TCVN xxxx:xxxx
CÔNG NGHỆ THÔNG TIN - CÁC KỸ THUẬT AN TOÀN - QUY TẮC THỰC HÀNH QUẢN LÝ AN TOÀN THÔNG TIN
Information technology - Security techniques - Code of practice for information security management
Hanoi, September 2010

TABLE OF CONTENTS
1 CURRENT STATE OF INFORMATION SECURITY MANAGEMENT IN VIETNAM
  1.1 Current state of information security management in Vietnam
  1.2 State policy on information security
  1.3 Conclusion
2 INTRODUCTION TO THE REFERENCE DOCUMENTS AND CITED STANDARDS
  2.1 ISO/IEC 27002 Information technology - Code of practice for information security management
  2.2 TCVN 7562:2005 ISO/IEC 17799:2000 - Information technology - Code of practice for information security management
  2.3 Comparison of TCVN 7562:2005 ISO/IEC 17799:2000 and ISO/IEC 27002:2005
3 DRAFT NATIONAL STANDARD ON THE CODE OF PRACTICE FOR INFORMATION SECURITY MANAGEMENT
  3.1 Reasons for developing the standard
  3.2 Practical need and applicability
  3.3 Purpose
  3.4 Basis for developing the standard
  3.5 Method for developing the standard
  3.6 Contents of the draft
1 CURRENT STATE OF INFORMATION SECURITY MANAGEMENT IN VIETNAM

1.1 Current state of information security management in Vietnam

- The explosion of the Internet and electronic commerce has created great opportunities, but alongside them the risk of information security breaches that directly affect the modern economy and society. In the early stage of e-commerce development in Vietnam, information insecurity was assessed as the biggest obstacle.
- The state of information security in Vietnam is still very weak. Awareness of the importance of information security among organizations and enterprises remains low, and most pay no attention to the area.
- Knowledge of information security in organizations and enterprises is poor (many do not understand the motives of computer criminals and cannot quantify the financial loss when they are attacked).
- Information security control today relies mainly on technical solutions and neglects the human factor. "People" here means not only the IT staff of the organization or enterprise, but everyone in every department. All of them must be made aware that information security is very important and plays a decisive role in the success and development of their organization or enterprise.
- Most organizations and enterprises have no information security regulations and no procedure for responding to incidents.
1.2 State policy on information security

The master plan sets out four overall objectives to 2020: critical national information systems are protected by dedicated, highly reliable security systems; an incident-response coordination network for network security and the national information infrastructure is formed, with the participation of all economic sectors; Vietnam's IT workforce is trained in information security to a level equivalent to the leading countries in ASEAN; public awareness of information security is widespread and steadily rising; and 100% of the system administrators of critical national information systems are trained and hold a national information security certificate. In 2010 a system of standards and criteria for assessing the information security of information systems is to be issued, and from 2015 these standards are to be applied widely across all critical national information systems. A national information security agency (Cục An toàn thông tin quốc gia) will be established to manage, coordinate and guide information security activities nationwide. At the same time, computer security incident response teams (CSIRTs) will be set up in agencies and organizations and linked into a nationwide CSIRT network so that information security incidents can be responded to promptly.
1.3 Conclusion

With the widespread adoption of the Internet, in particular broadband Internet, the number of security breaches in Vietnam keeps rising, and information security in Vietnam is a growing concern. Information security links two factors: technology and people. People, however, are the weakest link in the whole process of ensuring information security. Poor awareness, carelessness and neglect of security are the main reasons the information security situation is becoming ever more serious. Most organizations and enterprises have no information security regulations and no incident response procedure. Policies and a system of information security standards and technical regulations are therefore needed as a basis on which organizations can build their own information security regulations, protect information against threats, ensure continuity of operations, minimize risk, and maximize return on investment and business opportunities.
Table 1: Standards on information security management systems internationally and in Vietnam

No. | ISO/IEC standard | Vietnamese national standard
1 | ISO/IEC 27000 - Information security management systems - Overview and vocabulary | -
2 | ISO/IEC 27001:2005 - Information security management systems - Requirements | TCVN ISO/IEC 27001:2009 - Information technology - Information security management systems - Requirements
3 | ISO/IEC 27002 - Code of practice for information security management | TCVN 7562:2005 ISO/IEC 17799:2000 - Information technology - Code of practice for information security management
6 | ISO/IEC 27005 - Information security risk management | -
7 | ISO/IEC 27006 - Requirements for bodies providing audit and certification of information security management systems | -
8 | ISO/IEC 27011 - Information security management guidelines for telecommunications organizations based on ISO/IEC 27002 | -
9 | ISO 27799 - Information security management in health using ISO/IEC 27002 | -
2.1 ISO/IEC 27002 Information technology - Code of practice for information security management

Current version: ISO/IEC 27002:2005. In 2005 ISO/IEC officially replaced the international standard ISO/IEC 17799:2000 with ISO/IEC 17799:2005, which in 2007 was renumbered ISO/IEC 27002:2005 so that it could be applied together with the other information security management standards in the ISO/IEC 27000 family of ISMS standards.

Objective
This standard establishes general guidelines and principles for initiating, implementing, maintaining and improving information security management in an organization. Its stated objective is to provide general guidance on the commonly accepted goals of information security management. The control objectives and controls in the standard are implemented to meet the requirements identified by a risk assessment. The standard can serve as a practical guideline for developing organizational security standards and effective security management practices, and helps build confidence in inter-organizational activities.

Content
Developments in technology and services, and other changes in society, exposed issues that ISO/IEC 17799:2000 did not address. The content of ISO/IEC 27002:2005 was updated, supplemented and adjusted in a number of areas relative to ISO/IEC 17799:2000 to meet practical requirements. ISO/IEC 27002:2005 contains 133 information security controls divided into 11 groups. Based on an analysis of feedback gathered from real-world implementations, the structure of the new version differs considerably from the 2000 version. The updated content clarifies the protection of information in electronic commerce, in services provided by external parties, in human resources management, in the use of wireless networks, and so on.

Structure
Structurally, ISO/IEC 27002:2005 contains a number of changes that fit practice better than ISO/IEC 17799. The standard comprises 11 security control clauses containing a total of 39 main security categories, plus one introductory clause on risk assessment and treatment. Each clause contains a number of main security categories (the count is given in parentheses):

- Security policy (1)
- Organizing information security (2)
- Asset management (2)
- Human resources security (3)
- Physical and environmental security (2)
- Communications and operations management (10)
- Access control (7)
- Information systems acquisition, development and maintenance (6)
- Information security incident management (2)
- Business continuity management (1)
- Compliance (3)

The order of the clauses in the standard does not indicate their importance. Depending on the circumstances, every one of them may be important, so each organization applying the standard should identify the applicable clauses, determine how important they are, and apply them to its specific business processes. The categories in the standard are not listed in order of priority (unless otherwise noted). ISO/IEC 27002 has fully equivalent national standards in a number of countries.
Table 2: National standards equivalent to ISO/IEC 27002

Country | Equivalent standard
Australia / New Zealand | AS/NZS ISO/IEC 27002:2006
Brazil |
Czech Republic | ČSN ISO/IEC 27002:2006
Denmark | DS 484:2005
Estonia | EVS-ISO/IEC 17799:2003 (2005 version being translated)
Japan | JIS Q 27002
Lithuania | LST ISO/IEC 17799:2005
Netherlands | NEN-ISO/IEC 17799:2002 nl (2005 version being translated)
Poland | PN-ISO/IEC 17799:2007
Peru | NTP-ISO/IEC 17799:2007
South Africa | SANS 17799:2005
Spain | UNE 71501
Sweden | SS 627799
Turkey | TS ISO/IEC 27002
United Kingdom | BS ISO/IEC 27002:2005
Uruguay | UNIT/ISO 17799:2005
Russia | ГОСТ Р ИСО/МЭК 17799-2005
China | GB/T 22081-2008
2.2 TCVN 7562:2005 ISO/IEC 17799:2000 - Information technology - Code of practice for information security management

This standard was developed on the basis of, and is fully equivalent to, the international standard ISO/IEC 17799:2000, i.e. the old version of ISO/IEC 27002. It provides recommendations on information security management for those responsible for initiating, implementing or maintaining security in their organization. It aims to provide a common basis for developing organizational security standards and effective security management practice, and to build confidence in inter-organizational dealings.

Like ISO/IEC 17799:2000, TCVN 7562:2005 ISO/IEC 17799:2000 specifies 127 information security controls, grouped into 10 clauses:

- Security policy
- Organizational security
- Asset classification and control
- Personnel security
- Physical and environmental security
- Communications and operations management
- Access control
- Systems development and maintenance
- Business continuity management
- Compliance
2.3 Comparison of TCVN 7562:2005 ISO/IEC 17799:2000 and ISO/IEC 27002:2005

The content of the clauses already present in ISO/IEC 17799:2000 was also supplemented and adjusted when carried into ISO/IEC 27002:2005. For example, clause 10, communications and operations management, gained content on exchanging information when working with external organizations and on electronic commerce services.

In addition, TCVN 7562:2005 ISO/IEC 17799:2000 contains some inaccurate translations. The terms "an ninh" and "an ninh thông tin" used in TCVN 7562:2005 ("security" in the public-order sense) should instead be rendered "an toàn" and "an toàn thông tin", in keeping with the definition of information security as "the preservation of the confidentiality, integrity and availability of information". Clause 6 of TCVN 7562:2005 is titled "an ninh cá nhân" (personal security), a rendering of the phrase "personnel security"; in this standard "personnel security" means protecting information against risks arising from the organization's human resources.
Table 3: Clause structure of TCVN 7562:2005 ISO/IEC 17799:2000 compared with ISO/IEC 17799:2005 (ISO/IEC 27002:2005)

TCVN 7562:2005 ISO/IEC 17799:2000 | ISO/IEC 17799:2005
Terms and definitions: 3 terms | Terms and definitions: 17 terms
(no equivalent) | Risk assessment and treatment
Security policy: Information security policy | Security policy: Information security policy
Security organization: Information security infrastructure; Security of third party access; Outsourcing | Organization of information security: Internal organization; External parties
Asset classification and control: Accountability for assets; Information classification | Asset management: Responsibility for assets; Information classification
Personnel security: Security in job definition and resourcing; User training; Responding to security incidents and malfunctions | Human resources security: Prior to employment; During employment; Termination or change of employment
Physical and environmental security: Secure areas; Equipment security; General controls | Physical and environmental security: Secure areas; Equipment security
Communications and operations management: Operational procedures and responsibilities; System planning and acceptance; Protection against malicious software; Housekeeping; Network management; Media handling and security; … | Communications and operations management: Operational procedures and responsibilities; Third party service delivery management; System planning and acceptance; Protection against malicious and mobile code; Back-up; Network security management; …
Access control: Business requirement for access control; User access management; User responsibilities; Network access control; Operating system access control; Application access control; Monitoring system access and use; Mobile computing and teleworking | Access control: Business requirement for access control; User access management; User responsibilities; Network access control; Operating system access control; Application and information access control; Mobile computing and teleworking
Systems development and maintenance: Security requirements of systems; Security in application systems; Cryptographic controls; Security of system files; Security in development and support processes | Information systems acquisition, development and maintenance: Security requirements of information systems; Correct processing in applications; Cryptographic controls; Security of system files; Security in development and support processes; Technical vulnerability management
(no equivalent) | Information security incident management
Business continuity management: Aspects of business continuity management | Business continuity management: Information security aspects of business continuity management
Compliance: Compliance with legal requirements; Reviews of security policy and technical compliance; System audit considerations | Compliance: Compliance with legal requirements; Compliance with security policies and standards, and technical compliance; Information systems audit considerations
Structure

Structurally, ISO/IEC 27002:2005 also differs considerably from the old version ISO/IEC 17799:2000. In ISO/IEC 27002:2005 each main security category contains:

- a control objective stating what is to be achieved; and
- one or more controls that can be applied to achieve that objective.

Each control is then presented as follows:

- Control: states the specific control that satisfies the control objective.
- Implementation guidance: provides more detailed information to support implementation of the control and meet the control objective. Some of this guidance may not be suitable in every case, so the appropriate way of implementing the control has to be chosen.
- Other information: provides further information that may need to be considered, e.g. legal considerations and references to other standards.

From this it can be seen that:

- The content of TCVN 7562:2005 ISO/IEC 17799:2000 no longer matches the development of technology and services in the current period of explosive growth in information.
- ISO/IEC 27002:2005 brings many improvements in both structure and content. Moreover, once this version was published, many countries adopted it in place of their old standards based on the 2000 version.

3 DRAFT NATIONAL STANDARD ON THE CODE OF PRACTICE FOR INFORMATION SECURITY MANAGEMENT

… to keep it up to date and in line with practice. The new version, ISO/IEC 27002, updates, supplements and adjusts a number of issues relative to the 2000 version, with many changes in content and structure suited to practical application. It is therefore necessary to review TCVN 7562:2005 ISO/IEC 17799:2000 and develop a new national standard to replace it, based on the international standard ISO/IEC 27002:2005.
3.3 Purpose

To develop and issue a standard recommended for application, serving as a basis for state agencies to issue information security management regulations applicable in Vietnam.
Table 4: Cross-reference between the draft TCVN and the cited standard

Draft TCVN "Information technology - Security techniques - Code of practice for information security management" | ISO/IEC 27002:2005 "Information technology - Security techniques - Code of practice for information security management"
1 Scope | 1: Scope
2 Normative references | -
3 Terms and definitions | 2: Terms and definitions
4 Risk assessment and treatment | 4: Risk assessment and treatment
4.1 Assessing security risks | 4.1: Assessing security risks
4.2 Treating information security risks | 4.2: Treating security risks
5 Security policy | 5: Security policy
5.1 Information security policy | 5.1: Information security policy
6 Organization of information security | 6: Organization of information security
6.1 | 6.1: Internal organization
6.2 | 6.2: External parties
7 | 7: Asset management
7.1 Responsibility for assets | 7.1: Responsibility for assets
7.2 Information classification | 7.2: Information classification
8 Human resources security | 8: Human resources security
8.1 Prior to employment | 8.1: Prior to employment
8.2 During employment | 8.2: During employment
8.3 Termination or change of employment | 8.3: Termination or change of employment
9 Physical and environmental security | 9: Physical and environmental security
9.1 Secure areas | 9.1: Secure areas
9.2 Equipment security | 9.2: Equipment security
10 | 10: Communications and operations management
10.1 Operational responsibilities and procedures | 10.1: Operational procedures and responsibilities
10.2 Third party service delivery management | 10.2: Third party service delivery management
10.3 System acceptance and planning | 10.3: System planning and acceptance
10.4 Protection against malicious and mobile code | 10.4: Protection against malicious and mobile code
10.5 Back-up | 10.5: Back-up
10.6 Network security management | 10.6: Network security management
10.7 Media handling | 10.7: Media handling
10.8 Exchange of information | 10.8: Exchange of information
10.9 Electronic commerce services | 10.9: Electronic commerce services
10.10 Monitoring | 10.10: Monitoring
11 Access control | 11: Access control
11.1 Business requirement for access control | 11.1: Business requirement for access control
11.2 User access management | 11.2: User access management
11.3 User responsibilities | 11.3: User responsibilities
11.4 Network access control | 11.4: Network access control
11.5 Operating system access control | 11.5: Operating system access control
11.6 Application and information access control | 11.6: Application and information access control
11.7 Mobile computing and teleworking | 11.7: Mobile computing and teleworking
12 Information systems acquisition, development and maintenance | 12: Information systems acquisition, development and maintenance
12.1 Security requirements of information systems | 12.1: Security requirements of information systems
12.2 Correct processing in applications | 12.2: Correct processing in applications
12.3 Cryptographic controls | 12.3: Cryptographic controls
12.4 Security of system files | 12.4: Security of system files
12.5 Security in development and support processes | 12.5: Security in development and support processes
12.6 Technical vulnerability management | 12.6: Technical vulnerability management
13 Information security incident management | 13: Information security incident management
13.1 Reporting information security events and weaknesses | 13.1: Reporting information security events and weaknesses
13.2 Management of information security incidents and improvements | 13.2: Management of information security incidents and improvements
14 Business continuity management | 14: Business continuity management
14.1 Information security aspects of business continuity management | 14.1: Information security aspects of business continuity management
15 Compliance | 15: Compliance
15.1 Compliance with legal requirements | 15.1: Compliance with legal requirements
15.2 Compliance with security policies and standards, and technical compliance | 15.2: Compliance with security policies and standards, and technical compliance
15.3 Information systems audit considerations | 15.3: Information systems audit considerations
Bibliography | Bibliography