Contents overview | Contents

Foreword 5
Introduction 6
1 Scope 8
2 Normative references 8
3 Terms and definitions 8
4 General requirements of information system security management 9
  4.1 Content of information system security management 9
  4.2 Information system security management principles 10
5 Information system security management elements and their strength 12
  5.1 Policy and system 12
    5.1.1 Information security management policy 12
    5.1.2 Security management rules and regulations 16
    5.1.3 Policy and system document management 19
  5.2 Organization and personnel management 21
    5.2.1 Security management organization 21
    5.2.2 Security mechanism centralized management organization 23
    5.2.3 Personnel management 24
    5.2.4 Education and training 28
  5.3 Risk management 29
    5.3.1 Risk management requirements and policies 29
    5.3.2 Risk analysis and assessment 30
    5.3.3 Risk control 33
    5.3.4 Decision making based on risks 33
    5.3.5 Risk assessment management 34
  5.4 Environment and resource management 36
    5.4.1 Environment security management 36
    5.4.2 Resources management 39
  5.5 Operation and maintenance management 43
    5.5.1 User management 43
    5.5.2 Operation management 45
    5.5.3 Operation maintenance management 49
    5.5.4 Outsourced service management 53
    5.5.5 Guarantee related to security mechanism 55
    5.5.6 Security centralized management 63
  5.6 Business continuity management 67
    5.6.1 Backup and recovery 67
    5.6.2 Security incident handling 68
    5.6.3 Emergency processing 71
  5.7 Supervision and inspection management 73
    5.7.1 Conforming with legal requirements 73
    5.7.2 Compliance inspection 74
    5.7.3 Audit and supervision control 76
    5.7.4 Responsibility determination 77
  5.8 Life cycle management 78
    5.8.1 Plan and project approval management 78
    5.8.2 Construction process management 80
    5.8.3 System startup and stop management 83
6 Information system security management grading requirements 85
  6.1 Grade I: user discretionary protection 85
    6.1.1 Management objective and scope 85
    6.1.2 Policy and system requirements 85
    6.1.3 Organization and personnel management requirements 86
    6.1.4 Risk management requirements 86
    6.1.5 Environment and resource management requirements 87
    6.1.6 Operation and maintenance management requirements 88
    6.1.7 Business continuity management requirements 89
    6.1.8 Supervision and inspection management requirements 90
    6.1.9 Life cycle management requirements 90
  6.2 Grade II: system audit protection 91
    6.2.1 Management objective and scope 91
    6.2.2 Policy and system requirements 91
    6.2.3 Organization and personnel management requirements 92
    6.2.4 Risk management requirements 93
    6.2.5 Environment and resource management requirements 94
    6.2.6 Operation and maintenance management requirements 94
    6.2.7 Business continuity management requirements 96
    6.2.8 Supervision and inspection management requirements 96
    6.2.9 Life cycle management requirements 97
  6.3 Grade III: security sign protection 98
    6.3.1 Management objective and scope 98
    6.3.2 Policy and system requirements 98
    6.3.3 Organization and personnel management requirements 99
    6.3.4 Risk management requirements 100
    6.3.5 Environment and resource management requirements 101
    6.3.6 Operation and maintenance management requirements 102
    6.3.7 Business continuity management requirements 103
    6.3.8 Supervision and inspection management requirements 104
    6.3.9 Life cycle management requirements 105
  6.4 Grade IV: structured protection 106
    6.4.1 Management objective and scope 106
    6.4.2 Policy and system requirements 107
    6.4.3 Organization and personnel management requirements 107
    6.4.4 Risk management requirements 108
    6.4.5 Environment and resource management requirements 109
    6.4.6 Operation and maintenance management requirements 109
    6.4.7 Business continuity management requirements 111
    6.4.8 Supervision and inspection management requirements 111
    6.4.9 Life cycle management requirements 112
  6.5 Grade V: access validation protection 113
    6.5.1 Management objective and scope 113
    6.5.2 Policy and system requirements 113
    6.5.3 Organization and personnel management requirements 114
    6.5.4 Risk management requirements 115
    6.5.5 Environment and resource management requirements 115
    6.5.6 Operation and maintenance management requirements 115
    6.5.7 Business continuity management requirements 116
    6.5.8 Supervision and inspection management requirements 117
    6.5.9 Life cycle management requirements 117
Annex A (Informative) Corresponding relationship among security management factors, strength and security management grading requirements 118
Annex B (Informative) Information system security management concept description 127
  B.1 Main security factors 128
    B.1.1 Assets 128
    B.1.2 Threats 129
    B.1.3 Vulnerability 129
    B.1.4 Effects of accidents 129
    B.1.5 Risks 130
    B.1.6 Protective measures 130
  B.2 Security management process 130
    B.2.1 Security management process model 130
    B.2.2 Security objectives 131
    B.2.3 Determination of security protection level 131
    B.2.4 Security risk analysis and assessment 132
    B.2.5 Develop security policies 132
    B.2.6 Security requirements analysis 133
    B.2.7 Implementation of security measures 135
    B.2.8 Supervision of security implementation process 136
    B.2.9 Security audit of the information system 137
    B.2.10 Life cycle management 138
Bibliography 139