3: Comparison of TCVN 7562:2005 ISO/IEC 17799:2000 and ISO/IEC 27002:2005

Columns: TCVN 7562:2005 ISO/IEC 17799:2000 | ISO/IEC 17799:2005

Terms and definitions
  TCVN 7562:2005: 3 terms
  ISO/IEC 17799:2005: 17 terms

Risk assessment and treatment
  TCVN 7562:2005: (none)
  ISO/IEC 17799:2005: Risk assessment and treatment

Security policy
  TCVN 7562:2005: Information security policy
  ISO/IEC 17799:2005: Information security policy

Security organization / Organization of information security
  TCVN 7562:2005: Information security infrastructure; Security of third party access; Outsourcing
  ISO/IEC 17799:2005: Internal organization; External parties

Asset classification and control / Asset management
  TCVN 7562:2005: Accountability for assets; Information classification
  ISO/IEC 17799:2005: Responsibility for assets; Information classification

Personnel security / Human resources security
  TCVN 7562:2005: Security in job definition and resourcing; User training; Responding to security incidents and malfunctions
  ISO/IEC 17799:2005: Prior to employment; During employment; Termination or change of employment

Physical and environmental security
  TCVN 7562:2005: Secure areas; Equipment security; General controls
  ISO/IEC 17799:2005: Secure areas; Equipment security

Communications and operations management
  TCVN 7562:2005: Operational responsibilities and procedures; System planning and acceptance; Protection against malicious software; Housekeeping; Network management; Media handling and security; Exchanges of information and software
  ISO/IEC 17799:2005: Operational responsibilities and procedures; Third party service delivery management; System planning and acceptance; Protection against malicious and mobile code; Back-up; Network security management; Media handling; Exchange of information; Electronic commerce services; Monitoring

Access control
  TCVN 7562:2005: Business requirement for access control; User access management; User responsibilities; Network access control; Operating system access control; Application access control; Monitoring system access and use; Teleworking and mobile computing
  ISO/IEC 17799:2005: Business requirement for access control; User access management; User responsibilities; Network access control; Operating system access control; Application and information access control; Mobile computing and teleworking

Systems development and maintenance / Information systems acquisition, development and maintenance
  TCVN 7562:2005: Security requirements of systems; Security in application systems; Cryptographic controls; Security of system files; Security in development and support processes
  ISO/IEC 17799:2005: Security requirements of information systems; Correct processing in applications; Cryptographic controls; Security of system files; Security in development and support processes; Technical vulnerability management

Information security incident management
  TCVN 7562:2005: (none)
  ISO/IEC 17799:2005: Information security incident management

Business continuity management
  TCVN 7562:2005: Aspects of business continuity management
  ISO/IEC 17799:2005: Information security aspects of business continuity management

Compliance
  TCVN 7562:2005: Compliance with legal requirements; Reviews of security policy and technical compliance; System audit considerations
  ISO/IEC 17799:2005: Compliance with legal requirements; Compliance with security policies and standards, and technical compliance; Information systems audit considerations

Structure

Structurally, ISO/IEC 27002:2005 also differs considerably from the old version ISO/IEC 17799:2000. Structure of the main categories in ISO/IEC 27002:2005: each main category contains:

- a control objective to be achieved; and
- one or more controls that can be applied to achieve the control objective.

The description of each control is structured as follows:

- Control: states the specific control that satisfies the control objective.
- Implementation guidance: provides more detailed information to support implementation of the control and achievement of the control objective. Some of this guidance may not be suitable in every case, so an appropriate way of implementing the control must be chosen.
- Other information: provides further information that may need to be considered, e.g. legal considerations and references to other standards.

It can thus be seen that:
  o The content of TCVN 7562:2005 ISO/IEC 17799:2000 no longer fits the development of technology and services in today's period of information explosion.
  o ISO/IEC 27002:2005 contains many improvements in both structure and content. Moreover, when this version was released, many countries adopted it to replace their old standards based on the 2000 version.

3 DRAFT NATIONAL STANDARD ON THE CODE OF PRACTICE FOR INFORMATION SECURITY MANAGEMENT

3.1 Reasons for developing the standard:

- Developing a standard on the code of practice for information security management completes Vietnam's system of information security standards and provides a basis for building information security management policies and for strengthening the application of information security measures in Vietnam.
- The national standard TCVN 7562:2005 ISO/IEC 17799:2000 Information technology - Code of practice for information security management was developed by adopting ISO/IEC 17799:2000 verbatim, which is the old version of ISO/IEC 27002:2005, so its content is out of date and not suited to current practice. The new version, ISO/IEC 27002, updates, supplements and adjusts a number of issues compared with the 2000 version, with many changes in content and structure suited to practical application. It is therefore necessary to review TCVN 7562:2005 ISO/IEC 17799:2000 and to develop a new national standard to replace it, based on the international standard ISO/IEC 27002:2005.

3.2 Practical need and applicability:

A TCVN standard on the code of practice for information security management is needed to encourage agencies, organizations and enterprises to apply it in order to protect their information assets and, at the same time, to build the confidence of customers and partners.

3.3 Purpose:

To develop and promulgate a recommended standard for application, as a basis for state agencies to issue management regulations on information security for application in Vietnam.

3.4 Basis for developing the standard

The international standard ISO/IEC 27002:2005, which is also the source document that many countries have used to develop their equivalent national standards.

3.5 Method of developing the standard

- Reference and adopt the standard ISO/IEC 27002:2005 verbatim.
- Review TCVN 7562:2005 ISO/IEC 17799:2000 and inherit its content, terminology, translation, etc.

Name of the standard: INFORMATION TECHNOLOGY - SECURITY TECHNIQUES - CODE OF PRACTICE FOR INFORMATION SECURITY MANAGEMENT
Information technology - Security techniques - Code of practice for information security management

3.6 Contents of the draft

The draft standard was developed by adopting the content of ISO/IEC 27002:2005 verbatim. Adjustments are needed, however, to comply with the current regulations on the format and presentation of national standards.

Table 4: Cross-reference of normative references

Draft TCVN Information technology - Security techniques - Code of practice for information security management | ISO/IEC 27002:2005 Information technology - Security techniques - Code of practice for information security management

1 Scope | 1: Scope
2 Normative references | -
3 Terms and definitions | 2: Terms and definitions
4 Risk assessment and treatment | 4: Risk assessment and treatment
4.1 Assessing security risks | 4.1: Assessing security risks
4.2 Treating information security risks | 4.2: Treating security risks
5 Security policy | 5: Security policy
5.1 Information security policy | 5.1: Information security policy
6 Organization of information security | 6: Organization of information security
6.1 Internal organization | 6.1: Internal organization
6.2 External parties | 6.2: External parties
7 Asset management | 7: Asset management
7.1 Responsibility for assets | 7.1: Responsibility for assets
7.2 Information classification | 7.2: Information classification
8 Human resources security | 8: Human resources security
8.1 Prior to employment | 8.1: Prior to employment
8.2 During employment | 8.2: During employment
8.3 Termination or change of employment | 8.3: Termination or change of employment
9 Physical and environmental security | 9: Physical and environmental security
9.1 Secure areas | 9.1: Secure areas
9.2 Equipment security | 9.2: Equipment security
10 Communications and operations management | 10: Communications and operations management
10.1 Operational responsibilities and procedures | 10.1: Operational procedures and responsibilities
10.2 Third party service delivery management | 10.2: Third party service delivery management
10.3 System planning and acceptance | 10.3: System planning and acceptance
10.4 Protection against malicious and mobile code | 10.4: Protection against malicious and mobile code
10.5 Back-up | 10.5: Back-up
10.6 Network security management | 10.6: Network security management
10.7 Media handling | 10.7: Media handling
10.8 Exchange of information | 10.8: Exchange of information
10.9 Electronic commerce services | 10.9: Electronic commerce services
10.10 Monitoring | 10.10: Monitoring
11 Access management | 11: Access control
11.1 Business requirements for access management | 11.1: Business requirement for access control
11.2 User access management | 11.2: User access management
11.3 User responsibilities | 11.3: User responsibilities
11.4 Network access management | 11.4: Network access control
11.5 Operating system access control | 11.5: Operating system access control
11.6 Application and information access control | 11.6: Application and information access control
11.7 Mobile computing and teleworking | 11.7: Mobile computing and teleworking
12 Information systems acquisition, development and maintenance | 12: Information systems acquisition, development and maintenance
12.1 Security requirements of information systems | 12.1: Security requirements of information systems
12.2 Correct processing in applications | 12.2: Correct processing in applications
12.3 Cryptography management | 12.3: Cryptographic controls
12.4 Security of system files | 12.4: Security of system files
12.5 Security in development and support processes | 12.5: Security in development and support processes
12.6 Technical vulnerability management | 12.6: Technical vulnerability management
13 Information security incident management | 13: Information security incident management
13.1 Reporting information security events and weaknesses | 13.1: Reporting information security events and weaknesses
13.2 Management of information security incidents and improvements | 13.2: Management of information security incidents and improvements
14 Business continuity management | 14: Business continuity management
14.1 Information security aspects of business continuity management | 14.1: Information security aspects of business continuity management
15 Compliance | 15: Compliance
15.1 Compliance with legal requirements | 15.1: Compliance with legal requirements
15.2 Compliance with security policies and standards, and technical compliance | 15.2: Compliance with security policies and standards, and technical compliance
15.3 Information systems audit considerations | 15.3: Information systems audit considerations
Bibliography | Bibliography

